Any help would be most appreciated - I'll really try to explain the problem and its context. Hopefully others can learn from my troubles!!! :)

My objective: Create a company wiki hosted on the cloud where employees can use their logins registered in the Azure Active Directory to access wiki resources.

The Basic Set-up: - Cloud-hosted Azure VM w/ this image:

> 
https://bitnami.com/stack/mediawiki/virtual-machine
> Basically contains an apache2 web server, and an image of mediawiki

- In addition to the base image, the extension OAuth2 Client has been installed following these instructions:

> https://www.mediawiki.org/wiki/Extension:OAuth2_Client> OAuth2 Client is built off this open-source project:     > https://github.com/thephpleague/oauth2-client

- Azure Active Directory (AD) with a registered Web app / API

The Encountered Problem: After providing the Azure Active Directory's user credentials (email and password), a `Fatal exception of type "GuzzleHttp\Exception\ConnectException"` is thrown.

Attempted in-depth problem analysis: So after attempting a login, the reply url is as such:

(note: I've randomly changed some values)

http://mywikidomain/Special:OAuth2Client/callback?code=AQABAAIAAACEfexXxjamQb3OeGQ4Gugv1Q04EA_ey_K-rj0okPNekuIB-BakV6Gq_pFBR8lfoaNJSWfK3uie9f88BM4C8vgULYulQtX9wh6LY2U0hACqr8cOz41OqbB9SQm0yqSv1Rhw7Pgri1DDwwS_DY1M1b49WR4qV2siDc_5_YmqG5MB-5xfASoTPjYHhWkN5nJ5FfIcK8KhkKGcOUeDNiTBeWZBcKIEBFVsk_pZjwQ-PFpbDRsbOrJvJGX8nuh2lJJpc00z1wrwFqMu-jVlhC7NTE1D3PZxPQEycvzi4_D7TcewyskXDTMiswr1AdYdCDTf68l8jMKpResRlu6qqWjeOIqsJNryGbPBXkA682AEyy8IiTw9KG1vB45uvh8SMLaPZEuHGsw-knUlt-gNAzMv6upc4-f3BtUe49ezFudsaMoLecKA33qvVFj2f9p9HbzbgK3KNDIJ8hcgipMpIR5__fjFe0XvABbRcVbaE4-HkIqWagfsw_GnNxIl7oxhF9H7-AVBRNAeg19gyPfwzTZmpXLH4LGQ_iZcroxdqcmfvZK3hawx1X2w5RbEo078TXYweBJ4mGMGt6RkMp5iSTv8SpGHXIuYKYfKNX__eG0X9kZN-a6QpN8ctmsvqZ_GA46d0LEF43lcw3RmKIeOc3_CL9QWiTs_hhCscxf4O2aQGugpNyAA&state=79c92d94bd9651231fw9dc06269eb1&session_state=96054b69-edab-4f5e-a583-75e83a440379

So, it is sending back an authorization token, but for some reason, mediawiki failing to proceed to the next step and request an access token, and refresh token with the newly acquired authorization token.

I've tried to check the logs in the Apache2 server, but nothing is added.

Is there a way to change that and get more error info??

Configurations/Changes made:

1. As per the OAuth2 Client instructions, I modified LocalSettings.php. Here, I'll briefly describe what information from the Azure AD I put where (<> contains a pseudo variable):

LocalSettings.php _______________________________________

wfLoadExtension( 'MW-OAuth2Client ')

$wgOAuth2Client['client']['id'] = <Application ID>;

$wgOAuth2Client['client']['id'] = <Key created in AD app registration - basically a hash value>

$wgOAuth2Client['configuration']['authorize_endpoint'] = <Azure AD OAUTH 2.0 AUTHORIZATION ENDPOINT>

$wgOAuth2Client['configuration']['access_token_endpoint'] = <Azure AD OAUTH 2.0 TOKEN ENDPOINT>

$wgOAuth2Client['configuration']['api_endpoint'] = <Azure App registered - App ID URI>

// As per the OAuth2 Client instructions...

$wgOAuth2Client['configuration']['redirect_uri'] = <http://mywikidomain/Special:OAuth2Client/callback>

//scopes not mentioned in OAuth2 Client install instructions

//Was throwing an index error if not set.

//https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

//According to the above link, when requesting an authorization code, scope is ignored and hence shouldn't matter what it is.

//Got the idea of 'user_impersonation' from the above microsoft docs link - use authorization code... -> successful response -> resource

$wgOAuth2Client['configuration']['scopes'] = 'user_impersonation';

// Defaults from OAuth2 Client NOT sure if needed to be changed

$wgOAuth2Client['configuration']['username'] = 'username';

$wgOAuth2Client['configuration']['email'] = 'email';

LocalSettings.php _______________________________________

2. As the above wasn't working, I tried to look through the source code of oauth2-client made by the phpleague to understand what was going on.

> https://github.com/thephpleague/oauth2-client

I noticed that the version that OAuth2 installs is version 1.4 as my code was different, and oauth2-client is up to 2.4.1, so I checkout into master and pulled the new version. No success.

3. I noticed that the oauth2-client has packages developed for specific providers, including the Azure AD.

> https://github.com/thenetworg/oauth2-azure

Hence, I installed as instructed but no change. I think I have to modify some things, but I have no idea what.

Please let me know if there is any more information you need!!!

I have a service application that can request single sign on from azure, in this case using openId. I have a customer trying to implement this feature, but any request to the oauth api under their azure tenant results in a timeout. I have other customers set up who don't have an issue, just this one. Any ideas?

One of the api calls from the tenant: https://login.microsoftonline.com/02760698-17fe-40de-9be0-0e948230e39f/oauth2/v2.0/authorize

I know that this call doesn't work without the other query parameters, but normally this base url call would result in the microsoft page displaying an error message and error code. This url just causes the browser itself to eventually implement a timeout error.

I have automated provisioning set up between Azure AD and G Suite. This works fine, I enter admin credentials for G Suite and authorise Azure AD, then users get provisioned across.

Then a few hours later, I get an email to say that automatic provisioning failed. I log back into Azure, re-authorise the connection to G Suite, and all is well once again.

Surely this can't be right. I thought the whole point of automated provisioning is to automate things, if I have to log into Azure and re-authorise a connection multiple times each day then the purpose is defeated.

What is the recommended approach from Microsoft on dealing with this? Can a Google service account with domain wide delegation be used so that I'm not entering an actual user's credentials? Have I missed something obvious like a tickbox?

This is the tutorial I used to set this up. Specifically see steps 11 - 14. https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-provisioning-tutorial

This is the error I get in Azure audit logs:

I have an Webapp that includes the scopes of a WebAPI defined in it's manifest under the requiredResourceAccess field

When a customer attempts to login to the webapp, an error is returned.

AADSTS650052: The app needs access to a service [SERVICENAME] that your organization [CUSTOMER TENANT] has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.
Trace ID: a4a34e3f-5d55-4d05-8c73-c8b9981aab00
Correlation ID: 5fd2a2e4-bcc9-40bf-8b88-2fedb55d28c0
Timestamp: 2019-02-04 21:10:59Z:invalid_client

If I were to register the service principal in the customers tenant manually, the customer is presented with the consent page with the list of permissions.

The command I use to register the service principal in the customers tenant: az ad sp create --id [APP ID]

I've tried to configure this trust multiple times using Azure AD Connect Wizard and it fails ever time.  I tried pasting the output of the install log while trying Federate an Azure AD Domain but it was too long.

Can the trust be created not using Azure AD Connect?

I have setup two AD DS forest which are both setup for domain join with Azure Active Directory using AAD Connect latest version.

I have a federated scenario using ADFS 2016 and everything seems to work fine. I now also activated Hello for Business with Key trust scenario, and also this works without detecting any problems.

Because I have ADFS, ADCS and also have services depending on smartcard authentication (certificate auth) I would like to switch Hello for Business to certificate trust instead of Key trust.

So I started checking if everythings is in order to get this working. I noticed the following AadCloudAPPlugin event errors, is there anybody who can explain what general problem I am having here. Or how to fix this.

1081OAuth response error: invalid_request
Error description: AADSTS500032: Cannot find signing certificate/private key to issue a certificate.
Trace ID: 3d98d0ff-a9d3-449e-ba8c-4e6add0b2900
Correlation ID: 2d4fd0b9-bc54-4d3a-8704-f3a137f19529
Timestamp: 2019-01-13 08:11:18Z
CorrelationID: 2d4fd0b9-bc54-4d3a-8704-f3a137f19529
1131Update P2P device certificate failure. Status: 0xC00000D0 Correlation ID: 2D4FD0B9-BC54-4D3A-8704-F3A137F19529
1165Logon failure. Status: 0xC00000D0 Correlation ID: 2D4FD0B9-BC54-4D3A-8704-F3A137F19529
1025Http request status: 400. Method: POST Endpoint Uri: https://<FQDN adfs>/adfs/oauth2/token/ Correlation ID: 57BB9433-BE34-4EAF-B7BA-E9503D5C0FF9
1081OAuth response error: invalid_grant
Error description: MSIS9682: Received invalid OAuth JWT Bearer request. The certificate used to sign JWT Bearer request is not from a registered device with a Transport key.
CorrelationID:
1118Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: 57BB9433-BE34-4EAF-B7BA-E9503D5C0FF9
1025Http request status: 400. Method: POST Endpoint Uri: https://login.microsoftonline.com/ff65dbab-37bf-42ae-939b-d08ed05f1799/oauth2/token Correlation ID: B9B93936-03A2-485C-8925-95F31075F173
 

---

Mike Couwenbergh IT Infrastructuur Architect

Dear Teach Support,

We have our own inhouse app designed Java tomcat and hosted on Azure in Centos VM, we are using SAML 2.0 and

org.opensaml.saml2.metadata.provider

org.springframework.security.saml

for our SSO needs , while integrating our app with Microsoft Azure active directory sso with non gallaery app, we are receving following error. 

We have followed https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

please help and advise



Error as follows:

HTTP Status 401 - Authentication Failed: Incoming SAML message is invalid

type Status report

message Authentication Failed: Incoming SAML message is invalid

description This request requires HTTP authentication.

Apache Tomcat/7.0.47

Hi,

We have a Saml 2.0 IDP setup that works for Google and Dropbox, but when implementing it on office 365 it keeps of failing.

It fails with the following response before JS auto redirect.

"AADSTS70002: Error validating credentials. AADSTS50064: Credential validation failed.
Trace ID: 5eb644d1-5d7e-4f6d-b9c4-cba667cf8500
Correlation ID: 77e1d097-ffe9-4775-94b8-857b206281f7
Timestamp: 2019-01-11 07:17:26Z"
After redirect, it will show this.

Sorry, that didn't work.
Please go back to Office.com and try again.
Thanks.

We are pretty sure that the NameID, IDPEmail are both correct since we tried logging in with Google as IDP and successfully logged in with the same values.

Already tried submitting an office 365 support ticket, but they replied saying that they don't deal with this kind of issues, so if anyone knows where I can get some help it would be very helpful.

Thanks in advance,

Michael

Hello,

We have registered an app by following the document https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code to implement the oAUth 2.0. We are able to integrate the OAuth 2.0 for our application. Now, we want to display the user details[user name, user-id] who logged into our application. Could you please provide us with the API details to fetch the user profile who logged using MSA .

We also tried the document https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0 , which is throwing below error:

{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token validation failure.",
        "innerError": {
            "request-id": "1eb4daaa-6b50-4d9f-b9c9-0cb7f0223a93",
            "date": "2019-01-14T05:41:11"
        }
    }
}

We have not taken permissions for Graph API's which is not required for us.

Kindly provide us with the API details where/How we can fetch user profile.

Note: It's a fresh account where  there is no resurcegroup/resources are exists.

Hi,

I've just installed AAD connector. Installed express settings and all seemd well. But have 2 mismatches. Started with those two where global admins i AAD. Removed the role, and now i have  conflict 

ProxyAddresses
SMTP:user@ourdomain.no
Error Type: AttributeValueMustBeUnique

I alredy had an tenant i aad, and most of my existing users on premiss have been manually created i office 365 and AAD. But now i wanted to establish single signon, and therefore sync users between on premiss and Azure

My question is: How to fix this? 

My user i AAD are connected with exchange in office 365, and I want that my user on premiss should grant this user.

 

I deployed Azure active directory domain service then enabled secure LDAP to be accessed from the internet through the same VNET or any other connected VNETs using site 2 site i can join any machine to the active directory service

if its doable, is verified custom domain required or any other configuration required .

Hi,

I have setup Azure Domain Services and managed to join a local VM on same subnet to the domain.  I was wondering what is the easiest method to join a PC to this domain over the internet.

I have LDAPs in place and relevant ports open back to my own network as able to ldaps to the domain.

Appreciate DNS is running in the Azure network so what's the best way to expose this to my local network so my PC can lookup the appropriate SRV records and join AD?

Lee

Hi,

I am currently moving from dirsync on server 2008 to Azure AD connect on windows 2018

I have download the latest version of adconnect (december 2018)

When I run the azureadconnect.exe /migrate I eventually run into problems. 

I have been getting various error messages such as "an error occurred executing configure aad sync task sequence contains no elements" 

I have attached the contents of the log file below. Any help will be much appreciated.

Kind Regards

[09:30:11.496] [  1] [INFO ] 
[09:30:11.496] [  1] [INFO ] ================================================================================
[09:30:11.496] [  1] [INFO ] Application starting
[09:30:11.496] [  1] [INFO ] ================================================================================
[09:30:11.496] [  1] [INFO ] Start Time (Local): Tue, 15 Jan 2019 09:30:11 GMT
[09:30:11.496] [  1] [INFO ] Start Time (UTC): Tue, 15 Jan 2019 09:30:11 GMT
[09:30:11.496] [  1] [INFO ] Application Version: 1.2.68.0
[09:30:11.496] [  1] [INFO ] Application Build Date: 2018-11-29 02:50:36Z
[09:30:12.608] [  1] [INFO ] Telemetry session identifier: {edf29165-bb34-4b0b-81b6-2d0a2811a36c}
[09:30:12.608] [  1] [INFO ] Telemetry device identifier: Fr5X/itcmxbEzhzpZ7iFSHqVIiPNjBoOBuH1ZIl9CM4=
[09:30:12.608] [  1] [INFO ] Application Build Identifier: AD-IAM-HybridSync master (3cf46bbe5)
[09:30:12.702] [  1] [INFO ] machine.config path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.
[09:30:12.702] [  1] [INFO ] Default Proxy [ProxyAddress]: <Unspecified>
[09:30:12.702] [  1] [INFO ] Default Proxy [UseSystemDefault]: Unspecified
[09:30:12.702] [  1] [INFO ] Default Proxy [BypassOnLocal]: Unspecified
[09:30:12.702] [  1] [INFO ] Default Proxy [Enabled]: True
[09:30:12.702] [  1] [INFO ] Default Proxy [AutoDetect]: Unspecified
[09:30:12.749] [  1] [VERB ] Scheduler wizard mutex wait timeout: 00:00:05
[09:30:12.749] [  1] [INFO ] AADConnect changes ALLOWED: Successfully acquired the configuration change mutex.
[09:30:12.827] [  1] [INFO ] RootPageViewModel.GetInitialPages: Beginning detection for creating initial pages.
[09:30:12.842] [  1] [INFO ] Checking if machine version is 6.1.7601 or higher
[09:30:12.858] [  1] [INFO ] The current operating system version is 10.0.14393, the requirement is 6.1.7601.
[09:30:12.858] [  1] [INFO ] Password Hash Sync supported: 'True'
[09:30:12.889] [  1] [INFO ] DetectInstalledComponents stage: The installed OS SKU is 7
[09:30:12.905] [  1] [INFO ] DetectInstalledComponents stage: Checking install context.
[09:30:12.905] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Visual C++ 2013 Redistributable Package
[09:30:12.905] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:12.921] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {20400cf0-de7c-327e-9ae4-f0f38d9085f8}: verified product code {a749d8e6-b613-3be3-8f5f-045c84eba29b}.
[09:30:12.921] [  1] [VERB ] Package=Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005, Version=12.0.21005, ProductCode=a749d8e6-b613-3be3-8f5f-045c84eba29b, UpgradeCode=20400cf0-de7c-327e-9ae4-f0f38d9085f8
[09:30:12.921] [  1] [INFO ] Determining installation action for Microsoft Visual C++ 2013 Redistributable Package (20400cf0-de7c-327e-9ae4-f0f38d9085f8)
[09:30:12.921] [  1] [INFO ] Product Microsoft Visual C++ 2013 Redistributable Package (version 12.0.21005) is installed.
[09:30:12.921] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Directory Sync Tool
[09:30:12.921] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:12.921] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[09:30:12.921] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[09:30:12.936] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-13cd-4bab-8da1-2775fa8cf7c2}: no registered products found.
[09:30:12.936] [  1] [INFO ] Determining installation action for Microsoft Directory Sync Tool UpgradeCodes {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}, {dc9e604e-37b0-4efc-b429-21721cf49d0d}
[09:30:12.936] [  1] [INFO ] DirectorySyncComponent: Product Microsoft Directory Sync Tool is not installed.
[09:30:12.936] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Sync Engine
[09:30:12.936] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:12.936] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-13cd-4bab-8da1-2775fa8cf7c2}: no registered products found.
[09:30:12.936] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[09:30:12.936] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[09:30:12.936] [  1] [INFO ] Determining installation action for Azure AD Sync Engine (545334d7-13cd-4bab-8da1-2775fa8cf7c2)
[09:30:13.217] [  1] [INFO ] Product Azure AD Sync Engine is not installed.
[09:30:13.217] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Connect Synchronization Agent
[09:30:13.217] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:13.217] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {3cd653e3-5195-4ff2-9d6c-db3dacc82c25}: no registered products found.
[09:30:13.233] [  1] [INFO ] Determining installation action for Azure AD Connect Synchronization Agent (3cd653e3-5195-4ff2-9d6c-db3dacc82c25)
[09:30:13.233] [  1] [INFO ] Product Azure AD Connect Synchronization Agent is not installed.
[09:30:13.233] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Connect Health agent for sync
[09:30:13.233] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:13.233] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {114fb294-8aa6-43db-9e5c-4ede5e32886f}: no registered products found.
[09:30:13.233] [  1] [INFO ] Determining installation action for Azure AD Connect Health agent for sync (114fb294-8aa6-43db-9e5c-4ede5e32886f)
[09:30:13.233] [  1] [INFO ] Product Azure AD Connect Health agent for sync is not installed.
[09:30:13.233] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[09:30:13.233] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:13.233] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {0c06f9df-c56b-42c4-a41b-f5f64d01a35c}: no registered products found.
[09:30:13.233] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (0c06f9df-c56b-42c4-a41b-f5f64d01a35c)
[09:30:13.233] [  1] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[09:30:13.233] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Command Line Utilities
[09:30:13.233] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:13.233] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {52446750-c08e-49ef-8c2e-1e0662791e7b}: no registered products found.
[09:30:13.233] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Command Line Utilities (52446750-c08e-49ef-8c2e-1e0662791e7b)
[09:30:13.233] [  1] [INFO ] Product Microsoft SQL Server 2012 Command Line Utilities is not installed.
[09:30:13.233] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Express LocalDB
[09:30:13.233] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:13.233] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {c3593f78-0f11-4d8d-8d82-55460308e261}: no registered products found.
[09:30:13.233] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Express LocalDB (c3593f78-0f11-4d8d-8d82-55460308e261)
[09:30:13.233] [  1] [INFO ] Product Microsoft SQL Server 2012 Express LocalDB is not installed.
[09:30:13.233] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Native Client
[09:30:13.233] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:13.233] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {1d2d1fa0-e158-4798-98c6-a296f55414f9}: verified product code {b9274744-8bae-4874-8e59-2610919cd419}.
[09:30:13.233] [  1] [VERB ] Package=Microsoft SQL Server 2012 Native Client , Version=11.4.7001.0, ProductCode=b9274744-8bae-4874-8e59-2610919cd419, UpgradeCode=1d2d1fa0-e158-4798-98c6-a296f55414f9
[09:30:13.233] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Native Client (1d2d1fa0-e158-4798-98c6-a296f55414f9)
[09:30:13.233] [  1] [INFO ] Product Microsoft SQL Server 2012 Native Client (version 11.4.7001.0) is installed.
[09:30:13.233] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[09:30:13.233] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:13.233] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {fb3feca7-5190-43e7-8d4b-5eec88ed9455}: no registered products found.
[09:30:13.233] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (fb3feca7-5190-43e7-8d4b-5eec88ed9455)
[09:30:13.233] [  1] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[09:30:13.233] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connection Tool.
[09:30:13.249] [  1] [WARN ] Failed to read DisplayName registry key: An error occurred while executing the 'Get-ItemProperty' command. Cannot find path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftAzureADConnectionTool' because it does not exist.
[09:30:13.264] [  1] [INFO ] Product Microsoft Azure AD Connection Tool is not installed.
[09:30:13.264] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure Active Directory Connect
[09:30:13.264] [  1] [VERB ] Getting list of installed packages by upgrade code
[09:30:13.264] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {d61eb959-f2d1-4170-be64-4dc367f451ea}: verified product code {79d9d935-fb8c-4e64-8486-253633c32c31}.
[09:30:13.264] [  1] [VERB ] Package=Microsoft Azure AD Connect, Version=1.2.68.0, ProductCode=79d9d935-fb8c-4e64-8486-253633c32c31, UpgradeCode=d61eb959-f2d1-4170-be64-4dc367f451ea
[09:30:13.264] [  1] [INFO ] Determining installation action for Azure Active Directory Connect (d61eb959-f2d1-4170-be64-4dc367f451ea)
[09:30:13.264] [  1] [INFO ] Product Azure Active Directory Connect (version 1.2.68.0) is installed.
[09:30:13.358] [  1] [INFO ] ServiceControllerProvider: GetServiceStartMode(seclogon) is 'Manual'.
[09:30:13.358] [  1] [INFO ] ServiceControllerProvider: verifying EventLog is in state (Running)
[09:30:13.358] [  1] [INFO ] ServiceControllerProvider: current service status: Running
[09:30:13.358] [  1] [INFO ] Checking for DirSync conditions.
[09:30:13.358] [  1] [INFO ] Called SetWizardMode(DirSyncParallelInstall, True)
[09:30:13.358] [  1] [WARN ] MicrosoftOnlinePersistedStateProvider.Save: zero state elements provided, saving an empty persisted state file
[09:30:13.499] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[09:30:13.499] [  1] [INFO ] Starting DirSync flow. dirSyncPresent=False, migrateDirSyncSettings=True, WizardMode=DirSyncParallelInstall
[09:32:37.843] [  1] [INFO ] Page transition from "Welcome" [LicensePageViewModel] to "Upgrade DirSync" [UpgradeFromDirSyncPageViewModel]
[09:32:37.984] [  1] [INFO ] UpgradeFromDirSyncPage: prompting for location of previously exported DirSync settings file.
[09:32:45.830] [  1] [VERB ] Showing exported settings browse dialog.
[09:32:51.096] [  1] [INFO ] Reading exported DirSync settings from file: \\liveds\c$\Users\dst3\Desktop\DirSyncSettings.xml.
[09:32:51.117] [  1] [INFO ] GetConfigurationFromFile: Creating DirSync output directory C:\ProgramData\AADConnect\dirsync
[09:32:51.487] [  1] [INFO ] DirsyncDataProvider ExistingMvObjectCount = 37935.
[09:32:51.487] [  1] [INFO ] DirsyncDataProvider ExistingMvObjectCount=37935
[09:32:51.488] [  1] [INFO ] DirsyncDataProvider: EnableExchangeHybridDeployment = True
[09:32:51.491] [  1] [INFO ] DirSyncDataProvider: DirSync install path from export file = False
[09:32:51.491] [  1] [INFO ] DirSyncDataProvider: DirSync installedAtCustomPath from export file = False
[09:32:51.494] [  1] [INFO ] DirSync was installed using SQL Express hence sqlServer and sqlInstance will be empty
[09:32:51.494] [  1] [INFO ] DirSyncDataProvider: migrated SQL server name = 
[09:32:51.494] [  1] [INFO ] DirSyncDataProvider: migrated SQL instance = 
[09:32:51.496] [  1] [INFO ] DirsyncDataProvider ServiceAccountName=.\MIIS_Service
[09:32:51.496] [  1] [INFO ] DirsyncDataProvider GetServiceAccountConfig: username is in the format of domain\username (.\MIIS_Service). 
[09:32:51.497] [  1] [INFO ] DirsyncDataProvider GetServiceAccountConfig: custom service account: True.
[09:32:51.498] [  1] [INFO ] DirsyncDataProvider.ReadMVConfigData: Reading MV file C:\ProgramData\AADConnect\dirsync\mv.xml
[09:32:51.505] [  1] [INFO ] DirsyncDataProvider.ReadExportedConfig: Reading MA file C:\ProgramData\AADConnect\dirsync\MA-{1D2C95FB-F61F-45A7-B6D5-F4124D5F7002}.XML
[09:32:51.513] [  1] [INFO ] DirsyncDataProvider.ReadExportedConfig: C:\ProgramData\AADConnect\dirsync\MA-{1D2C95FB-F61F-45A7-B6D5-F4124D5F7002}.XML contains the AAD MA data.
[09:32:51.527] [  1] [INFO ] DirsyncDataProvider.ReadExportedConfig: Reading MA file C:\ProgramData\AADConnect\dirsync\MA-{CB7D5198-66E8-49EC-9C0F-406A55FD4317}.XML
[09:32:51.568] [  1] [INFO ] DirsyncDataProvider.ReadExportedConfig: C:\ProgramData\AADConnect\dirsync\MA-{CB7D5198-66E8-49EC-9C0F-406A55FD4317}.XML contains the ADMA data.
[09:32:51.616] [  1] [INFO ] DirsyncDataProvider: PasswordResetEnabled = False
[09:32:51.617] [  1] [INFO ] DirsyncDataProvider: PasswordSyncEnabled = False
[09:32:51.647] [  1] [INFO ] DirsyncDataProvider: imported inclusions/exclusions for (1) partitions.
[09:32:51.715] [  1] [INFO ] CreateDirSyncContext: Enabling staging mode for DirSync Parallel Install.
[09:32:51.715] [  1] [INFO ] CreateDirSyncContext: Will create a new ADMA connector account for parallel install.
[09:32:51.744] [  1] [INFO ] Property ServiceAccountName failed validation with error Enter the credentials of a domain user account
[09:32:51.750] [  1] [INFO ] Property ServiceAccountName failed validation with error The account name must be in the format DOMAIN\username
[09:32:59.085] [  1] [INFO ] UpgradeFromDirSyncPage: proceeding with upgrade (DirSyncParallelInstall).
[09:32:59.085] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.UpgradeFromDirSyncPageViewModel.ValidateSettings in Page:"Upgrade From DirSync"
[09:32:59.085] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:3226
[09:32:59.124] [ 16] [INFO ] SyncEngineSetupViewModel: Validating sync engine settings.
[09:32:59.127] [ 16] [INFO ] Sync engine data directory exists. Checking if the directory is empty.
[09:32:59.131] [ 16] [INFO ] IsManagedServiceAccountSupported: OS > W2008R2
[09:32:59.131] [ 16] [INFO ] IsManagedServiceAccountSupported: True
[09:32:59.136] [ 16] [INFO ] Enter ValidateSqlVersion.
[09:32:59.136] [ 16] [INFO ] Exit ValidateSqlVersion (localdb).
[09:32:59.140] [ 16] [INFO ] Enter ValidateSqlAoaAsyncInstance.
[09:32:59.140] [ 16] [INFO ] Exit ValidateSqlAoaAsyncInstance (localdb).
[09:32:59.141] [ 16] [INFO ] The ADSync database does not exist and will be created.  serverAdmin=True.
[09:32:59.142] [ 16] [INFO ] Attaching to the ADSync database: SQLServerName=DoesNotExist SQLInstanceName= ServiceAccountName=, state=.\MIIS_Service, Collation=, /UseExistingDatabase=False.
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: SQL Server Name being used = 
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: SQL Server Instance name being used = 
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: SqlAoaAsync Mode for the SQL Server Name being used = False
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: SqlAoaAsync Mode for the SQL Server Name being used = False
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: Service Account Name being used = .\MIIS_Service
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: SyncAdminsGroup Name being used = 
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: SyncBrowseGroup Name being used = 
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: SyncOperatorsGroup Name being used = 
[09:32:59.142] [ 16] [INFO ] UpgradeFromDirSyncPage: SyncPasswordResetGroup Name being used = 
[09:32:59.145] [ 16] [INFO ] Starting Prerequisite installation
[09:32:59.148] [ 16] [VERB ] WorkflowEngine created
[09:32:59.151] [ 16] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Visual C++ 2013 Redistributable Package
[09:32:59.151] [ 16] [VERB ] Getting list of installed packages by upgrade code
[09:32:59.151] [ 16] [INFO ] GetInstalledPackagesByUpgradeCode {20400cf0-de7c-327e-9ae4-f0f38d9085f8}: verified product code {a749d8e6-b613-3be3-8f5f-045c84eba29b}.
[09:32:59.152] [ 16] [VERB ] Package=Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005, Version=12.0.21005, ProductCode=a749d8e6-b613-3be3-8f5f-045c84eba29b, UpgradeCode=20400cf0-de7c-327e-9ae4-f0f38d9085f8
[09:32:59.152] [ 16] [INFO ] Determining installation action for Microsoft Visual C++ 2013 Redistributable Package (20400cf0-de7c-327e-9ae4-f0f38d9085f8)
[09:32:59.152] [ 16] [INFO ] Product Microsoft Visual C++ 2013 Redistributable Package (version 12.0.21005) is installed.
[09:32:59.154] [  1] [INFO ] Page transition from "Upgrade DirSync" [UpgradeFromDirSyncPageViewModel] to "Connect to Azure AD" [AzureTenantPageViewModel]
[09:32:59.177] [  1] [INFO ] Property Password failed validation with error A valid domain must be selected.
[09:33:08.285] [ 12] [INFO ] AzureTenantPage: Beginning Windows Azure tenant credential validation for user - fim.admin@mailglyndwrac.onmicrosoft.com
[09:33:08.576] [ 12] [INFO ] AzureConfigurationFromPrincipalName: Successfully resolved UPN (fim.admin@mailglyndwrac.onmicrosoft.com) to the Worldwide Azure instance. 
Resolution Method [AzureInstanceDiscovery]: Cloud Instance Name (microsoftonline.com), Tenant Region Scope (EU), Token Endpoint (https://login.microsoftonline.com/0bba78d8-4f4d-4dd9-9b5a-ee121b116efe/oauth2/token).
[09:33:08.592] [ 12] [INFO ] ResolveAzureInstance [Worldwide]: authority=HTTPS://LOGIN.WINDOWS.NET/MAILGLYNDWRAC.ONMICROSOFT.COM, 
Resolution Method [AzureInstanceDiscovery]: Cloud Instance Name (microsoftonline.com), Tenant Region Scope (EU), Token Endpoint (https://login.microsoftonline.com/0bba78d8-4f4d-4dd9-9b5a-ee121b116efe/oauth2/token).
[09:33:08.607] [ 12] [INFO ] Authenticate-ADAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.WINDOWS.NET/MAILGLYNDWRAC.ONMICROSOFT.COM), resource (https://graph.windows.net), userName (fim.admin@mailglyndwrac.onmicrosoft.com).
[09:33:08.622] [ 12] [INFO ] ADAL: 2019-01-15T09:33:08.6209787Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Clearing Cache :- 0 items to be removed
[09:33:08.622] [ 12] [INFO ] ADAL: 2019-01-15T09:33:08.6229782Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Successfully Cleared Cache
[09:33:08.642] [ 12] [INFO ] ADAL: 2019-01-15T09:33:08.6429809Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[09:33:08.643] [ 12] [INFO ] ADAL: 2019-01-15T09:33:08.6439869Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[09:33:09.102] [ 11] [INFO ] ADAL: 2019-01-15T09:33:09.1022315Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: No matching token was found in the cache
[09:33:09.102] [ 11] [INFO ] ADAL: 2019-01-15T09:33:09.1022315Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: No matching token was found in the cache
[09:33:09.102] [ 11] [INFO ] ADAL: 2019-01-15T09:33:09.1022315Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: No matching token was found in the cache
[09:33:09.102] [ 11] [INFO ] ADAL: 2019-01-15T09:33:09.1022315Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: No matching token was found in the cache
[09:33:09.102] [ 11] [INFO ] ADAL: 2019-01-15T09:33:09.1022315Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: No matching token was found in the cache
[09:33:09.102] [ 11] [INFO ] ADAL: 2019-01-15T09:33:09.1022315Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: No matching token was found in the cache
[09:33:09.119] [ 11] [INFO ] ADAL: 2019-01-15T09:33:09.1192312Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: Sending request to userrealm endpoint.
[09:33:09.468] [ 11] [ERROR] ADAL: 2019-01-15T09:33:09.4684370Z: 1b0d3f6f-2054-4741-baa3-7ed813189f16 - LoggerBase.cs: Exception type: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalClaimChallengeException, ErrorCode: interaction_required, StatusCode: 400 ---> Exception type: System.Net.Http.HttpRequestException ---> Exception type: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException, ErrorCode: {"error":"interaction_required","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'.\r\nTrace ID: 02a3587f-0f2e-4f2d-8294-fb10f5206f00\r\nCorrelation ID: 1b0d3f6f-2054-4741-baa3-7ed813189f16\r\nTimestamp: 2019-01-15 09:33:09Z","error_codes":[50076],"timestamp":"2019-01-15 09:33:09Z","trace_id":"02a3587f-0f2e-4f2d-8294-fb10f5206f00","correlation_id":"1b0d3f6f-2054-4741-baa3-7ed813189f16","suberror":"basic_action"}
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.<GetResponseAsync>d__22`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.<GetResponseAsync>d__21`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendHttpMessageAsync>d__72.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__69.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<CheckAndAcquireTokenUsingBrokerAsync>d__59.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
[09:33:09.473] [ 12] [INFO ] Authenticate-ADAL [AdalError.UserInteractionRequired]: user interaction required to complete authentication.
[09:33:09.473] [ 12] [INFO ] Authenticate-ADAL: acquiring token using interactive authentication.
[09:33:09.486] [ 12] [INFO ] ADAL: 2019-01-15T09:33:09.4864354Z: b2ee3158-bfc1-4174-b2a2-a9658809b4e1 - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[09:33:09.486] [ 12] [INFO ] ADAL: 2019-01-15T09:33:09.4864354Z: b2ee3158-bfc1-4174-b2a2-a9658809b4e1 - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[09:33:35.742] [  6] [INFO ] ADAL: 2019-01-15T09:33:35.7427756Z: b2ee3158-bfc1-4174-b2a2-a9658809b4e1 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 15/01/2019 10:33:35 +00:00
[09:33:35.742] [ 12] [INFO ] Authenticate-ADAL: successfully acquired an access token.  TenantId=0bba78d8-4f4d-4dd9-9b5a-ee121b116efe, ExpiresUTC=15/01/2019 10:33:35 +00:00, UserInfo=fim.admin@MAILGLYNDWRAC.onmicrosoft.com, IdentityProvider=https://sts.windows.net/0bba78d8-4f4d-4dd9-9b5a-ee121b116efe/.
[09:33:35.745] [ 12] [INFO ] AzureTenantPage: attempting to connect to Azure via AAD PowerShell.
[09:33:35.751] [ 12] [INFO ] DiscoverServiceEndpoint [AzurePowerShell]: ServiceEndpoint=https://provisioningapi.microsoftonline.com/provisioningwebservice.svc, AdalAuthority=HTTPS://LOGIN.WINDOWS.NET/MAILGLYNDWRAC.ONMICROSOFT.COM, AdalResource=https://graph.windows.net.
[09:33:35.751] [ 12] [INFO ] AcquireServiceToken [AzurePowerShell]: acquiring service token.
[09:33:35.751] [ 12] [INFO ] Authenticate-ADAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.WINDOWS.NET/MAILGLYNDWRAC.ONMICROSOFT.COM), resource (https://graph.windows.net), userName (fim.admin@mailglyndwrac.onmicrosoft.com).
[09:33:35.752] [ 12] [INFO ] ADAL: 2019-01-15T09:33:35.7527754Z: a67aea58-b6ab-40e9-b830-6b4b42bc7bcd - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[09:33:35.752] [ 12] [INFO ] ADAL: 2019-01-15T09:33:35.7527754Z: a67aea58-b6ab-40e9-b830-6b4b42bc7bcd - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[09:33:35.752] [ 12] [INFO ] ADAL: 2019-01-15T09:33:35.7527754Z: a67aea58-b6ab-40e9-b830-6b4b42bc7bcd - LoggerBase.cs: An item matching the requested resource was found in the cache
[09:33:35.754] [ 12] [INFO ] ADAL: 2019-01-15T09:33:35.7547724Z: a67aea58-b6ab-40e9-b830-6b4b42bc7bcd - LoggerBase.cs: 59.9985998866667 minutes left until token in cache expires
[09:33:35.754] [ 12] [INFO ] ADAL: 2019-01-15T09:33:35.7547724Z: a67aea58-b6ab-40e9-b830-6b4b42bc7bcd - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
[09:33:35.754] [ 12] [INFO ] ADAL: 2019-01-15T09:33:35.7547724Z: a67aea58-b6ab-40e9-b830-6b4b42bc7bcd - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 15/01/2019 10:33:35 +00:00
[09:33:35.754] [ 12] [INFO ] Authenticate-ADAL: successfully acquired an access token.  TenantId=0bba78d8-4f4d-4dd9-9b5a-ee121b116efe, ExpiresUTC=15/01/2019 10:33:35 +00:00, UserInfo=fim.admin@MAILGLYNDWRAC.onmicrosoft.com, IdentityProvider=https://sts.windows.net/0bba78d8-4f4d-4dd9-9b5a-ee121b116efe/.
[09:33:35.755] [ 12] [INFO ] PowerShellHelper.ConnectMsolService: Connecting using an AccessToken. AzureEnvironment=0.
[09:33:39.844] [ 12] [INFO ] AzureTenantPage: successfully connected to Azure via AAD PowerShell.
[09:33:40.904] [ 12] [INFO ] AzureTenantPage: Successfully retrieved company information for tenant 0bba78d8-4f4d-4dd9-9b5a-ee121b116efe.  Initial domain (MAILGLYNDWRAC.onmicrosoft.com).
[09:33:40.908] [ 12] [INFO ] AzureTenantPage: DirectorySynchronizationEnabled=True
[09:33:40.911] [ 12] [INFO ] AzureTenantPage: DirectorySynchronizationStatus=Enabled
[09:33:40.915] [ 12] [INFO ] PowershellHelper: lastDirectorySyncTime=null
[09:33:43.350] [ 12] [INFO ] AzureTenantPageViewModel.GetSynchronizedUserCount: number of synchronized users (max 500) - 500
[09:33:45.316] [ 12] [INFO ] AzureTenantPageViewModel.GetSynchronizedUserCount: number of synchronized users (max 500) - 500
[09:33:45.553] [ 12] [INFO ] AzureTenantPage: Successfully retrieved 6 domains from the tenant.
[09:33:45.553] [ 12] [INFO ] AzureTenantPage: Calling to get the last dir sync time for the current user
[09:33:45.933] [ 12] [INFO ] DiscoverServiceEndpoint [AdminWebService]: ServiceEndpoint=https://adminwebservice.microsoftonline.com/provisioningservice.svc, AdalAuthority=HTTPS://LOGIN.WINDOWS.NET/MAILGLYNDWRAC.ONMICROSOFT.COM, AdalResource=https://graph.windows.net.
[09:33:45.950] [ 12] [INFO ] DiscoverServiceEndpoint [AdminWebService]: ServiceEndpoint=https://adminwebservice.microsoftonline.com/provisioningservice.svc, AdalAuthority=HTTPS://LOGIN.WINDOWS.NET/MAILGLYNDWRAC.ONMICROSOFT.COM, AdalResource=https://graph.windows.net.
[09:33:45.950] [ 12] [INFO ] AcquireServiceToken [AdminWebService]: acquiring service token.
[09:33:45.950] [ 12] [INFO ] Authenticate-ADAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.WINDOWS.NET/MAILGLYNDWRAC.ONMICROSOFT.COM), resource (https://graph.windows.net), userName (fim.admin@mailglyndwrac.onmicrosoft.com).
[09:33:45.951] [ 12] [INFO ] ADAL: 2019-01-15T09:33:45.9519384Z: c8240d40-bcf2-430e-a125-22d3228452ed - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[09:33:45.951] [ 12] [INFO ] ADAL: 2019-01-15T09:33:45.9519384Z: c8240d40-bcf2-430e-a125-22d3228452ed - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[09:33:45.951] [ 12] [INFO ] ADAL: 2019-01-15T09:33:45.9519384Z: c8240d40-bcf2-430e-a125-22d3228452ed - LoggerBase.cs: An item matching the requested resource was found in the cache
[09:33:45.951] [ 12] [INFO ] ADAL: 2019-01-15T09:33:45.9519384Z: c8240d40-bcf2-430e-a125-22d3228452ed - LoggerBase.cs: 59.82864712 minutes left until token in cache expires
[09:33:45.951] [ 12] [INFO ] ADAL: 2019-01-15T09:33:45.9519384Z: c8240d40-bcf2-430e-a125-22d3228452ed - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
[09:33:45.951] [ 12] [INFO ] ADAL: 2019-01-15T09:33:45.9519384Z: c8240d40-bcf2-430e-a125-22d3228452ed - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 15/01/2019 10:33:35 +00:00
[09:33:45.951] [ 12] [INFO ] Authenticate-ADAL: successfully acquired an access token.  TenantId=0bba78d8-4f4d-4dd9-9b5a-ee121b116efe, ExpiresUTC=15/01/2019 10:33:35 +00:00, UserInfo=fim.admin@MAILGLYNDWRAC.onmicrosoft.com, IdentityProvider=https://sts.windows.net/0bba78d8-4f4d-4dd9-9b5a-ee121b116efe/.
[09:33:46.973] [ 12] [INFO ] GetCompanyConfiguration: tenantId=(0bba78d8-4f4d-4dd9-9b5a-ee121b116efe), IsDirSyncing=True, IsPasswordSyncing=False, DomainName=, DirSyncFeatures=56, AllowedFeatures=ObjectWriteback, PasswordWriteback.
[09:33:46.973] [ 12] [INFO ] AzureTenantPage: AdminWebService returned the company information for tenant 0bba78d8-4f4d-4dd9-9b5a-ee121b116efe.
[09:33:46.973] [ 12] [INFO ] AzureTenantPage: AzureTenantSourceAnchorAttribute is mS-DS-ConsistencyGuid
[09:33:47.009] [ 12] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[09:33:47.009] [ 12] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[09:33:47.026] [ 12] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[09:33:47.027] [ 12] [INFO ] AzureTenantPage: Windows Azure tenant credentials validation succeeded.
[09:33:47.035] [  1] [INFO ] Page transition from "Connect to Azure AD" [AzureTenantPageViewModel] to "Connect to AD DS" [ConfigOnPremiseCredentialsPageViewModel]
[09:33:47.043] [  1] [INFO ] Property Username failed validation with error Enterprise Administrator credentials are required
[09:34:43.046] [  1] [INFO ] Property Username failed validation with error The username format is incorrect. Specify the username in the format of DOMAIN\username.
[09:34:48.415] [  1] [INFO ] Property Password failed validation with error A password is required - unless using a Virtual or Managed Service Account .
[09:34:54.825] [  5] [INFO ] ConfigOnPremiseCredentialsPage: Validating credentials for user - domain.LOCAL\user
[09:34:54.858] [  5] [INFO ] ConfigOnPremiseCredentialsPage: LogonUser succeeded for user domain.LOCAL\user
[09:34:54.923] [  5] [INFO ] ActiveDirectoryProvider.GetRootDomainName: getting user root domain name
[09:34:55.033] [  5] [INFO ] ActiveDirectoryProvider.GetRootDomainName: user root domain - domain.local
[09:34:55.041] [  5] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: checking if domain.LOCAL\user has AccountEnterpriseAdminsSid privileges in domain.local
[09:34:55.261] [  5] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: domain sid - S-1-5-21-3267819758-2355104669-2829333711, group sid - S-1-5-21-3267819758-2355104669-2829333711-519
[09:34:55.263] [  5] [INFO ] ActiveDirectoryProvider.GetGroupMembershipSidsForUser: retrieving group membership SIDs from AD
[09:34:55.276] [  5] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: found membership - user is a member of the group
[09:34:55.307] [  5] [INFO ] ValidateCredentials DirSyncUpgrade: The forest name 'domain.local' was successfully matched.
[09:34:55.315] [  5] [INFO ] ConfigOnPremiseCredentialsPage: Validating forest
[09:34:55.323] [  5] [INFO ] Validating forest with FQDN domain.local
[09:34:55.392] [  5] [INFO ] Examining domain domain.local (:0% complete)
[09:34:55.398] [  5] [INFO ] ValidateForest: using DC03.domain.local to validate domain domain.local
[09:34:55.402] [  5] [INFO ] Successfully examined domain domain.local GUID:7b9daeee-d94a-4f27-b354-12c9c98d9f93  DN:DC=domain,DC=local
[09:34:55.437] [  5] [INFO ] ConfigOnPremiseCredentialsPageViewModel: Credentials will be used to administer the AD MA account (DirSync/AADSync/AADConnect Upgrade).
[09:34:55.457] [  5] [INFO ] Page transition from "Connect to AD DS" [ConfigOnPremiseCredentialsPageViewModel] to "Configure" [PerformConfigurationPageViewModel]
[09:34:55.462] [  5] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.BackgroundInitialize in Page:"Ready to configure"
[09:34:55.462] [  5] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:22311
[09:34:56.536] [  5] [VERB ] PerformConfigurationPageViewModel:ExecuteAutoUpgradeCheck: context.WizardMode DirSyncParallelInstall.
[09:34:56.608] [  5] [WARN ] DetermineAutoUpgradeState: AutoUpgrade entering SUSPENDED mode by default.
[09:34:56.608] [  5] [VERB ] PerformConfigurationPageViewModel:ExecuteAutoUpgradeCheck: autoUpgradeState set to Suspended.
[09:34:56.612] [  5] [INFO ] SetAutoUpgradeViaAdhealthRegistrykey: Updated SOFTWARE\Microsoft\ADHealthAgent\Sync\UpdateCheckEnabled registry value to 1
[09:34:56.615] [  5] [INFO ] Restarting Monitoring Agent service.
[09:34:56.617] [  5] [INFO ] ServiceControllerProvider: InvalidOperationException on serviceController.Status property means the service AzureADConnectHealthSyncMonitor was not found
[09:34:56.617] [  5] [WARN ] Monitoring Agent service is not installed, so the service cannot be restarted.
[09:35:03.389] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[09:35:03.389] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[09:35:03.404] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[09:35:03.412] [  1] [INFO ] PersistAzureAffinity: updating Azure affinity to Worldwide (0).  Original value: <not configured>.
[09:35:03.413] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteADSyncConfiguration in Page:"Configuring"
[09:35:03.413] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:24474
[09:35:03.414] [  4] [INFO ] PerformConfigurationPageViewModel.ExecuteADSyncConfiguration: Preparing to configure sync engine (WizardMode=DirSyncParallelInstall).
[09:35:03.427] [  4] [INFO ] PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore: Preparing to install sync engine (WizardMode=DirSyncParallelInstall).
[09:35:03.431] [  4] [INFO ] Starting Sync Engine installation
[09:35:03.478] [  4] [INFO ] SyncEngineSetup: Using custom service account .\MIIS_Service
[09:35:13.318] [  4] [INFO ] IsManagedServiceAccountSupported: OS > W2008R2
[09:35:13.318] [  4] [INFO ] IsManagedServiceAccountSupported: True
[09:35:14.349] [  4] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
   at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
   at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.GetPrincipal(Boolean isDomainController, AccountManagementAdapter localAccountManagementAdapter, AccountManagementAdapter& domainAccountManagementAdapter)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.ResolveSid(Boolean isDomainController)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)
[09:35:24.628] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20190115-093011.log

I have one query related to the Azure Active Directory Email provisions

The AAD provides a self service portal for recovery, where we can update the Email and Phone number by self. Can some one help us know actually where these information are stored in the Azure Active Directory. Because the upfront Email and Phone number in the Azure portal does not reflect these changed information.

I am attaching the document to refer the self service portal

I have a WebApp hosted in azure and Azure AD is used for authentication and i am am able to login to the application. But while calling a Azure Search Service api i am getting CORS error as per below only in MS Edge browser in chrome and IE its working fine.

I have tracked the network and below is my observation: 
When the Azure search service API is called its redirecting to Azure AD authentication and the CORS error is thrown but this rediection is not happening in chrome or IE so no issue in these browsers.

I have already configured my site url to Azure AD and i guess i can't modify the response header of the AD, then how to overcome this issue.

(Note: 1. I have added the CORS url in azure search as well as web app as well as while calling search api. 2. I am not getting this error in chrome or IE)

Error Message: SEC7120: [CORS] The origin 'https://mysiteurl.com' did not find 'https://mysiteurl.com' in the Access-Control-Allow-Origin response header for cross-origin resource at 'https://login.windows.net/ea80952e-a476-42d4-aaf4-5457852b0f7e/oauth2/authorize?response_type=code+id_token&redirect_uri=https%3A%2F%2Fmysiteurl.com%2F.auth%2Flogin%2Faad%2Fcallback&client_id=ca68e724-2c3d-4699-82bc-f8a56efa243a&scope=openid+profile+email&response_mode=form_post&nonce=8c756622bc8f4b02b03adcb41fbab33b_20190108150104&state=redir%3D%252Fapi%252Fsearch'.

My search method:

return fetch("/api/search",
{
mode: "cors",
headers: {"api-key": searchState.config.queryKey,"Access-Control-Allow-Credentials": "true","access-control-allow-origin": "https://mysiteurl.com","Content-Type": "application/json","Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept"
},
method: "POST",
body: JSON.stringify(postBody)
});

What I have tried:

I have added the CORS url in azure search as well as web app

I have Web api which is used by may applications. Now for some analytics purpose  need the app name which is calling my web api.

All applications which are calling my web api are registered in AAD. All clients call my web api with a application generated token. I can get the app id from claims.

I had a solution but i dont want to maintain appid-appname in my config file as these will be changed from environment to environment and its hard to maintain for growing number of clients.

I have created a new Web App Bot in Azure Portal, using Microsoft App Id and Password which was provided by my organization admin, because of my permissions (I don't have Active Directory permissions to register a new application).

I created the bot successfully, but it is not working as expected. The messages are not sent from the bot. As soon as I send the message I got this error in bot output,

Error: Refresh access token failed with status code: 400 at Request._callback 
(D:\home\site\wwwroot\node_modules\botbuilder\lib\bots\ChatConnector.js:697:36) at Request.self.callback 
(D:\home\site\wwwroot\node_modules\request\request.js:185:22) at emitTwo (events.js:106:13) at Request.emit (events.js:191:7) at Request. 
(D:\home\site\wwwroot\node_modules\request\request.js:1161:10) at emitOne (events.js:96:13) at Request.emit (events.js:188:7) at IncomingMessage. 
(D:\home\site\wwwroot\node_modules\request\request.js:1083:12) at IncomingMessage.g (events.js:291:16) at emitNone (events.js:91:20)

Then I tried to troubleshoot the bot authentication, I followed the step provided in this page https://docs.microsoft.com/en-us/azure/bot-service/bot-service-troubleshoot-authentication-problems?view=azure-bot-service-3.0#step-2

Here after the POST request from curl with App Id as client Id and App password as client secret, I got the below error

{    "error": "unauthorized_client",    "error_description": "AADSTS700016: Application with identifier '[AppId]' was not found in the directory 'botframework.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant\r\nTrace ID: fb60c381-afa9-48f4-8946-155a3ab21a00\r\nCorrelation ID: 5f51355a-8e8d-471d-aeba-a286ba620362\r\nTimestamp: 2019-01-10 06:54:24Z",    "error_codes": [700016],    "timestamp": "2019-01-10 06:54:24Z",    "trace_id": "fb60c381-afa9-48f4-8946-155a3ab21a00",    "correlation_id": "5f51355a-8e8d-471d-aeba-a286ba620362"
}

From this one, I understood there is an issue with Bot's AppId and Password.

How can I fix this issue ??

I just found out that it is not possible to clear the attribute "immutableID" anymore.

Is there any new way to achieve this? I use this procedure to convert users from synchronized to cloud.

Hello everyone,

My company has a web app which is supposed to access our clients' websites, log on it, and get data we have to process for them. Lately, one of our clients deployed Azure ADFS. The problem is, we used to log in with a username and a password through a basic HTTP POST request. Now with the SSO we can't have the same process, as the request is redirected to a MS login page, then an adfs prefixed page and finally on the website we were trying to reach in the first place. 

I've read a lot of documentation about it, but I'm really lost in it. My Azure knowledge is pretty much inexistant. Our client gave us credentials (client_id, client_secret) to get an access_token. When I perform the GET request to obtain the token I get one, but I'm asolutely clueless when it comes to using it. I tried accessing the client's website directly with the bearer token as Authorization, I've tried to use it and add the username and password, but I keep being bounced back on the MS login form, never logged in.

If you have any idea or if you could point me in the right direction it would be amazing!

Thanks in advance!