Channel: Azure Active Directory forum

Joining On Prem Workstations to Azure AD Domain Services


Hi There

Hope someone could provide advice and insight on the following;

Scenario

I have a client which I set up in Azure running two VMs joined to Azure AD DS. These VMs host RDS and SQL Server roles which host the client's LoB applications. In this setup an S2S VPN was configured which gives on-prem users access to the resources stored within the two VMs.

The Network has been setup in Azure with three subnets (Default LAN, AD DS and Gateway).

A few weeks ago this client's on-prem DC failed and has since then been restored from backups. The single DC hosted Roaming Profiles.


Question

I am looking at replacing the onsite DC; however, as Roaming Profiles is a requirement, I would like to know if anyone has been able to connect physical workstations to AD DS? (Given AD DS is a restricted subnet and cannot be reached over the VPN.)

I have been looking at Azure AD and the use of Enterprise State Roaming. Would this be a better option, as roaming is required given the nature of the business?

Many Thanks




Unable to install the synchronization service


Dear Support,

Please help me; I am installing Azure Active Directory Connect.

I have the problem shown in the error log below:

[09:39:48.977] [  7] [INFO ] ServiceControllerProvider: InvalidOperationException on serviceController.Status property means the service AzureADConnectHealthSyncMonitor was not found
[09:39:48.977] [  7] [WARN ] Monitoring Agent service is not installed, so the service cannot be restarted.
[09:39:55.393] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[09:39:55.393] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[09:39:55.396] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[09:39:55.406] [  1] [INFO ] PersistAzureAffinity: updating Azure affinity to Worldwide (0).  Original value: <not configured>.
[09:39:55.408] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteADSyncConfiguration in Page:"Configuring"
[09:39:55.408] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:34321945
[09:39:55.410] [ 13] [INFO ] PerformConfigurationPageViewModel.ExecuteADSyncConfiguration: Preparing to configure sync engine (WizardMode=ExpressInstall).
[09:39:55.412] [ 13] [INFO ] PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore: Preparing to install sync engine (WizardMode=ExpressInstall).
[09:39:55.417] [ 13] [INFO ] Starting Sync Engine installation
[09:40:22.080] [ 13] [INFO ] IsManagedServiceAccountSupported: OS > W2008R2
[09:40:22.080] [ 13] [INFO ] IsManagedServiceAccountSupported: True
[09:40:22.161] [ 13] [INFO ] ServiceControllerProvider: InvalidOperationException on serviceController.Status property means the service ADSync was not found
[09:40:22.407] [ 13] [INFO ] ServiceControllerProvider:CreateService - serviceName:ADSync, username:NT SERVICE\ADSync, assemblyPath:C:\Program Files\Microsoft Azure Active Directory Connect\ADSyncBootstrap.exe
[09:40:22.732] [ 13] [INFO ] ServiceControllerProvider: Processing StartService request for: ADSync
[09:40:22.733] [ 13] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[09:40:22.733] [ 13] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[09:40:22.735] [ 13] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (1).
Exception Data (Raw): System.InvalidOperationException: Cannot start service ADSync on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.Start(String[] args)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[09:40:22.782] [ 13] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[09:40:22.782] [ 13] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[09:40:22.784] [ 13] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (2).
Exception Data (Raw): System.InvalidOperationException: Cannot start service ADSync on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.Start(String[] args)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[09:40:22.784] [ 13] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[09:40:22.784] [ 13] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[09:40:22.786] [ 13] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (3).
Exception Data (Raw): System.InvalidOperationException: Cannot start service ADSync on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.Start(String[] args)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[09:40:22.786] [ 13] [ERROR] ServiceControllerProvider: StartService unable to start service (ADSync). The system event log may contain more details for this issue.
[09:40:25.447] [ 13] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.RemoveMembersFromLocalGroup(SecurityIdentifier groupSid, DirectoryEntry[] members)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.<>c__DisplayClass53_0.<RemoveFromLocalAdministratorsGroup>b__0()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()

Directory Synchronisation issues


I am getting the error: 

Directory synchronisation is currently in a pending disable state for this directory. Please wait until directory synchronisation has been fully disabled before trying again.

I have been waiting for the past 72 hours now. Can someone help?

Assigning o365 licenses through groups is not possible


I am trying to assign o365 licenses through groups in azure portal:

Home > org name > Licenses - Overview > Products > Office 365 ProPlus for students - Licensed groups > Assign license

My problem is that I cannot select any groups, only users.

I have other organizations I manage where I can select groups as well as users.

Federation between two Azure AD B2C instances


Hi,

Is there a way to federate two Azure AD B2C instances (from the same subscription or not)?

I've got an Azure AD B2C with users and I want to be able to sign in (transparently) to a second Azure AD B2C with the users from the first one.

I've tried to create an identity provider (OpenID Connect, which is in preview) but for the moment it isn't working.

Thanks for your help

Edit Employee Number in AzureAD

We'd like to store employee numbers in the employeeID field, however, we cannot figure out a way to edit that field in AzureAD. All the documentation points to using AD sync to synchronize that field from AD, however, we do not have an on-premises AD instance to sync from, our directory is AzureAD. Is there a way to edit and store data in that attribute's field?

Accessing Partner Central: Consent URL doesn't match the URL configured for the application


I am trying to retrieve the billing data from Partner Central through an API call.

But first I'll need some kind of access_token.

From the documentation I got that by executing the following PowerShell code

    $credential = Get-Credential
    $token = New-PartnerAccessToken -Consent -Credential $credential -Resource https://api.partnercenter.microsoft.com -ServicePrincipal

I will get a refresh token and can execute this PowerShell code to retrieve the token

    $refreshToken = 'Enter the refresh token value here'

    $credential = Get-Credential
    $pcToken = New-PartnerAccessToken -RefreshToken $refreshToken -Resource https://api.partnercenter.microsoft.com -Credential $credential -ServicePrincipal

    Connect-PartnerCenter -AccessToken $pcToken.AccessToken -AccessTokenExpiresOn $pcToken.ExpiresOn -ApplicationId $appId


But I can't seem to retrieve the refresh token (first PS commands). When I execute the code I get the Get-Credential login screen where I fill in my Client_ID and Client_secret. Afterwards I get an Azure login page where I fill in my credentials.
But I keep getting this error:


Even when I add the URL "https://api.partnercenter.microsoft.com/" in my Azure AD application settings, under redirect URLs:



Is there some kind of permission I forgot to grant to access the token?
Or am I missing an obvious step?


By adding the redirect URL urn:ietf:wg:oauth:2.0:oob from the suggested setting I did not get a failure anymore. But the token is empty, even though I've granted access to retrieve access_tokens.



AAD v2 Webapp to WebAPI - WebAPI service principal is not created in customers tenant on consent


I have a web app that includes the scopes of a Web API defined in its manifest under the requiredResourceAccess field.

When a customer attempts to login to the webapp, an error is returned.

AADSTS650052: The app needs access to a service [SERVICENAME] that your organization [CUSTOMER TENANT] has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.
Trace ID: a4a34e3f-5d55-4d05-8c73-c8b9981aab00
Correlation ID: 5fd2a2e4-bcc9-40bf-8b88-2fedb55d28c0
Timestamp: 2019-02-04 21:10:59Z:invalid_client

If I register the service principal in the customer's tenant manually, the customer is presented with the consent page with the list of permissions.

The command I use to register the service principal in the customer's tenant: az ad sp create --id [APP ID]



UnsupportedAuthorityValidation | Error when configuring the sample code to use my own Azure AD B2C tenant

I am referring to the link https://azure.microsoft.com/en-in/resources/samples/active-directory-b2c-javascript-msal-singlepageapp/ It works fine for me for the sample tenant but when I am trying to use my own tenant, it throws UnsupportedAuthorityValidation error. All my details i.e. Client ID, Authority, B2C Scopes and webApi are correct and verified. Any help would be much appreciated.

Open LDAP sync to Office 365


Hi Guys,

Is it possible to synchronize the Open LDAP users to Office 365 using Azure AD Connect?

Thanks,


Lawrence

Connect to Azure AD - Creds not Working

Trying to set up Microsoft Azure Active Directory Connect and I'm at the Connect to Azure AD screen. Now the username and password that I'm using to get into the portal are what I'm inputting here, and I'm getting an error about the user name or password being incorrect. What am I missing? The credentials are fine; I can sign into the portal without an issue.

Removing Azure AD registration from AAD and the PC?


I've noticed that when using the AAD portal to remove AD-registered Win10 PCs that it only removes it from AAD and doesn't touch the PC. That is, if you look at the PC later, even rebooted, you'll still see it as "Connected to an Azure AD."  It really isn't though, so you have to disconnect it using the Win10 UI (Settings, Accounts, Access work or school).

Is there a better way?  Perhaps a Powershell command or something?  Once in a while, you'll be on a build of Win10 where, because of a bug, attempting to remove it from the UI doesn't even work, so it's doubly annoying then.

Azure AD B2C and Flask


I'm trying to authenticate my Python Flask app with Azure AD B2C and my user flow (policy). However I keep getting this error:


oauthlib.oauth2.rfc6749.errors.MissingTokenError: (missing_token) Missing access token parameter.
127.0.0.1 - - [07/Feb/2019 17:06:17] "GET /login/azure/authorized?state=g5eLKxWF2kszx5gzF7QfM7KnslPitW&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..EHAU5oTr_dHWEmX9.nQeRzPwRPtTaIS6BK_dJ9AFFfUiNPbQTuYkbb0pbb23zoGfPBjxWVaExr_bSA9TMGq3ixZ4hOhNrxkupAnO9MooCVF10zEM3RBpnsPGcxJjWW26tzC2a_EvA1Xtcgf5vgrwXaX3pE2pXjcM4CAhHraVcsR8vXQzPZe8MASetm9UcvySjbGVyZXFz5GIhURsXMnlezMkGqDkW6XSAl8-LVZit-bomuIaNK-CpaOVau3FfJ0oICs_HqHh-P8qM-tZb2mYFFBG0UbPuEDzrKSZAx6wtIfAjyWEVrJp7k7e2V6YxOvhnmx2Qu3td9OZl5cYYJyeKndiCd3f0mmozj4lul6SEtjdsrTNFCOsuE4JYhhYzyoblGXccDfSl-YA6kunZE5RP3m8qHhfefCEDFpN0Yphu-DBKsbA6sbg_ledys4h0WMpPf2JSDK6BY_Th7cH23EPHtfOSiJK5KVi78la01wv0R-E.MCY61vRgj5Cu6tBBCSGIqw

when trying https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c<name>

I have been able to successfully authenticate to https://login.microsoftonline.com/<tenant>.onmicrosoft.com/oauth2/v2.0/authorize?

Any ideas?

Thanks

Azure Identity Protection missing options from Sign-in Policy controls


Hello!

Started playing with Azure Identity Protection and noticed that I do not have the same options for controls that the MS docs site has: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-sign-in-risk-policy

Image: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/media/howto-sign-in-risk-policy/13.png

I only have "Require password change" under User risk policy when allowing access,
and only have "Require multi-factor authentication" under Sign-in risk policy when allowing access.

Password changes should only occur on On Prem AD not require in Azure AD

Password changes should only occur in on-prem AD and not be required in Azure AD (we don't want two-way). Is there any possibility?

Azure MFA server - conditional access


Hi, 

We have an on-prem MFA server which uses the local Active Directory as primary authentication and Azure MFA service for phone auth. 

This is working fine, however, is it possible to utilise the conditional access settings found in Azure for these logins?

The accounts are being synced to Azure Active Directory using AD Connect.

Regards

Shaun

Migrate Azure Joined Machines to new Tenancy


Hi,

I was wondering if anyone can advise the best way to migrate Azure-joined Windows 10 machines to a new tenancy.

The old tenancy is a cloud-only setup. The new tenancy has on-site AD with Azure AD Connect.

Thanks in advance

Filling Application Registration Form for SAML2 application.


Hi Team, 

We are trying to add our application into Microsoft Azure AD app gallery for SAML2 authentication.

In the process of app listing, there are fields like "Sign-on URL", "Entity ID", "ACS URL", "Relay State" (Specify all the possible values or patterns of sign on URL using comma as separator).

Below are the values which we want to provide for these fields. Wanted to check if these values can be provided or not.

We want to provide pattern for Assertion Consumer Service URL.
“Specify all the possible values or patterns of ACS URL using comma as separator”
Can we specify it like below? We have a multi-tenant system where the sub domain will be different for each tenant.
https://*.webmethodscloud.com/integration/live/saml/ssoResponse,https://*.webmethodscloud.eu/integration/live/saml/ssoResponse,https://*.webmethodscloud.de/integration/live/saml/ssoResponse

For “Sign-on URL” can we specify like below:
https://*.webmethodscloud.com/integration/live/saml/ssoRequest,https://*.webmethodscloud.eu/integration/live/saml/ssoRequest,https://*.webmethodscloud.de/integration/live/saml/ssoRequest

For “Entity ID” can we specify like below:
*.webmethodscloud.com, *.webmethodscloud.eu, *.webmethodscloud.de

For “Relay State” can we specify like below: We will have some alpha numeric characters here. So can we put just “*” to indicate it to accept anything.
*

One more question: can we change these (or add new URLs) in the future if required?

Thanks,
Surya.

Is there any option to create a Azure Germany Tenant?


We currently have the issue that we can't create new Azure Germany tenants with this URL "https://account.windowsazure.de/Home/Index".

Does anybody have an idea how I can create a tenant in Germany?

Unable to create Service Principal with correct permissions to Log Analytics


Hi all

I'm trying to create a Service Principal (SP) with the correct permissions to Log Analytics to allow me to connect with Grafana to create dashboards. Whichever way I create the SP (Portal, CLI, etc.) or use an existing SP, Grafana gives me the below error:

Azure Log Analytics: Forbidden: InsufficientAccessError. The provided credentials have insufficient access to perform the requested operation

I have followed the documentation to create the SP that's in various locations, e.g. https://dev.loganalytics.io/oms/documentation/2-Authorization/1-AAD-Setup or https://docs.microsoft.com/en-us/azure/azure-monitor/platform/grafana-plugin.

The SP has the Log Analytics Contributor role on the workspace itself (as well as the rest of the subscription). The SP has delegated permissions to Read Log Analytics Data as user, and the permissions have been granted. Not sure what I'm missing; I have tried this with different installs of Grafana (local machine and hosted in Azure).

I can connect to Azure Monitor successfully from Grafana using an SP. If I try to use the same SP for Log Analytics I get the above error again. I'm trying to test this out in my MSDN subscription, if that makes any difference.

Happy to provide any other info that might be useful

Thanks
