Hi All
I've been reviewing Bad Password Attempts on my work Azure AD tenant and I'm seeing a lot of bad password attempts in the Azure AD Connect Health - AD FS Services blade
For many of these failures there are 2 addresses (1 is external to my LAN and the other is a LAN IP - all the same due to the way that we NAT traffic)
My question is, what is the scenario that would show 2 IP addresses for a single sign-in attempt?
Thanks
Danny
Hello friends,
The purpose of AAD Guest user is giving limited access to non domain / non corporate user - based on his/her email id.
The purpose of AAD B2C is giving access to non domain / non corporate user. So what is the difference ? Can AAD Guest user not be sufficient and accomplish what AAD B2C is trying to accomplish?
Regards,
Snehal.
Hello,
In one of the solution architectures - I proposed to use API Management service to 1.
However one of the colleagues is opposing it stating that the Azure Web Access Firewall can also do the same, so why do we need API Management. Though I dont agree with him, I want to know what is the exact difference and purpose of it?
Can we use WAG instead of API Management?
Regards,
Snehal
Hi all,
I am about to deploy Password Protect for our on-premise AD.
Noting that AAD P1 or P2 license is required for on-prem accounts synced to Azure AD. All our users have AAD P1 so that is find. Also, we have a number of service accounts that requires sync to AAD, but does not have a license.
Would these service accounts require a license? They do not change password normally and have no requirement for global or custom password ban list.
Thanks.
Hi
is it possible to create Azure AD B2C - Applications with powershell?
I nedd to create a bunch of application
it'd be great to have app id and secret back, i need to put them in my web application config
something like this where the value is a return value
<sc.variable name="clientId" value="xXx" />thank you
Hi
We have Azure AD connect (1.2.7) installed, and it's syncing user accounts and password hashes to 5 different domains more or successfully. We do not use password writeback.
We have added a further domain, with the same settings as the other ones. The domain has a single 2012r2 DC.
For this domain, password sync does not work.
I think I can see a possible reason for this, but not sure how to fix it. When I run the AADconnect troubleshooting tool, it says this specific domain has password writeback enable. (the others do not say this)
| SourceConnector: | troublesomedomain.internal |
| TargetConnector: | publicdomain.com - AAD |
| Enabled: | True |
| LatestHeartBeatTime: | N/A |
I have rerun the wizard, ensuring password writeback is off. It is. Run the script here to reset sync on that connector: https://social.technet.microsoft.com/wiki/contents/articles/28433.how-to-use-powershell-to-trigger-a-full-password-sync-in-azure-ad-sync.aspx
but still it says password writeback is enabled on that connector.
Any ideas on how to turn it off? I suspect that's why the password sync is not working.
Is there a way to generate a report of all members in the Roles and administrators section in Azure AD? For example we have Global admins, Exchange admins, Billing admins (etc) - we would like a list of all the users within.
Thank you.
I want to create an AAD tenant for a domain I own. When I try to create the domain, the validation says : 'Already in use by another directory'.
The domain name is quite unusual -- it's unlikely (not impossible of course) that the AAD domain was created by someone else.
Question is: How could I possibly find the AAD, access it, and add it to my Azure Portal?
Assume I can answer any security questions etc that would identify me as the owner.
Use Azure AD
User Azure Web App
Azure app is registered with Azure AD
Created API Key
How do I pass the API key via URL to the web app to permit authentication?
Greeting
I have this error for a single user in the Sync Service Manager:
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [OnPremiseSecurityIdentifier System.Byte[];ProxyAddresses SMTP:User@domain.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.In the past, I've either had to clear the Immutable ID on the MSOL object or set the Immutable ID on the MSOL object to the Object ID of the on prem object. This option is no longer available as I believe MS has disabled it.
Using the soft match option does not work (setting the proxyAddresses attribute on the on prem object)
Besides out right deleting the MSOL object in Azure and then running a delta sync, how do I fix this?
Regards
I would like to know if Azure AD supports remotely authenticating windows laptops / desktops. I have an on prem 2012 R2 domain controller that I am considering integrating with azure ad using azure ad connect but I need to verify that this configuration will allow domain connected remote computers to authenticate windows logins remotely.
If not could you please advise what configuration would work in this scenario?
Thanks in Advance.
#the license SKU we are interested in. use Msol-GetAccountSku to see a list of all identifiers in your tenant
$skuId = "contoso:EMS"
#find all users that have the SKU license assigned
Get-MsolUser -All | where {$_.isLicensed -eq $true -and $_.Licenses.AccountSKUID -eq $skuId} | select `
ObjectId, `
@{Name="SkuId";Expression={$skuId}}, `
@{Name="AssignedDirectly";Expression={(UserHasLicenseAssignedDirectly $_ $skuId)}}, `
@{Name="AssignedFromGroup";Expression={(UserHasLicenseAssignedFromGroup $_ $skuId)}}Maelito
Hello
I try to integrate website to azure AD, I authenticate with saml but it not provide the user groups.
When I try to "Grant admin consent for APP" it open pop up for the permissions I want then it redirect to my server:
https://myserverapp/saml2/acs?admin_consent=True&tenant={id}
What should I do now?
How should I handle this request?
Based on the article below, it sounds like there is an additonal step when having non-routable domain names for your onprem setup. It sounds like if I did a domain name change to match the azure ad domain, that would allow my user's corp credentials to match their Azure AD creds and allow them to access all corp and azure cloud resources with the same credentials (username and password) Is that correct? The goal would be to decom the physical server and leverage Azure AD and Intune or MDM which "should" replace group policy. Or am I way off and regardless if you PHS or PTA or Federate it only sync's the password and doesnt care about the username?
https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn
Hi, anyone knows why being co-administrator of a subscription i can't deploy from a release pipeline in DevOps to a Windows App Service on the very same subscription?
This is the error im getting:
Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation. For troubleshooting refer to https://go.microsoft.com/fwlink/?linkid=835898.
I'm a user in the Active Directory. Should i be admin?
Hi all,
I am about to deploy Password Protect for our on-premise AD.
Noting that AAD P1 or P2 license is required for on-prem accounts synced to Azure AD. All our users have AAD P1 so that is find. Also, we have a number of service accounts that requires sync to AAD, but does not have a license.
Would these service accounts require a license? They do not change password normally and have no requirement for global or custom password ban list.
Thanks.
Hi,
I am creating a Custom Policy in Azure AD B2C, where I'm adding a new Technical Profile using protocol OAuth2.
And I'm configuring the metadata item HttpBinding as "POST" as this documentation - https://docs.microsoft.com/en-us/azure/active-directory-b2c/oauth2-technical-profile - says that this value sets "The expected HTTP binding to the access token
and claims token endpoints.".
However, the Claims token endpoint is being called by GET, not POST. And the access token is being sent to the claims endpoint as a query string parameter.
How can I configure it to pass the access token in the Authorization header (and not in the query string), and call the claims endpoint by POST?
Thanks!
Currently I am implementing the "sign in with Microsoft" feature and potentially the SSO feature. But there seems like a couple of similar ways to achieve a seemingly same goal, and the documentation is not clear enough for me to distinguish them(pros and cons, user scenarios etc). So my questions is are they the same thing? What are they for?
1: Authorize access to Azure Active Directory web
2: How to configure your App Service application to use Microsoft Account login
3: Authentication and authorization in Azure App Service
4: Microsoft Account external login setup with ASP.NET Core
Seems to me the difference among them is some are more focusing on AZURE and some are not. But reading all of these make me actually more confused because I dont know which one to choose from.
