Channel: Azure Active Directory forum

New domain in forest not seen by Azure AD Connect


Hi,

We have an on-premises AD forest synced with Azure by AD Connect (we use only Skype and Teams in the cloud; all the rest is on premise).

Each domain of our forest is a new tree root domain. We don't have sub-domains, but all our domains are at the same level as the root domain of the forest.

The sync of all "past" domains was and still is working fine, but we needed to create a new tree root domain. We want to also synchronize it.

We first ran the Set-ADSyncBasicReadPermissions command to give permissions to the MSOL account on the new domain. When I run the AD Connect configuration tool to customize the sync options and click to refresh the domain list in the domain/OU filtering section, I can see the new domain (with a note indicating "newly added domain"), but I can't browse it to see the OU list. After some time, the configuration tool stops with an unknown error.

Does anyone know what I am missing?

Thanks

Marc


How do I fix this Azure AD Connect Sync Error - AttributeValueMustBeUnique


Greetings

I have this error for a single user in the Sync Service Manager:

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [OnPremiseSecurityIdentifier System.Byte[];ProxyAddresses SMTP:User@domain.com;].  Correct or remove the duplicate values in your local directory.  Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: 1a529055-ab4a-4768-8f0e-6461c7282e14
ExtraErrorDetails:
[{"Key":"ObjectId","Value":["aa2432b7-a013-4528-93b2-0af697c3f3e4"]},{"Key":"ObjectIdInConflict","Value":["9c8dc03b-0f6e-461b-bd7c-e93feb4b0498"]},{"Key":"AttributeConflictName","Value":["OnPremiseSecurityIdentifier"]},{"Key":"AttributeConflictValues","Value":["System.Byte[]"]}]

In the past, I've either had to clear the Immutable ID on the MSOL object or set the Immutable ID on the MSOL object to the Object ID of the on prem object. This option is no longer available as I believe MS has disabled it.

Using the soft match option does not work (setting the proxyAddresses attribute on the on-prem object).

Besides outright deleting the MSOL object in Azure and then running a delta sync, how do I fix this?

Regards
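One way to pin down which objects are colliding, as an added example that is not part of the post: it assumes the ActiveDirectory and MSOnline modules and an open Connect-MsolService session, the GUID is the ObjectIdInConflict value quoted in the error above, and 'jdoe' is a placeholder sAMAccountName.

```powershell
# Added example, not from the post: investigate an AttributeValueMustBeUnique
# export error from both sides of the sync. Assumes the ActiveDirectory and
# MSOnline modules and an existing Connect-MsolService session.
Import-Module ActiveDirectory

# 1. On-premises side: list proxyAddresses values that appear on more than one object.
#    Azure AD rejects an export when an address is already held by another tenant object,
#    and the most common cause is a duplicate in the local directory.
function Find-DuplicateProxyAddresses {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $objects = Get-ADObject -LDAPFilter '(proxyAddresses=*)' -SearchBase $SearchBase `
                            -Properties proxyAddresses
    $index = @{}
    foreach ($obj in $objects) {
        foreach ($addr in $obj.proxyAddresses) {
            # Strip the "SMTP:"/"smtp:" type prefix and compare case-insensitively,
            # so a primary and a secondary alias with the same address still collide.
            $key = $addr.Substring($addr.IndexOf(':') + 1).ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $obj.DistinguishedName
        }
    }
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ Address = $entry.Key; Objects = ($entry.Value -join '; ') }
        }
    }
}

# 2. The ImmutableId Azure AD Connect derives from an on-prem user's objectGUID
#    (base64 of the GUID bytes). Compare it with the cloud object's ImmutableId to see
#    whether the cloud object is anchored to this user, to a different (e.g. recreated)
#    on-prem object, or is cloud-only (null).
function Get-OnPremImmutableId {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    [Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
}

# 3. Cloud side: look up the user named in ObjectIdInConflict and show its identity anchors.
function Get-ConflictingCloudUser {
    param([guid]$ObjectId)
    $cloud = Get-MsolUser -ObjectId $ObjectId -ErrorAction SilentlyContinue
    if (-not $cloud) { return $null }
    [pscustomobject]@{
        UserPrincipalName = $cloud.UserPrincipalName
        ImmutableId       = $cloud.ImmutableId        # $null means cloud-only
        LastDirSyncTime   = $cloud.LastDirSyncTime
        ProxyAddresses    = ($cloud.ProxyAddresses -join '; ')
    }
}

# Usage: the GUID is the ObjectIdInConflict from the post's ExtraErrorDetails;
# 'jdoe' is a placeholder sAMAccountName for the on-prem user that fails to export.
Find-DuplicateProxyAddresses | Format-Table -AutoSize
Get-ConflictingCloudUser -ObjectId '9c8dc03b-0f6e-461b-bd7c-e93feb4b0498'
Get-OnPremImmutableId -SamAccountName 'jdoe'
```

If the cloud user's ImmutableId differs from the value computed for the on-prem user, the two objects are anchored to different source objects, which is the situation a hard-match or soft-match has to resolve.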


I failed to get access token to use azure ad API to get user groups: There was an error issuing a token.

I am trying to get user groups. I implemented SAML but it does not return the user groups.

I have:
Azure AD directory:
Directory id = {directory id}

Enterprise application with SAML authentication that works:

Application id = {enterprise app id}

Application in https://apps.dev.microsoft.com/
Application id = {app id}
Client secret = {secret}

https://login.microsoftonline.com/{directory id}/oauth2/authorize?client_id={enterprise app id}&response_type=code&redirect_uri={uri}&prompt=admin_consent

POST https://login.microsoftonline.com/{directory id}f/oauth2/v2.0/token
Post fields:
grant_type=authorization_code
client_id={enterprise app id}
scope=https://graph.microsoft.com/v1.0/me/memberOf
code=code from previous request
redirect_uri={enterprise app redirect uri}

Response:
AADSTS50000: There was an error issuing a token.

When I try with the {app id} and Client secret I get:

https://login.microsoftonline.com/{directory id}/oauth2/authorize?client_id={app id}&response_type=code&redirect_uri={uri}&prompt=admin_consent

POST https://login.microsoftonline.com/{directory id}f/oauth2/v2.0/token
Post fields:
grant_type=authorization_code
client_id={app id}
scope=https://graph.microsoft.com/v1.0/me/memberOf
code=code from previous request
redirect_uri={app redirect uri}
client_secret={secret}

Got the same error:
There was an error issuing a token.

Invalidating Azure AD Bearer Token on LogOut


Application Implementation Details - My application is structured as follows:

  1. MVC Web Application hosted on Azure Web App.
  2. Angular JS is used at the client side integrated with the web application.
  3. Services are hosted on Azure Service Fabric Cluster.
  4. Authentication is happening using Azure AD.

Service Fabric APIs are hit from angular js files as follows -

  1. After authentication from Azure AD, the bearer access token is received.
  2. This token is added as Authorization header in the AJAX request from js.
  3. The token is retrieved from the header in the API and validated.

Due to the above implementation, the bearer access token is retrievable from the developer tool in browsers. And using this token, unauthorized requests can be made to the APIs from tools like Postman etc. The default expiry of this token is 60 mins.

Problem Statement - I need to invalidate the token once the user logs out of the application. This is to prevent unauthorized access to the APIs.

Question - Need input on how to invalidate or expire this token? Or is there any other approach which can be used to solve this problem?

Authenticator - App lock


To enhance the security in Microsoft Authenticator I enabled App Lock with the assumption that it would prevent the "push approval" from the lock screen without passcode or biometrics; obviously this had no effect at all. The App Lock feature only requires passcode or biometrics if the device is already unlocked. Is this a limitation or a bug?

To summarize, passcode/biometrics is required for authentication if the device is unlocked; approval still works without passcode/biometrics from the lock screen.

Azure AD B2C create application with PowerShell


Hi 

Is it possible to create Azure AD B2C applications with PowerShell?

I need to create a bunch of applications.

It'd be great to have the app id and secret back; I need to put them in my web application config.

Something like this, where the value is a return value:

 <sc.variable name="clientId" value="xXx" />
 <sc.variable name="clientSecret" value="xXx" />

thank you

Azure AD Connect password sync issue on specific forest


Hi

We have Azure AD Connect (1.2.7) installed, and it's syncing user accounts and password hashes to 5 different domains more or less successfully. We do not use password writeback.

We have added a further domain, with the same settings as the other ones. The domain has a single 2012r2 DC.

For this domain, password sync does not work.

I think I can see a possible reason for this, but I'm not sure how to fix it. When I run the AAD Connect troubleshooting tool, it says this specific domain has password writeback enabled (the others do not say this):

Azure AD Connect Password Writeback - Status

SourceConnector: troublesomedomain.internal
TargetConnector: publicdomain.com - AAD
Enabled: True
LatestHeartBeatTime: N/A

I have rerun the wizard, ensuring password writeback is off. It is. Run the script here to reset sync on that connector: https://social.technet.microsoft.com/wiki/contents/articles/28433.how-to-use-powershell-to-trigger-a-full-password-sync-in-azure-ad-sync.aspx

but still it says password writeback is enabled on that connector.

Any ideas on how to turn it off? I suspect that's why the password sync is not working.

How to create Azure AD Connect evaluation for O365 education.


Hello, Members

I would like to create an Azure Active Directory environment for O365 Education.
(BTW, I'm not education staff.)
Can anyone tell me how to create a development/evaluation environment?
(I mean, what subscription should I use?)

I want to evaluate the following.
* Create an AD on-prem. (I already have it)
* Add users (10 ~ 100) into on-prem AD.
* Synchronize users to Azure AD with Azure AD Connect.
* Send/Receive O365 mail (need just one user).

Is Office 365 Business Essentials for that?
Is it possible to create multiple accounts on Azure AD?
(I need only one user for O365 mail)

Best regards.

Trying to implement both OpenID Connect for Azure AD and Forms Authentication in the same ASP.NET Web Forms application

I have an ASP.NET Web Forms application. I have successfully implemented Azure AD authentication by implementing the middleware for OpenID Connect using ADAL.NET.

The requirement from client is that when internet connection is not there the same application should run with forms authentication.

I am facing the following difficulties:

  1. When I specify a default page in web.config (for forms authentication), the Azure AD authentication breaks.
  2. When I do not do as aforementioned, HttpContext.Current.User.IsAuthenticated comes back false.

How to register a centralized application with multiple deployments with Azure AD for Single Sign On

So I am implementing this single sign on feature using Azure AD as the authentication provider. My question is : is it possible to register just one centralized application for potentially multiple deployments?

doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Scenario: I have one core app for potentially multiple deployments, and they all have their unique urls.

 1. abc.com
 2. abc1.com 
 3. abc2.com

The list will go longer, so it is painful if I need to set up the application for each one. Can I get around by just setting one centralized app? 

For the `redirect url` I think I can set up multiple `reply urls`. Or can I?

The difficult part is the `logouturl`: `AAD` only allows one value, so I need to set up a centralized endpoint (logout.com/logout) to receive the logout call and then redirect the call to the associated deployment. (A user logs out from abc.com, `logout.com/logout` is fired, it will then need to identify that the logout happened on abc.com, then it directs the call to abc.com so abc.com can receive it and perform cleanups.)


Who will be announced as the next Azure Active Directory Guru? Read more about March 2019 competition!!



What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in March 2019 and must be in English. However, the original blog or forum content can be from before March 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/write over your Microsoft technical solutions and revelations to TechNet Wiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Rajeesh Menoth.

JAYENDRAN ARUMUGAM

Azure AD Connect stopped the on-premise AD sychronization


Hello!

I am new to the Azure AD technology. I have an AD server with WinSrv 2012R2. I installed Azure AD Connect on it too. I use an ADFS server where the domain has already been federated. When the AD Connect installation finished, the synchronization started immediately, and the user accounts and groups appeared in Azure AD. At that time I could get the synchronization details with Get-ADSyncScheduler and I could use the Start-ADSyncSyncCycle, etc. commands without any error. After a short time, the synchronization stopped. I checked the sync status, but it showed that sync is enabled and the last sync was 13 hours ago. When I open the Synchronization Service Manager and run a Full Synchronization manually, the result is success with no error messages, but the last sync status is still 13 hours in the Azure AD portal. When I want to run the Start-ADSyncSyncCycle command, I get a long error message:

I have no idea.

Azure AD Connect - Unable Sync ( Disconnector objects)


HI Team,

Urgently need your support, as I am facing an issue implementing the Azure AD Connect setup. I have successfully installed Azure AD Connect but am unable to configure it properly.

While syncing objects from on-prem to O365, I found that all objects show as disconnectors (internal domain connector) and cannot be found in the export connector for O365. When I search for an object in the metaverse, it shows only one internal connector and none for the Azure connector.

Could you please suggest where the problem is, why objects go to disconnectors and do not show in the Azure connector in AAD Connect?

I even fixed all objects with the IdFix tool, reinstalled Azure AD Connect, and even installed it on a new machine, but the result is the same.

Thanks

Rajesh Kumar

ADFS 3.0 & "AutoCertificateRollover set to False"


Dear,

I need to double check one thing for ADFS certificates.

Token Sign/Decrypt certificates are about to expire (< 1 month)
Service Com/SSL certificate is about to expire (1 month)

Now, when logging on to Portal.office.com I have a message that states that

"One of your on-premises Federation Service certificates is expiring.
Failure to renew the certificate and update trust properties within 11 days
will result in a loss of access to all O365 services for all users"

Considering that
- all three certs are generated from a CA => none are self-signed.
- "AutoCertificateRollover" is set to False

Will ADFS still generate the new self-signed certificates within this period? (My understanding is no.)
Is that "11 days" the effective value or is it the certificates' expiry date that matters?

Kind regards,
Thanks in advance 

If the provided answer is helpful, please click 'Propose as Answer' Managing Office 365, Identities and Requirements Windows Server Virtualization, Configuration


SAML federation error - try again later?


Greetings all. We are getting a weird error trying to set up a second domain for federation. I already opened a case with MS but am getting nothing helpful so far. Anyone have any additional thoughts?

This URL links to the instructions provided by Gemalto for this solution.

(https://resources.safenetid.com/help/Office%20365/Index.htm#SPInstallation)

These are the steps we followed last fall to successfully federate our other domain domain.online. We are now trying to federate domain.ab.xyz and that is when we receive the error in the attached screen shot.

The commands that I ran are listed below. The variables for this operation came from our instance in Gemalto’s cloud.

Namely Issuer Entity ID is https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA and SingleSignOnService URL is https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA/protocol/saml.

The script that I am attempting to run is listed below along with the variables. There is a cert also provided by Gemalto that is used to authenticate the session to the Safenet cloud. That cert is in the c:\temp\scdoi.crt file.

# Federated domain and the branding name shown to users
$dom = "domain.ab.xyz"
$fedBrandName = "SC-DOI"

# IdP endpoints taken from the Gemalto/SafeNet tenant
$url = "https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA/protocol/saml"
$uri = "https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA"
$logouturl = "https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA/protocol/saml"

# IdP certificate, base64-encoded as Set-MsolDomainAuthentication expects it
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\temp\scdoi.crt"
$certData = [System.Convert]::ToBase64String($cert.RawData)

After these variables are set the command we are instructed to run is:

Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

I believe this is the correct command because it includes the variables that tell O365 to refer auth requests to the portal dictated by the $url, $uri, and $logouturl variables. It is when we run this command that we receive the error in the screenshot. When we performed this identical procedure last September we received no errors and have been using the test domain domain.online successfully.

Thanks all.



Different SID When on AAD Joined Machine?


We use O365, and for the last year have a local AD server that is sync'ed to AAD via Azure AD Connect. All works as it should.

We're doing a trial of AAD Premium, and decided to try joining local machines to Azure AAD instead of to our local domain controller.

Much to my shock and dismay, when an existing domain user joins a machine to AAD and logs in (using his domain credentials, which are being properly replicated by AD Connect)... he's getting assigned a different SID than if that same user domain-joins his machine and logs in using his same domain credentials.

THAT doesn't work very well, when we have files living on a local file server that list him as owner via his *other* (original) SID.

To be clear, this user is "MyDomain\MyName" -- He has a password.  When he domain joins his machine and logs in using username and password, he gets one SID associated with his account.  When he joins his machine to AAD and logs in with the same credentials, he gets a different SID associated with his account.

The authorities for the SIDs are different: His domain-joined SID is the local domain authority, and his AAD-joined SID is AAD.

I'm at a loss to explain this... and, if there's nothing we can do to "fix" this, it could prevent us from migrating our domain completely to AAD (and eventually decommissioning our on-prem DC).

Help??  Please??

Peter


Peter OSR @OSRDrivers -- http://www.osr.com Designers, implementers, and teachers of Windows drivers for more than 20 years

Azure | Script to list licensing mode (Direct or Group)

I am going crazy trying to find a way to document the way my users are licensed.
I cannot find a script on MS or online that will provide username and license mode.
The closest I found was this one from MS, which doesn't show me the username or assigned license:

# The license SKU we are interested in. Use Get-MsolAccountSku to see a list of all identifiers in your tenant
$skuId = "contoso:EMS"

# Find all users that have the SKU license assigned.
# UserHasLicenseAssignedDirectly and UserHasLicenseAssignedFromGroup are helper functions
# defined in the Microsoft group-based licensing PowerShell examples this snippet comes from.
Get-MsolUser -All | where {$_.isLicensed -eq $true -and $_.Licenses.AccountSKUID -eq $skuId} | select `
    ObjectId, `
    @{Name="SkuId";Expression={$skuId}}, `
    @{Name="AssignedDirectly";Expression={(UserHasLicenseAssignedDirectly $_ $skuId)}}, `
    @{Name="AssignedFromGroup";Expression={(UserHasLicenseAssignedFromGroup $_ $skuId)}}
Anything you guys can help me with?
M

Maelito
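A version that reports the username together with the assignment mode, as an added example that is neither the post's nor Microsoft's own script: it assumes the MSOnline module and an open Connect-MsolService session, and uses the SKU name from the post ("contoso:EMS") as a placeholder.

```powershell
# Added example, not from the post: per-user report of how a given SKU is assigned.
# Assumes the MSOnline module and an existing Connect-MsolService session.

# A license is "direct" when it has no group sources, or when the user's own
# ObjectId is listed among the sources (that is how MSOL records a direct assignment).
function Test-LicenseAssignedDirectly {
    param($User, [string]$SkuId)
    foreach ($license in $User.Licenses) {
        if ($license.AccountSkuId -ieq $SkuId) {
            if ($license.GroupsAssigningLicense.Count -eq 0) { return $true }
            foreach ($source in $license.GroupsAssigningLicense) {
                if ($source -ieq $User.ObjectId) { return $true }
            }
            return $false
        }
    }
    return $false
}

# A license is group-based when at least one source is something other than the user.
function Test-LicenseAssignedFromGroup {
    param($User, [string]$SkuId)
    foreach ($license in $User.Licenses) {
        if ($license.AccountSkuId -ieq $SkuId) {
            foreach ($source in $license.GroupsAssigningLicense) {
                if ($source -ine $User.ObjectId) { return $true }
            }
            return $false
        }
    }
    return $false
}

function Get-LicenseAssignmentReport {
    param([string]$SkuId)
    Get-MsolUser -All |
        Where-Object { $_.isLicensed -and ($_.Licenses.AccountSkuId -contains $SkuId) } |
        ForEach-Object {
            $direct = Test-LicenseAssignedDirectly -User $_ -SkuId $SkuId
            $group  = Test-LicenseAssignedFromGroup -User $_ -SkuId $SkuId
            # A user can carry both: a direct assignment that duplicates a group one
            if ($direct -and $group) { $mode = 'Direct+Group' }
            elseif ($direct)         { $mode = 'Direct' }
            elseif ($group)          { $mode = 'Group' }
            else                     { $mode = 'Unknown' }
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                DisplayName       = $_.DisplayName
                SkuId             = $SkuId
                LicenseMode       = $mode
            }
        }
}

# Usage: write the report to CSV so the licensing state is documented over time.
Get-LicenseAssignmentReport -SkuId 'contoso:EMS' |
    Export-Csv -Path .\license-modes.csv -NoTypeInformation
```

Run Get-MsolAccountSku first to pick the exact AccountSkuId string for your tenant; the comparison is case-insensitive but must otherwise match exactly.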

azure ad b2c multi tenant


Hi all,



Just wondering whether you can help with my question below?

Does Microsoft Azure AD B2C support multi-tenant applications? For example,

I created an Azure B2C service called Tenant A and linked the service to my subscription account. Then I created the user TenantAAdmin as an admin (global administrator) for this tenant. This admin user is able to assign or create other users in the Azure AD B2C.

I created another Azure B2C service called Tenant B and linked the service to my subscription account. Then I created the user TenantBAdmin as an admin (global administrator) for this tenant. This admin user is able to assign or create other users in the Azure AD B2C.

I have a service API, e.g. patient health monitoring services; this service API will be used for all tenants. How can I register this web API so that users in Tenant A and users in Tenant B are able to access and use the service?

Regards

Thomas

Multiple IP addresses on failed sign-in attempt


Hi All

I've been reviewing Bad Password Attempts on my work Azure AD tenant and I'm seeing a lot of bad password attempts in the Azure AD Connect Health - AD FS Services blade

For many of these failures there are 2 addresses (1 is external to my LAN and the other is a LAN IP - all the same due to the way that we NAT traffic)

My question is, what is the scenario that would show 2 IP addresses for a single sign-in attempt?

Thanks

Danny
