Quantcast
Channel: Azure Active Directory forum
Viewing all 16000 articles
Browse latest View live

User name does not exist Failed Login Attempts from Azure AD Sync server on Domain Controller

February 1, 2019, 9:15 am
$
0
0

Hello All,

Im seeing failed login attempts on our One of our domain controller and all them are originating from Azure AD Sync server. It says that user name "O" does not exist. 

The failed login event is coming from C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe. For some reason it's using partial username and domain. 

Username: O

Event Code: 4625
Subject: User name does not exist

Both domain controller and Azure AD sync server running on Windows 2008 R2. AD Sync client running on 1.2.69

Thank you,
Gopi

Search

Password Protection in Preview Mode

February 19, 2019, 6:13 am
$
0
0
I want to try out the new Azure AD Password Protection service on-prem, but when I go to configure it, everything is greyed out. I do notice that the greyed out values are consistent with the settings in my on-prem Domain Controllers.  Does this mean I have Azure AD in read-only mode? do I have to allow Azure AD to write to my domain controllers first?

Azure AD Hybrid Joined Devices single forest multiple child domains

March 4, 2019, 8:58 am
$
0
0
Hello,

We are about to configure hybrid azure ad join for our client and seems to have some issues on the way.
I tried to contact Microsoft and have not got any answer if our current infrastructure is working as is it today.

We have one forest, lets call it Forest.Local with multiple child domains that we have for our customers for exampel test1.forest.local, test2.forest.local

Most of the client have azure ad connect, syncing device and users etc.
one of our customers want to have hybrid azure ad join with auto enroll in Intune and looks like it gets conflict with wrong SCP since we have one single forest and multiple child domains and we cannot give the azure_adconnect service account enterprise admin since it will be enterprise admin on the whole forest.

What I've done - 
Configuring Hybrid azure ad join in Azure ad Connect
Created GPO to auto enroll in intune
The test machine is 1803
I can see the device in azure ad portal as hybrid azure ad but with no enrollment and no user associate to it.

When I use Enterprise admin for setup is it only for one time use or will it always use Enterprise admin as service account?

Windows 10 Enterprise Azure AD Joined vs Hybrid AD Pro/Cons?

March 4, 2019, 9:24 am
$
0
0


I remember reading that some Windows 10 features only work if the device is native Azure-Joined (not hybrid AD) and other features or use cases require hybrid AD.  I can't find the page where I read that.

Where can I see of which current Windows 10 features require hybrid join and which features require direct join to Azure AD?


Application Proxy Hostnames are Not Guaranteed to be Unique

February 19, 2019, 6:15 pm
$
0
0

When using a custom domain with Azure AD Application Proxy (e.g. "example.com"), the hostnames that Azure AD generates for each application is based off a combination of thesubdomain for the application and the Azure AD tenant name, but does not include the custom domain. This means it's possible for two Azure AD Application Proxy configurations to have the same CNAME with different external URLs.

For example, let's say my Azure AD tenant is registered for "contoso.com", and I have two applications using Azure AD proxy:

  • www.example.com
  • www.sample.com

So, example.com and sample.com are both custom domains registered in my "contoso.com" Azure AD tenant.

Despite this, Azure AD Application Proxy will indicate that I need to create the following CNAME records:

  • "www.example.com" that points to "www-contoso.msappproxy.net".
  • "www.sample.com" that points to "www-contoso.msappproxy.net".

This means that both applications have CNAMEs that point to the same application proxy subdomain and domain, which does not seem correct.

I would think that the way to resolve this is to include the application name or custom domain as a component of the hostname that application proxy generates. So, for example:

  • "www.example.com" that points to "www-example-contoso.msappproxy.net".
  • "www.sample.com" that points to "www-sample-contoso.msappproxy.net".

Access Token Audience is set to Microsoft Graph

March 4, 2019, 10:27 am
$
0
0
Our Access Token's Audience is set to Microsoft Graph(https://graph.microsoft.com00000003-0000-0000-c000-000000000000)
instead of our App's client id. Not sure how that is happening, but the token is being rejected.

How to register a centralized application with multiple deployments with Azure AD for Single Sign On

February 27, 2019, 3:03 am
$
0
0
So I am implementing this single sign on feature using Azure AD as the authentication provider. My question is : is it possible to register just one centralized application for potentially multiple deployments?

doc

Scenario: I have one core app for potentially multiple deployments, and they all have their unique urls.

 1. abc.com
 2. abc1.com 
 3. abc2.com

The list will go longer, so it is painful if I need to set up the application for each one. Can I get around by just setting one centralized app? 

For the `redirect url` I think I can set up multiple `reply urls`. Or can I?

The difficult part is the `logouturl`: `AAD` only allow to set up one value, so I need to set up a centralized endpoint (logout.com/logout) to receive the logout call, and then redirect the call to the associated deployment. ( a user log out from abc.com, `logout.com/logout` is fired, it will then need to identify that the logout happens in abc.com, then it direct the call to abc.com so abc.com can receive and perform cleanups.)


  [1]: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Pass Azure AD API Key via URL

February 26, 2019, 11:19 am
$
0
0

Use Azure AD

User Azure Web App

Azure app is registered with Azure AD

Created API Key

How do I pass the API key via URL to the web app to permit authentication? 


Search

Azure B2C - PFX for SAML applications

February 28, 2019, 8:37 am
$
0
0

I am having trouble generating a PFX according to the document. 

I am trying to use Okta as the Idp and Azure AD B2C as the SP and following the Salesforce documentation. https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-sf-app-custom

I may not have generated a PFX correctly. I tried the Powershell commands on Azure but it did not recognize the New-SelfSignedCertificate as a command and threw back an error. 

I've also tried to generate a PFX without a key and then I get an error when I test the application that said "no private key"

Then, I tried to create a key and PEM: 

openssl req -outform PEM -x509 -nodes -days 365 -newkey rsa:2048 -keyout newkey.key -out certificate.pem

And then used this site to generate a PFX: https://www.sslshopper.com/ssl-converter.html

And get this error after logging into Okta.  "AADB2C: An exception has occurred" Server Alert and no other details.

Do I have to use a PFX instead of just the Okta certificate? How can I generate the PFX and link it to the application?


Windows 10 hybrid azure ad device name appended with $

February 22, 2019, 11:04 am
$
0
0

have a number of Win10 computers joined to my on prem domain and sync'd to Azure AD via AAD Connect.  They are hybrid Azure AD joined via group policy.  I have 1 computer that has a $ appended at the end of it's name on the Intune/Azure AD portal.

What could be the cause for the "$" sign at the end of the name?

Thanks

Christian

Azure hybrid authentication and accounts stored in a database.

March 4, 2019, 7:23 am
$
0
0
Hello, good day to everyone.

I need to develop an app that allows me to authenticate users with their Azure AD account @ mydomain.com, it is also necessary to identify when the account does not belong to the domain search in a BD if the registration exists and generate access to the application in this case I already have a token so that I can access multiple apps on my intranet and mobile apps without having to log in to each of them simply by inheriting the credentials with which I identify myself.

Hervin De La Cruz Bentancourt.

Facing an error configuring Azure Site recovery - VMware to Azure - Insufficient privileges to configure server identity in Active Directory

October 1, 2018, 10:08 am
$
0
0

The long title says it all. Can't upload the screenshot but, I have downloaded the configuration server OVA file, and have installed the server. The Azure Site Recovery tool starts up, and wants me to sign in with an ID to register my server with Azure. I keep getting the error: 

Configuring identity for server in Azure Active Directory 

Insufficient privileges to complete the operation. 

Have tried with many different forms of IDs. It doesn't seem to follow any set pattern. Can anyone tell me exactly WHAT role does an ID require, to be able to create this identity in AAD? I have had no luck with our orginization's ID. I don't want to ask for a global administrator account. 

Any help would be great. 

Can we run paralllel synchronization in AD connect by adding custom connector

February 27, 2019, 4:29 am
$
0
0

Hi All,

In our environment , we have single forest multiple domain AD model , currently AD user and computer sync is configured for 3 domains and one of the domain delta sync activity is taking sometime longer time for more than 2- 3 hours , because of that one of the other domain sync is waiting till the previous domain sync is completed , pls find below sync operation order 

Single synchronisation connector 

domain 1 - 30 mins

domain 2 - 2- 3 hours 

domain 3  - 20 -30 mins 

so to avoid the dependencies , we are creating new sync connector and selecting the required domain and OU and create schedule for the new connector and excluding the OU in the existing connector 

The expected outcome is 

AD sync connector 1 - domain 1, domain 2 

AD sync connector 3 - domain 3 

So can parallel sync schedules can run simultaneously ?? is this supported 

Portal confusion

March 1, 2019, 6:30 am
$
0
0
Hi there, we created a new site called cloud-services@hoodgroup.net, as this was owned by us, it automatically added it to our tenant, and AD users were available. We didnt actually expect this, and wanted the site self contained. I wanted to create 'local users' for the domain management, because if I login to azure.portal.com with my AD login, i cant see any of the apps we have built on cloud-services@hoodgroup.net, we wanted to know if we could login to this without AD passwords, by modifying the URL somewhat to point to the cloud-services. Otherwise we just login to our Office 365 tenant, and no apps. Thanks

Azure MFA Server On-Premises Question

March 1, 2019, 2:46 am
$
0
0

I have a question regarding Azure MFA Server On-Premises.  I work for a company where they have rolled out Office 365 in the US, but we are going to be migrating our UK users to Office 365 within the next 6-12 months.

In the meantime, I would like to enable MFA on our VPN users so one of the solutions we have been looking at is Azure MFA Server.  My question is, can we buy 150 Active Directory P1 licenses to cover the VPN users but not assign the license to a user in Azure AD?  Does the Azure MFA Server on-premises check who is authenticating against on-premises AD and then check if the user has a license in Azure AD to MFA against Azure MFA Server?

The reason for doing this is, I don't want to sync the users or create them manually in Azure AD until we are ready to start migrating to Office 365.

Thanks in advance for any advice.

Robert Milner | Website: http://www.remilner.co.uk | Twitter: @robm82

Search

Unable to Synchronize users from Azure AD to ServiceNow user directory

March 4, 2019, 3:11 pm
$
0
0
I've followed all the instructions for Azure AD to ServiceNow integration and steps for the automatic provisioning. I am able to sync users from Azure AD to ServiceNow prior and somehow it stopped working now. For some unknown reason it is not working and there are no logs to check this. When i create a user in Azure AD and assign ServiceNow application to the user it is not appearing in ServiceNow UD as it appears before even on force sync. Please help.

azure ad b2c multi tenant

March 3, 2019, 3:24 am
$
0
0

Hi all,



Just wondering whether you can help with my question below? O

Does Microsoft Azure AD B2C support multi tenant application? For example,

I created an Azure B2C service call Tenant A, link the service to my subscription account. Then I create the user TenantAAdmin as an admin (global administrator) for this tenant. This admin user be able to assign or create other user in the Azure AD B2C.

I created another Azure B2C service call Tenant B, link the service to my subscription account. Then I create the user TenantBAdmin as an admin (global administrator) for this tenant. This admin user be able to assign or create other user in the Azure AD B2C.

I had an service API e.g. monitor patient health services , this service API will be used for all tenants. How can I register this web API so that users in Tenant A and users in Tenant B are able to access and use the service?

Regards

Thomas

Redirect Portal.azure.com to my own domain

February 28, 2019, 11:17 pm
$
0
0

Hi Team,

Always I am getting More technical things from you guys.

Thanks for your help.

Now I got one request from my team,regarding I have to redirect from Portal.azure.com to my.domain.com.

1st I am going to entered my username on Portal.azure.com that page redirect to my.domain.com then I have to entered my password.

How can I do that and Where I have to enable this?

So please do the needful ASAP.

Thanks & Regards,

  Ravikumar P

Ravikumar Porappan

Azure AD Connect fails to syncronise local changes

February 28, 2019, 9:47 pm
$
0
0

Howdy one and all,

I am having issues getting my local AD to sync changes to Azure. When I change properties of local users, they fail to sync with a rather generic error (ma-extension-error, 0x80230703) that I have thus far been unable to find any concrete information on.

I found one thread referencing it (https://social.technet.microsoft.com/Forums/en-US/d45fc87f-e30b-45e7-97bc-f11439bdfb8c/need-helpuser-profile-sync-error-maextensionerror?forum=sharepointadminprevious) but there seemed to be no real resolution.

I'm hoping someone has seen this error before and might be able to assist.

I am running Windows Server 2012 R2 and have updated AD Connect to the latest version (1.2.70).


Get user profile

January 13, 2019, 10:18 pm
$
0
0

Hello,

We have registered an app by following the document https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code to implement the oAUth 2.0. We are able to integrate the OAuth 2.0 for our application. Now, we want to display the user details[user name, user-id] who logged into our application. Could you please provide us with the API details to fetch the user profile who logged using MSA .

We also tried the document https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0 , which is throwing below error:

{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token validation failure.",
        "innerError": {
            "request-id": "1eb4daaa-6b50-4d9f-b9c9-0cb7f0223a93",
            "date": "2019-01-14T05:41:11"
        }
    }
}

We have not taken permissions for Graph API's which is not required for us.

Kindly provide us with the API details where/How we can fetch user profile.

Note: It's a fresh account where  there is no resurcegroup/resources are exists.


Viewing all 16000 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>