Channel: Azure Active Directory forum

Getting the user PUID: Azure Graph API


I have been using PowerShell to query details of my O365 users. There I get a property called LiveId, which appears to be the PUID. I want to get away from PowerShell, so I used the Azure AD Graph API Helper: http://code.msdn.microsoft.com/windowsazure/Windows-Azure-AD-Graph-API-a8c72e18

This does give me my user list, but the User object does not have the PUID and a few more details which the PowerShell cmdlet is able to give me. Can you please help me with this one?

Thanks,

Karthik


Unable to authenticate Azure Api's for different tenant


I am not able to authenticate to the Azure APIs through my application with an email id registered under a different domain name. It works for my company email address.

Steps I followed to register the application in AD:
1. Registered an app in Azure Active Directory.
2. Set permission requests to allow the client to access the Azure Resource Manager API.
3. Also enabled the multi-tenanted option.

Authorize URL:
/common/oauth2/authorize?
client_id=XXXXXXXXXXXXXXXXXXXXX
&response_type=code
&redirect_uri=calBackURL
&response_mode=query
&resource=https%3a%2f%2fmanagement.azure.com
&state=12345&prompt=consent

Token URL
/common/oauth2/token?
grant_type=authorization_code
&client_id=xxxxxxxxxx
&code={Code}
&redirect_uri={calBackURL}
&client_secret=xxxxxxxxxx

Could you please help us to authenticate to the Azure APIs for a different tenant / multi-tenant.

Building a SaaS product in Azure


We're beginning to build a product that will have internal customers to start but hope to evolve to a SaaS offering to other companies. 

The first challenge is planning directory services.  We'd like to stick with resources available in Azure out of the box but we're struggling to determine if Azure AD, Azure AD B2B or Azure AD B2C can accomplish this. 

Requirements: 

  • External SaaS customer IDs segregated and managed in a separate directory from the company AD. I believe this precludes Azure AD, since there is only 1 directory per tenant, and Azure AD B2B, since its docs say "External users are managed in the same directory as employees".
  • Enforce things like MFA. I know Azure AD P2 supports this, as does B2B, but see above: it doesn't seem like those 2 products will work for us.
  • SaaS customers can use their own IDs (contoso.com) instead of Microsoft Accounts, Facebook, Gmail, etc. So B2C is out?
  • ThreatMetrix-like services (can Azure AD's P2 offering, Identity Protection, compare to ThreatMetrix?)

My understanding is only one Azure AD per tenant, and using Azure B2B the external users will be in the same directory as internal company employees (which won't work for this company's IT group). Do we need to look at some non-Azure directory product like ForgeRock to accomplish this? Or would we need to have a separate deployment of the application for external users in another subscription, so all external users have their own Azure AD?





Handle XML file in Azure Data Factory


I am working with complex XML files and want to use Azure Data Factory for ingestion and further processing of the data. I have tried to use Azure File Storage as well as Blob storage, and neither is working in my case.

Can you please recommend any solution on this?


Azure AD Connect password sync issue on specific forest


Hi

We have Azure AD Connect (1.2.7) installed, and it's syncing user accounts and password hashes from 5 different domains more or less successfully. We do not use password writeback.

We have added a further domain, with the same settings as the other ones. The domain has a single 2012r2 DC.

For this domain, password sync does not work.

I think I can see a possible reason for this, but I'm not sure how to fix it. When I run the AAD Connect troubleshooting tool, it says this specific domain has password writeback enabled (the others do not say this):

Azure AD Connect Password Writeback - Status

SourceConnector: troublesomedomain.internal
TargetConnector: publicdomain.com - AAD
Enabled: True
LatestHeartBeatTime: N/A

I have rerun the wizard, ensuring password writeback is off. It is. I ran the script here to reset sync on that connector: https://social.technet.microsoft.com/wiki/contents/articles/28433.how-to-use-powershell-to-trigger-a-full-password-sync-in-azure-ad-sync.aspx

But still it says password writeback is enabled on that connector.

Any ideas on how to turn it off? I suspect that's why the password sync is not working.

Windows 10 Enterprise Azure AD Joined vs Hybrid AD Pro/Cons?



I remember reading that some Windows 10 features only work if the device is natively Azure AD joined (not hybrid joined) and other features or use cases require hybrid join. I can't find the page where I read that.

Where can I see which current Windows 10 features require hybrid join and which features require direct join to Azure AD?


Different SID When on AAD Joined Machine?


We use O365, and for the last year have had a local AD server that is synced to AAD via Azure AD Connect. All works as it should.

We're doing a trial of AAD Premium, and decided to try joining local machines to Azure AAD instead of to our local domain controller.

Much to my shock and dismay, when an existing domain user joins a machine to AAD and logs in (using his domain credentials, which are being properly replicated by AD Connect)... he's getting assigned a different SID than if that same user domain-joins his machine and logs in using his same domain credentials.

THAT doesn't work very well, when we have files living on a local file server that list him as owner via his *other* (original) SID.

To be clear, this user is "MyDomain\MyName" -- he has a password. When he domain-joins his machine and logs in using username and password, he gets one SID associated with his account. When he joins his machine to AAD and logs in with the same credentials, he gets a different SID associated with his account.

The authorities for the SIDs are different: His domain-joined SID is the local domain authority, and his AAD-joined SID is AAD.

I'm at a loss to explain this... and, if there's nothing we can do to "fix" this, it could prevent us from migrating our domain completely to AAD (and eventually decommissioning our on-prem DC).

Help??  Please??

Peter


Peter OSR @OSRDrivers -- http://www.osr.com Designers, implementers, and teachers of Windows drivers for more than 20 years

Azure AD Connect - Unable Sync ( Disconnector objects)


Hi Team,

I urgently need your support, as I am facing an issue implementing the Azure AD Connect setup. I have successfully installed Azure AD Connect but am unable to configure it properly.

While syncing objects from on-prem to O365, all objects show up as Disconnectors (internal domain connector) and cannot be found in the export connector for O365. When I search for an object in the metaverse, it shows only one internal connector and no Azure connector.

Could you please suggest where the problem is: why the objects go to the disconnector and why no Azure connector is shown in AAD Connect?

I even fixed all objects with the IdFix tool, reinstalled Azure AD Connect, and even installed a new machine, but the results are the same.

Thanks

Rajesh Kumar


Account and Password expiry with Password hash Sync


It seems that when using PHS, if an on-prem account expires or the password expires, the user can still log on to Azure AD. I'm struggling to understand why this is implemented in this manner. I see that the accountExpires attribute is not synced, and password expiration is driven by domain policy rather than a direct flag on the user.

Is there any way around this, i.e. when an account or password expires on-prem, it is reflected in the cloud?

AD Connect - Sync Only Members of Specific Groups


Hi all. New to AD Connect and Azure AD. We would like to start syncing a few on-prem accounts to Azure AD Premium. I would prefer to control the users that are synced using group memberships, i.e. sync a list of users based on their membership in group X rather than their location in the directory (OU).

Is this possible? 


Agent Required for Pass Through Authentication


If using PTA, do we install the PTA agent, or AD Connect, or both?

Azure AD Premium Version for MFA


We are deploying an application which will be accessed by business partners, and we want to secure this using Cloud MFA. What I am unsure of is whether we need Azure AD Premium P1 or P2. I think we can use P1 but am not sure; any help would be appreciated.

Azure AD B2B Collaboration

For paid Azure AD features that are extended to guest users, the inviting tenant will need the appropriate number of Basic or Premium P1 or Premium P2 licences to cover guest users in the ratio of one licence to five users as described above. For example, one Azure AD Basic licence will allow up to five guest users to be set up for Group-based Access Management and Provisioning. For the 6th guest user, you will need another Azure AD Basic licence. Similarly, one Azure AD Premium P1 licence will allow up to five guest users to use the Multi-factor authentication feature (as well as any Azure AD Basic features). For the sixth guest user who uses MFA, you will need a second Azure AD Premium P1 licence.

Secure LDAP connection issues with *.onmicrosoft.com domain


Hi,

My goal is to set up a local office Synology NAS for users to authenticate with their Office 365 logins.
We do not have a VPN to Azure, so I am trying to set up secure LDAP over the internet with the XXX.onmicrosoft.com domain.
I have set up Azure Domain Services using the XXX.onmicrosoft.com domain, created a self-signed certificate, enabled Secure LDAP and LDAP over the internet, and also opened port 636.
I have no problems joining the domain or connecting to LDAP using LDP.EXE from a VM in Azure, but I cannot connect to LDAP from my local office using LDP.EXE with SSL.
How do I need to connect to LDAP from my local office? Do I need to use the secure LDAP external IP or the domain name?

Here is the error output from the LDP tool when I try to connect to LDAP:

ld = ldap_sslinit("bnpfinance.onmicrosoft.lt", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to bnpfinance.onmicrosoft.lt.

Azure MFA Server On-Premises Question


I have a question regarding Azure MFA Server On-Premises.  I work for a company where they have rolled out Office 365 in the US, but we are going to be migrating our UK users to Office 365 within the next 6-12 months.

In the meantime, I would like to enable MFA for our VPN users, so one of the solutions we have been looking at is Azure MFA Server. My question is: can we buy 150 Azure Active Directory P1 licenses to cover the VPN users but not assign the license to a user in Azure AD? Does the on-premises Azure MFA Server check who is authenticating against on-premises AD and then check if the user has a license in Azure AD before doing MFA against Azure MFA Server?

The reason for doing this is, I don't want to sync the users or create them manually in Azure AD until we are ready to start migrating to Office 365.

Thanks in advance for any advice.


Robert Milner | Website: http://www.remilner.co.uk | Twitter: @robm82

Unable to join Azure Windows VM to an “Azure AD Domain Services” domain


I am having difficulty joining an Azure Windows Server 2016 VM to an “Azure AD Domain Services” domain. I think the problem may be that I am not getting my credentials entered correctly when I get prompted for the name and password of an account with permission to join the domain. I have referenced the following document to assist: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-join-windows-vm-portal

Per this note in the document, I have tried both the UPN and SAM account name formats, but I always get "the user name or password is incorrect":

Tip - We recommend using the UPN format to specify credentials. If a user's UPN prefix is overly long (for example, joehasareallylongname), the SAMAccountName might be auto-generated. If multiple users have the same UPN prefix (for example, bob) in your Azure AD tenant, their SAMAccountName format might be auto-generated by the service. In these cases, the UPN format can be used reliably to log on to the domain.

Domain name is like: thisnamexxxxxx.onmicrosoft.com (14-character prefix before ".onmicrosoft.com")

User name is like: myname@whatever.com

When the credential dialog box comes up I have tried all of the following:

  1. Domain listed in box: thisnamexxxxxx.onmicrosoft.com, username: myname
  2. Domain listed in box: thisnamexxxxxx.onmicrosoft.com, username: myname@whatever.com
  3. No domain listed in box, UPN format: myname@thisnamexxxxxx.onmicrosoft.com
  4. No domain listed in box, UPN format: myname@whatever.com@thisnamexxxxxx.onmicrosoft.com
  5. No domain listed in box, SAM format: thisnamexxxxxx.onmicrosoft.com\myname
  6. No domain listed in box, SAM format: thisnamexxxxxx.onmicrosoft.com\myname@whatever.com

None of these work... They all get a NetJoin 1326 error (the user name or password is incorrect).

- thisnamexxxxxx.onmicrosoft.com is listed as my default directory
- I have enabled password synchronization, as these accounts are Azure AD-only accounts
- I am using an account that is in the AAD DC Administrators group
- I have verified and re-verified I am using the correct password...
- I have searched and read many answers to this question but can't seem to find the needed solution

Any help would be greatly appreciated. Thanks.


Azure AD Domain Services


Hi Experts,

An organization with fewer than 200 users is currently migrating all Windows clients to Windows 10 and is thinking about using Azure AD and Azure AD Domain Services to become a "cloud-only infrastructure". However, this organization also currently has an Active Directory domain integrated with DNS, is doing AD sync with Azure AD, and all traditional server applications will be ported to a SaaS-based model. My question: can the on-premise AD infrastructure be decommissioned once they are ready to switch over to Azure?

Azure AD Application Proxy started to return 302 redirect randomly


Hi,

We have been using Azure AD Application Proxy for over a year now, and in the last 2 days it has started to return 302 randomly.

We are accessing our internal WebApi hosted on-premise through the App Proxy's external URL, and we use an access token for authorization.

Starting last Sunday, it started to randomly return 302 Found, with a response that looks like this:

HTTP/1.1 302 Found
Content-Length: 0
Location: https://login.microsoftonline.com/<tenantId>/oauth2/authorize?response_type=id_token&client_id=<clientId>&scope=openid&nonce=e7a73a84-926a-4666-a9b8-bae143c0ad08&response_mode=form_post&redirect_uri=https%3a%2f%2f<externalName>.msappproxy.net%2f&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3atrue%2c%22IsMsofba%22%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2f<externalName>.msappproxy.net%5c%2f<path>%22%2c%22RequestProfileId%22%3a%2269a6ba6c-268e-4ede-9dd8-bdf57c31479c%22%7d%23EndOfStateParam%23
Server: Microsoft-HTTPAPI/2.0
Set-Cookie: AzureAppProxyAnalyticCookie_<......>; path=/
Date: Tue, 05 Mar 2019 16:39:37 GMT

When hitting the url directly in the browser, we can see the redirect to login.microsoftonline.com for a second, then it redirects back to the original url and the request is processed, then we get our expected WebApi response.

There was no redirect before, this is new.

The issue is that when we're making the call programmatically, we set the Authorization: Bearer <access_token> header but we still receive the 302; this is breaking all our applications.

Is anyone aware of an update with potentially breaking changes happening on the Azure side last Sunday?
Maybe something related to Set-Cookie: AzureAppProxyAnalyticCookie being required now?

Any ideas?
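One way to make such a redirect visible to a client instead of silently following it is to decode the state parameter the proxy puts in the Location header. The following is an added example, not code from the original post; SAMPLE_LOCATION is the header quoted above with its placeholders kept, and reading InvalidTokenRetry=true as "the proxy did not accept the presented token" is this example's assumption, not something the post confirms.

```python
"""Decode the AppProxyState carried in an Application Proxy 302 redirect."""
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample: the Location header from the post, placeholders kept.
SAMPLE_LOCATION = (
    "https://login.microsoftonline.com/<tenantId>/oauth2/authorize"
    "?response_type=id_token&client_id=<clientId>&scope=openid"
    "&nonce=e7a73a84-926a-4666-a9b8-bae143c0ad08&response_mode=form_post"
    "&redirect_uri=https%3a%2f%2f<externalName>.msappproxy.net%2f"
    "&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3atrue%2c"
    "%22IsMsofba%22%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2f"
    "<externalName>.msappproxy.net%5c%2f<path>%22%2c%22RequestProfileId%22%3a"
    "%2269a6ba6c-268e-4ede-9dd8-bdf57c31479c%22%7d%23EndOfStateParam%23"
)

# Framing seen in the quoted header: "AppProxyState:{...}#EndOfStateParam#"
STATE_PREFIX = "AppProxyState:"
STATE_SUFFIX = "#EndOfStateParam#"


def is_login_redirect(status, headers):
    """True when a 3xx response points at the Azure AD authorize endpoint."""
    location = headers.get("Location", "")
    host = urlparse(location).netloc.lower()
    return 300 <= status < 400 and host == "login.microsoftonline.com"


def parse_app_proxy_state(location):
    """Return the JSON object embedded in the redirect's state parameter,
    or None when the state is absent or not in the App Proxy framing."""
    raw = parse_qs(urlparse(location).query).get("state", [None])[0]
    if raw is None:
        return None
    if not (raw.startswith(STATE_PREFIX) and raw.endswith(STATE_SUFFIX)):
        return None
    body = raw[len(STATE_PREFIX):-len(STATE_SUFFIX)]
    try:
        return json.loads(body)  # JSON "\/" escapes decode to plain "/"
    except json.JSONDecodeError:
        return None


def classify_redirect(status, headers):
    """Label a response for logging: 'other', 'interactive_login' or
    'token_rejected' (assumption: InvalidTokenRetry=true means the proxy
    did not accept the bearer token it was given)."""
    if not is_login_redirect(status, headers):
        return "other"
    state = parse_app_proxy_state(headers.get("Location", ""))
    if state and state.get("InvalidTokenRetry") is True:
        return "token_rejected"
    return "interactive_login"


if __name__ == "__main__":
    hdrs = {"Location": SAMPLE_LOCATION, "Server": "Microsoft-HTTPAPI/2.0"}
    state = parse_app_proxy_state(SAMPLE_LOCATION)
    print(classify_redirect(302, hdrs), state["OriginalRawUrl"],
          state["RequestProfileId"])
```

A client that logs the RequestProfileId from the decoded state has something concrete to quote when raising the case with Microsoft, rather than an opaque 302.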

sso on kiosk


Hello - our SSOs work GREAT, however not on our kiosk computers (locked down to limited sites).

I set up a simple test and have it down to the proxy settings.

I have *.ultipro.com and *.microsoftonline.com allowed only.

When I go to the site it correctly redirects me to logon.microsoftonline.com... for SSO authentication. I'm expecting to see the SSO logon; instead it just SPINS, no error, nothing.

If I try another address I get the 127.0.0.1:80 error, which is normal.

I hope this makes sense. In short, does SSO not like proxies?



SAML federation error - try again later?


Greetings all. We are getting a weird error trying to set up a second domain for federation. I already opened a case with MS but am getting nothing helpful so far. Anyone have any additional thoughts?

This URL links to the instructions provided by Gemalto for this solution.

(https://resources.safenetid.com/help/Office%20365/Index.htm#SPInstallation)

These are the steps we followed last fall to successfully federate our other domain, domain.online. We are now trying to federate domain.ab.xyz, and that is when we receive the error in the attached screenshot.

The commands that I ran are listed below. The variables for this operation came from our instance in Gemalto's cloud.

Namely, the Issuer Entity ID is https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA and the SingleSignOnService URL is https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA/protocol/saml.

The script that I am attempting to run is listed below along with the variables. There is a cert also provided by Gemalto that is used to authenticate the session to the SafeNet cloud. That cert is in the c:\temp\scdoi.crt file.

# Federation settings supplied by Gemalto; closing quotes restored and curly quotes replaced with straight ones
$dom = "domain.ab.xyz"
$fedBrandName = "SC-DOI"
$url = "https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA/protocol/saml"
$uri = "https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA"
$logouturl = "https://idp.safenetid.com/auth/realms/R8UCZTEN7I-STA/protocol/saml"
# Load the IdP signing certificate and base64-encode its DER bytes for Set-MsolDomainAuthentication
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "c:\temp\scdoi.crt"
$certData = [System.Convert]::ToBase64String($cert.RawData)

After these variables are set, the command we are instructed to run is:

Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -FederationBrandName $fedBrandName -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP -SigningCertificate $certData

I believe this is the correct command because it includes the variables that tell O365 to refer auth requests to the portal dictated by the $url, $uri, and $logouturl variables. It is when we run this command that we receive the error in the screenshot. When we performed this identical procedure last September we received no errors and have been using the test domain domain.online successfully.

Thanks all.



OAuth Issue in applications after 20-30 minutes


We added on-premises applications for remote access through Application Proxy in Azure Active Directory and integrated MFA on ADFS.

After registering the applications in Azure, the applications are throwing the following error:

Access to XMLHttpRequest at 'https://login.microsoftonline.com/**/oauth2/authorize?response_type=code&client_id=**&scope=openid&nonce=**&redirect_uri=https//abc.com%2fAB%2f&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3anull%2c%22IsMsofba%22%3afalse%2c%22OriginalRawUrl:https//abc.com/**RequestProfileId:**EndOfStateParam%23' (redirected from https://abc.xyz.com/......) from origin (redirected from https://abc.xyz.com) has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This error comes after 20-30 minutes of active/inactive usage of the applications. The user opens the application, works on it for around 20-30 minutes, and suddenly, on an AJAX request from the application, the user receives the aforementioned error in the console.
