Channel: Azure Active Directory forum

Strange behavior after moving App Registration from localhost to a server.


I have a web application connecting to Azure for Authentication.

This has been running fine on my local IIS Express instance.

I'm trying to deploy the application out to a server, but I'm running into issues updating the App Registration in Azure.

I've changed the "Homepage URL" and the "Reply URL" from "https://localhost:44343/" to "https://{mySite}/{myApplication}/".

Everything saves fine and the app seems to load correctly, as I'm presented with the Microsoft login page as expected.

In Chrome, after logging in, I'm still redirected back to "https://localhost:44343/". Not sure how that's possible.

In Firefox and IE, after logging in, I'm given an error:

AADSTS500112: The reply address 'http://{mySite}/{myApplication}/' does not match the reply address 'https://{mySite}/{myApplication}/' provided when requesting Authorization code.

It seems to be switching from https to http, but I don't know why this is happening.


Azure AD Identity Protection


I am trying to "onboard" Azure AD Identity Protection. 

I invoked the Azure AD P2 trial and assigned the licence to my user account. When I look in O365 as well as Azure, it shows the license to be active on my account.

While being in Azure, I am trying to onboard Azure AD IP, but I receive a msg "You need an Azure AD Premium2 license to use Azure AD Identity Protection. Click here to learn more." It is behaving like I do not have an Azure P2 license but I do. I logged out, logged back on, no change.

Any advice?

Named Locations / IP Ranges / Configuration


Hi all, I want to set up the Azure web application proxy to expose an internal website to the internet to a specific set of IP addresses. There are about 5 Class C networks and about 3 hosts that I want the websites restricted to; all else should be denied access.

For this type of Azure app proxy setup, should I set up 'Named Locations' and then use Conditional Access to restrict access only to these locations? Going into this, I figured that I could set up one Named Location and add all of the Class C networks and hosts. It looks like a Named Location only supports one IP address or one network. Do I have to create a Named Location for each Class C and each host that I want to restrict the website to?

Is there a better way to have the Azure web app proxy do what I want to do?

Any feedback much appreciated. Thanks all.
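An added example (not from the post, and not Microsoft's code) that models what the restriction above boils down to once it is written out: membership of the client address in a set of CIDR ranges, with each single host expressed as a /32. The addresses are constructed placeholders from documentation ranges. Python's standard ipaddress module does the parsing and also collapses adjacent, aligned ranges, which gives the smallest number of ranges that express the same set, whatever the per-location limit in the portal turns out to be.

```python
"""Evaluate an IP allow list built from Class C networks plus single hosts.

Added example (not from the forum post). The addresses are constructed
placeholders from documentation ranges, not the poster's real networks.
"""
import ipaddress
from typing import Iterable, List, Optional

# Constructed allow list: five Class C (/24) networks and three single hosts.
ALLOWED_ENTRIES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "100.64.1.0/24",
    "100.64.2.0/24",
    "100.64.3.0/24",
    "203.0.113.7",      # bare address: treated as a /32 host entry
    "203.0.113.250",
    "198.18.0.9",
]


def build_allow_list(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings and bare addresses into the minimal set of networks.

    A bare address becomes a /32, so hosts and networks live in one list.
    Adjacent, aligned networks are merged by collapse_addresses(), giving the
    smallest number of ranges that still express exactly the same addresses.
    strict=False accepts an entry with host bits set (e.g. 192.0.2.5/24).
    """
    networks = []
    for index, entry in enumerate(entries):
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(
                f"entry {index} ({entry!r}) is not a valid address or CIDR: {exc}"
            ) from exc
    # collapse_addresses() requires a single address family (all v4 or all v6).
    return list(ipaddress.collapse_addresses(networks))


def matching_network(client_ip: str, networks) -> Optional[str]:
    """Return the allow-list range that contains client_ip, or None (deny)."""
    address = ipaddress.ip_address(client_ip.strip())
    for network in networks:
        if address.version == network.version and address in network:
            return str(network)
    return None


def is_allowed(client_ip: str, networks) -> bool:
    """Default-deny: only an address inside one of the listed ranges passes."""
    return matching_network(client_ip, networks) is not None


if __name__ == "__main__":
    allow = build_allow_list(ALLOWED_ENTRIES)
    print(f"{len(ALLOWED_ENTRIES)} entries collapse to {len(allow)} ranges:")
    for network in allow:
        print("  ", network)
    for probe in ("192.0.2.77", "100.64.3.9", "203.0.113.7", "203.0.113.8", "10.0.0.1"):
        verdict = matching_network(probe, allow)
        print(f"{probe:>15} -> {'allow via ' + verdict if verdict else 'deny'}")
```

Two of the constructed /24s (100.64.2.0 and 100.64.3.0) are adjacent and aligned, so the eight entries collapse to seven ranges; a host next to a listed host (203.0.113.8) is still denied, because a /32 covers exactly one address.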

AD Connect / Hybrid Azure AD Joined / Group policies

Hi,

For a few weeks we have had Microsoft 365 E3 licenses.

To make it possible to activate the Windows 10 Enterprise license on our PCs, we must set up a sync between our local AD and Azure AD.

I did the configuration (with AD Connect), syncing both users and devices from local AD to Azure AD.

Everything is working fine, and the license is activated on my Windows 10 PC (Windows 10 Enterprise subscription is active, Windows is activated).

The problem that I have: on my local AD, there are group policies that prevent devices from running Windows Update, because I do the updates via System Center.

When I run RSOP on my PC, I can still see that the local group policies are in place and active.

Despite that, when I run 'check for updates' on the PCs, the updates are coming in (not from SCCM). Any idea where my local group policy is overruled?

I only have this problem from the moment the PC is 'hybrid Azure AD joined' in Azure AD.

Regards,

wapdv, 1 hour 10 minutes ago

Unable to authenticate Azure Api's for different tenant


I am not able to authenticate to the Azure APIs through my application with an email ID registered under a different domain name. It works for my company email address.

Steps I followed to register the application in AD:
1. Registered an app in Azure Active Directory.
2. Set permission requests to allow the client to access the Azure Resource Manager API.
3. Also enabled the multi-tenanted option.

Authorize URL:
/common/oauth2/authorize?
client_id=XXXXXXXXXXXXXXXXXXXXX
&response_type=code
&redirect_uri=calBackURL
&response_mode=query
&resource=https%3a%2f%2fmanagement.azure.com
&state=12345&prompt=consent

Token URL
/common/oauth2/token?
grant_type=authorization_code
&client_id=xxxxxxxxxx
&code={Code}
&redirect_uri={calBackURL}
&client_secret=xxxxxxxxxx

Could you please help me authenticate to the Azure APIs for a different tenant/multi-tenant.
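An added example (not the poster's code, and not a Microsoft library) covering both this post and the earlier one about the reply URL that flips from https to http. It builds the same /common authorize request shown above, validates the state parameter on the callback, compares the reply URL exactly the way the AADSTS500112 message does (scheme, host and path must all be identical), and shows the token request as a POST body, since OAuth 2 token-endpoint parameters travel in the form body rather than the URL query string. The client id, host and callback path are placeholders, and the TLS-terminating-proxy explanation for the http/https flip is an assumption, not a fact from either post.

```python
"""Authorization-code flow helpers: exact reply-URL matching, state checks
and the token request shape. Added example, not the poster's code; client
ids, hosts and the callback path are placeholders."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
RESOURCE = "https://management.azure.com"   # Azure Resource Manager, as in the post


def new_state() -> str:
    """Unguessable per-request state; bind it to the user's session server-side."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, tenant="common"):
    """Authorize request as in the post; tenant='common' for a multi-tenant app."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "resource": RESOURCE,
        "state": state,
        "prompt": "consent",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?{urlencode(params)}"


def effective_redirect_uri(socket_scheme, host, path, forwarded_proto=None):
    """Reply URL an app builds from the request it actually received.

    Assumption (not from the posts): behind a proxy or load balancer that
    terminates TLS, the app's own socket is plain HTTP, so a redirect_uri
    built from the socket scheme starts with http://. Honouring the
    X-Forwarded-Proto value set by a trusted proxy keeps it https://.
    """
    scheme = forwarded_proto if forwarded_proto in ("http", "https") else socket_scheme
    return f"{scheme}://{host}{path}"


def reply_url_matches(registered, actual):
    """Exact comparison: scheme, host and path must all be identical."""
    r, a = urlsplit(registered), urlsplit(actual)
    return (r.scheme, r.netloc, r.path) == (a.scheme, a.netloc, a.path)


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect, rejecting errors and state mismatch."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Form body for POST {AUTHORITY}/{tenant}/oauth2/token.

    Token-endpoint parameters go in the POST body, not the URL query string,
    and redirect_uri must equal the one sent in the authorize step.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("client-id-placeholder", "https://app.example.com/callback", state))
    print(reply_url_matches("https://app.example.com/callback", "http://app.example.com/callback"))
```

The mismatch the first post quotes is reproduced by the last line: the two URLs differ only in scheme, and the comparison is exact, so the request is rejected.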

Conditional access blocks onedrive from within another app


Something I can't seem to wrap my head around:

Enabled CA for Exchange Online and SharePoint Online to be accessible only from Intune-compliant devices; works great.

On my iPhone I downloaded the SharePoint app, logged in, and that works great. Same for the OneDrive app.

But when I try to access either SharePoint or OneDrive from another app (PDF Expert, to edit PDFs), it gives an error message:

Login failed, please try again later.

When I look at the user sign-ins, I see a successful login from the PDF Expert app, and when I turn off CA for SharePoint Online, I can successfully add both the OneDrive and SharePoint source in the PDF Expert app. I've experimented with the "client apps" and selected everything and nothing, but that makes no difference.

Any ideas where to look further?

Note: currently it's one user who uses this, but exempting that user from CA defeats the purpose of having CA, so that's not an option.

Azure Active Directory (Azure AD) powers Office 365 and Dynamics 365 for Customer Engagement services for employee or internal authentication.

We are carrying out a project; there are two scenarios in this project that allow employees to submit cases to CRM.
One way is to send an email to the public mailbox that has been connected with CRM, and then the email is converted to a case in CRM.
In this scenario, if the sender doesn't exist in CRM, a contact will be automatically created. But the contact doesn't have a username and password to log in to the Portal, so the employee can't log in to the Portal.
The other way is to submit a case in the Portal. Employees need to log in to the Portal in this scenario.
Because these employees are users of O365, I came up with a solution: employees can log in to the Portal via Azure AD.
When employees log in to the Portal via Azure AD, a contact will be automatically created in CRM, and the username is the GUID from Azure AD. However, there is a problem too. Before the employee logs in to the Portal via Azure AD, if the employee has sent an email to the public mailbox, it will create a contact without a username in CRM. Then when he (or she) logs in to the Portal via Azure AD, it will say 'the email is already taken'.
And the CRM is Dynamics 365 for Customer Engagement (Online).
So do you know the solution? Please tell me, thanks a lot.

Is it ok to delegate password reset permission to helpdesk on users OU which is AAD sync enabled ?


Hi folks,

Is it ok to delegate password reset permission to helpdesk on users OU which is AAD sync enabled ?

Thanks

Atul


Can custom password filters be installed on Azure AD instances?

Working on a possible solution for application password synchronization with AD (AD password changes pushed to legacy application which can't use AD/LDAP for authentication). Using a password filter to capture the password to push to the application was our original plan, but several customers are using Azure AD and it's not clear that we would be able to have them install the password filter on a managed Azure AD instance. Is this possible?

get-azureaduser or get-msoluser - unable to query msExchHideFromAddressLists


We are in Exchange Hybrid mode. I need to query the property msExchHideFromAddressLists using Get-MsolUser or Get-AzureADUser. I checked Azure AD Connect and the property is set up to sync. If I hide the mailbox in the on-premises Exchange tool, the mailbox gets hidden online.

Neither of these commands brings back a result:

Get-MsolUser -UserPrincipalName user.name@mycompany.com | Select msExchHideFromAddressLists

Get-AzureADUser -ObjectId user.name@mycompany.com | Select DisplayName, msExchHideFromAddressLists

I am able to see the mailbox is hidden using:

Get-Mailbox -Identity user.name@mycompany.com | Select HiddenFromAddressListsEnabled

Azure AD Connect - Errors enabling SSO


I am in the process of enabling Seamless SSO via Azure AD Connect. AD Connect was already setup and functioning, but without SSO functionality enabled. I have followed the Quick Start guide, but have been halted with an unknown error. 

I can't post links apparently, so 'Bing' Azure AD Connect Quick Start for the documentation link.

The AD Connect client is the latest and greatest, 1.1.880.0. When following Step 2 (enable the feature), I'm immediately given an error after checking 'Enable single sign on' > Next. The wizard throws the error "Cannot retrieve single sign-on status."

I ran through all the troubleshooting guides and haven't found a similar scenario, or explanation for the error. I've now decided to bypass the AD Connect client, and complete this through PS. Again, more errors without much explanation.

When running Get-AzureADSSOStatus, I get no status returned. This I'm guessing is expected, as SSO has not been enabled yet. I then run 'Enable-AzureADSSOForest' with some success...until it deletes the newly created AZUREADSSOACCT object and throws an error.

PS C:\Windows\system32> Enable-AzureADSSOForest -OnPremCredentials $creds -ParentDN "DC=mydomain,DC=com"
[07:20:25.271] [  9] [INFORMATIONAL] CreateComputerAccount: Making sure 'DC=mydomain,DC=com' exists...
[07:20:25.286] [  9] [INFORMATIONAL] No conflicts found for the reserved SPNs and computer account display name.
[07:20:25.286] [  9] [INFORMATIONAL] Creating computer account in DC=mydomain,DC=com (mydomain.com)...
[07:20:25.818] [  9] [INFORMATIONAL] Setting password for computer account with DN 'CN=AZUREADSSOACC,DC=mydomain,DC=com'...
[07:20:25.880] [  9] [INFORMATIONAL] Successfully created computer account with DN 'CN=AZUREADSSOACC,DC= mydomain,DC=com'.
[07:20:26.021] [  9] [INFORMATIONAL] DeleteComputerAccount: Locating SSO computer account with name 'AZUREADSSOACC'...
[07:20:26.036] [  9] [INFORMATIONAL] DeleteComputerAccount: AZUREADSSOACC found in mydomain.com. Deleting...
Enable-AzureADSSOForest : One or more errors occurred.
At line:1 char:1
+ Enable-AzureADSSOForest -OnPremCredentials $creds -ParentDN "DC= mydomain,DC=com"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Enable-AzureADSSOForest], AggregateException
    + FullyQualifiedErrorId : System.AggregateException,Microsoft.KerberosAuth.Powershell.PowershellCommands.EnableAzureADSSOForestCommand

I currently have a ticket open with support, but I haven't gotten any traction yet. Hoping somebody else has experienced this and can shed some light on the problem.

Implementing oAuth2 proxy for secure MS Open Graph API calls.


Hello,

I would like to create a "proxy" application with Visual Studio 2015 (C#) able to get an Access & Refresh Token from the following endpoints (resource=https%3A%2F%2Fgraph.microsoft.com):

Auth: https://login.microsoftonline.com/[TenantID]/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com

Token: https://login.microsoftonline.com/[TenantID]/oauth2/token

I have already configured the App on my Azure portal and tested with Postman, grant_type = Authorization Code (see picture), and it works! For using Microsoft Open Graph for the Planner API I need to get access as a delegated user, so Postman asked me to insert "user & pass" credentials, and after 3600 sec. it asks me to refresh the token again. This is the same behavior I would like to replicate in my "proxy" application, avoiding being asked to insert credentials every time, because it is not a GUI application.

It has to act like a "proxy" between a frontend that will send REST calls to my "proxy" and the MS Open Graph API, which will send back the response.

Could you please suggest which framework / packages (OWIN, DotNetOpenAuth, simple HttpWebRequest, others) are better for my specific case, and a valid step-by-step tutorial?

Thanks.

R. Marco.

Azure Identity Questions


I have two questions from the scenario below.

• How does Azure AD track the authentication methods that the user has set at time of registration?
• Is there a way to pre-stage MFA authentication methods?

Customer is moving to Office 365; they have AD and Exchange on premises today. Customer is going to use AAD Connect to synchronize identities to Azure. Customer will perform password hash synchronization for authentication.

Customer wants to use MFA through Azure Conditional Access for all users who access Microsoft cloud applications externally.

Customer is concerned with pre-staging MFA. Basically their security team does not want any user to set up their MFA settings from an external network with their username and password. Customer wants to force users to use their work phone or their cell phone as the MFA default authentication method. They want the default MFA authentication method to then be preset on all user accounts.

Thank you in advance.

Missing group claim in JWT token when using guest user


I created an application in Azure AD and created several security groups. Now every group ID is known in the application (dotnet core).

e.g.:

[screenshot: appsettings.json]

In Azure AD I have 3 users:

[screenshot: AD users]

When I log in using bart I have the group claims included in the JWT token.

When I log in with dries the groups are not included. dries is using the same groups and application; the only difference I can see is that dries is a guest user.

Do I need to enable something so the application receives the group IDs for guest users as well?

-Bart
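An added example (not the poster's code) that decodes a token's payload and reports whether group membership is carried inline, deferred through the groups overage markers (_claim_names/_claim_sources, or hasgroups), or absent, and flags the guest case by comparing the idp claim with iss, which is how a token for a user homed in another tenant differs from a member's token. The tokens are constructed, unsigned fixtures, and the tenant and group ids are placeholders; signature verification is left to the application's JWT middleware, so this is a diagnostic for the claim shape only.

```python
"""Inspect a JWT for the groups claim, the groups overage marker and the
guest indicator. Added example, not the poster's code; the tokens built
here are constructed and unsigned (alg=none) for offline inspection only.
Real Azure AD tokens are RS256-signed and are verified by the middleware
before any claim is trusted."""
import base64
import json

ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(claims: dict) -> str:
    """Build an unsigned JWT carrying the given claims (test fixture only)."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (diagnostic use)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:   # binascii.Error is a ValueError
        raise ValueError("payload is not base64url-encoded JSON") from exc


def inspect_groups(token: str):
    """Classify how group membership is (or is not) conveyed in the token.

    Returns (status, details):
      'present'  - a groups array is embedded in the token
      'overage'  - too many groups to embed; _claim_names/_claim_sources or
                   hasgroups tell the app to fetch the list from Microsoft Graph
      'missing'  - no group information at all
    details['guest'] is True when idp differs from iss, i.e. the user was
    authenticated by another tenant (a guest) rather than the issuing one.
    """
    claims = decode_claims(token)
    guest = "idp" in claims and claims["idp"] != claims.get("iss")
    if isinstance(claims.get("groups"), list):
        return "present", {"groups": claims["groups"], "guest": guest}
    names = claims.get("_claim_names") or {}
    if "groups" in names or claims.get("hasgroups") is True:
        sources = claims.get("_claim_sources") or {}
        return "overage", {"source": sources.get(names.get("groups"), {}), "guest": guest}
    return "missing", {"guest": guest}


if __name__ == "__main__":
    member = make_test_token({"iss": ISSUER, "sub": "bart", "groups": ["g-1", "g-2"]})
    guest = make_test_token({"iss": ISSUER, "idp": "https://sts.windows.net/other-tenant/", "sub": "dries"})
    for label, token in (("bart", member), ("dries", guest)):
        print(label, inspect_groups(token))
```

Run against the two constructed tokens, the member's token reports the embedded list while the guest's token reports "missing" with guest=True, which is the shape of the symptom described in the post and tells the application which case it is handling before it goes looking at tenant settings.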

Secure LDAPS not sending intermediate chain to client


I produced a pfx file using these instructions:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap-export-pfx

I've confirmed that my intermediate chain is included by running openssl pkcs12 -nokeys -in mycertchain.pfx. I imported it into the Secure LDAP page in the Azure portal and Azure reports that it has enabled secure LDAP. However, on my client, if I use ldp.exe to test the connection it fails with "Error <0x51>: Fail to connect to myserver.domain.com". I then tested using openssl s_client:

openssl s_client -connect myserver.domain.com:636 -debug -CAfile ca.crt

It is reporting that it can't verify the server's certificate, and when I looked through the debug output it shows that the server is only sending the server cert and not the intermediate.
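An added example (not the poster's code or real output) that parses the "Certificate chain" section that openssl s_client prints (the s:/i: subject and issuer lines; -showcerts additionally prints the PEM bodies) and reports where the served chain stops, i.e. the first issuer that neither the server sent nor the trusted CA file supplies. Both transcripts below are constructed: the first shows the symptom described above (server cert only), the second what a server that also sends its intermediate looks like. The CA names and hostname are placeholders.

```python
"""Spot a missing intermediate in the chain a TLS server sends, from the
text output of `openssl s_client`. Added example, not the poster's code or
output; the two transcripts are constructed and certificate bodies omitted."""
import re

CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VERIFY_CODE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)")

# Constructed transcript: the server sends only its own certificate.
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = myserver.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = myserver.domain.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = myserver.domain.com
issuer=CN = Example Issuing CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed transcript: leaf plus intermediate; the root is in the CA file.
WITH_INTERMEDIATE = """\
CONNECTED(00000003)
depth=2 CN = Example Root CA
verify return:1
---
Certificate chain
 0 s:CN = myserver.domain.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = myserver.domain.com
issuer=CN = Example Issuing CA
---
Verify return code: 0 (ok)
"""


def parse_s_client(output):
    """Return (chain, verify): chain is [{'subject', 'issuer'}, ...] in the
    order the server sent it; verify is (code, text) or None."""
    chain, verify, in_chain = [], None, False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Certificate chain":
            in_chain = True
            continue
        if line == "---":
            in_chain = False
            continue
        if in_chain:
            entry = CHAIN_ENTRY.match(raw)
            if entry:
                chain.append({"subject": entry.group(2).strip(), "issuer": None})
                continue
            issuer = ISSUER_LINE.match(raw)
            if issuer and chain:
                chain[-1]["issuer"] = issuer.group(1).strip()
                continue
        code = VERIFY_CODE.match(line)
        if code:
            verify = (int(code.group(1)), code.group(2))
    return chain, verify


def find_chain_gap(output, trusted_ca_subjects):
    """Walk the served chain: each issuer must be the next served subject or a
    subject from the trusted CA file. The first unmet issuer is the gap."""
    chain, verify = parse_s_client(output)
    trusted = set(trusted_ca_subjects)
    missing = None
    for position, cert in enumerate(chain):
        issuer = cert["issuer"]
        if issuer in trusted or issuer == cert["subject"]:
            break                     # reached a trust anchor or a self-signed root
        next_subject = chain[position + 1]["subject"] if position + 1 < len(chain) else None
        if next_subject != issuer:
            missing = issuer          # the server stopped before sending this CA
            break
    return {
        "served": len(chain),
        "complete": bool(chain) and missing is None,
        "missing_issuer": missing,
        "verify": verify,
    }


if __name__ == "__main__":
    for name, transcript in (("leaf only", LEAF_ONLY), ("with intermediate", WITH_INTERMEDIATE)):
        print(name, find_chain_gap(transcript, {"CN = Example Root CA"}))
```

On the first transcript the result names "CN = Example Issuing CA" as the issuer the server never sent, matching the verify return code 21; on the second the walk reaches the trusted root and reports the chain as complete.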


How to connect my domain controller to azure AD


I have my on-premises domain controller and I have created a free tenant account in the Azure portal, and created Azure AD. So how do I use my own on-premises domain controller to connect with Azure AD?

AD Connect Multiple Forest SSO


Trying to figure out how to deploy SSO into a web application for the following scenario.

Domain A (contoso.local): Syncing identities to Azure via AD Connect and leveraging pass-through authentication for various applications.

Domain B (contoso.dom): Hosts the web application that I want users from domain A to be able to SSO into. The web application is published using Azure App Proxy.

- Users have identities in both domains (i.e. testuser@contoso.local & testuser@contoso.dom)

- Web application supports IWA

Looking for guidance around the identity portion specifically, i.e. how to tie both identities into the sole Azure AD instance? What impact, if any, will this have on PSA in Domain A? Is a domain trust required at all?

Does AAD SSO not work for Office ?


We have SSO enabled and it works for signing users into office.com.

It doesn't work for Office 365 desktop. We are still getting the login prompt. My understanding is that it should auto-activate and sign the user in, right?

Skype for Business Online (v2016) is being reported as 'Other Client' in AAD logs despite ADAL and Modern Auth enabled


We are working with Conditional Access policies and found that the Skype for Business client is showing up in AAD logs as 'Skype for Business Online' and as 'Other Client'. We've enabled ADAL and Modern Auth across the board.

I saw mention of AllowAdalForNonLyncIndependentOfLync but it was referencing Office 2013.

https://support.microsoft.com/en-us/help/3082803/allowadalfornonlyncindependentoflync-in-sfb-lync-exchange-online

Unable to add directory in Azure AD Connect because Port 53 on one of the DCs is unavailable


I am trying to install a staging AADC (v1.2.70.0) with Password Hash Synchronization for a company that has 1 AD forest, 5 domains and about 200 DCs across all domains.

I get to the part where I add the directory and after a short while it fails and reports that it can't connect to one of the DCs on port 53. I have confirmed that Port 53 is indeed not available on that DC (possibly because of issues on that DC itself).

I believe this check is only being performed during the initial install, because we have another production AADC server for the same company that is working well, albeit with a lower version of AADC.

Is there a way to bypass this check for this particular DC? Thanks....


