Channel: Azure Active Directory forum
Viewing all 16000 articles

Windows 10 Azure AD with username domain change


We have recently set up Office 365 along with Azure AD.

We started out using usernames with the default domain name, e.g. bob@ourcompany.onmicrosoft.com, while we were working on validating our own domain, e.g. ourcompany.com.

I set up a few Windows 10 Pro PCs with Azure AD join from the start, signed in as the user above, e.g. bob@ourcompany.onmicrosoft.com.

We finally had our company domain approved/recognized by Office 365/Azure AD, so now we can set up users like bob@ourcompany.com.

So in the Office 365 user admin, I changed bob@ourcompany.onmicrosoft.com to bob@ourcompany.com. I observed that this also propagated to the Azure AD control panel.

Now on my user's Windows 10 machine, the username still shows up as bob@ourcompany.onmicrosoft.com in several places, and in fact it does not seem possible to change this. I did go into the users panel (Settings, Accounts, Your email and accounts), and I can add the new username to the "accounts used by other apps" list, but it seems that I cannot change the account to use the new username for login and get rid of the old one. It also wants to auto-sign the user in as the old username, which no longer seems valid for Office 365 sign-in.

I do not want to lose the user's account data. I just want the domain username to reflect the new selection in Office 365/Azure AD.

Does anyone know how to accomplish this seemingly basic task? Do I unjoin/rejoin Azure AD? (I fear this might actually wipe out the user's local account storage, which is absolutely not what I want.)

Is there some way to trick Windows 10 into "re-syncing" the account data for the user?

Help is appreciated,

Jens


Azure AD + Devices


Hi there,

I'll describe my scenario:

I have Azure AD Premium P2 and started a free trial of Mobility + Security E5 this week.

I have registered a device with MS Intune with a user from the AD.

I have a web app, and configured it to log in from the AD.

Now, I need to know whether a user is logging in to the app through a device, and which one (maybe by getting the device id).

But the claims provided in the ClaimsPrincipal object do not contain that info.

I have tried changing AAD -> App registrations -> Manifest -> optionalClaims (and "acceptMappedClaims": true).

I've tried things like adding "deviceid" or "platf", but nothing changed.

I also tried connecting to the Graph API and getting the logs with /beta/auditLogs/signIns, but it is not instant, so I don't get the critical info in time.

Kind Regards.



Azure AD Connect Health Sync Insights Service terminating frequently!


We are using Azure AD Connect version 1.2.70.0. Recently we noticed that the Azure AD Connect Health Sync Insights Service is getting terminated frequently because its memory utilization exceeds the configured value. The Event Viewer alert is shown below:

"Description: The application requested process termination through System.Environment.FailFast(string message). 
Message: The agent shutdown because the Health module detected that its memory utilization (Private Bytes) is 426.1640625, which is above our configured Threshold of 409.5 MB. MachinePhysicalMemory: 4095, MaxMemoryUsageRatio: 0.1"

The available physical memory is 4 GB. In the configuration file at "C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Insights" the setting is <add key="MaxPercentageMemoryUsage" value="10"/>. It seems to be configured as 10% of 4 GB. Is it safe to increase this value? Are there any conditions we have to keep in mind?

Regards,

Anish


Anish Sam Johnes


Upgraded Azure AD Connect - now getting 8344 errors on Export of local directory


I performed an in-place upgrade of Azure AD Connect to 1.1.561.0.

The export stage of synchronization is throwing an error on 400+ user objects.

Status: Completed - export errors

Permission issue: the Export tab shows error 8344 - Insufficient access rights to perform the operation.

MFA auto approve from incoming calls


Hi,

When I set my account to <Call my authentication phone> for MFA, if I don't answer the phone when the call comes in, the call automatically goes to my voicemail and the connection is approved.
The Microsoft message is "Your signing was successfully verified". This does not happen for all my users; generally, if the user doesn't answer, the connection is rejected, but some users have this issue, like me.

Thank you in advance for your reply !

Conditional access not prompting users for MFA

Hi,

Hoping someone has seen this and can point me in the right direction.

We have a couple of conditional access policies set up in AAD: one that blocks users that aren't on a trusted site and another that allows users access from untrusted locations if MFA is applied. Users are assigned one policy or the other, not both. The block policy works fine, but the MFA policy allows the user to connect regardless of location.

The What If tool shows the users getting the policy correctly based on IP:

Windows10_Allow_Untrusted_MFA
Require multi-factor authentication

And according to the sign-in log, MFA was required and done; the result says:

  • USER: Kathryn Janeway
  • USERNAME: kat.janeway@blahblahblah.com
  • APPLICATION ID: 00000006-0000-0ff1-ce00-000000000000
  • APPLICATION: Microsoft Office 365 Portal
  • CLIENT: ;Windows 10;Edge 16.1629;
  • LOCATION: Somewhere
  • IP ADDRESS: ::Untrusted IP::
  • DATE: 5/17/2018, 8:44:37 AM
  • MFA REQUIRED: Yes
  • MFA AUTH METHOD: (empty)
  • MFA AUTH DETAIL: (empty)
  • MFA RESULT: MFA requirement satisfied by claim in the token
  • SIGN-IN STATUS: Success

I'm obviously missing something, but we need the users to be prompted for MFA every time they sign in when not on one of our sites.
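Added example, not from the post above: a small triage routine that runs over Azure AD sign-in log entries and pulls out exactly the case the poster is seeing, a successful sign-in from an untrusted IP where "MFA REQUIRED" was Yes but the result was satisfied by a claim already in the token rather than by a fresh prompt. The records and the trusted IP range are constructed; the first record mirrors the entry quoted above with a sample IP in place of the redacted one.

```javascript
// Added example (not from the post): triage Azure AD sign-in log entries for
// sign-ins where the MFA policy applied but no fresh challenge took place.
// Field names mirror the sign-in log entry quoted in the post.

// How the "MFA RESULT" field was satisfied.
const FRESH_CHALLENGE = "challenge"; // user completed an MFA prompt in this sign-in
const CLAIM_BASED = "claim";         // policy satisfied by an existing claim, no prompt
const NONE = "none";                 // field empty: MFA not performed at all

function classifyMfaResult(mfaResult) {
  const text = (mfaResult || "").trim().toLowerCase();
  if (text === "") return NONE;
  if (text.includes("satisfied by claim")) return CLAIM_BASED;
  return FRESH_CHALLENGE;
}

// Successful sign-ins from outside the trusted ranges where the policy applied
// but the user was never actually prompted. Trusted ranges are given as
// string prefixes to keep the example short.
function findUnchallengedUntrustedSignIns(records, trustedIpPrefixes) {
  const isTrusted = (ip) => trustedIpPrefixes.some((p) => ip.startsWith(p));
  return records.filter((r) =>
    r.mfaRequired === "Yes" &&
    r.signInStatus === "Success" &&
    !isTrusted(r.ipAddress) &&
    classifyMfaResult(r.mfaResult) !== FRESH_CHALLENGE);
}

// Constructed sample records using documentation IP ranges (RFC 5737).
const SAMPLE_SIGNINS = [
  { username: "kat.janeway@blahblahblah.com", application: "Microsoft Office 365 Portal",
    ipAddress: "203.0.113.7", mfaRequired: "Yes", mfaAuthMethod: "",
    mfaResult: "MFA requirement satisfied by claim in the token", signInStatus: "Success" },
  { username: "kat.janeway@blahblahblah.com", application: "Microsoft Office 365 Portal",
    ipAddress: "203.0.113.7", mfaRequired: "Yes", mfaAuthMethod: "Mobile app notification",
    mfaResult: "MFA completed in Azure AD", signInStatus: "Success" },
  { username: "kat.janeway@blahblahblah.com", application: "Microsoft Office 365 Portal",
    ipAddress: "198.51.100.20", mfaRequired: "Yes", mfaAuthMethod: "",
    mfaResult: "MFA requirement satisfied by claim in the token", signInStatus: "Success" },
];
const TRUSTED_IP_PREFIXES = ["198.51.100."]; // constructed "trusted site" range

// Returns the entries worth a closer look; only the first sample record qualifies.
function sampleFindings() {
  return findUnchallengedUntrustedSignIns(SAMPLE_SIGNINS, TRUSTED_IP_PREFIXES);
}
```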

AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.


Hello developers, I'm using Office 365 authentication. Previously the authentication worked fine, but when I checked today I couldn't authenticate and I received this message:

 5e2eaa6b-f138-xxxxxxx-90bda0701e79 - LoggerBase.cs: ADAL PCL.iOS with assembly version '3.19.8.16603', file version '3.19.8.16603' and informational version '60156f308468ccbe517904fbb43a8a763434aee' is running...
 5e2eaa6b-f138-xxxxxxxxf-90bda0701e79 - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
5e2eaa6b-xxxxxxxx-8a7f-90bda0201e76 - LoggerBase.cs: Loading from cache.
5e2eaa6b-xxxxxxxx-8a7f-90bda0201e76 - LoggerBase.cs: Looking up cache for a token...
5e2eaa6b-xxxxxxxx-8a7f-90bda0201e76 - LoggerBase.cs: No matching token was found in the cache
5e2eaa6b-xxxxxxxx-8a7f-90bda0201e76 - LoggerBase.cs: Looking up cache for a token...
5e2eaa6b-xxxxxxxx-8a7f-90bda0201e76 - LoggerBase.cs: No matching token was found in the cache
5e2eaa6b-xxxxxxxx-8a7f-90bda0201e76 - LoggerBase.cs: Looking up cache for a token...

5e2eaa6b-xxxxxxxx-8a7f-90bda0201e76 Retrying one more time..

5e2eaa6b-xxxxxxxx-8a7f-90bda0201e76 Retry Failed, Exception type: System.Net.Http.HttpRequestException

ntityModel.Clients.ActiveDirectory.AdalServiceException, ErrorCode: invalid_grant, StatusCode: 400 ---> Exception type: System.Net.Http.HttpRequestException ---> Exception type: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException, ErrorCode: {"error":"invalid_grant","error_description":"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\r\nTrace ID: b650aa5e-d131-453d-9ed2-f9b6aa60c500\r\nCorrelation ID: 5e2eaa6b-f138-xxxxxxxx-90bda0701e79\r\nTimestamp: 2019-03-20 16:18:22Z","error_codes":[54005],"timestamp":"2019-03-20 16:18:22Z","trace_id":"b650aa5e-xxxxxxxxxx-9ed2-f9b6aa60c500","correlation_id":"5e2eaa3b-f138xxxxxxx-90bda0701e79"}

Some help please. Thank you.

Azure AD Identity Providers


I have been tinkering with the Azure AD API and it has been fairly simple to use via the MS documentation. The API calls are around user management, add/update/remove, in addition to granting users access to our PowerBI footprint by adding this into a specific Azure AD Group. I noticed there is also an API for Identity Providers and I am wondering what that is capable of.

Specifically, is it possible to configure Azure AD to use an external IdP for user authentication? For example, if I wanted to support an SSO scenario where a user is already logged into an external web application but then wants to SSO into the Power BI dashboard to manage reports. The thought is that when the user navigates to the Power BI dashboard, Power BI would hit Azure AD and Azure AD (maybe via a configured identity provider?) would redirect the authentication to the external IdP to authenticate the user. If the user was not already authenticated, they would be redirected to the login page managed by the IdP.

I apologize if I am not explaining this well enough for anyone to provide an answer, so if there are other questions that can help reduce confusion please let me know. This is a bit of a new area for me, so I have been trying to figure out as much as I can prior to posting this question.

Kind regards.


AD Application was not found in the AD B2C directory


Hello,

I was following this tutorial, docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers, but when I go to test it I get the following message:

Application with identifier 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' was not found in the directory 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

where xxxx... is the "Azure Active Directory application" I created in my default subscription directory, where I have my Azure AD,

and yyyy... is the directory I created for my AD B2C tenant.

The tutorial doesn't mention anything about permissions, and I created everything using the MS account that is the admin for all of my Azure accounts. I am not really sure how to resolve this issue; can someone point me in the right direction?


Users and Roles for Native Applications

Why is the Users and Groups feature turned off for Native Applications?

Authorize User against Azure AD Group in SPA (React JS)


We want to authorize a user against an Azure AD group in a SPA (React JS); i.e. a user is allowed to access the API from the SPA if he/she belongs to a particular group (e.g. testgroup). I found sample code in MSAL.js.

I'm following these steps:

  • Create a UserAgentApplication object
  • Call loginPopup (here the Graph scope is "Directory.Read.All")
  • Call acquireTokenSilent (get an access token to call the MS Graph API)
  • Call MS Graph to retrieve all AD groups the user belongs to; the URL to get the AD groups is https://graph.microsoft.com/v1.0/me/memberOf
  • After receiving the AD groups the user belongs to, validate whether the user belongs to that AD group (here, testgroup)

Please suggest whether I am going in the right direction or whether other options are available. I'd appreciate any sample code on group claims in Azure AD for a SPA (React JS).

Thanks for your suggestion.

Regards,

Deb
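Added example for the last two steps above, not code from the post or from the MSAL.js sample: it takes the JSON pages that https://graph.microsoft.com/v1.0/me/memberOf returns and decides whether the user is in a given group. The response pages are constructed; in the SPA they would come from fetch() with the token returned by acquireTokenSilent, and `fetchJson` is an assumed helper, not an MSAL.js API.

```javascript
// Added example (not from the post or the MSAL.js sample): group membership
// check over /me/memberOf responses.

const GROUP_TYPE = "#microsoft.graph.group";

// memberOf returns directory objects of several kinds (groups but also
// directory roles) and pages large results with @odata.nextLink, so filter
// by type and walk every page.
function* iterateGroups(pages) {
  for (const page of pages) {
    for (const obj of page.value || []) {
      if (obj["@odata.type"] === GROUP_TYPE) yield obj;
    }
  }
}

// Match on the group's object id, not its displayName: display names are not
// unique in a tenant, so a second group named "testgroup" must not grant access.
function isMemberOfGroup(pages, groupId) {
  for (const group of iterateGroups(pages)) {
    if (group.id === groupId) return true;
  }
  return false;
}

// Follow @odata.nextLink until all pages are collected. memberOf lists direct
// memberships only; use /me/transitiveMemberOf if nested groups must count.
// fetchJson(url) is assumed to GET the URL with the bearer token and return JSON.
async function fetchAllMemberOfPages(fetchJson) {
  const pages = [];
  let url = "https://graph.microsoft.com/v1.0/me/memberOf";
  while (url) {
    const page = await fetchJson(url);
    pages.push(page);
    url = page["@odata.nextLink"];
  }
  return pages;
}

// Constructed two-page response: a directory role and a same-named decoy group
// on page one, the real target group on page two. All ids are placeholders.
const TESTGROUP_ID = "11111111-1111-1111-1111-111111111111";
const SAMPLE_PAGES = [
  { "@odata.nextLink": "https://graph.microsoft.com/v1.0/me/memberOf?$skiptoken=page2",
    value: [
      { "@odata.type": "#microsoft.graph.directoryRole",
        id: "22222222-2222-2222-2222-222222222222", displayName: "Global Reader" },
      { "@odata.type": "#microsoft.graph.group",
        id: "33333333-3333-3333-3333-333333333333", displayName: "testgroup" } ] },
  { value: [
      { "@odata.type": "#microsoft.graph.group",
        id: TESTGROUP_ID, displayName: "testgroup" } ] },
];
```

This check only decides what the SPA shows; the API must enforce group membership itself from the token it receives (for example a groups claim or its own Graph call), since anything in the browser can be bypassed.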

Can Not enable Azure SSO


Hi,

I'm trying to enable Azure Seamless Single Sign-On, but I can't get it to work using AD Connect or through PowerShell.

If I try it through AD Connect, after I enter my domain admin credentials I get the error: An error occurred while locating computer account.

If I try it through PowerShell I get the error below. I know it's not a bad username/password; MFA is enabled for my admin account, but MFA is not active when I'm working inside the network.

PS C:\Program Files\Microsoft Azure Active Directory Connect> Enable-AzureADSSOForest

cmdlet Enable-AzureADSSOForest at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
OnPremCredentials
[16:38:08.316] [  8] [INFORMATIONAL] GetDefaultWellKnownContainer: Attempting to look up the default well-known containe
r...
Exception Data (Raw): System.Security.Authentication.AuthenticationException: The user name or password is incorrect.
 ---> System.DirectoryServices.DirectoryServicesCOMException: The user name or password is incorrect.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry
 directoryEntry, String propertyName)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry
 directoryEntry, String propertyName)
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at Microsoft.KerberosAuth.KerberosAuthInterface.OnPremiseOperations.LdapClientProvider.GetDomainDistinguishedName(OnP
remAuthenticationContext onPremAuthenticationContext)
Enable-AzureADSSOForest : The user name or password is incorrect.
At line:1 char:1
+ Enable-AzureADSSOForest
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Enable-AzureADSSOForest], AuthenticationException
    + FullyQualifiedErrorId : System.Security.Authentication.AuthenticationException,Microsoft.KerberosAuth.Powershell
   .PowershellCommands.EnableAzureADSSOForestCommand

Is it OK to delegate password reset permission to the helpdesk on a users OU that is AAD sync enabled?


Hi folks,

Is it OK to delegate password reset permission to the helpdesk on a users OU that is AAD sync enabled?

Thanks

Atul

Change passthrough authentication to use login.microsoftonline.com instead of login.windows.net


I have an Azure App Service based website that calls an Azure App Service based API (both Node.js based), but it fails due to CORS issues. Both App Services are protected by Azure Active Directory but have no authentication code, relying instead on implicit passthrough authentication.

This issue is almost identical to what is raised below:

https://github.com/Azure-Samples/active-directory-java-webapp-openidconnect/issues/7

However, in that case authentication was explicitly written into the code and was apparently resolved by simply changing the reference to login.windows.net to use login.microsoftonline.com instead.

So my question is: is it possible to get App Services/AAD to redirect to login.microsoftonline.com for passthrough authentication instead of login.windows.net?

Is the data stored in Azure Redis Cache available to multiple instances of the same API/web app?


Hello, 

When scaling out an application, is the data stored in Azure Redis Cache available to multiple instances of the same API/web app?

Regards,

Snehal


Cloud design patterns

 

Is there any uniformity when it comes to cloud architecture and design patterns across multiple cloud vendors/platforms (say Microsoft Azure, AWS and Google Cloud)?

As per Cloud Design Patterns, the names are different from Cloud Architectural Patterns.

What is the standard name for cloud architecture patterns?

Regards,

Snehal.

Azure B2C MFA for a controller/action


The documentation for Azure B2C MFA says:

"You don't require multi-factor authentication to access an application in general, but you do require it to access the sensitive portions within it. For example, the customer can sign in to a banking application with a social or local account and check the account balance, but must verify the phone number before attempting a wire transfer."

There is also an earlier question, Azure B2C Step up, but neither of these gives concrete examples of how to code an application (e.g. ASP.NET Core) so that MFA authentication is enforced for a particular method of a controller.


Paul

Can't give external user access


Hi!

I have set up a Windows VM on Azure, and now I need to share access to some items in the portal with someone else.

I have added them as a user in Azure Active Directory, set a role for them, and added them in the IAM panel of the resource, but nothing seems to work: his portal is still empty.

What am I doing wrong?

Sign-ins Report - "MFA requirement satisfied by claim provided by external provider"


What does this MFA result, "MFA requirement satisfied by claim provided by external provider", mean? I cannot find any documentation that properly explains this.

Azure MFA is applied through conditional access.

Is it related to hybrid joined devices/Windows Hello or anything of that sort?

Thank you.


2 Factor Authentication login in Azure Active Directory in my MVC Web App


Hello Team,

I want to know the simplest possible code to handle two-factor authentication using user credentials in my MVC web app.

Currently I have registered the app as a native app in the Azure portal, as I need to authenticate using username and password.

I am using the AAD Client Graph Library and ADAL for authentication. Please find the code below for your reference.

                                                  

using System.Configuration;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class AadAuthenticator
{
    // Set when authentication fails so the controller can show a message.
    private string loginStatus;

    public async Task<string> AuthenticateAADUser(string UserName, string Password)
    {
        try
        {
            return await GetAppTokenAsync(UserName, Password);
        }
        catch (AdalException ex)
        {
            // ex is already an AdalException, so no cast is needed.
            if (ex.ErrorCode == "invalid_grant")
            {
                loginStatus = "Invalid Username or Password";
            }
            else
            {
                loginStatus = "Invalid Active Directory Settings";
            }
            return string.Empty;
        }
    }

    private static async Task<string> GetAppTokenAsync(string UserName, string Password)
    {
        string clientID = ConfigurationManager.AppSettings["AADAppID"];
        string authString = ConfigurationManager.AppSettings["AADAuthURL"];
        string resAzureGraphAPI = ConfigurationManager.AppSettings["AADGraphAPI"];

        // Instantiate an AuthenticationContext for my directory (see authString above).
        AuthenticationContext authenticationContext = new AuthenticationContext(authString, false);
        authenticationContext.TokenCache.Clear();

        UserPasswordCredential credentials = new UserPasswordCredential(UserName, Password);

        // Acquire an access token from Azure AD to access the Azure AD Graph (the resource)
        // using the username and password as credentials (resource owner password flow).
        AuthenticationResult authenticationResult =
            await authenticationContext.AcquireTokenAsync(resAzureGraphAPI, clientID, credentials);

        // Return the access token.
        return authenticationResult.AccessToken;
    }
}

This code works fine but throws an exception "User Interaction required" when two-factor authentication is enabled for the user. I have searched every possible Microsoft blog but didn't find any concrete solution. Please help if anybody can, as I need to deliver it urgently.
