Channel: Azure Active Directory forum

Microsoft AAD authentication

Hi, 

I want to give access to selected users from AAD. Say there are 100 users in AAD - but I want to give access to only 24 selected users. I created a group for this in AAD. But even after giving access to only the group - it is giving access to all users in AAD. 

Any solution? The solutions and options proposed in the Microsoft document do not work. 

Snehal. 


Reasons to use AD instead of Azure AD?

What are the main reasons to not use Azure AD?

The ones I can think of are for managing desktop PCs and servers etc.

SCCM requires local AD.

Enterprise PKI requires local AD.

Centrally managing Windows servers in general requires local AD. 

It may be technically possible to manage Windows 10 desktops in a large office that are only Azure AD joined, but why would you want to do this?  If you have hundreds or thousands of desktop PCs all located in the same building, why would you manage them and have all these users authenticating into their workstations through a WAN connection to the cloud instead of from your gigabit local LAN connection? Why only have the more limited management capabilities of Intune vs AD group policy and then also have the extra licensing costs of Intune on top of all that?

Are there workarounds for any of the issues listed above?

Are there any other scenarios not mentioned that require at least hybrid AD instead of full Azure AD?

Graph API route for determining if a user has enrolled for MFA, and by what methods

We have users with Azure AD Premium (P1) licenses, and MFA status on account will remain Disabled (not Enabled or Enforced) but rather we will use the Conditional Access policies in specific applications to require MFA to sign-in. 

We would like a route via Microsoft Graph API (preferably, or through predecessor Azure AD Graph API in the meantime) that we can put into our intranet and other in-house apps of choice. Our primary use-case is during a new campaign to pre-enroll many users of a particular SSO app, so our Intranet could see if a user is a member of a group, then API call to check if the user has enrolled in MFA. If they haven't enrolled in MFA, provide a specific alert/banner that reminds them of the upcoming deadline for the app requiring MFA and click here to enroll and set up MFA for their account. 

Again, this is not about whether the account is enabled for MFA, but rather if the user has gone through the enrollment process and set up their account. 

As admins, we'd like to also be able to pull this data via API and perhaps in PowerBI show what percentage of our users have enrolled, and by what means they have set up their primary method (text, phone call, Microsoft Authenticator app). 

Thanks in advance, hoping this is possible or will be very soon. Would be great to get some better messaging internally from Microsoft Graph API on this. We also would like this for Self-Service Password Reset (SSPR) but that's a post for another day. :)

Chris
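
Added example, not part of the post above and not Microsoft sample code: one way to make the enrollment check the post describes, assuming the intranet already holds the JSON body that Microsoft Graph's `GET /users/{id}/authentication/methods` returns for each user. The sample payloads, user names and the helper names `needs_banner` and `enrollment_report` are constructed for illustration.

```python
"""Decide MFA enrollment from Graph authentication-methods responses.

Input: the JSON body of
    GET https://graph.microsoft.com/v1.0/users/{id}/authentication/methods
The payloads in SAMPLE are constructed, not real tenant data.
"""
from collections import Counter

ODATA_PREFIX = "#microsoft.graph."

# Method types that can act as a second factor.
# passwordAuthenticationMethod is the first factor and
# emailAuthenticationMethod is only used for self-service password reset,
# so neither counts as MFA enrollment.
MFA_METHODS = {
    "phoneAuthenticationMethod": "phone (text/call)",
    "microsoftAuthenticatorAuthenticationMethod": "Microsoft Authenticator app",
    "softwareOathAuthenticationMethod": "software OATH token",
    "fido2AuthenticationMethod": "FIDO2 security key",
    "windowsHelloForBusinessAuthenticationMethod": "Windows Hello for Business",
}


def enrolled_methods(graph_body):
    """Return the sorted, de-duplicated MFA-capable methods a user registered."""
    found = set()
    for method in graph_body.get("value", []):
        odata_type = method.get("@odata.type", "")
        if odata_type.startswith(ODATA_PREFIX):
            odata_type = odata_type[len(ODATA_PREFIX):]
        if odata_type in MFA_METHODS:
            found.add(MFA_METHODS[odata_type])
    return sorted(found)


def needs_banner(in_campaign_group, graph_body):
    """Show the reminder only to campaign-group members with no MFA method."""
    return bool(in_campaign_group) and not enrolled_methods(graph_body)


def enrollment_report(bodies_by_user):
    """Summarise enrollment for an admin dashboard.

    Counts every registered method per user; the methods endpoint does not
    say which one is the user's default, so this is not a 'primary method'
    breakdown.
    """
    by_method = Counter()
    enrolled = 0
    for body in bodies_by_user.values():
        methods = enrolled_methods(body)
        if methods:
            enrolled += 1
            by_method.update(methods)
    total = len(bodies_by_user)
    percent = round(100.0 * enrolled / total, 1) if total else 0.0
    return {
        "total": total,
        "enrolled": enrolled,
        "percent": percent,
        "by_method": dict(by_method),
    }


def _m(kind, **extra):
    """Build one constructed method entry in the Graph response shape."""
    return {"@odata.type": ODATA_PREFIX + kind, **extra}


# Constructed sample responses (hypothetical users).
SAMPLE = {
    "alice@example.com": {"value": [
        _m("passwordAuthenticationMethod"),
        _m("phoneAuthenticationMethod", phoneType="mobile"),
        _m("microsoftAuthenticatorAuthenticationMethod", displayName="Pixel"),
    ]},
    "bob@example.com": {"value": [
        _m("passwordAuthenticationMethod"),
    ]},
    "carol@example.com": {"value": [
        _m("passwordAuthenticationMethod"),
        _m("emailAuthenticationMethod", emailAddress="carol@example.org"),
    ]},
    "dave@example.com": {"value": [
        _m("passwordAuthenticationMethod"),
        _m("phoneAuthenticationMethod", phoneType="mobile"),
    ]},
}

if __name__ == "__main__":
    for upn, body in SAMPLE.items():
        print(upn, enrolled_methods(body), "banner:", needs_banner(True, body))
    print(enrollment_report(SAMPLE))
```

Carol illustrates the case that is easy to get wrong: an account with only a password and an SSPR e-mail address has registered something, but nothing that satisfies a Conditional Access MFA requirement.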

Delete b2c-extension-app and can not restore

Hi,

I was trying to delete my B2C tenant and now cannot access my Azure B2C. Tried restoring as per documentation but received:

Selected user account does not exist in tenant 'graphExplorerMT' and cannot access the application 'xxxxxxx' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

Searched through various help articles but seem to be stuck in a state where I can't delete the tenant, and I cannot add any new ones. Any help would be appreciated.

Thanks

Cramerstream

Azure AAD Connect Failing on Synchronisation

Hi All,

Trying to set up a new AAD Connect on a DC using the administrator (tried other enterprise admin accounts as well). Logs as follows. I have xxx'd out the domain.

[17:55:20.239] [  1] [INFO ] 
[17:55:20.241] [  1] [INFO ] ================================================================================
[17:55:20.241] [  1] [INFO ] Application starting
[17:55:20.241] [  1] [INFO ] ================================================================================
[17:55:20.241] [  1] [INFO ] Start Time (Local): Fri, 22 Feb 2019 17:55:20 GMT
[17:55:20.241] [  1] [INFO ] Start Time (UTC): Fri, 22 Feb 2019 09:55:20 GMT
[17:55:20.243] [  1] [INFO ] Application Version: 1.2.70.0
[17:55:20.243] [  1] [INFO ] Application Build Date: 2018-12-17 07:19:47Z
[17:55:21.414] [  1] [INFO ] Telemetry session identifier: {82bbfdf2-3a42-489d-b95a-532a5d388c08}
[17:55:21.414] [  1] [INFO ] Telemetry device identifier: AV8mjaQGze1L1EzqRB5RVBs4FGfblc1f9QHKWP56aYI=
[17:55:21.415] [  1] [INFO ] Application Build Identifier: AD-IAM-HybridSync master (590693a40)
[17:55:21.541] [  1] [INFO ] machine.config path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.
[17:55:21.542] [  1] [INFO ] Default Proxy [ProxyAddress]: <Unspecified>
[17:55:21.542] [  1] [INFO ] Default Proxy [UseSystemDefault]: Unspecified
[17:55:21.542] [  1] [INFO ] Default Proxy [BypassOnLocal]: Unspecified
[17:55:21.542] [  1] [INFO ] Default Proxy [Enabled]: True
[17:55:21.542] [  1] [INFO ] Default Proxy [AutoDetect]: Unspecified
[17:55:21.596] [  1] [VERB ] Scheduler wizard mutex wait timeout: 00:00:05
[17:55:21.596] [  1] [INFO ] AADConnect changes ALLOWED: Successfully acquired the configuration change mutex.
[17:55:21.699] [  1] [INFO ] RootPageViewModel.GetInitialPages: Beginning detection for creating initial pages.
[17:55:21.733] [  1] [INFO ] Loading the persisted settings .
[17:55:21.797] [  1] [INFO ] Checking if machine version is 6.1.7601 or higher
[17:55:21.836] [  1] [INFO ] The current operating system version is 10.0.14393, the requirement is 6.1.7601.
[17:55:21.836] [  1] [INFO ] Password Hash Sync supported: 'True'
[17:55:21.876] [  1] [INFO ] DetectInstalledComponents stage: The installed OS SKU is 7
[17:55:21.890] [  1] [INFO ] DetectInstalledComponents stage: Checking install context.
[17:55:21.899] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Visual C++ 2013 Redistributable Package
[17:55:21.904] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:21.920] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {20400cf0-de7c-327e-9ae4-f0f38d9085f8}: verified product code {a749d8e6-b613-3be3-8f5f-045c84eba29b}.
[17:55:21.921] [  1] [VERB ] Package=Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005, Version=12.0.21005, ProductCode=a749d8e6-b613-3be3-8f5f-045c84eba29b, UpgradeCode=20400cf0-de7c-327e-9ae4-f0f38d9085f8
[17:55:21.924] [  1] [INFO ] Determining installation action for Microsoft Visual C++ 2013 Redistributable Package (20400cf0-de7c-327e-9ae4-f0f38d9085f8)
[17:55:21.924] [  1] [INFO ] Product Microsoft Visual C++ 2013 Redistributable Package (version 12.0.21005) is installed.
[17:55:21.925] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Directory Sync Tool
[17:55:21.935] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:21.936] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[17:55:21.936] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[17:55:21.936] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-13cd-4bab-8da1-2775fa8cf7c2}: no registered products found.
[17:55:21.950] [  1] [INFO ] Determining installation action for Microsoft Directory Sync Tool UpgradeCodes {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}, {dc9e604e-37b0-4efc-b429-21721cf49d0d}
[17:55:21.950] [  1] [INFO ] DirectorySyncComponent: Product Microsoft Directory Sync Tool is not installed.
[17:55:21.950] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Sync Engine
[17:55:21.951] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:21.951] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-13cd-4bab-8da1-2775fa8cf7c2}: no registered products found.
[17:55:21.951] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[17:55:21.951] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[17:55:21.960] [  1] [INFO ] Determining installation action for Azure AD Sync Engine (545334d7-13cd-4bab-8da1-2775fa8cf7c2)
[17:55:22.407] [  1] [INFO ] Product Azure AD Sync Engine is not installed.
[17:55:22.408] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Connect Synchronization Agent
[17:55:22.408] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:22.408] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {3cd653e3-5195-4ff2-9d6c-db3dacc82c25}: no registered products found.
[17:55:22.408] [  1] [INFO ] Determining installation action for Azure AD Connect Synchronization Agent (3cd653e3-5195-4ff2-9d6c-db3dacc82c25)
[17:55:22.408] [  1] [INFO ] Product Azure AD Connect Synchronization Agent is not installed.
[17:55:22.408] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Connect Health agent for sync
[17:55:22.408] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:22.408] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {114fb294-8aa6-43db-9e5c-4ede5e32886f}: no registered products found.
[17:55:22.408] [  1] [INFO ] Determining installation action for Azure AD Connect Health agent for sync (114fb294-8aa6-43db-9e5c-4ede5e32886f)
[17:55:22.408] [  1] [INFO ] Product Azure AD Connect Health agent for sync is not installed.
[17:55:22.408] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[17:55:22.408] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:22.408] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {0c06f9df-c56b-42c4-a41b-f5f64d01a35c}: no registered products found.
[17:55:22.408] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (0c06f9df-c56b-42c4-a41b-f5f64d01a35c)
[17:55:22.408] [  1] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[17:55:22.408] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Command Line Utilities
[17:55:22.408] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:22.408] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {52446750-c08e-49ef-8c2e-1e0662791e7b}: verified product code {89ca7913-f891-4546-8f55-355338677fe6}.
[17:55:22.409] [  1] [VERB ] Package=Microsoft SQL Server 2012 Command Line Utilities , Version=11.4.7001.0, ProductCode=89ca7913-f891-4546-8f55-355338677fe6, UpgradeCode=52446750-c08e-49ef-8c2e-1e0662791e7b
[17:55:22.409] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Command Line Utilities (52446750-c08e-49ef-8c2e-1e0662791e7b)
[17:55:22.409] [  1] [INFO ] Product Microsoft SQL Server 2012 Command Line Utilities (version 11.4.7001.0) is installed.
[17:55:22.409] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Express LocalDB
[17:55:22.409] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:22.410] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {c3593f78-0f11-4d8d-8d82-55460308e261}: verified product code {72b030ed-b1e3-45e5-ba33-a1f5625f2b93}.
[17:55:22.410] [  1] [VERB ] Package=Microsoft SQL Server 2012 Express LocalDB , Version=11.4.7469.6, ProductCode=72b030ed-b1e3-45e5-ba33-a1f5625f2b93, UpgradeCode=c3593f78-0f11-4d8d-8d82-55460308e261
[17:55:22.410] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Express LocalDB (c3593f78-0f11-4d8d-8d82-55460308e261)
[17:55:22.410] [  1] [INFO ] Product Microsoft SQL Server 2012 Express LocalDB (version 11.4.7469.6) is installed.
[17:55:22.410] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Native Client
[17:55:22.411] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:22.411] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {1d2d1fa0-e158-4798-98c6-a296f55414f9}: verified product code {b9274744-8bae-4874-8e59-2610919cd419}.
[17:55:22.412] [  1] [VERB ] Package=Microsoft SQL Server 2012 Native Client , Version=11.4.7001.0, ProductCode=b9274744-8bae-4874-8e59-2610919cd419, UpgradeCode=1d2d1fa0-e158-4798-98c6-a296f55414f9
[17:55:22.412] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Native Client (1d2d1fa0-e158-4798-98c6-a296f55414f9)
[17:55:22.412] [  1] [INFO ] Product Microsoft SQL Server 2012 Native Client (version 11.4.7001.0) is installed.
[17:55:22.412] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[17:55:22.412] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:22.413] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {fb3feca7-5190-43e7-8d4b-5eec88ed9455}: no registered products found.
[17:55:22.413] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (fb3feca7-5190-43e7-8d4b-5eec88ed9455)
[17:55:22.413] [  1] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[17:55:22.415] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connection Tool.
[17:55:22.465] [  1] [WARN ] Failed to read DisplayName registry key: An error occurred while executing the 'Get-ItemProperty' command. Cannot find path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftAzureADConnectionTool' because it does not exist.
[17:55:22.467] [  1] [INFO ] Product Microsoft Azure AD Connection Tool is not installed.
[17:55:22.467] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure Active Directory Connect
[17:55:22.467] [  1] [VERB ] Getting list of installed packages by upgrade code
[17:55:22.467] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {d61eb959-f2d1-4170-be64-4dc367f451ea}: verified product code {b9170312-edaf-4e0c-9241-2407915b93ec}.
[17:55:22.468] [  1] [VERB ] Package=Microsoft Azure AD Connect, Version=1.2.70.0, ProductCode=b9170312-edaf-4e0c-9241-2407915b93ec, UpgradeCode=d61eb959-f2d1-4170-be64-4dc367f451ea
[17:55:22.468] [  1] [INFO ] Determining installation action for Azure Active Directory Connect (d61eb959-f2d1-4170-be64-4dc367f451ea)
[17:55:22.468] [  1] [INFO ] Product Azure Active Directory Connect (version 1.2.70.0) is installed.
[17:55:22.820] [  1] [INFO ] ServiceControllerProvider: GetServiceStartMode(seclogon) is 'Manual'.
[17:55:22.822] [  1] [INFO ] ServiceControllerProvider: verifying EventLog is in state (Running)
[17:55:22.824] [  1] [INFO ] ServiceControllerProvider: current service status: Running
[17:55:22.824] [  1] [INFO ] Checking for DirSync conditions.
[17:55:22.824] [  1] [INFO ] DirSync not detected. Checking for AADSync/AADConnect upgrade conditions.
[17:55:22.836] [  1] [INFO ] Initial configuration is incomplete.
[17:55:22.840] [  1] [INFO ] Resume Wizard from previous Azure service connectivity failure.
[17:55:22.859] [  1] [INFO ] SyncDataProvider:LoadSettings - loading context with persisted global settings.
[17:55:23.646] [  1] [ERROR] Configuration policy could not be retrieved (GetGlobalConfigurationParameters).  Details: System.Management.Automation.CommandNotFoundException: The term 'Get-ADSyncGlobalSettingsParameter' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.TypeDependencies.InvokePowerShell(IPowerShell powerShell)
   at Microsoft.Online.Deployment.PowerShell.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.GlobalSettingsConfigAdapter.GetGlobalConfigurationParameters()
   at Microsoft.Online.Deployment.Types.Providers.SyncDataProvider.LoadSettings(IAadSyncContext aadSyncContext)
[17:55:23.763] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ExpressSettingsPageViewModel.GatherEnvironmentData in Page:"Express Settings"
[17:55:23.764] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:11
[17:55:23.781] [ 19] [INFO ] Checking if machine version is 6.1.7601 or higher
[17:55:23.782] [ 19] [INFO ] The current operating system version is 10.0.14393, the requirement is 6.1.7601.
[17:55:23.782] [ 19] [INFO ] Password Hash Sync supported: 'True'
[17:55:24.254] [  1] [INFO ] Express Settings install is supported: domain-joined + OS version allowed.
[17:55:28.058] [  1] [INFO ] Express Settings:  Updating page flow for EXPRESS mode install.
[17:55:28.061] [  1] [INFO ] Called SetWizardMode(ExpressInstall, True)
[17:55:28.065] [  1] [WARN ] MicrosoftOnlinePersistedStateProvider.Save: zero state elements provided, saving an empty persisted state file
[17:55:28.068] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[17:55:28.077] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[17:55:28.114] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ExpressSettingsPageViewModel.StartPrerequisiteInstallation in Page:"Express Settings"
[17:55:28.114] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:1130
[17:55:28.197] [ 19] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.InstallSyncEnginePageViewModel.StartNewInstallation in Page:"Install required components"
[17:55:28.198] [ 19] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:1155
[17:55:28.261] [ 20] [INFO ] SyncEngineSetupViewModel: Validating sync engine settings.
[17:55:28.269] [ 20] [INFO ] Enter ValidateSqlVersion.
[17:55:28.269] [ 20] [INFO ] Exit ValidateSqlVersion (localdb).
[17:55:28.273] [ 20] [INFO ] Enter ValidateSqlAoaAsyncInstance.
[17:55:28.273] [ 20] [INFO ] Exit ValidateSqlAoaAsyncInstance (localdb).
[17:55:28.275] [ 20] [INFO ] The ADSync database does not exist and will be created.  serverAdmin=True.
[17:55:28.275] [ 20] [INFO ] Attaching to the ADSync database: SQLServerName=DoesNotExist SQLInstanceName= ServiceAccountName=, state=, Collation=, /UseExistingDatabase=False.
[17:55:28.275] [ 20] [INFO ] Starting Sync Engine installation
[17:55:28.278] [ 20] [INFO ] Starting Prerequisite installation
[17:55:28.280] [ 20] [VERB ] WorkflowEngine created
[17:55:28.283] [ 20] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Visual C++ 2013 Redistributable Package
[17:55:28.284] [ 20] [VERB ] Getting list of installed packages by upgrade code
[17:55:28.284] [ 20] [INFO ] GetInstalledPackagesByUpgradeCode {20400cf0-de7c-327e-9ae4-f0f38d9085f8}: verified product code {a749d8e6-b613-3be3-8f5f-045c84eba29b}.
[17:55:28.285] [ 20] [VERB ] Package=Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005, Version=12.0.21005, ProductCode=a749d8e6-b613-3be3-8f5f-045c84eba29b, UpgradeCode=20400cf0-de7c-327e-9ae4-f0f38d9085f8
[17:55:28.285] [ 20] [INFO ] Determining installation action for Microsoft Visual C++ 2013 Redistributable Package (20400cf0-de7c-327e-9ae4-f0f38d9085f8)
[17:55:28.285] [ 20] [INFO ] Product Microsoft Visual C++ 2013 Redistributable Package (version 12.0.21005) is installed.
[17:55:28.292] [  1] [INFO ] Page transition from "Express Settings" [ExpressSettingsPageViewModel] to "Connect to Azure AD" [AzureTenantPageViewModel]
[17:55:28.329] [  1] [INFO ] Property Password failed validation with error A valid domain must be selected.
[17:55:38.353] [ 17] [INFO ] AzureTenantPage: Beginning Windows Azure tenant credential validation for user - xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au
[17:55:38.401] [ 17] [INFO ] AzureConfigurationFromPrincipalName: Successfully resolved UPN (xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au) to the Worldwide Azure instance. 
Resolution Method [Registry Configuration]: Worldwide.
[17:55:38.419] [ 17] [INFO ] ResolveAzureInstance [Worldwide]: authority=HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU, 
Resolution Method [Registry Configuration]: Worldwide.
[17:55:38.440] [ 17] [INFO ] Authenticate-ADAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU), resource (https://graph.windows.net), userName (xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au).
[17:55:38.456] [ 17] [INFO ] ADAL: 2019-02-22T09:55:38.4540451Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Clearing Cache :- 0 items to be removed
[17:55:38.456] [ 17] [INFO ] ADAL: 2019-02-22T09:55:38.4560620Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Successfully Cleared Cache
[17:55:38.481] [ 17] [INFO ] ADAL: 2019-02-22T09:55:38.4810434Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[17:55:38.482] [ 17] [INFO ] ADAL: 2019-02-22T09:55:38.4820431Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[17:55:39.164] [ 16] [INFO ] ADAL: 2019-02-22T09:55:39.1640474Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: No matching token was found in the cache
[17:55:39.164] [ 16] [INFO ] ADAL: 2019-02-22T09:55:39.1640474Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: No matching token was found in the cache
[17:55:39.164] [ 16] [INFO ] ADAL: 2019-02-22T09:55:39.1640474Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: No matching token was found in the cache
[17:55:39.164] [ 16] [INFO ] ADAL: 2019-02-22T09:55:39.1640474Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: No matching token was found in the cache
[17:55:39.164] [ 16] [INFO ] ADAL: 2019-02-22T09:55:39.1640474Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: No matching token was found in the cache
[17:55:39.164] [ 16] [INFO ] ADAL: 2019-02-22T09:55:39.1640474Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: No matching token was found in the cache
[17:55:39.200] [ 16] [INFO ] ADAL: 2019-02-22T09:55:39.2000509Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: Sending request to userrealm endpoint.
[17:55:40.358] [ 13] [INFO ] ADAL: 2019-02-22T09:55:40.3580527Z: 9bcef4df-871f-49d9-b98f-d47c2a0fa3c4 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 2/22/2019 10:55:40 AM +00:00
[17:55:40.359] [ 17] [INFO ] Authenticate-ADAL: successfully acquired an access token.  TenantId=9f6b161d-2543-4744-bfb6-60239033100a, ExpiresUTC=2/22/2019 10:55:40 AM +00:00, UserInfo=xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au, IdentityProvider=https://sts.windows.net/9f6b161d-2543-4744-bfb6-60239033100a/.
[17:55:40.362] [ 17] [INFO ] AzureTenantPage: attempting to connect to Azure via AAD PowerShell.
[17:55:40.370] [ 17] [INFO ] DiscoverServiceEndpoint [AzurePowerShell]: ServiceEndpoint=https://provisioningapi.microsoftonline.com/provisioningwebservice.svc, AdalAuthority=HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU, AdalResource=https://graph.windows.net.
[17:55:40.370] [ 17] [INFO ] AcquireServiceToken [AzurePowerShell]: acquiring service token.
[17:55:40.370] [ 17] [INFO ] Authenticate-ADAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU), resource (https://graph.windows.net), userName (xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au).
[17:55:40.371] [ 17] [INFO ] ADAL: 2019-02-22T09:55:40.3710553Z: 362d3836-4d9f-4831-a47a-ba4809127306 - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[17:55:40.371] [ 17] [INFO ] ADAL: 2019-02-22T09:55:40.3710553Z: 362d3836-4d9f-4831-a47a-ba4809127306 - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[17:55:40.371] [ 17] [INFO ] ADAL: 2019-02-22T09:55:40.3710553Z: 362d3836-4d9f-4831-a47a-ba4809127306 - LoggerBase.cs: An item matching the requested resource was found in the cache
[17:55:40.373] [ 17] [INFO ] ADAL: 2019-02-22T09:55:40.3730545Z: 362d3836-4d9f-4831-a47a-ba4809127306 - LoggerBase.cs: 59.99875031 minutes left until token in cache expires
[17:55:40.373] [ 17] [INFO ] ADAL: 2019-02-22T09:55:40.3730545Z: 362d3836-4d9f-4831-a47a-ba4809127306 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
[17:55:40.373] [ 17] [INFO ] ADAL: 2019-02-22T09:55:40.3730545Z: 362d3836-4d9f-4831-a47a-ba4809127306 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 2/22/2019 10:55:40 AM +00:00
[17:55:40.373] [ 17] [INFO ] Authenticate-ADAL: successfully acquired an access token.  TenantId=9f6b161d-2543-4744-bfb6-60239033100a, ExpiresUTC=2/22/2019 10:55:40 AM +00:00, UserInfo=xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au, IdentityProvider=https://sts.windows.net/9f6b161d-2543-4744-bfb6-60239033100a/.
[17:55:40.379] [ 17] [INFO ] PowerShellHelper.ConnectMsolService: Connecting using an AccessToken. AzureEnvironment=0.
[17:55:41.791] [ 17] [INFO ] AzureTenantPage: successfully connected to Azure via AAD PowerShell.
[17:55:43.957] [ 17] [INFO ] AzureTenantPage: Successfully retrieved company information for tenant 9f6b161d-2543-4744-bfb6-60239033100a.  Initial domain (xxxxxxxxxxxxx.onmicrosoft.com).
[17:55:43.962] [ 17] [INFO ] AzureTenantPage: DirectorySynchronizationEnabled=False
[17:55:43.968] [ 17] [INFO ] AzureTenantPage: DirectorySynchronizationStatus=Disabled
[17:55:43.973] [ 17] [INFO ] PowershellHelper: lastDirectorySyncTime=10/23/2018 5:46:50 AM
[17:55:44.912] [ 17] [INFO ] AzureTenantPageViewModel.GetSynchronizedUserCount: number of synchronized users (max 500) - 37
[17:55:45.571] [ 17] [INFO ] AzureTenantPageViewModel.GetSynchronizedUserCount: number of synchronized users (max 500) - 37
[17:55:46.158] [ 17] [INFO ] AzureTenantPage: Successfully retrieved 5 domains from the tenant.
[17:55:46.158] [ 17] [INFO ] AzureTenantPage: Calling to get the last dir sync time for the current user
[17:55:47.121] [ 17] [INFO ] DiscoverServiceEndpoint [AdminWebService]: ServiceEndpoint=https://adminwebservice.microsoftonline.com/provisioningservice.svc, AdalAuthority=HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU, AdalResource=https://graph.windows.net.
[17:55:47.190] [ 17] [INFO ] DiscoverServiceEndpoint [AdminWebService]: ServiceEndpoint=https://adminwebservice.microsoftonline.com/provisioningservice.svc, AdalAuthority=HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU, AdalResource=https://graph.windows.net.
[17:55:47.190] [ 17] [INFO ] AcquireServiceToken [AdminWebService]: acquiring service token.
[17:55:47.190] [ 17] [INFO ] Authenticate-ADAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU), resource (https://graph.windows.net), userName (xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au).
[17:55:47.190] [ 17] [INFO ] ADAL: 2019-02-22T09:55:47.1900986Z: 80daf311-870b-478a-bf08-4e60cc2d92d7 - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[17:55:47.190] [ 17] [INFO ] ADAL: 2019-02-22T09:55:47.1900986Z: 80daf311-870b-478a-bf08-4e60cc2d92d7 - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[17:55:47.191] [ 17] [INFO ] ADAL: 2019-02-22T09:55:47.1910985Z: 80daf311-870b-478a-bf08-4e60cc2d92d7 - LoggerBase.cs: An item matching the requested resource was found in the cache
[17:55:47.191] [ 17] [INFO ] ADAL: 2019-02-22T09:55:47.1910985Z: 80daf311-870b-478a-bf08-4e60cc2d92d7 - LoggerBase.cs: 59.8851162433333 minutes left until token in cache expires
[17:55:47.191] [ 17] [INFO ] ADAL: 2019-02-22T09:55:47.1910985Z: 80daf311-870b-478a-bf08-4e60cc2d92d7 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
[17:55:47.191] [ 17] [INFO ] ADAL: 2019-02-22T09:55:47.1910985Z: 80daf311-870b-478a-bf08-4e60cc2d92d7 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 2/22/2019 10:55:40 AM +00:00
[17:55:47.191] [ 17] [INFO ] Authenticate-ADAL: successfully acquired an access token.  TenantId=9f6b161d-2543-4744-bfb6-60239033100a, ExpiresUTC=2/22/2019 10:55:40 AM +00:00, UserInfo=xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au, IdentityProvider=https://sts.windows.net/9f6b161d-2543-4744-bfb6-60239033100a/.
[17:55:48.748] [ 17] [INFO ] GetCompanyConfiguration: tenantId=(9f6b161d-2543-4744-bfb6-60239033100a), IsDirSyncing=False, IsPasswordSyncing=False, DomainName=, DirSyncFeatures=41016, AllowedFeatures=None.
[17:55:48.748] [ 17] [INFO ] AzureTenantPage: AdminWebService returned the company information for tenant 9f6b161d-2543-4744-bfb6-60239033100a.
[17:55:48.748] [ 17] [INFO ] AzureTenantPage: AzureTenantSourceAnchorAttribute is mS-DS-ConsistencyGuid
[17:55:48.758] [ 17] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[17:55:48.759] [ 17] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[17:55:48.761] [ 17] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[17:55:48.762] [ 17] [INFO ] AzureTenantPage: Windows Azure tenant credentials validation succeeded.
[17:55:48.774] [  1] [INFO ] Page transition from "Connect to Azure AD" [AzureTenantPageViewModel] to "Connect to AD DS" [ConfigOnPremiseCredentialsPageViewModel]
[17:55:48.780] [  1] [INFO ] Property Username failed validation with error Enterprise Administrator credentials are required
[17:55:52.108] [  1] [INFO ] Property Username failed validation with error The username format is incorrect. Specify the username in the format of DOMAIN\username.
[17:55:55.867] [  1] [INFO ] Property Password failed validation with error A password is required - unless using a Virtual or Managed Service Account .
[17:56:05.213] [ 21] [INFO ] ConfigOnPremiseCredentialsPage: Validating credentials for user - xxxxxxxxxxxxx\admin2
[17:56:05.244] [ 21] [INFO ] ConfigOnPremiseCredentialsPage: LogonUser succeeded for user xxxxxxxxxxxxx\admin2
[17:56:05.250] [ 21] [INFO ] ActiveDirectoryProvider.GetRootDomainName: getting user root domain name
[17:56:05.303] [ 21] [INFO ] ActiveDirectoryProvider.GetRootDomainName: user root domain - xxxxxxxxxxxxx.com.au
[17:56:05.308] [ 21] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: checking if xxxxxxxxxxxxx\admin2 has AccountEnterpriseAdminsSid privileges in xxxxxxxxxxxxx.com.au
[17:56:05.588] [ 21] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: domain sid - S-1-5-21-3624718830-1735865960-2013706303, group sid - S-1-5-21-3624718830-1735865960-2013706303-519
[17:56:05.593] [ 21] [INFO ] ActiveDirectoryProvider.GetGroupMembershipSidsForUser: retrieving group membership SIDs from AD
[17:56:05.614] [ 21] [INFO ] ActiveDirectoryProvider.IsUserGroupMember: found membership - user is a member of the group
[17:56:05.649] [ 21] [INFO ] ValidateCredentials UseExpressSettings: The domain name 'xxxxxxxxxxxxx.com.au' was successfully matched.
[17:56:05.658] [ 21] [INFO ] ConfigOnPremiseCredentialsPage: Validating forest
[17:56:05.667] [ 21] [INFO ] Validating forest with FQDN xxxxxxxxxxxxx.com.au
[17:56:05.746] [ 21] [INFO ] Examining domain xxxxxxxxxxxxx.com.au (:0% complete)
[17:56:05.751] [ 21] [INFO ] ValidateForest: using RH-DC-01.xxxxxxxxxxxxx.com.au to validate domain xxxxxxxxxxxxx.com.au
[17:56:05.754] [ 21] [INFO ] Successfully examined domain xxxxxxxxxxxxx.com.au GUID:e49842d8-026c-4125-8aa3-d1ca5a13c06a  DN:DC=xxxxxxxxxxxxx,DC=com,DC=au
[17:56:05.799] [ 21] [INFO ] ConfigOnPremiseCredentialsPageViewModel: Credentials will be used to administer the AD MA account (New Install).
[17:56:05.874] [ 21] [VERB ] MsolDomainExtensions.ConnectMsolService: Connecting to MSOL service.
[17:56:05.874] [ 21] [INFO ] DiscoverServiceEndpoint [AzurePowerShell]: ServiceEndpoint=https://provisioningapi.microsoftonline.com/provisioningwebservice.svc, AdalAuthority=HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU, AdalResource=https://graph.windows.net.
[17:56:05.874] [ 21] [INFO ] AcquireServiceToken [AzurePowerShell]: acquiring service token.
[17:56:05.874] [ 21] [INFO ] Authenticate-ADAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.WINDOWS.NET/xxxxxxxxxxxxx.COM.AU), resource (https://graph.windows.net), userName (xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au).
[17:56:05.874] [ 21] [INFO ] ADAL: 2019-02-22T09:56:05.8743882Z: 6b086559-a1cf-4cd9-adf9-bc15b417d5e7 - LoggerBase.cs: ADAL PCL.Desktop with assembly version '3.19.6.14301', file version '3.19.50523.1839' and informational version '1ae77ee16c2204403e53d7e652ddc8f4d315cfb1' is running...
[17:56:05.874] [ 21] [INFO ] ADAL: 2019-02-22T09:56:05.8743882Z: 6b086559-a1cf-4cd9-adf9-bc15b417d5e7 - LoggerBase.cs: === Token Acquisition started: 
CacheType: null
Authentication Target: User
, Authority Host: login.windows.net
[17:56:05.874] [ 21] [INFO ] ADAL: 2019-02-22T09:56:05.8743882Z: 6b086559-a1cf-4cd9-adf9-bc15b417d5e7 - LoggerBase.cs: An item matching the requested resource was found in the cache
[17:56:05.874] [ 21] [INFO ] ADAL: 2019-02-22T09:56:05.8743882Z: 6b086559-a1cf-4cd9-adf9-bc15b417d5e7 - LoggerBase.cs: 59.5737280816667 minutes left until token in cache expires
[17:56:05.874] [ 21] [INFO ] ADAL: 2019-02-22T09:56:05.8743882Z: 6b086559-a1cf-4cd9-adf9-bc15b417d5e7 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
[17:56:05.875] [ 21] [INFO ] ADAL: 2019-02-22T09:56:05.8753861Z: 6b086559-a1cf-4cd9-adf9-bc15b417d5e7 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 2/22/2019 10:55:40 AM +00:00
[17:56:05.875] [ 21] [INFO ] Authenticate-ADAL: successfully acquired an access token.  TenantId=9f6b161d-2543-4744-bfb6-60239033100a, ExpiresUTC=2/22/2019 10:55:40 AM +00:00, UserInfo=xxxxxxxxxxxxx_admin@xxxxxxxxxxxxx.com.au, IdentityProvider=https://sts.windows.net/9f6b161d-2543-4744-bfb6-60239033100a/.
[17:56:05.875] [ 21] [INFO ] PowerShellHelper.ConnectMsolService: Connecting using an AccessToken. AzureEnvironment=0.
[17:56:07.247] [ 21] [INFO ] Page transition from "Connect to AD DS" [ConfigOnPremiseCredentialsPageViewModel] to "Configure" [PerformConfigurationPageViewModel]
[17:56:07.252] [ 21] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.BackgroundInitialize in Page:"Ready to configure"
[17:56:07.252] [ 21] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:5110
[17:56:08.262] [ 20] [VERB ] PerformConfigurationPageViewModel:ExecuteAutoUpgradeCheck: context.WizardMode ExpressInstall.
[17:56:08.287] [ 20] [WARN ] DetermineAutoUpgradeState: AutoUpgrade entering ENABLED mode for express installation.
[17:56:08.287] [ 20] [VERB ] PerformConfigurationPageViewModel:ExecuteAutoUpgradeCheck: autoUpgradeState set to Enabled.
[17:56:08.292] [ 20] [INFO ] SetAutoUpgradeViaAdhealthRegistrykey: Updated SOFTWARE\Microsoft\ADHealthAgent\Sync\UpdateCheckEnabled registry value to 1
[17:56:08.296] [ 20] [INFO ] Restarting Monitoring Agent service.
[17:56:08.298] [ 20] [INFO ] ServiceControllerProvider: InvalidOperationException on serviceController.Status property means the service AzureADConnectHealthSyncMonitor was not found
[17:56:08.298] [ 20] [WARN ] Monitoring Agent service is not installed, so the service cannot be restarted.
[17:56:09.911] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.Save: saving the persisted state file
[17:56:09.911] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: False
[17:56:09.913] [  1] [INFO ] MicrosoftOnlinePersistedStateProvider.UpdateFileProtection: updating file protection from the persisted state file: C:\ProgramData\AADConnect\PersistedState.xml, isAddProtection: True
[17:56:09.920] [  1] [INFO ] PersistAzureAffinity: Azure affinity was previously persisted as Worldwide (0).
[17:56:09.920] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Start background task Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteADSyncConfiguration in Page:"Configuring"
[17:56:09.921] [  1] [INFO ] ProgressWizardPageViewModel:StartProgressOperation Started Background Task Id:5733
[17:56:09.922] [ 22] [INFO ] PerformConfigurationPageViewModel.ExecuteADSyncConfiguration: Preparing to configure sync engine (WizardMode=ExpressInstall).
[17:56:09.924] [ 22] [INFO ] PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore: Preparing to install sync engine (WizardMode=ExpressInstall).
[17:56:09.929] [ 22] [INFO ] Starting Sync Engine installation
[17:56:15.523] [ 22] [INFO ] ServiceControllerProvider: service ADSync exists
[17:56:15.528] [ 22] [INFO ] ServiceControllerProvider: processing StopService request for: ADSync
[17:56:15.529] [ 22] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[17:56:15.529] [ 22] [INFO ] ServiceControllerProvider: StopService status: Stopped
[17:56:15.532] [ 22] [INFO ] ServiceControllerProvider:DeleteService - serviceName:ADSync
[17:56:25.542] [ 22] [INFO ] ServiceControllerProvider: InvalidOperationException on serviceController.Status property means the service ADSync was not found
[17:56:25.543] [ 22] [INFO ] ServiceControllerProvider:DeleteService successful - serviceName:ADSync
[17:56:25.552] [ 22] [INFO ] ServiceControllerProvider:CreateService - serviceName:ADSync, username:xxxxxxxxxxxxx\AAD_618f8bece031, assemblyPath:C:\Program Files\Microsoft Azure Active Directory Connect\ADSyncBootstrap.exe
[17:56:25.584] [ 22] [INFO ] ServiceControllerProvider: Processing StartService request for: ADSync
[17:56:25.584] [ 22] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[17:56:25.584] [ 22] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[17:56:25.625] [ 22] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (1).
Exception Data (Raw): System.InvalidOperationException: Cannot start service ADSync on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.Start(String[] args)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[17:56:25.629] [ 22] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[17:56:25.629] [ 22] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[17:56:25.671] [ 22] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (2).
Exception Data (Raw): System.InvalidOperationException: Cannot start service ADSync on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.Start(String[] args)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[17:56:25.672] [ 22] [VERB ] ServiceControllerProvider:Initial service status: Stopped
[17:56:25.672] [ 22] [VERB ] ServiceControllerProvider:Starting service and waiting for completion.
[17:56:25.710] [ 22] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (3).
Exception Data (Raw): System.InvalidOperationException: Cannot start service ADSync on computer '.'. ---> System.ComponentModel.Win32Exception: The service did not start due to a logon failure
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.Start(String[] args)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[17:56:25.711] [ 22] [ERROR] ServiceControllerProvider: StartService unable to start service (ADSync). The system event log may contain more details for this issue.
[17:56:25.819] [ 22] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.InvalidOperationException: ADSync Bootstrap Service failed to Start
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.CreateAndStartBootstrapService(SyncServiceAccount syncServiceAccount)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)
[17:56:29.080] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20190222-175520.log
[18:13:47.479] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20190222-175520.log


User gets Different SID When Logging in to AAD Joined Machine


We use O365, and for the last year have a local AD server that is sync'ed to AAD via Azure AD Connect. All works as it should.

We're doing a trial of AAD Premium, and decided to try joining local machines to Azure AAD instead of to our local domain controller.

Much to my shock and dismay, when an existing domain user joins a machine to AAD and logs in (using his domain credentials, which are being properly replicated by AD Connect)... he's getting assigned a different SID than if that same user domain-joins his machine and logs in using his same domain credentials.

THAT doesn't work very well, when we have files living on a local file server that list him as owner via his *other* (original) SID.

To be clear, this user is "MyDomain\MyName" -- He has a password.  When he domain joins his machine and logs in using username and password, he gets one SID associated with his account.  When he joins his machine to AAD and logs in with the same credentials, he gets a different SID associated with his account.

The authorities for the SIDs are different: His domain-joined SID is the local domain authority, and his AAD-joined SID is AAD.

I'm at a loss to explain this... and, if there's nothing we can do to "fix" this, this could prevent us from migrating our domain completely to AAD (and eventually decommissioning our on-prem DC).

Help??  Please??

Peter


Peter OSR @OSRDrivers -- http://www.osr.com Designers, implementers, and teachers of Windows drivers for more than 20 years
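
The two SIDs described in the post above can be told apart from their string form alone. The following is an added example, not part of the original post: it parses a SID, reports which authority issued it, and derives the `S-1-12-1-...` SID that Azure AD builds from a user's object ID (and back). The domain SID and the object ID are constructed sample values, and the function names are this example's own.

```python
import struct
import uuid
from dataclasses import dataclass

NT_AUTHORITY = 5     # S-1-5-...   : Windows / Active Directory
AAD_AUTHORITY = 12   # S-1-12-1-...: Azure AD


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subs: tuple  # 32-bit sub-authorities

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subs)])

    @property
    def issuer(self):
        if self.authority == NT_AUTHORITY and self.subs[:1] == (21,) and len(self.subs) == 5:
            return "AD domain"   # 21, three domain values, then the RID
        if self.authority == AAD_AUTHORITY and self.subs[:1] == (1,) and len(self.subs) == 5:
            return "Azure AD"    # 1, then the object ID as four 32-bit values
        return "other"


def parse_sid(text):
    """Parse the string form S-R-A-S1-S2-... and validate the field ranges."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    try:
        revision = int(parts[1])
        authority = int(parts[2], 0)  # large authorities are written in hex
        subs = tuple(int(p) for p in parts[3:])
    except ValueError:
        raise ValueError(f"non-numeric SID field in {text!r}") from None
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {text!r}")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"sub-authority out of range: {text!r}")
    return Sid(revision, authority, subs)


def aad_sid_from_object_id(object_id):
    """S-1-12-1 followed by the object ID's 16 bytes read as four little-endian uint32."""
    raw = uuid.UUID(object_id).bytes_le  # same byte layout as .NET Guid.ToByteArray()
    return Sid(1, AAD_AUTHORITY, (1, *struct.unpack("<4I", raw)))


def object_id_from_aad_sid(sid):
    """Recover the Azure AD object ID from an S-1-12-1-... SID, e.g. one seen on an ACL."""
    if sid.issuer != "Azure AD":
        raise ValueError(f"{sid} was not issued by Azure AD")
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *sid.subs[1:])))


def compare(domain_sid_text, object_id):
    """Put the on-premises SID and the Azure AD SID of one person side by side."""
    on_prem = parse_sid(domain_sid_text)
    cloud = aad_sid_from_object_id(object_id)
    return {
        "on_prem": (str(on_prem), on_prem.issuer),
        "cloud": (str(cloud), cloud.issuer),
        # File ownership and ACL entries are matched by SID equality.
        "acl_match": on_prem == cloud,
    }


# Constructed sample values, not taken from any real directory.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
SAMPLE_OBJECT_ID = "00000001-0002-0003-0405-060708090a0b"

if __name__ == "__main__":
    for name, value in compare(SAMPLE_DOMAIN_SID, SAMPLE_OBJECT_ID).items():
        print(name, value)
```
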



is the data stored in Azure Redis cache available for multiple instances of the same api/web app?


Hello, 

In case of scaling out an application is the data stored in Azure Redis cache available for multiple instances of the same api/web app? 

Regards,

Snehal

audience in an access token to be app uri id


I have a web API and when I fetch an access token for it, using MSAL.js, the aud property is set to be the APP ID.

I need it to be the app URI id instead, how can I configure this?

The app URI id is set in the manifest under

identifierUris: [
  ""
]

Best regards,


Resource Owner Password Credential - invalid grant - AADSTS50126: Invalid username or password ...


Hello,

I'm trying to test ROPC with a native application and my username and password (just for test) ... but I always get back the error above, even though those are the credentials I'm using every day to get access to my domain ... I started to think the user credentials it refers to are different ones, maybe a new user has to be created or something is missing in the app-side configuration settings.

Which are the primary settings to check for this error? I'm not using B2C, is that needed? Again, only federated authentication is configured on Azure AD, not single sign-on or pass-through ...

Thanks.

R.

Marco.


Marco

No refresh_token returned via OAuth 2.0 code grant flow


I am attempting an OAuth 2.0 code grant flow via an Electron native desktop client, using the PKCE method. I am following the Medium article titled: "Azure AD OAuth 2.0 Authorization Code Grant Flow in Electron"

I get an access_token, but not seeing a refresh token in the response: {"token_type":"Bearer","scope":"openid profile email https://graph.microsoft.com/User.Read","expires_in":3600,"ext_expires_in":3600,"access_token":"xxx"}

Azure AD Connect password sync issue on specific forest


Hi

We have Azure AD Connect (1.2.7) installed, and it's syncing user accounts and password hashes to 5 different domains more or less successfully. We do not use password writeback.

We have added a further domain, with the same settings as the other ones. The domain has a single 2012r2 DC.

For this domain, password sync does not work.

I think I can see a possible reason for this, but I'm not sure how to fix it. When I run the AAD Connect troubleshooting tool, it says this specific domain has password writeback enabled (the others do not say this).

Azure AD Connect Password Writeback - Status

SourceConnector:troublesomedomain.internal
TargetConnector:publicdomain.com - AAD
Enabled:True
LatestHeartBeatTime:

N/A

I have rerun the wizard, ensuring password writeback is off. It is. Run the script here to reset sync on that connector: https://social.technet.microsoft.com/wiki/contents/articles/28433.how-to-use-powershell-to-trigger-a-full-password-sync-in-azure-ad-sync.aspx

but still it says password writeback is enabled on that connector.

Any ideas on how to turn it off? I suspect that's why the password sync is not working.

How to get the group information of a user in SAML token


I have a setup with Azure as IDP and Weblogic as SP. 
I am able to get the user information in the SAML token and SSO is successful. However, I am not able to get the group this user belongs to (as a SAML attribute) in token.

Looks like "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" is a restricted claim : 

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization 

So how do I get the group information of a user in SAML token?

AD Application was not found in the AD B2C directory


Hello,

I was following this tutorial docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers but when I go to test it I get the following message:

Application with identifier 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' was not found in the directory 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

where xxxx... is the "Azure Active Directory application" I created in my default subscription directory where I have my Azure AD

and yyyy... is the directory I created for my AD B2C tenant

The tutorial doesn't mention anything about permissions and I created everything using the MS account that is the admin for all of my azure accounts.  I am not really sure how to resolve this issue, can someone point me in the right direction? 


get-azureaduser or get-msoluser - unable to query msExchHideFromAddressLists


We are in Exchange Hybrid mode. I have a need to query the property msExchHideFromAddressLists using get-msoluser or get-azureaduser. I checked Azure AD Connect and the property is set up to sync. If I hide the mailbox in the on-premises Exchange tool, the mailbox gets hidden online.

Neither of these commands bring back a result;

get-msoluser -userprincipalname user.name@mycomany.com | Select msexchhidefromaddresslists

get-azureaduser -objectID user.name@mycomany.com | select DisplayName, msexchhidefromaddresslists

I am able to see the mailbox is hidden using;

get-mailbox -identity user.name@mycompany.com | Select HiddenFromAddressListsEnabled


 

 

AD Connect Multiple Forest SSO


Trying to figure out how to deploy SSO into a web application for the following scenario.

Domain A (contoso.local): Syncing identities to Azure via adconnect and leveraging pass-through authentication for various applications.

Domain B (contoso.dom): Hosts web application that I want users from domain A to be able to SSO into. The web application is published using azure app proxy.

-Users have identities in both domains (ie testuser@contoso.local & testuser@contoso.dom) 

-Web Application supports IWA

Looking for guidance around the identity portion specifically. IE How to tie in both identities into the sole AzureAD instance? What impact if any will this have on PSA in Domain A? Is a Domain Trust required at all?  

 

Azure AD Identity Protection


I am trying to "onboard" Azure AD Identity Protection. 

I invoked the Azure AD P2 trial and assigned the licence to my user account. When I look in O365 as well as Azure, it shows the license to be active on my account.

While being in Azure, I am trying to onboard Azure AD IP, but I receive a msg "You need an Azure AD Premium2 license to use Azure AD Identity Protection. Click here to learn more." It is behaving like I do not have an Azure P2 license but I do. I logged out, logged back on, no change.

Any advice?

Azure AD Connect Health Sync Insights Service service terminating frequently !


We are using Azure AD Connect version 1.2.70.0. Recently we had noticed that Azure AD Connect Health Sync Insights Service is getting terminated frequently since the memory utilization exceeds configured value. Event viewer alert as shown below

"Description: The application requested process termination through System.Environment.FailFast(string message). 
Message: The agent shutdown because the Health module detected that its memory utilization (Private Bytes) is 426.1640625, which is above our configured Threshold of 409.5 MB. MachinePhysicalMemory: 4095, MaxMemoryUsageRatio: 0.1"

The available physical memory is 4 GB. As per the configuration file on the location "C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Insights" the <add key="MaxPercentageMemoryUsage" value="10"/>. It seems to be configured as 10 % of 4 GB. Is it safe to increase this value ? Are there any conditions we have to keep in mind?

Regards,

Anish


Anish Sam Johnes


MFA external accounts for Azure

I'm looking to set up MFA for external accounts that are granted access to my organization's Teams channel.  Is this a possibility?

Remove Additional Security Verification when joining Azure AD


I have MFA disabled on AzureAD and on o365 portal for any users.   However when user joins PC to AzureAD it asks for Additional Security Verification

Any suggestions how to turn this off for newly joined PCs to Azure AD?


Eimis

Users may register their devices in Azure AD is greyed out - WHY?


I am struggling to register devices to Azure AD through Windows 10 Pro. When trying to access the work/school sign-on option I get a 'something went wrong error 80072ee2'. Please help...
