Channel: Azure Active Directory forum

Protect Azure AD with a Firewall


Very new to Azure AD and a very basic question, I am sure. But after 2 hours of calling various MS teams and losing the will to live, I am still no closer to an answer.

Does anyone know: is it possible to restrict traffic to and from an Azure AD instance using an Azure app firewall, e.g. Check Point CloudGuard?


Many thanks!


Releasing Package from azure dev ops to LCS Project


Hi,

I have tried to deploy the package using a release pipeline and it gives me the following error.

Error in the release pipeline step uploading package to LCS projects library

2019-04-15T06:58:04.9203959Z Uploading 'D:\a\r1\a\Unified Operations platform - Build Main\Packages\AXDeployableRuntime_7.0.5179.35390_2019.4.10.3.zip' as '10' to asset library of project '1350888'
2019-04-15T06:58:04.9252084Z Authenticating with AAD on https://login.microsoftonline.com/common/oauth2 for API https://lcsapi.lcs.dynamics.com
2019-04-15T06:58:06.3074780Z ##[error]Exception calling "AcquireToken" with "3" argument(s): "unknown_user_type: Unknown User Type"

B2C instance registered to different apps with different policies


Hi all, I hope this is the right forum for the topic... I'm wondering if this design is possible.

We have 1 B2C service with many app registrations requiring a standard username and password. We have another app that we want to register and use the same identity, but for this one we need MFA.

So if a user is already logged in through one app, then they can open another app and be already logged in. But if they come to this new app that needs MFA, then they get a redirect to the MFA login screen.

Vice versa, if they already have a logon asserted with MFA, then they should be able to navigate to all other apps that need the same level of MFA or lower without the need to authenticate again. 

Is this scenario possible? And any documentation that supports it? 

Active Directory doesn't redirect after successful login.


Hi everybody, can someone help me solve this exception?

The exception shows only on some computers in the QA environment. After a successful login, the page doesn't redirect to my main page; if I change the URI manually, the user is successfully logged in.

This is my configuration in appsettings.json; in the Azure portal I have registered the callback path.

  "AzureAd": {
    "Authority": "https://login.microsoftonline.com/xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx",
    "ClientId": "xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx",
    "ClientSecret": "xxxxxxxx",
    "CallbackPath": "/signedon"
  }

The exception:

Exception: Correlation failed.
Unknown location

Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()


Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Builder.Extensions.MapWhenMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)



Block access for Guest Users to Read Groups on https://account.activedirectory.windowsazure.com


Hi everyone,

Due to company policy, external users shouldn't be able to read AAD groups. I am not able to find a way to block access to the following page for guest users or normal users: https://account.activedirectory.windowsazure.com/r#/groups

How can I block this? I followed the steps below:

  • Go to: https://account.activedirectory.windowsazure.com
  • Click on 'Groups'
  • And you are on the page

Thank you in advance for any tips

AAD Connect installation error: "The Registry Key SetupFiles was not found."


I keep getting "The Registry Key SetupFiles was not found." when I try installing Azure Active Directory Connect on a 2012 R2 server. Anyone have any ideas?

Here is the error log:

at Microsoft.Online.Deployment.PowerShell.LocalPowerShell.Invoke()
at Microsoft.Online.Deployment.PowerShell.PowerShellHelper.InvokeCommand(IPowerShell powerShell, Command command)
at Microsoft.Online.Deployment.PowerShell.PowerShellHelper.GetRegistryValue(IPowerShell powerShell, String keyPath, String valueName, Object& data)
[08:06:19.349] [ 1] [ERROR] Caught an exception while creating the initial page set on the root page.
Exception Data (Raw): System.Exception: The Registry Key SetupFiles was not found.
at Microsoft.Online.Deployment.Types.Providers.EnvironmentProvider.GetSetupFilesPath()
at Microsoft.Online.Deployment.Types.SoftwareComponents.AzureADSyncEngineComponent.InitializeMinimumVersion()
at Microsoft.Online.Deployment.Types.SoftwareComponents.AzureADSyncEngineComponent.CheckInstallationState(IEnumerable`1 installedPackages)
at Microsoft.Online.Deployment.Framework.SoftwareComponents.DependentSoftwareProduct.CheckInstallationState()
at System.Collections.Generic.List`1.ForEach(Action`1 action)
at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.DetectInstalledComponents.Execute(String& message, GlobalContext globalWizardContext, Boolean& isPasswordSyncSupported)
at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.RootPageViewModel.GetInitialPagesCore()
at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.RootPageViewModel.GetInitialPages()

Want to restrict users from accessing Storage account - Create an RBAC role to deny Access to Storage Accounts

We have a few storage accounts in the subscription and want to restrict access to only a few users and an application.

So, other than the subscription owners and a backup application, "Commvault", which has an app ID, no one should have access to these storage accounts. Initially all the users were given access at the subscription level, and access to the storage accounts is inherited by default. We have tried the following:

1. Created an AD group, added all the users and applications that we did not want to have access to the storage accounts, and then applied the following custom role to it:

  {
    "Name": "Custom - Microsoft.Storage.DenyAccess",
    "Id": "",
    "IsCustom": true,
    "Description": "Deny permissions to Commvault Storage Accounts v20190409.",
    "Actions": [
      "*"
    ],
    "NotActions": [
      "Microsoft.Storage/*/Read",
      "Microsoft.Storage/*/Write",
      "Microsoft.Storage/*/Delete"
    ],
    "NotDataActions": [
      "Microsoft.Storage/*/Read",
      "Microsoft.Storage/*/Write",
      "Microsoft.Storage/*/Delete"
    ],
    "AssignableScopes": [
      "/subscriptions/<sub-id>"
    ]
  }

Logically this should work but it doesn't. Kindly suggest what we can do to achieve the above requirements. 
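Why the custom role above has no effect, with an added example that is not from the post or from Microsoft: Azure RBAC is purely additive. NotActions only subtract from the Actions of the same role definition; they are not a deny. If the group already holds Contributor (or Owner) at the subscription, that assignment still grants Microsoft.Storage/* and the custom role neither adds nor removes anything. The only subtractive construct is a deny assignment, which cannot be authored directly in the portal (at the time of the post, deny assignments were created only by Azure Blueprints). The practical fix is to stop assigning roles at subscription scope: grant roles at the resource groups that do not hold the storage accounts, and give only the Commvault service principal and the few named users a role on the storage resource group. The Python below models the evaluation with constructed role definitions (Contributor's NotActions are abbreviated) and a hypothetical deny assignment; the operation and role strings are standard Azure names, the scenario itself is constructed.

```python
"""Model of how Azure RBAC combines role assignments (added example, not Azure code).

A principal may perform an operation if ANY of its role assignments grants it
(the role's Actions minus that same role's NotActions).  NotActions never block
permissions coming from another assignment; only a deny assignment subtracts.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List


def operation_matches(pattern: str, operation: str) -> bool:
    """Azure operation strings are case-insensitive and '*' matches any substring,
    including '/', so 'Microsoft.Storage/*/read' also covers
    'Microsoft.Storage/storageAccounts/blobServices/containers/read'."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)

    def grants(self, operation: str) -> bool:
        # NotActions subtract only from this definition's own Actions.
        allowed = any(operation_matches(a, operation) for a in self.actions)
        excluded = any(operation_matches(n, operation) for n in self.not_actions)
        return allowed and not excluded


@dataclass
class DenyAssignment:
    """Simplified deny assignment (real ones also carry DataActions, a scope and
    excluded principals; those are left out of this model)."""
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)

    def denies(self, operation: str) -> bool:
        matched = any(operation_matches(a, operation) for a in self.actions)
        excluded = any(operation_matches(n, operation) for n in self.not_actions)
        return matched and not excluded


def is_allowed(operation: str, assignments: Iterable[RoleDefinition],
               deny_assignments: Iterable[DenyAssignment] = ()) -> bool:
    """Effective decision for one principal: union of all grants, then denies win."""
    if any(d.denies(operation) for d in deny_assignments):
        return False
    return any(r.grants(operation) for r in assignments)


# Constructed scenario mirroring the post.
# Built-in Contributor, NotActions abbreviated to the Authorization entries.
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=["*"],
    not_actions=["Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/elevateAccess/Action"],
)

# The custom role from the post (control-plane part only).
STORAGE_DENY_ROLE = RoleDefinition(
    "Custom - Microsoft.Storage.DenyAccess",
    actions=["*"],
    not_actions=["Microsoft.Storage/*/Read",
                 "Microsoft.Storage/*/Write",
                 "Microsoft.Storage/*/Delete"],
)

# What actually subtracts: a hypothetical deny assignment on the storage provider.
STORAGE_DENY_ASSIGNMENT = DenyAssignment(actions=["Microsoft.Storage/*"])

READ_ACCOUNT = "Microsoft.Storage/storageAccounts/read"
READ_VM = "Microsoft.Compute/virtualMachines/read"


def scenario() -> dict:
    """Four decisions for the same principal; the second one is the post's situation."""
    return {
        "custom_role_alone": is_allowed(READ_ACCOUNT, [STORAGE_DENY_ROLE]),
        "contributor_plus_custom_role": is_allowed(READ_ACCOUNT, [CONTRIBUTOR, STORAGE_DENY_ROLE]),
        "with_deny_assignment": is_allowed(READ_ACCOUNT, [CONTRIBUTOR, STORAGE_DENY_ROLE],
                                           [STORAGE_DENY_ASSIGNMENT]),
        "deny_assignment_leaves_compute": is_allowed(READ_VM, [CONTRIBUTOR], [STORAGE_DENY_ASSIGNMENT]),
    }


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The second decision is the one the post is hitting: the custom role is evaluated, grants nothing for storage, and the subscription-level Contributor grants it anyway. Only the deny assignment (third decision) takes the permission away, and it does so without touching compute (fourth decision).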

Login to a SAML-auth-based website through a script: getting an error message


I'm getting the following error when sending a POST request to https://login.microsoftonline.com/common/instrumentation/dssostatus. I have correctly set the header content from what I got in the previous GET request:

'hpgrequestid'
'Origin'
'User-Agent'
'client-request-id'
'canary'
'Content-type'
'hpgid'
'Accept'
'hpgact'

{"error":{"code":6000,"correlationId":"24231c9a-7388-479c-9554-a57eb7740c09","timestamp":"2019-04-16 12:44:27Z","isFatal":true,"message":"AADSTS1659001"}}

Please help me figure out the solution.


Issue with ADSync between on-premises AD and Azure AD - sync creating new users instead of merging them


Hi,

I have an on-premises AD with a .local domain, and on Azure I have the .org domain. For each user we created in the local AD and in Azure we kept the same username for future synchronization. Before the ADSync installation I ran IdFix and changed the UserPrincipalName from %username%@domain.local to %username%@domain.org for the soft sync. I also added on the local AD the ProxyAddresses I have in Azure (SMTP, smtp, etc.), and on the users I tried I also filled the email field with the principal email address because our ticketing system requires that information to import the users.

I installed ADSync without issues and set up the sync for only one OU just for testing. I added two users to the OU and the synchronization tried to create new users on Azure like %username%7455@domain.onmicrosoft.com, and I got event ID 6941 in the event viewer.

ECMA2 MA export run caused an error.
 
DN: CN={457B3A2B536A744F2B6B6D617663334F6B554A44368714B}
Error Name: AttributeValueMustBeUnique
Error Detail: Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:%username%@domain.org,smtp:x@domain.org;].  Correct or remove the duplicate values in your local directory.  Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
Tracking Id: 76a91ee6-fa7f-43d6-b39f-98f278e7f28b

I already tried removing the ProxyAddresses; I have the UserPrincipalName on the local AD the same as the user in Azure. I checked documents and notes and I don't know what could have happened. Could it be something I'm missing to do with the .local domain?

Thanks in advance.

Juan Pablo Barahona


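An added example, not the poster's data and not a Microsoft tool, of the pre-sync check that catches the error class in the post: Azure AD rejects an export with AttributeValueMustBeUnique when an SMTP proxy address or UserPrincipalName is already held by another object, comparing the address part case-insensitively regardless of the SMTP:/smtp: prefix, and a UPN whose suffix is not a verified domain in the tenant is replaced with the tenant's .onmicrosoft.com domain on the cloud object. The Python below runs those checks over a constructed on-premises export (three hypothetical users in the OU selected for sync and a hypothetical verified-domain list); in practice the records would come from Get-ADUser -Properties proxyAddresses,userPrincipalName on the OU being synced.

```python
"""Pre-sync uniqueness check for the attributes Azure AD requires to be unique
(added example; records below are constructed, not the poster's data)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed on-premises export: three hypothetical users in the OU selected for sync.
ONPREM_USERS = [
    {"dn": "CN=jdoe,OU=Sync,DC=domain,DC=local",
     "userPrincipalName": "jdoe@domain.org",
     "proxyAddresses": ["SMTP:jdoe@domain.org", "smtp:x@domain.org",
                        "X500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=jdoe"]},
    {"dn": "CN=shared,OU=Sync,DC=domain,DC=local",
     "userPrincipalName": "shared@domain.org",
     "proxyAddresses": ["SMTP:X@domain.org"]},            # same address as jdoe's alias, different case
    {"dn": "CN=asmith,OU=Sync,DC=domain,DC=local",
     "userPrincipalName": "asmith@domain.local",           # suffix IdFix should have rewritten
     "proxyAddresses": ["SMTP:asmith@domain.org", "SMTP:a.smith@domain.org"]},  # two primaries
]
# Hypothetical list of domains verified in the tenant.
VERIFIED_DOMAINS = {"domain.org", "contoso.onmicrosoft.com"}


def parse_proxy_address(value: str) -> Tuple[str, bool, str]:
    """Return (kind, is_primary, address) for one proxyAddresses entry.
    An upper-case 'SMTP:' prefix marks the primary address; the address part
    is compared case-insensitively, so 'smtp:X@domain.org' and
    'SMTP:x@domain.org' collide."""
    prefix, sep, address = value.partition(":")
    if not sep:                                    # bare address with no prefix
        return "SMTP", False, value.strip().lower()
    return prefix.upper(), prefix == "SMTP", address.strip().lower()


def find_sync_conflicts(users: Iterable[dict], verified_domains: Iterable[str]) -> Dict[str, object]:
    """Report the conditions that make Azure AD Connect export fail or rename the UPN."""
    verified = {d.lower() for d in verified_domains}
    address_owners: Dict[str, List[str]] = defaultdict(list)
    upn_owners: Dict[str, List[str]] = defaultdict(list)
    multiple_primary: List[str] = []
    unverified_suffix: List[str] = []

    for user in users:
        dn = user["dn"]
        upn = user["userPrincipalName"].lower()
        upn_owners[upn].append(dn)
        if upn.rsplit("@", 1)[-1] not in verified:
            unverified_suffix.append(dn)           # would land on <tenant>.onmicrosoft.com

        primaries = 0
        for raw in user.get("proxyAddresses", []):
            kind, is_primary, address = parse_proxy_address(raw)
            if kind != "SMTP":
                continue                           # X500/SIP entries are not mail addresses
            primaries += int(is_primary)
            if dn not in address_owners[address]:
                address_owners[address].append(dn)
        if primaries > 1:
            multiple_primary.append(dn)            # only one 'SMTP:' entry is valid per object

    return {
        "duplicate_addresses": {a: o for a, o in address_owners.items() if len(o) > 1},
        "duplicate_upn": {u: o for u, o in upn_owners.items() if len(o) > 1},
        "multiple_primary_smtp": multiple_primary,
        "unverified_upn_suffix": unverified_suffix,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(find_sync_conflicts(ONPREM_USERS, VERIFIED_DOMAINS), indent=2))
```

On the constructed data the report names the two objects sharing x@domain.org (the shape of the error in the post), the object with two primary SMTP addresses, and the object whose UPN suffix is not verified and would therefore be created under the .onmicrosoft.com domain instead of soft-matching the existing cloud user.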

Problem with 'Reply URL (Assertion Consumer Service URL)' parameter in SAML SSO configurations!


Here is an interesting case. First of all, it seems that the restriction for this field that says the URL should start with "https" only is redundant, because the SAML protocol does not require this. Secondly, you can(!) set a URL with an "http" prefix if you push the save button before the error under the text field appears. More than that, you can even set "ht", which is obviously incorrect.



Azure Domain with O365 E3


Hi,

We have a 365 E3 subscription and an Azure subscription. In our 365 we have a custom domain (say mycustomdomain.com).

Now we would like to join servers (Azure VMs) to our custom 365 domain (like server01.mycustomdomain.com) and use the domain services from within those servers.

We have one custom domain within our 365 subscription controlled by our provider's name servers and one custom domain controlled by MS name servers.

Questions:

  1. Can we use one of the two custom domains? And if yes, which one is best?
  2. Do we have to pay extra for activating domain services (as in creating a new Azure AD Domain Services resource)? If yes, is it not included in the E3 subscription?
  3. If we cannot use the default or any custom domain currently existing in 365, can users still log on to the joined servers with user@defaultdomain.com?

I have tried to get answers from the documentation but I got lost. I hope someone can point me in the right direction.

thanks very much

Paul.


Azure AD Sync install - Service won't start


Hi All,

I am attempting to install Azure AD Sync but I'm getting errors in the event log during install regarding the "ADSync Bootstrap" service.  In the end, the error message displayed on the install wizard GUI says "Unable to install the Synchronization Service.  Please see the event log..."

I see this in the event logs

Service cannot be started. System.ServiceModel.CommunicationObjectFaultedException: The communication object, System.ServiceModel.ServiceHost, cannot be used for communication because it is in the Faulted state.
   at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
   at Microsoft.Azure.ActiveDirectory.ADSyncBootstrap.ADSyncBootstrap.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

I have AD Connect installed on a different server, I'm moving it to a new server with the intent of retiring the current server.  But, I can't get it running on the new server.

Any advice would be greatly appreciated.

Error 906 "ADSync Bootstrap Service Failed to Start"


My apologies if this has been answered previously. I am attempting to install Azure Active Directory Connect on my stand-alone DC for the sole purpose of simplifying password management with Office 365. I have followed the prerequisites guide, and have installed and completed the Office 365 IdFix tool. I am installing this on a non-routable domain; however, I have performed the requisite steps so that my users resolve to a routable suffix.

When I go through the AAD Connect wizard, the required component installation fails every time with the message "Unable to install the Synchronization Service". Looking at the trace log, I see "Error 906 ADSync Bootstrap Service Failed to Start". I have tried to uninstall AD Sync, which required manually removing the AD Sync service in the registry. Installation failed with the same message.

Here is the relevant log entry from my latest attempt.  Any help would be greatly appreciated!

[13:20:43.752] [  4] [INFO ] Starting Sync Engine installation
[13:20:51.174] [  4] [INFO ] ServiceControllerProvider: service ADSync exists
[13:20:51.177] [  4] [INFO ] ServiceControllerProvider: processing StopService request for: ADSync
[13:20:51.178] [  4] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[13:20:51.178] [  4] [INFO ] ServiceControllerProvider: StopService status: Stopped
[13:20:51.179] [  4] [INFO ] ServiceControllerProvider:DeleteService - serviceName:ADSync
[13:20:56.197] [  4] [INFO ] ServiceControllerProvider:CreateService - serviceName:ADSync, username:MPMI\AAD_bd95d0763fac, assemblyPath:C:\Program Files\Microsoft Azure Active Directory Connect\ADSyncBootstrap.exe
[13:20:56.218] [  4] [INFO ] ServiceControllerProvider: Processing StartService request for: ADSync
[13:20:56.218] [  4] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[13:20:56.218] [  4] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[13:21:16.421] [  4] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (1).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[13:21:16.424] [  4] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[13:21:16.424] [  4] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[13:21:36.548] [  4] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (2).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[13:21:36.549] [  4] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[13:21:36.549] [  4] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[13:21:56.671] [  4] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (3).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[13:21:56.672] [  4] [ERROR] ServiceControllerProvider: StartService unable to start service (ADSync).
[13:22:03.562] [ 15] [INFO ] Starting Telemetry Send
[13:22:03.566] [  4] [ERROR] InstallSyncEnginePageViewModel: Error occurred while installing sync engine.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.InvalidOperationException: ADSync Bootstrap Service failed to Start
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.CreateAndStartBootstrapService(SyncServiceAccount syncServiceAccount)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.InstallSyncEnginePageViewModel.StartNewInstallation(Boolean skipSyncEngineInstall)

How to authenticate a web application using federated identity with multiple identity providers such as Google, Twitter and Facebook at the same time


Hi team,

I am able to authenticate my application using Twitter. However, I want my application to be authenticated by Twitter and Facebook identities as well. The current authentication settings allow selecting only one identity provider at a time.

Please guide/help me overcome this challenge.

Regards,

Snehal. 

B2C with google - error redirect uri mismatch


Hi there,

Hopefully this is the correct forum to post this in. If not, please move it to the correct one.

I am trying to get B2C working with Google authentication; I keep getting a "400: Error redirect_uri_mismatch" error after the "Login with Google" button has been pressed on the "sign in with your social account" page.

This happens both in my Xamarin Forms app (Android, not bothering with iOS yet) and in the "Run user flow" of Azure B2C.

Can someone point me in a useful direction to assist me with correctly setting things up?

FWIW, I'm using Firebase, not Google's developer console.

Thank you

Bryce




How to control token lifetime by client app instead of resource?


I am building a SPA application that calls multiple resources using Azure AD.

I reached the following documentation to have an application calling multiple resources:

https://docs.microsoft.com/en-us/previous-versions/azure/dn645538(v=azure.100)

I am using an authorization code with PKCE to get the initial token and then using the refresh token to get the other ones.

The main problem is that I am not comfortable storing a long-lived refresh_token in a SPA application. Although I can use the refresh_token to get the tokens that I want and then discard it, I think it is a bad governance decision to leave this responsibility to the SPA application.

So I looked for ways of customizing the token lifetime, and reached:

https://docs.microsoft.com/en-US/azure/active-directory/develop/active-directory-configurable-token-lifetimes

The problem here is that the configuration is per resource and not per client application.

Imagine that I have one SPA, one confidential client and distinct resources that both will access.

It makes sense to me that the tokens given to client1 should expire more frequently than the tokens given to client2. The documentation listed says how to do that at the resource level, independently of the client.

If anyone can help with the following questions I will be glad:

Is there a way of doing that at the client application level?

Is it possible to prevent refresh_tokens from generating new refresh_tokens?

In some pages of the token lifetime configuration documentation there is a warning saying that it is about to change. Is there a date? Are there any preview or release notes to see what will change?

Difference between Azure AD SSO logout URLs


I learned that SSO logout can be done using either of the URLs below:

https://login.windows.net/common/oauth2/logout?post_logout_redirect_uri=<<Application Reply URL>>

https://login.windows.net/<<Tenant ID>>/oauth2/logout?post_logout_redirect_uri=<<Application Reply URL>>

But the question is: what is the core difference between the two URLs, if any?

Thanks

Siva Pokuri.

Application Proxy Hostnames are Not Guaranteed to be Unique


When using a custom domain with Azure AD Application Proxy (e.g. "example.com"), the hostnames that Azure AD generates for each application are based on a combination of the subdomain for the application and the Azure AD tenant name, but do not include the custom domain. This means it's possible for two Azure AD Application Proxy configurations to have the same CNAME with different external URLs.

For example, let's say my Azure AD tenant is registered for "contoso.com", and I have two applications using Azure AD proxy:

  • www.example.com
  • www.sample.com

So, example.com and sample.com are both custom domains registered in my "contoso.com" Azure AD tenant.

Despite this, Azure AD Application Proxy will indicate that I need to create the following CNAME records:

  • "www.example.com" that points to "www-contoso.msappproxy.net".
  • "www.sample.com" that points to "www-contoso.msappproxy.net".

This means that both applications have CNAMEs that point to the same application proxy subdomain and domain, which does not seem correct.

I would think that the way to resolve this is to include the application name or custom domain as a component of the hostname that application proxy generates. So, for example:

  • "www.example.com" that points to "www-example-contoso.msappproxy.net".
  • "www.sample.com" that points to "www-sample-contoso.msappproxy.net".

Cannot Use "dev" in Subdomains for Custom Domain with Azure AD Application Proxy


Any time I try to create an application proxy configuration with a subdomain of "dev" (so that, for example, the full domain is "dev.example.com"), I cannot save the Azure AD Application Proxy configuration. I can use variants like "www-dev" (e.g. "www-dev.example.com"), but we need the subdomain to match what we're using internally ("dev.example.com").

We need to expose our dev, test, and live environments for this particular application and want to use Azure AD pre-authentication for it. Hence, we need "dev", "test", and "www" subdomains. Ideally, the live subdomain would be the apex domain (i.e. just "example.com"), but it also appears that Application Proxy does not work with a blank subdomain.

Can anyone explain what the business rule is for why we can't use "dev" or a blank subdomain?

SSO support for an application


Hi,

I have created an application in Azure active directory under Enterprise applications->App you are developing->App Registrations

I have integrated my application with Azure AD authentication, but how do I add single sign-on capability to my application? I don't see any option to add that capability from the Azure portal.

I see that we can add the SSO option for apps which are registered as non-gallery applications, but I would like to know how we choose which application type and, if so, how we configure SSO for the application.
