Channel: Azure Active Directory forum

Convert-MsolDomainToFederated : Service not available


I currently have a domain in Azure AD that is:

  • synchronized with an on-premises AD through AAD Connect
  • enabled with password hash synchronization (PHS), and
  • using managed authentication

I want to switch this domain from using managed authentication to using federated authentication. After properly running Connect-MsolService and Set-MsolAdfsContext, I try to run the PowerShell cmdlet Convert-MsolDomainToFederated -Domain $myDomain. However, I get a very nondescriptive error message: "Service not available." Screenshot:

https://i.imgur.com/nOgsAYK.png

From the perspective of the Microsoft 365 Admin portal, this domain looks set up successfully:

https://i.imgur.com/A3jCOtZ.png

Any idea of what might be going on?



Can't delete never used directories


I am trying to clean up our Azure subscription in preparation for a new project. I am the global administrator for the subscription.

In the past a couple of directories were created and never used. I have tried to delete them and am unable to do so. In both cases I get a message that I should delete all app registrations, even though there are no app registrations associated with either directory:

Does anyone know what I am doing wrong?

Thanks in advance,

Rob

Install Azure AD Connect Error: ADSyncBootstrap Error: 906


Hello

I tried to install the Azure AD Connect Server (1.3.20.0) on a Server 2016 Standard with a running AD DS, and I got the following error: Unable to install the Synchronization Service. ADSync Bootstrap Service failed to start. Please see the event log...

log:

[15:29:09.025] [  7] [ERROR] ServiceControllerProvider: StartService unable to start service (ADSync). The system event log may contain more details for this issue.
[15:29:09.062] [  7] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  ADSync Bootstrap Service failed to Start  Please see the event log for additional details. ---> System.InvalidOperationException: ADSync Bootstrap Service failed to Start
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.CreateAndStartBootstrapService(SyncServiceAccount syncServiceAccount)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)

and the ADSyncBootstrap log:

ADSyncBootstrap Information: 904 : [13:28:49.037]In OnStart.
ADSyncBootstrap Error: 906 : [13:28:49.089]Exception occurred during OnStart: Cannot listen on pipe name 'net.pipe://localhost/' because another pipe endpoint is already listening on that name.

Can someone help me? 

kind regards

Endurance
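The bootstrap error above says the name `net.pipe://localhost/` is already taken. The added PowerShell below (not part of the original post) checks for the usual owner of that endpoint, the WCF "Net.Pipe Listener Adapter" service that comes with the Named Pipe Activation feature, pulls the related Application-log entries, and removes the conflict. The feature and service names are the standard Windows ones; the assumption is that nothing else on this server relies on named-pipe activation.

```powershell
# Added example (not from the original post): locate and clear the owner of
# net.pipe://localhost/ before re-running the Azure AD Connect installer.
# Assumption: no other workload on this box needs WCF named-pipe activation.

# 1. Is the WCF named-pipe activation feature / listener service present?
$feature = Get-WindowsFeature -Name 'NET-WCF-Pipe-Activation45'
$svc     = Get-Service -Name 'NetPipeActivator' -ErrorAction SilentlyContinue
$feature | Select-Object Name, DisplayName, InstallState
$svc     | Select-Object Name, DisplayName, Status, StartType

# 2. Show what the ADSync bootstrap and installer logged in the last 24 h.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Message -match 'net\.pipe|ADSync' } |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List

# 3. Remediate: remove the feature if it is installed, otherwise just make
#    sure the listener adapter cannot come back on the next boot.
if ($feature.Installed) {
    Uninstall-WindowsFeature -Name 'NET-WCF-Pipe-Activation45'
}
elseif ($svc) {
    Stop-Service -Name 'NetPipeActivator' -ErrorAction SilentlyContinue
    Set-Service  -Name 'NetPipeActivator' -StartupType Disabled
}

# 4. Confirm nothing is listening on the name any more, then retry setup.
Get-Service -Name 'NetPipeActivator' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Uninstalling the feature may ask for a restart; do that before launching the installer again. If neither the feature nor the service is present, step 2 is where to look: whatever logged the conflict is usually a leftover from a previous, partially removed ADSync installation.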

How to verify Password Sync


I have enabled Password Synchronization from Azure AD Connect to be used when ADFS is unavailable since the domain is federated. Recently I had a situation when this was necessary and I converted the domain to Standard using:

Set-MsolDomainAuthentication -DomainName {domain} -Authentication Managed

However, no user could sign in, the password was not accepted. So, how can I be sure that the passwords are indeed synced? In the Admin portal I see the following:

There is no status after Password sync:. So, how can I be sure that the next time I need to switch it will work?
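Before relying on password hash sync as the ADFS fallback, it is worth verifying it end to end rather than trusting the portal tile. The added PowerShell below (not from the original post) does that in two parts: on the Azure AD Connect server it confirms that PHS is enabled on the on-premises connector and that a specific object's hash has actually been pushed, and from the tenant side it reads the last sync timestamps and the domain's current authentication type. The connector name is discovered from the installed connectors; the domain, DN and UPN are placeholders (assumptions).

```powershell
# Added example (not from the original post): verify password hash sync
# before converting a federated domain to Managed. Part 1 runs on the Azure
# AD Connect server, part 2 anywhere the MSOnline module is installed.
# 'contoso.com', the sample DN and UPN are placeholders (assumptions).

# --- Part 1: on the Azure AD Connect server ---
Import-Module ADSync
Import-Module "$env:ProgramFiles\Microsoft Azure AD Sync\Bin\ADSyncDiagnostics\ADSyncDiagnostics.psm1"

# Name of the on-premises AD connector (there may be several in multi-forest setups).
$adConnector = (Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }).Name

# Is PHS enabled for that connector, and is the scheduler actually running?
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC

# Global health check: connectivity, PHS state in the cloud, last heartbeat.
Invoke-ADSyncDiagnostics -PasswordSync

# Per-object check: was this user's hash synced, and if not, why?
Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName $adConnector `
    -DistinguishedName 'CN=Jane Doe,OU=Users,DC=contoso,DC=local'

# --- Part 2: from the tenant side (MSOnline module) ---
Connect-MsolService

# Tenant-wide timestamps: LastPasswordSyncTime should be recent (minutes),
# not stuck at the time PHS was first switched on.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                  PasswordSynchronizationEnabled, LastPasswordSyncTime

# Which authority is currently answering for the domain: Managed or Federated.
Get-MsolDomain -DomainName 'contoso.com' | Select-Object Name, Authentication

# Per-user: the cloud's view of when this user's password last changed. If it
# predates the user's last on-premises change, the hash has not arrived.
Get-MsolUser -UserPrincipalName 'jane.doe@contoso.com' |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp, LastDirSyncTime
```

If the per-object check reports that hashes were never synced for existing users, the documented way to push them all again is to disable and re-enable PHS on the connector with Set-ADSyncAADPasswordSyncConfiguration (a full password sync follows). Do the check while the domain is still federated; once it is converted to Managed the tenant is the only authority for those users, and any gap shows up exactly as "password not accepted".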

Workday SSO with Azure AD: Mobile App Login Redirect URL and Timeout Redirect URL?


I am trying to configure Workday to use Azure AD for Single Sign-On (SSO). I am following Microsoft guidance:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/workday-tutorial

There are two settings on Workday that are not documented, and I would like some guidance on them: Mobile App Login Redirect URL and Timeout Redirect URL.

Currently, my Login Redirect URL is set to https://impl.workday.com/<workdayTenantName>/login-saml2.html. This works just fine. However, when I try to set the Mobile App Login Redirect URL to the same value, I get an error of "Invalid user name or password". Why is this error happening? Should the Mobile App Login Redirect URL be different from the regular Login Redirect URL? And if so, what should the Mobile App Login Redirect URL be?

Also, for testing purposes, I have tried setting our Timeout Redirect URL to both our Login Redirect URL (https://impl.workday.com/<workdayTenantName>/login-saml2.html) and our Logout Redirect URL (https://login.microsoftonline.com/<azureAdTenantId>/saml2). Neither of these values seems to result in a session timeout for a user logged into Workday. What should the Timeout Redirect URL be?

Conditional Access Policy for Hybrid Domain Join


Hi Team,

I have a scenario where we have created a conditional access policy for all cloud apps to a specific group.

Policy Details:

  • Assigned to a Group: XYZ
  • Application triggered: All Cloud applications
  • Grant Access: Require Hybrid Azure AD joined device.

The policy is working as expected; the issue is that a new user needs to register for MFA to log in to his VDI (virtual desktop). Without setting up MFA it won't allow login to the VDI. But the user can't log in from his personal laptop or another device to register for MFA, as per the policy it requires a hybrid Azure AD joined device only.

So is there any way we can allow only the registering of MFA for these users via conditional access policy, keeping hybrid domain join as the primary requirement?

Consider that these users should only access any application inside the company-issued VDI, which acts as a hybrid domain joined device.


Multiple forests with no trust between - sync to single Azure AD tenant


Hi all,

We have a situation where there are multiple on-premises forests without forest trust between them. Then we have one single Azure AD tenant where we would like to sync the users from those multiple forests.

Question is: do we need to set up Azure AD Connect to every one of those on-premises forests or can we use only one Azure AD Connect to achieve this?

Here it says that A) "Multiple forests, multiple sync servers to one Azure AD tenant is not supported" and B) "Multiple forests, separate topologies is supported". What is the real difference between A) and B)? Is there forest trust between the forests in A)? And what does it mean in the option B) that "all on-premises forests are treated as separate entities"? Does it mean there is no trust between the forests?

And what does "all forests must be reachable by a single Azure AD Connect sync server" actually mean in practise?

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies

Our goal is to have every on-premises forest synced into one single Azure AD tenant. Is it really possible when the on-premises forests are totally separated from each other without forest trust between them? The Microsoft documentation is a little bit confusing regarding this kind of scenario...

Thanks for the answers in advance!

Br, Teemu


self service password reset - restrict access

The SSPR Deployment Plan (aka.ms/deploymentplans) has cases for the SSPR portal being accessible from within and outside the corporate network (with options for corporate and personal devices). This suggests conditional access or similar is available for SSPR, but there is no obvious cloud app or setting to configure against.

Can anyone advise if access to SSPR portal (I assume this is the reset at https://aka.ms/sspr) can be restricted e.g. based upon devices, named locations etc.

AuthNRequest signature validation, SAML, Enterprise Applications, Active Directory

Hello, in order to create a new Enterprise app (SSO SAML) in Azure, we are required to populate the Identifier and ACS; we are not required to upload the Service Provider certificate (the one they use to sign the authentication request in SAML).
Just wondering if Azure doesn't validate the AuthnRequest signature.


In that case, if there is a certificate change from the Service Provider, this won't impact my SSO integration, because I don't need to upload a new one if Azure is not validating that. Is this correct?
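The reason the Identifier and the ACS (Reply URL) are mandatory while the SP signing certificate is not is that those two values are what the IdP enforces on every inbound AuthnRequest: the Issuer must match a registered Entity ID, and any AssertionConsumerServiceURL carried in the request must match a registered Reply URL, otherwise the SAML response (and the user's token) could be redirected to an attacker-chosen endpoint. A request signature only adds anything if the IdP is configured to verify it. The added PowerShell below (not from the original post, and not Azure AD's own code) implements exactly those checks against a small registry and reports whether the request was signed without trusting that signature. The registry contents and the sample request are constructed.

```powershell
# Added example (not from the original post): the checks an IdP needs on an
# inbound SAML AuthnRequest when it does not verify the request signature.
# Registry entries and the sample request below are constructed data.

$Registry = @{
    # Identifier (Entity ID)                 -> registered Reply URLs (ACS)
    'https://sp.contoso.com/saml/metadata' = @('https://sp.contoso.com/saml/acs')
}

function Test-AuthnRequest {
    param([string]$Xml, [hashtable]$Registry)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $req = $doc.SelectSingleNode('/samlp:AuthnRequest', $ns)
    if (-not $req) { return [pscustomobject]@{ Ok = $false; Reason = 'not an AuthnRequest' } }

    $issuerNode = $doc.SelectSingleNode('/samlp:AuthnRequest/saml:Issuer', $ns)
    if (-not $issuerNode) { return [pscustomobject]@{ Ok = $false; Reason = 'missing Issuer' } }
    $issuer = $issuerNode.InnerText.Trim()
    if (-not $Registry.ContainsKey($issuer)) {
        return [pscustomobject]@{ Ok = $false; Reason = "unknown Issuer '$issuer'" }
    }

    # The ACS in the request is attacker-controllable unless pinned to a
    # registered value; an unsigned request must never steer the response.
    $acs = $req.GetAttribute('AssertionConsumerServiceURL')
    if ($acs -and ($Registry[$issuer] -notcontains $acs)) {
        return [pscustomobject]@{ Ok = $false; Reason = "ACS '$acs' not registered for '$issuer'" }
    }
    if (-not $acs) { $acs = $Registry[$issuer][0] }   # default: first registered ACS

    # Report presence of a signature, but do not claim it was verified.
    $signed = $null -ne $doc.SelectSingleNode('/samlp:AuthnRequest/ds:Signature', $ns)
    return [pscustomobject]@{
        Ok = $true; Issuer = $issuer; AssertionConsumerServiceURL = $acs
        RequestSigned = $signed; SignatureVerified = $false
    }
}

# Constructed sample: well-formed and unsigned, with an ACS pointing elsewhere.
$sample = @'
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8e8dc5f6" Version="2.0" IssueInstant="2019-05-02T09:20:47Z"
    AssertionConsumerServiceURL="https://evil.example/acs">
  <saml:Issuer>https://sp.contoso.com/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>
'@

Test-AuthnRequest -Xml $sample -Registry $Registry
```

The sample is rejected because of the unregistered ACS, even though its Issuer is known; remove the attribute and it passes with the registered ACS filled in and RequestSigned false. The practical consequence for the question above: rotating the SP's request-signing certificate does not break an integration where the IdP ignores request signatures, but it also means that signature was never protecting anything; the registered Reply URL is the control.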

Wifi - Certificate Based Authentication - Intune


Apologies if I haven't put this in the correct forum category, I was struggling to find a relevant category.

I'm just after a few pointers to get me in the right direction...

I have a number of Windows 10 devices that are auto enrolled utilising Intune. I will have an "Enrollment" SSID that will either be open (restricted) or shared key. This process will also deliver a "WiFi" profile to the devices to provide the permanent SSID detail.

I would like the authentication to be device (certificate) based, I don't want users to be authenticated using user/password. We are using Azure Active Directory (not hybrid).

What are the key steps to achieve this?

Xamarin, Azure B2C, EF


Hi,

My code stopped working on the weekend, there has been no code/config changes.

Xamarin Forms App using Microsoft.Identity.Client 1.1.4-preview0002 for login, Azure Mobile App Service with Entity Framework.

Xamarin Login Code

// MSAL: acquire a token for the B2C sign-up/sign-in policy
AuthenticationResult authenticationResult = await App.PCA.AcquireTokenAsync(Constants.Scopes,
    GetUserByPolicy(App.PCA.Users, Constants.PolicySignUpSignIn), App.UiParent);

accessToken = authenticationResult.IdToken;

// Log in to the mobile services with that token
var payload = new JObject();
payload["access_token"] = accessToken;

var user = await DataManager.DefaultManager.CurrentClient.LoginAsync(
    MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
    payload);


Backend Code for database access

var principal = this.User as ClaimsPrincipal;

string provider = principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

The above backend code now returns null, it was returning the oid of the Azure B2C user that was logged in via the Xamarin Forms app.

Any ideas on how to fix this, I have tried update to Microsoft.Identity.Client Version="2.7.1", with the same result.

Thanks,

J

Who will be announced as the next Azure Active Directory Guru? Read more about May 2019 competition!!


What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in May 2019 and must be in English. However, the original blog or forum content can be from before May 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is add your article to TechNet Wiki in your own specialty category.


How can you win?

  1. Please copy/write over your Microsoft technical solutions and revelations to TechNet Wiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Rajeesh Menoth.

Unable to update extension using REST API


Hi

I am trying to use the REST API to update the extension companyName with a new value but I get an error.

"message": "Extension with given id not found."

I do not really understand the code for this one when I refer to the doc. Please advise.

How to find extension id?

https://graph.microsoft.com/v1.0/me/extensions/{extension-id}

I found a new workaround for this:

PUT https://graph.microsoft.com/v1.0/users/{id}/manager/$ref

but one question: what does $ref mean? What value should I send?
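Two facts resolve most of this: companyName is a first-class property of the Graph user resource, so it can be updated directly without any extension, and for open extensions the {extension-id} in the URL is simply the extensionName chosen when the extension was created, which is why a PATCH against an id that was never created returns "Extension with given id not found". `$ref` is unrelated: it addresses the navigation link itself rather than the object, so `PUT /users/{id}/manager/$ref` changes who the user's manager is and nothing else. The added PowerShell below (not from the original post) shows all three calls; the token, ids and extension name are placeholders (assumptions), the URL shapes and bodies are the documented Microsoft Graph v1.0 ones.

```powershell
# Added example (not from the original post). Token, user id, manager id and
# extension name are placeholders (assumptions). Updating companyName on
# another user needs a token carrying User.ReadWrite.All (or Directory.ReadWrite.All).
$token   = '<access token>'
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$graph   = 'https://graph.microsoft.com/v1.0'
$userId  = '11111111-1111-1111-1111-111111111111'

# 1. companyName is a standard user property: no extension needed at all.
Invoke-RestMethod -Method Patch -Uri "$graph/users/$userId" -Headers $headers `
    -Body (@{ companyName = 'Contoso Ltd' } | ConvertTo-Json)

# 2. If the value really lives in an open extension, discover the ids first.
#    Each 'id' is the extensionName given at creation time.
$ext = (Invoke-RestMethod -Method Get -Uri "$graph/users/$userId/extensions" -Headers $headers).value
$ext | Select-Object id, extensionName

# 3. Create the extension once if it is missing, otherwise PATCH it by name.
$extName = 'com.contoso.hrProfile'
if (-not ($ext | Where-Object id -eq $extName)) {
    $create = @{
        '@odata.type' = 'microsoft.graph.openTypeExtension'
        extensionName = $extName
        companyName   = 'Contoso Ltd'
    }
    Invoke-RestMethod -Method Post -Uri "$graph/users/$userId/extensions" -Headers $headers `
        -Body ($create | ConvertTo-Json)
}
else {
    Invoke-RestMethod -Method Patch -Uri "$graph/users/$userId/extensions/$extName" -Headers $headers `
        -Body (@{ companyName = 'Contoso Ltd' } | ConvertTo-Json)
}

# 4. '$ref' targets the reference (link), not the object. The body is the
#    @odata.id of the object to link to; this PUT sets the user's manager.
$managerId = '22222222-2222-2222-2222-222222222222'
Invoke-RestMethod -Method Put -Uri "$graph/users/$userId/manager/`$ref" -Headers $headers `
    -Body (@{ '@odata.id' = "$graph/users/$managerId" } | ConvertTo-Json)
```

If the original calls were made against /me, the same rules apply, but note that a plain User.ReadWrite token lets a user edit only a limited set of their own profile properties; companyName is not among them, which is a separate reason such a PATCH can fail.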

Policy/rbac overlapping

If I give a user/group read access at MG level but read/write at subscription level, does the user/group then have read or read/write access?
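Azure RBAC is additive: the effective permission at any scope is the union of every role assignment at that scope and at all of its ancestors (management group, subscription, resource group), and only a deny assignment takes rights away; Azure Policy is evaluated separately and can never grant access. So Reader at the management group plus Contributor at the subscription is Contributor in that subscription, and Reader only in sibling subscriptions. The added PowerShell below (not from the original post, and not the Azure RBAC engine) is an offline model of that evaluation that you can run anywhere; the scope hierarchy, roles and action strings are constructed sample data.

```powershell
# Added example (not from the original post): an offline model of Azure RBAC
# evaluation. All scopes, roles, actions and assignments are constructed.

# Parent map: subscriptions hang off a management group, RGs off subscriptions.
$ParentOf = @{
    '/subscriptions/sub-1'                    = '/providers/Microsoft.Management/managementGroups/corp'
    '/subscriptions/sub-2'                    = '/providers/Microsoft.Management/managementGroups/corp'
    '/subscriptions/sub-1/resourceGroups/app' = '/subscriptions/sub-1'
}

function Get-ScopeChain {
    # The scope itself followed by every ancestor up to the root.
    param([string]$Scope, [hashtable]$ParentMap)
    $chain = @()
    while ($Scope) { $chain += $Scope; $Scope = $ParentMap[$Scope] }
    return $chain
}

function Test-ActionMatch {
    # Role actions use '*' wildcards, e.g. '*/read' or 'Microsoft.Compute/*'.
    param([string]$Pattern, [string]$Action)
    $re = '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
    return $Action -match $re
}

function Test-Access {
    param(
        [string]$Scope, [string]$Action,
        [hashtable[]]$RoleAssignments,        # @{ Role=; Scope= }
        [hashtable]$RoleDefinitions,          # Role -> Actions[]
        [hashtable[]]$DenyAssignments = @(),  # @{ Scope=; Actions= }
        [hashtable]$ParentMap = $ParentOf
    )
    $inScope  = Get-ScopeChain -Scope $Scope -ParentMap $ParentMap
    $granting = @()
    foreach ($ra in $RoleAssignments) {
        if ($inScope -notcontains $ra.Scope) { continue }   # assignment is elsewhere
        foreach ($p in $RoleDefinitions[$ra.Role]) {
            if (Test-ActionMatch -Pattern $p -Action $Action) { $granting += "$($ra.Role)@$($ra.Scope)" }
        }
    }
    $denied = $false
    foreach ($d in $DenyAssignments) {
        if (($inScope -contains $d.Scope) -and
            ($d.Actions | Where-Object { Test-ActionMatch -Pattern $_ -Action $Action })) { $denied = $true }
    }
    return [pscustomobject]@{
        Scope = $Scope; Action = $Action
        Allowed = ($granting.Count -gt 0 -and -not $denied)
        GrantedBy = $granting; Denied = $denied
    }
}

$Roles = @{ 'Reader' = @('*/read'); 'Contributor' = @('*') }
$Assignments = @(
    @{ Role = 'Reader';      Scope = '/providers/Microsoft.Management/managementGroups/corp' }
    @{ Role = 'Contributor'; Scope = '/subscriptions/sub-1' }
)
$write = 'Microsoft.Compute/virtualMachines/write'
$read  = 'Microsoft.Compute/virtualMachines/read'

# sub-1 (and its RGs): Reader inherited from the MG plus Contributor -> write allowed.
Test-Access -Scope '/subscriptions/sub-1/resourceGroups/app' -Action $write `
    -RoleAssignments $Assignments -RoleDefinitions $Roles
# sub-2: only the inherited Reader applies -> read yes, write no.
Test-Access -Scope '/subscriptions/sub-2' -Action $read  -RoleAssignments $Assignments -RoleDefinitions $Roles
Test-Access -Scope '/subscriptions/sub-2' -Action $write -RoleAssignments $Assignments -RoleDefinitions $Roles
# A deny assignment is the only thing that takes the subscription-level write away.
Test-Access -Scope '/subscriptions/sub-1' -Action $write -RoleAssignments $Assignments -RoleDefinitions $Roles `
    -DenyAssignments @(@{ Scope = '/subscriptions/sub-1'; Actions = @('*/write') })
```

Against a real tenant the equivalent evidence comes from Get-AzRoleAssignment (with -ExpandPrincipalGroups to include group-derived assignments, and -Scope to see inherited ones) and Get-AzDenyAssignment. The least-privilege consequence is the one the question hints at: a narrow role at the management group does not cap anything; a broader assignment lower down simply adds to it.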

AAD LDAP is syncing password after 20 minutes, I need to lower sync times to 1 minute

Hi all! When I change a password in Azure AD, this password is reflected in AAD LDAP after 20 minutes. Users query LDAP all day and they SSH; I need to lower the sync time to 1 minute, something like a "Set-AZ-ADSync 00:00:01" cmd, similar to AD Connect, but for pure Azure cloud.

I've checked all the documentation, forums and tweets to MS, the community, etc.!

Thanks ! 

Pablo

Pablo N Villaronga MCP, MCSA, MCTS:TS:Windows 7 , Configure Transcript: https://mcp.microsoft.com/authenticate/validatemcp.aspx Transcript ID (866993) Access Code (pvillaron)


Azure AD Connect Pass-Through Authentication Error


I am attempting to update my Azure AD Connect to use Pass-through authentication and enable single sign-on. I am able to connect to Azure AD but when it asks me to Enable single sign-on and enter credentials for my domain I get an error back that says:

An error occurred while locating computer account

in the log it says:

[  1] [ERROR] GetDesktopSsoComputerAccountDns exception caught: A referral was returned from the server.

[  1] [ERROR] An error occurred while locating computer account.

I have had it go against all of my domain controllers, so I am at a loss as to what is causing the error. I am on Azure AD Connect version 1.1.614.0. The computer is in the domain and in AD, and my user credentials are correct. Any help would be appreciated.

New Combined Registration (preview) - Enforcing to register for self-service password reset not working correctly


Hello

We are testing the new combined registration for SSPR in Azure and force our users to register for self-service password reset. It works correctly for users who have never logged in to Office365 before.

However, users who have already logged in to Office365 before are strangely not prompted to register the security information.

Self-service password reset assigned by AD group
Require registration of users at login is enabled
Pass-Through Authentication Enabled
Single Sign-On activated
Azure AD P1 license assigned
password write back is activated

Is this a known bug? Who can help?

Thx

Authentication using a registered app


Hi Community,

My end goal is to be able to connect to PowerBI REST APIs and to that end, I have created an app in Azure. 

I have an Azure Function App which does that for me, but I first need to be able to log in using the registered app.

I have tried all (or most) of the solutions available that teach us how to log in using a user name and password, and I see that there are 2 errors that are thrown, depending on what sample I try out:

1. 

Failed to call the Web Api: Forbidden
Content:
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "d426325e-fae3-4da1-978e-18f4c4dcf689",
      "date": "2019-05-02T09:20:47"
    }
  }
}

2. 

  Federated service at https://opal.abcd.com/adfs/services/trust/2005/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized.
{Microsoft.Identity.Client.MsalClientException: Federated service at https://opal.abcd.com/adfs/services/trust/2005/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized. ---> Microsoft.Identity.Client.MsalServiceException: Federated service at https://opal.abcd.com/adfs/services/trust/2005/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized.
   at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager.GetWsTrustResponseAsync(WsTrustEndpoint wsTrustEndpoint, String wsTrustRequest, RequestContext requestContext)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   --- End of inner exception stack trace ---
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.GetWsTrustResponseAsync(UserAuthType userAuthType, String cloudAudienceUrn, WsTrustEndpoint endpoint, String username, SecureString securePassword)
   at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler.PerformWsTrustMexExchangeAsync(String federationMetadataUrl, String cloudAudienceUrn, UserAuthType userAuthType, String username, SecureString password)
   at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest.FetchAssertionFromWsTrustAsync()
   at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest.ExecuteAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)
   at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenByUsernamePasswordParameters usernamePasswordParameters, CancellationToken cancellationToken)
   at up_console.PublicAppUsingUsernamePassword.GetTokenForWebApiUsingUsernamePasswordAsync(IEnumerable`1 scopes, String username, SecureString password) in C:\Users\dpradh1\Desktop\active-directory-dotnetcore-console-up-v2-master\active-directory-dotnetcore-console-up-v2-master\up-console\PublicAppUsingUsernamePassword.cs:line 96

Can someone please help ! 


TheStarSailor

Admin consent needed for an AAD app which doesn't have any permission requiring admin consent


We have an AAD app which has some permissions associated with it. However, none of the permissions it requires needs admin consent. It is running as expected for our tenant.

Nevertheless, for a different tenant, the authorization is denied with the popup “Only an admin can grant permission to this app” and the issue “AADSTS650057: Consenting not allowed for these application permissions for your company”.

It used to work earlier with multiple tenants without any role of the tenant admin and without even having the user account added as a guest to our tenant.

AD Connect - Logging

Guys, I am trying to get a handle on what AAD Connect logs. Is there a way to centralize log locations, i.e. some config files that can be modified or the like?
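Azure AD Connect writes to a handful of fixed places: the wizard and installer trace logs under %ProgramData%\AADConnect, the sync engine's events in the Application event log, and the run history kept by the ADSync service. The added PowerShell below (not from the original post) inventories those locations on a Connect server and ships copies to a central share rather than trying to relocate them. The share path is an assumption; the event provider names are the ones the sync engine uses, and the script lists the installed providers so they can be adjusted if a given build names them differently.

```powershell
# Added example (not from the original post): collect Azure AD Connect logs
# from one server into a central share. The share path is an assumption.
$Central = "\\logcollector\aadconnect\$env:COMPUTERNAME"
New-Item -ItemType Directory -Path $Central -Force | Out-Null

# 1. Wizard / installer trace logs (install, upgrade, every config change).
$traceDir = Join-Path $env:ProgramData 'AADConnect'
Get-ChildItem -Path $traceDir -Filter 'trace-*.log' -ErrorAction SilentlyContinue |
    Copy-Item -Destination $Central -Force

# 2. Sync engine events live in the Application log. List the providers that
#    are actually registered on this build, then export the last 7 days as
#    .evtx so the records stay intact (and admissible) for later forensics.
Get-WinEvent -ListProvider '*sync*' -ErrorAction SilentlyContinue | Select-Object Name
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')
$query = "*[System[Provider[@Name='Directory Synchronization' or @Name='ADSync'] and TimeCreated[@SystemTime>='$since']]]"
$evtx  = Join-Path $Central "ADSync-$(Get-Date -Format yyyyMMdd).evtx"
wevtutil epl Application $evtx "/q:$query"

# 3. Scheduler state and recent run results from the ADSync module, as text.
Import-Module ADSync
Get-ADSyncScheduler | Out-File -FilePath (Join-Path $Central 'scheduler.txt')
Get-ADSyncConnectorRunStatus | Out-File -FilePath (Join-Path $Central 'run-status.txt')

# 4. Flag the one thing worth alerting on: a scheduler that has been switched
#    off, which is how a sync outage (or a tampered server) goes unnoticed.
if (-not (Get-ADSyncScheduler).SyncCycleEnabled) {
    Write-Warning "Sync scheduler is disabled on $env:COMPUTERNAME"
}
```

For continuous collection rather than a scheduled copy, the two supported routes are Windows Event Forwarding from the Application log to a collector, or the Azure AD Connect Health agent for sync, which reports run errors and scheduler state to the tenant. Treat the Connect server as a tier-0 asset when choosing where these logs land: they include object names and attribute flow details, and the server holds the credentials that can write to both directories.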