Channel: Azure Active Directory forum

Confusion about using AADDS and Azure Active Directory + On premise


Hello all,

I believe I have pretty good knowledge of how to use AADDS and Azure AD; however, I have some difficulties putting the parts of the puzzle together. I know how to sync between on-prem and Azure AD and how the sync between Azure AD and AADDS works; however, I am struggling to find the main reason why you would need AADDS when you have on-premises?

I know that people are using AADDS instead of Azure AD when they need Kerberos or LDAP or need some "kind of DC" solution; however, since they have on-prem, why would they need AADDS?

Would the main reason be using the apps? But having all those accounts synced to Azure AD, those users will still be able to use SaaS applications. So do you have any ideas, guys?

Thanks in advance!

Cheers, SS


Incorrect Attributes/Claims sent in SAML Response for SSO


We have set up an SP-initiated SAML-based SSO with a client. The client claims to have set up the outgoing claims/attributes in Azure. However, in our system, we still continue to receive the claims in the URI pattern. Further, the client claims to have set up only six (6) outgoing claims; however, the SAML Response shows multiple claims.

Below are the claims set up by the client in their system:

Name identifier value: user.onpremissesaccountname [name-format:emailAddress]

CLAIM NAME      VALUE
emailaddress    user.mail
givenname       user.givenname
mail            user.mail
name            user.userprincipalname
surname         user.surname

However, this is an example of how the claims are sent in the SAML Response:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

We just need givenname and not the entire URI. Any help will be appreciated. Thank you!
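As an added example (not code from the post or from Microsoft), this is the relying-party side of the problem described above: parse the AttributeStatement as the asker's system receives it, key the claims by the full URI Name exactly as sent, and derive the short names only for display, flagging the case where two different full names collapse to the same short name. The sample assertion, tenant id, subject and attribute values are constructed; signature validation is assumed to have happened before this point.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample assertion modelled on the claim names quoted in the post;
# issuer tenant id, subject and attribute values are made up. The signature
# must be validated before the assertion reaches this code (not shown).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def short_name(full_name):
    """Last path segment of a URI-style claim name ('.../claims/givenname' -> 'givenname')."""
    return full_name.rstrip("/").rsplit("/", 1)[-1]

def extract_claims(assertion_xml):
    """Return (name_id, claims) with claims keyed by the exact attribute Name as sent.

    Matching on the full Name is what the relying party should do; the short
    form is display-only and is derived separately by flatten_claims()."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(f"{SAML}Subject/{SAML}NameID")
    claims = {}
    for attr in root.iterfind(f"{SAML}AttributeStatement/{SAML}Attribute"):
        values = [v.text for v in attr.iterfind(f"{SAML}AttributeValue")]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return name_id, claims

def flatten_claims(claims):
    """Re-key claims by short name; returns (flat, collisions). A collision is a short
    name that two different full Names collapse to (e.g. '.../claims/mail' and a bare
    'mail'); the first is kept and the clash reported instead of silently merged."""
    flat, owner, collisions = {}, {}, []
    for full_name, values in claims.items():
        short = short_name(full_name)
        if short in owner and owner[short] != full_name:
            collisions.append((short, owner[short], full_name))
            continue
        owner[short] = full_name
        flat[short] = values
    return flat, collisions
```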

Multiple domains under one Azure AD domain


Hello There,

I am in a situation where multiple small companies have been acquired by a large company.

They all have their own domain names and Exchange servers. Some have Azure tenants and O365; some are local AD and Exchange.

The primary company will be ABC.com.

We would like to bring all these a.com, x.com, y.com companies under one Azure AD domain ("ABC.com").

Can anyone give me an idea how I can bring them all under one and manage them under one tenant, so all users authenticate and are managed by one portal and all have the same domain name?

Thanks in advance. 

Sham 

How to securely get a secret from Azure Key Vault for an application running on a VM in Azure?


Hello, could someone please help clarify the possibility of the following scenario:

Given: We have an application which is running inside an Azure Windows VM. This application needs to use a symmetric encryption key to contact the DB server on another VM in Azure.

Goal: We need to prevent access to this encryption key for any person except the person who is responsible for generating it and the security admins. The key, when it is in use, will be stored in RAM encrypted by the application's algorithm with a random value.

We tried to put this key into a key vault, but we still need to store the credentials for accessing it somewhere. We cannot put it somewhere locally, but the application must have the possibility to access that key when required.

We tried to research Managed Identity, but it provides the possibility to get an auth token for any script and user who is logged in to the VM. I know it is possible to set a private key as a VM secret, but we need to keep exactly a string as a secret.

Could you please advise something that could help to achieve the goal?

MFA external accounts for Azure

I'm looking to set up MFA for external accounts that are granted access to my organization's Teams channel. Is this a possibility?

OpenLDAP sync to Office 365


We have a client using OpenLDAP and would like to migrate mailboxes from Zimbra to Office 365.

Is it possible to synchronize the OpenLDAP users to Office 365 using Azure AD Connect?

What is the best method to sync OpenLDAP to Office 365? Is there any step-by-step guide or detailed document available?

Thanks in advance for your help.


Tek-Nerd

I am a new user and can't connect to Office 365 with PowerShell


I am trying to log into Office 365 with the connect command but somehow have another module loaded?

connect-msolservice
connect-msolservice : The 'connect-msolservice' command was found in the module 'MSOnlineExtended', but the module
could not be loaded. For more information, run 'Import-Module MSOnlineExtended'.
At line:1 char:1
+ connect-msolservice
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (connect-msolservice:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule

PS C:\WINDOWS\system32> Import-Module MSOnlineExtended
Import-Module : Could not load file or assembly 'file:///C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MSOnlineExt
ended\Microsoft.Online.Administration.Automation.PSModule.Resources.dll' or one of its dependencies. The system cannot
find the file specified.
At line:1 char:1
+ Import-Module MSOnlineExtended

PS C:\WINDOWS\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17134.590
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.590
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

I am new to this and just want to run some commands. Help?

SAML Multiple Reply URL (Assertion Consumer Service URL)

With SAML SSO, Azure appears to accept multiple reply URLs, but only sends the SAML to the primary that is checked off in the list. Looking for help on allowing multiple requesters with the same entity ID.

Help tip > "The reply URL is where the application expects to receive the authentication token. This is also referred to as the “Assertion Consumer Service” (ACS) in SAML. A maximum of 250 reply URLs are allowed."



Trying to enable SSO with Cisco Unified Communications. Cisco has instructions for Okta and talks about Okta's ability to handle multiple ACS URLs with an option named "Requestable SSO URLs" that takes in ACS indexes from the SP metadata file.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/okta/12_0_1/cucm_b_saml-sso-okta-identity-provider.html

-Siva


How can AzureAD set user fields such as hireDate and birthday without AADConnect or schema extensions?


Hello,

The Microsoft Graph API allows setting user fields like hireDate and birthday. Is it possible to manage these fields in Azure AD without Azure AD Connect or schema extensions? If so, how can we do this?

Some internet research on this issue seems to indicate this is only possible with Azure AD Connect or using schema extensions, which are difficult to set up.

Thanks. 


Firewall Policies to support secure, on-premises APIs through Azure's B2C Custom Policies


We are trying to limit the endpoints that are able to call an on-premises (ASP.NET Web) API that is meant only for Azure's B2C service. We tried limiting to the FQDN, but the API calls were never successfully allowed because the service was not making those calls using the same IP address range.

Is there a way that we can know the IP addresses or FQDNs that the B2C service will use when calling the sign-up/sign-in API?

We're trying to limit the attack vector, and allowing the entire Azure Data Center IP ranges seems like a less-than-ideal option; preferably we would limit the API requests to a very narrow scope.

Thanks,

Brad

What are the advantages of using Power BI Embedded with a Service Principal rather than a Master Account?


I registered a Native App and used the client ID to generate an access token, which I used for Power BI Embedded.

Now I want to try embedding using a service principal.

What are the advantages of embedding using a service principal rather than using a master account?

I understood that we can use an API key and API secret instead of Power BI master account credentials, but are there any other advantages apart from that?

Thanks in advance.



Azure AD join fails following upgrade to Microsoft 365 Business


Small org which has been using Office 365 Business Premium for a year. Was previously able to join (not register) new Win 10 Pro desktops to Azure AD. Following the upgrade to Microsoft 365 Business, device join now fails.
-----

Details:
1. Set up new desktops with local admin user (not built-in administrator account)
2. Settings > Access work or school > Connect > Join this device to Azure Active Directory > enter domain admin full address (with @company.com)
3. "Looks like we can't connect to the URL for your organization's MDM terms of use."
Error: invalid_client
description: failed to authenticate user

Environment: Local AD domain with Server 2012 R2 that synchronizes users with Azure AD using Azure AD Connect (latest version 1.2.70.0). New desktops are not joined to the local domain - joined to Azure AD only. Have not changed or used either MDM or Intune settings in Azure admin. Slowly migrating to an Azure-focused environment.

Verified: Azure AD > Devices > Device Settings > Users may join devices to Azure AD > All

Auto enrollment is not enabled, as this is not available for Microsoft 365 Business.

Troubleshooting attempted:
1. Removed DNS CNAME entries for EnterpriseEnrollment and EnterpriseRegistration
result: no change, so added CNAME entries back in.
CNAMEs validated with Device enrollment > Windows enrollment > CNAME Validation.

2. Created new Global Admin user in Azure AD.
result: Used to initiate Azure AD join. Join process noted that this was a new user and successfully performed password update. Proceeded to join process and failed with same error.

Not yet attempted:
1. Downgrade Microsoft 365 Business to Office 365 Business Premium (not sure this is possible)
2. Free trial of Premium (wary of this - cost, and probably no easy downgrade)

I have seen many posts which refer to settings for Azure MDM and Intune which don't seem to apply - most assume Azure AD Premium.

Pages I have read for guidance:
https://social.msdn.microsoft.com/Forums/en-US/b055957b-ecbb-469b-9b33-85fd5c7b2cb8/mdm-terms-of-use-endpoint-is-not-correctly-configured

https://docs.microsoft.com/en-us/intune/troubleshoot-device-enrollment-in-intune​

https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current​

https://docs.microsoft.com/en-us/azure/active-directory/devices/faq

MSAL 3x : AcquireTokenByUsernamePassword not working as documented : Microsoft.Identity.Client.MsalServiceException


Hi 

WPF, VS2017, MSAL 3.x version.

I am trying a sample to test the function AcquireTokenByUsernamePassword(). Following is the code example. I am getting this error:

Error Acquiring Token:
Microsoft.Identity.Client.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

private async void MSALUsingScopeUserNamePasswordVersion3_Click(object sender, RoutedEventArgs e)
{
    // Scope on the protected API, and the API endpoint that is called with the resulting token
    string[] scopes = new string[] { "<ResourceID XXXXXX>/user_impersonation" };
    string targetAPIUrl = "https://xxxxxxxxx.azurewebsites.net/api/TestFunction1";

    string ClientId = "3c278a32-0202-111c-8b03-xxxxxxxxxx";
    string Tenant = "xxxxxx-7665-xxxx-8ce2-xxxxxxxxxxxx";

    IPublicClientApplication _clientApp;
    AuthenticationResult authResult = null;

    // Public client: no client secret or certificate is configured on this side
    _clientApp = PublicClientApplicationBuilder.Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
        .Build();

    try
    {
        var securePassword = new SecureString();
        foreach (char c in "RealPassword123")   // you should fetch the password
            securePassword.AppendChar(c);       // keystroke by keystroke

        // Username/password (ROPC) flow; the token is then used to call the API
        authResult = await _clientApp.AcquireTokenByUsernamePassword(scopes, "ADUser@CompanyName.com", securePassword)
            .ExecuteAsync();

        outputBox.Text = await GetHttpContentWithToken(targetAPIUrl, authResult.AccessToken);
    }
    catch (MsalException msalex)
    {
        outputBox.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
    }
}

Please advise.

Regards

Azure Intune Client Name


Hi everybody,

Is there a solution for the device name within Azure Intune?

I am going to do a hybrid join (Azure & local domain) and I want each device to get a prefix (e.g. Notebook) and then as a suffix something like a consecutive number (e.g. 001).

Are there any possibilities to configure this?

Many regards

AZURE AD B2C Setting Customized Sign In and Sign Out Screens


Hi Team,

We have an application registered with Azure AD B2C, and the business wants to set customized Sign In and Sign Out screens for the application.

Can anybody help by providing the right approach and solution for this requirement?

Thanks

Amit Dubey


Authorize User against Azure AD Group in SPA (React JS)


We want to authorize a user against an Azure AD group in a SPA (React JS); i.e. the user is allowed to access the API from the SPA if he/she belongs to a particular group (e.g. testgroup). Found sample code in MSAL.js.

I'm following these steps:

  • Create a UserAgentApplication object
  • Call loginPopup (here the Graph scope is "Directory.Read.All")
  • Call acquireTokenSilent (get an access token to call the MS Graph API)
  • Call MS Graph to retrieve all AD groups the user belongs to

    URL to get AD groups - https://graph.microsoft.com/v1.0/me/memberOf

  • After receiving the AD groups (the user belongs to), validate whether the user belongs to that AD group (here - testgroup)

Please suggest whether I am going in the right direction or whether any other options are available. I would appreciate any sample code on group claims in Azure AD for a SPA (React JS).

Thanks for your suggestion.

Regards,

Deb

Password reset - Button not enabled when page translated by web browser


Hi!

For the record, I think this might be a bug:

In Azure AD B2C, when the user clicks the "Can't access your account" link, receives a code to verify the e-mail address and types in the verification code in the text box, then the "Next" button is still disabled and there is no way to continue IF the page is automatically being translated to another language (at least for Spanish) by Chrome. It seems that the translation somehow messes up whatever enables the "Next" button.

I don't know if this is more of a Chrome problem or Azure AD B2C problem, but maybe it could help somebody out there to understand why it is not possible to set a new password or if someone from Microsoft would like to look at it or file it as a possible bug report.

Problem with 'Reply URL (Assertion Consumer Service URL)' parameter in SAML SSO configurations!


I repeat my question because the problem still exists!

Currently the portal configuration prevents me from using an "http" scheme in the Reply URL field. I don't see this restriction in other identity providers (I have already worked with Okta, Auth0 and OneLogin), only in Azure. More than that, the SAML specification doesn't describe this restriction! My intranet application has an "http" prefix and I need the ability to configure that kind of URL! I don't see any reason to require only URLs with the "https" scheme.


Can't run AD Sync - Start-ADSyncSyncCycle : System.InvalidOperationException: Sync is already running. Cannot start a new run till this one completes.


I received an e-mail that a sync hasn't been done in 24 hours.

If I run Azure AD Connect, I get the following error:

Synchronization is currently in progress. Azure Active Directory Connect cannot proceed further as configuration changes cannot be made at this time.

If I try running a sync through PowerShell I also get an error.

Start-ADSyncSyncCycle -PolicyType Delta

Start-ADSyncSyncCycle : System.InvalidOperationException: Sync is already running. Cannot start a new run till this one completes.

If I try to disable the sync scheduler:

Set-ADSyncScheduler -SyncCycleEnabled $false

Set-ADSyncScheduler : System.InvalidOperationException: Scheduler::RequestCurrentRunToStop : Current run of scheduler has already being cancelled.

How can I solve this mess?
