Channel: Azure Active Directory forum
Problem with 'Reply URL (Assertion Consumer Service URL)' parameter in SAML SSO configurations!

I repeat my question because the problem still exists!

Currently the portal configuration prevents me from using an "http" scheme in the Reply URL field. I don't see this restriction in other identity providers (I have already worked with Okta, Auth0 and OneLogin), only in Azure. More than that, the SAML specification doesn't describe this restriction! My intranet application has an "http" prefix and I need the ability to configure that kind of URL! I don't see any reason to require only URLs with the "https" scheme.




Azure Active Directory

When trying to get the access token, got the following error

 AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: 82e16f0f-5b86-4631-98bf-57e62628c9e0(test.app.fhir). Resource value from request: https://azurehealthcareapis.com. Resource app ID: 4f6778d8-5aef-43dc-a1ff-b073724b9495. List of valid resources from app registration: 392cc82d-7740-4bc9-ae40-71fbbdf1aa8a

I didn't register my app for the resource app ID "4f6778d8-5aef-43dc-a1ff-b073724b9495"; is "4f6778d8-5aef-43dc-a1ff-b073724b9495" the one for https://azurehealthcareapis.com?

I only list "392cc82d-7740-4bc9-ae40-71fbbdf1aa8a" as my API permission.

According to the Azure FHIR document https://docs.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial, is anything missed here?

Auth URL: https://login.microsoftonline.com/{TENANT-ID}/oauth2/authorize?resource=<audience> (audience is https://azurehealthcareapis.com for Azure API for FHIR and https://MYFHIRSERVICE.azurewebsites.net for the OSS FHIR server)


working on APIM
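As an added example (not part of the post above, and not Microsoft code), the Python below parses the AADSTS650057 message quoted in the post, compares the "Resource app ID" against the "List of valid resources from app registration", and builds the authorize URL from the template the post cites. The sample message is the text from the post; the tenant ID used in the usage call is a constructed placeholder.

```python
import re
from urllib.parse import urlencode

# Sample input: the AADSTS650057 message quoted in the post, copied verbatim.
SAMPLE_ERROR = (
    "AADSTS650057: Invalid resource. The client has requested access to a resource "
    "which is not listed in the requested permissions in the client's application "
    "registration. Client app ID: 82e16f0f-5b86-4631-98bf-57e62628c9e0(test.app.fhir). "
    "Resource value from request: https://azurehealthcareapis.com. "
    "Resource app ID: 4f6778d8-5aef-43dc-a1ff-b073724b9495. "
    "List of valid resources from app registration: 392cc82d-7740-4bc9-ae40-71fbbdf1aa8a"
)

GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"


def parse_aadsts650057(message):
    """Extract the IDs from an AADSTS650057 message; None if it is another error
    or the text does not have the expected shape."""
    if not message.startswith("AADSTS650057"):
        return None
    client = re.search(rf"Client app ID: ({GUID})", message)
    # The resource value is followed by ". " (dot, space) in the message.
    resource_value = re.search(r"Resource value from request: (\S+?)\.\s", message)
    resource_app = re.search(rf"Resource app ID: ({GUID})", message)
    valid = re.search(r"List of valid resources from app registration: (.*)$", message)
    if not (client and resource_value and resource_app and valid):
        return None
    return {
        "client_app_id": client.group(1),
        "resource_value": resource_value.group(1),
        "resource_app_id": resource_app.group(1),
        # The list is comma separated; strip whitespace and any trailing period.
        "valid_resources": [
            v.strip().rstrip(".") for v in valid.group(1).split(",") if v.strip()
        ],
    }


def diagnose(message):
    """Human-readable verdict: is the requested resource's app ID in the registration?"""
    parsed = parse_aadsts650057(message)
    if parsed is None:
        return "not an AADSTS650057 message (or unexpected format)"
    if parsed["resource_app_id"] in parsed["valid_resources"]:
        return "resource app ID is already listed in the registration"
    return (
        f"app {parsed['client_app_id']} requested resource {parsed['resource_value']} "
        f"(app ID {parsed['resource_app_id']}), but its registration only lists: "
        + ", ".join(parsed["valid_resources"])
    )


def build_authorize_url(tenant_id, audience):
    """Fill the authorize URL template from the post; 'resource' is URL-encoded."""
    query = urlencode({"resource": audience})
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?{query}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR))
    # "contoso-tenant-id" is a constructed placeholder, not a real tenant.
    print(build_authorize_url("contoso-tenant-id", "https://azurehealthcareapis.com"))
```

The verdict line makes the mismatch explicit: the resource the app asked for resolves to one app ID, while the registration's permission list contains a different one, which is exactly what the error text says.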

Asp.net Core Authorization Azure AD - Group and Subgroups

Hi,

Just wondering: if I add a few sub groups (s1, s2) to a main group (m1) in Azure AD, would it then authorize all the users within the sub groups as well in a .NET Core API controller method?

For example: Authorize [m1]

Thanks

Conditional Access with Apple Mail

Hi,

I'm trying to configure MFA through Conditional Access, but when I enable this my iOS Apple Mail app still works without requiring any additional authentication.

However, after trialling the policy for a few weeks, my Apple Mail app stopped working and I received an e-mail from my Exchange server telling me that someone had tried to set up two-step verification.

Can you explain why, when I configured Conditional Access MFA, it didn't affect my iOS Apple Mail app at all, then a few weeks later it seemed to break it (which I would have expected a lot sooner)?

Can you also please confirm how I protect the Apple Mail app via Conditional Access MFA?

Thanks,

Will North

Application Proxy support browsers and devices

We are using Tableau with Azure Application Proxy and Kerberos authentication.

It generally works, but fails on some browsers and devices.

From my Azure AD joined PC, Tableau will not accept the SSO session from Chrome.

From my Intune supervised iPhone I cannot get an SSO session to work from Safari or Chrome, but Edge and the Tableau app work.

Is there a list of devices and/or browsers that are supported? Is it specific to the type of auth? Windows integrated vs. SAML etc.?

thanks

Application Proxy SAML vs Application Proxy Linked App (configured for SAML)

What is the difference between setting up the Application Proxy for SAML vs. setting up an Application Proxy Linked app to an existing app that is configured for SAML?

Why do it one way vs. the other?

I have internal (domain users) and external users using the app; I'd prefer that my internal users don't go out to Azure App Proxy to come back in.

Azure AD Sync installation issue

Has anybody here ever seen this?

Unable to install the Synchronization Service.  Object reference not set to an instance of an object.

Thanks

Azure AD Sync overrides sign-in status in O365

Hi, I have posted this question to the MS Office Forum (under the same title), but the recommended on-prem blocking is not an option in our use case.

I have the following Problem:

When I'm setting the sign-in status to blocked in the O365 admin center, the Azure AD Sync overrides this value with the next synchronization. I tried to disable the sync of this attribute with the "Synchronization Rules Editor" but it still overrides the sign-in status.

The rule I created:

Scoping filter: userAccountControl ISBITSET 16

Transformations: Constant Cloudfiltered True

Does this attribute match the sign-in status? Or is there another solution to block the sync from the on-prem AD to the Azure AD (only for the sign-in status)?
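As an added example (not from the post, and not Azure AD Connect code), the Python below decodes the flag bits of an AD userAccountControl value and evaluates an ISBITSET-style scoping filter over a few constructed user records, so one can see which accounts a given bit value would select. The flag table uses the documented AD DS values (for instance ACCOUNTDISABLE is 0x2 and LOCKOUT is 0x10); the user records are constructed for the example.

```python
# Documented AD DS userAccountControl flag bits (subset).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00800000: "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value,
    in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_bit_set(value, bit):
    """Same test as the Sync Rules Editor ISBITSET operator: true when the bit is set."""
    return bool(value & bit)


def apply_scoping_filter(users, bit):
    """Return the sAMAccountNames that a scoping filter
    'userAccountControl ISBITSET <bit>' would select from the given objects."""
    return [u["sAMAccountName"] for u in users if is_bit_set(u["userAccountControl"], bit)]


# Constructed sample objects: an enabled, a disabled, and a locked-out user.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},          # NORMAL_ACCOUNT only
    {"sAMAccountName": "bob",   "userAccountControl": 0x200 | 0x2},    # plus ACCOUNTDISABLE
    {"sAMAccountName": "carol", "userAccountControl": 0x200 | 0x10},   # plus LOCKOUT
]


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["sAMAccountName"], u["userAccountControl"], decode_uac(u["userAccountControl"]))
    print("ISBITSET 16 selects:", apply_scoping_filter(SAMPLE_USERS, 16))
    print("ISBITSET 2 selects:", apply_scoping_filter(SAMPLE_USERS, 2))
```

Running it prints which constructed accounts each bit value selects; checking a rule this way against a handful of known objects is a quick sanity test before relying on the filter in a live sync.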


Does Hybrid Join require a certain AD DS Schema version..?

I have been working to enable Hybrid Device Join using AD Connect (version 1.2.65.0).

My prior experience of ADHJ is that the SCP record is required but no changes to the AD DS Schema version.

When trying to configure this today the AD Connect wizard presented the warning below:

[Image: adhj_warningmessage]

This has effectively stopped me progressing the deployment until I can get confirmation that the Schema update is not required for ADHJ.

Similar comment on the Docs.com documentation - https://github.com/MicrosoftDocs/azure-docs/issues/18242

Sam

Firewall Policies to support secure, on-premise APIs through Azure's B2C Custom Policies

We are trying to limit the endpoints that are able to call an on-premise (ASP.NET Web) API that is meant only for Azure's B2C service. We tried limiting to the FQDN, but the API calls were never successfully allowed because the service was not making those calls using the same IP address range. 

Is there a way that we can know the IP addresses or FQDNs that the B2C service will use when calling the sign up/sign API?

We're trying to limit the attack vector, and allowing the entire Azure Data Center IP ranges seems like a less than ideal option. Preferably, we would limit the API requests to a very narrow scope.

Thanks,

Brad

Outlook Group Member Changes

Hi,

I have a site that is an on-site domain with Azure AD Sync to Office 365.

They used to have Exchange on premises and we migrated them to Office 365.

Prior to the migration we had a user that was able to manage the distribution group memberships from within Outlook (click To in a new email, then browse to the Global Address List, right-click the group, select Properties and then edit the membership). Since the migration to Office 365 this user has been unable to do that. We have found that apparently this is still possible; we need to change the group join restriction from closed to open and the user will be able to perform this action.

I cannot change this in the group either through PowerShell or the web as I am denied due to the fact that the group is AD synced. I have found an attribute in the group under ADSI Edit called msExchGroupJoinRestriction and I have edited that (0 = closed, 1 = open, 2 = owner approval), and when I change that to 1 this is not updated on O365.

Is there a way to set that attribute to be copied across from the onsite AD using Azure AD sync to the O365 group environment?

Also has anyone else had this request and been able to allow users in O365 to be able to edit AD Synced groups?

AAD Authentication issue for Onedrive automatic configuration/login

Hi, this is a crosspost from the OneDrive forums as recommended by their representative.

Office 365, Windows AD and hybrid AAD via Azure AD. Passwords are synced via password hash.

Win10 Education 1803 (same applies to 1809), Server 2016 at back end. Devices are shared, all users synced to local AD and of course to AAD.

Failing to get OneDrive to sign in automatically for the logged-on user, despite Office applications signing in automatically to the currently logged-on user instantly with no issues, as do all browsers when going to login.microsoftonline.com (or 365 email).

But OneDrive will not sign in automatically at all. I think I've got it to do it, accidentally, once, but never again.

ADAL is enabled (although it shouldn't be necessary any more if I understand correctly)
OneDrive is the latest version (19.062)

Troubleshooting with dsregcmd the only thing that jumps out at me is under user state "WamDefaultSet" : Error. Everything else appears OK.

Group policy all appears to be OK, verified by the chap on MS support. The only things sticking out are WamDefaultSet being in error state; he doesn't believe it's related to alternate login ID or proxy, narrowing it down to authentication issue. He's suggested I ask here for support.

I appear unable to paste a copy of my dsregcmd /status output due to having links in it though :(

On-premises AD -> Hybrid Azure AD -> Azure AD only

Hi all,

I am planning the following task:

Windows 10 (1709 or later) devices are now joined to on-premises Active Directory. The desired state is to get the devices joined to Azure AD only; the on-premises domain will be decommissioned. I assume this should be accomplished via hybrid AAD join, and then a move to AAD only. The devices will be enrolled in Intune while joining Azure AD.

I can find lots of documentation on how to move to hybrid AAD, but how to move from hybrid AAD to AAD only?

A minor detail: I am a bit confused when documents are talking about hybrid AAD join: some sentences talk about registering devices, and some about joining the devices, in the same document.

Any ideas how to get to the desired state (AAD only) with the least trouble?

P.S. I am aware of application and authentication changes (and lots of other changes), and those will also be taken care of at the same time. First I am trying to figure out how to move Windows 10 devices to AAD with the least trouble, so in this post I am concentrating only on Windows.

Claims issued in the SAML token - Find and Replace?

I am trying to customize the claims issued in the SAML token by Azure AD for single sign on. I am using the following Microsoft documentation:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

On one claim, I want to perform a Find and Replace transformation. For example:

If 'user.extensionattribute10' contains '@', then replace '@' with 'A'.

I don't see how to do this with the available claims transformation rules in the Azure portal.

How could I perform a Find and Replace in Azure AD for SAML token claims?


azure and windows ad user conflict?


So I have an Azure organization account, let's say admin@domain.com. I am the owner and I used that to log in to the Azure portal. Then I have a Windows AD account, also admin@domain.com. What would happen if I use AD Connect to sync the Windows AD to the Azure AD? Thanks

AZURE AD B2C Setting Customized Sign In and Sign Out Screens

Hi Team,

We have an application registered with Azure AD B2C.

The business wants to set a customized Sign In and Sign Out screen for the application.

Can anybody help by providing the right approach and solution for this requirement?

Thanks

Amit Dubey

Is it possible to update a users password over LDAPS through Azure AD Domain Services?

I can do everything else in AAD DS through LDAPS (bind, read group members, etc.) but not update passwords.

When I try to update another user's password, I get the message:

INSUFFICIENT_ACCESS: {'info': '00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n', 'desc': 'Insufficient access'}

The account I'm using is a member of AAD DC Administrators and has 'Owner' on the Azure tenant.

The account I'm trying to update is a normal user.

Any ideas? ta

[EDIT] This page here, https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview, quotes "Directory-aware applications may rely on LDAP for read or write access to the corporate directory", so I'm assuming that it is possible.

Powershell AzureAD New-AzureADMSInvitation getting an "Object reference not set to an instance of an object" error

I'm trying to run New-AzureADMSInvitation from PowerShell using the AzureAD module. I'm getting an "Object reference not set to an instance of an object" error when running the command when I connect with an SPN. When I run the same command but connect using my regular credentials for the Connect-AzureAD command, New-AzureADMSInvitation works.

I've granted the SPN API permissions User.Invite.All but it still doesn't work. Does the New-AzureADMSInvitation command work when connecting with an SPN? If it does, what permissions and/or additional steps need to take place for it to work?

Convert "in cloud" user to "synced with active directory" users

When I first created my Office 365 account, I did not use Azure to sync AD. I manually created about 7 users. Now, my AD is syncing just fine with the exception of the 7 "in cloud" users. How can I convert those users to "Synced with AD" users now without deleting and resyncing them?

Thanks
