Channel: Azure Active Directory forum
Viewing all 16000 articles

Expiration date of client secret of service principal


Hi Team,

Is there any automated way or PowerShell script via which I can get the expiration date of the client secret of the service principal?

We want to trigger an email 5 days before the expiration of the SP.
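One way to do this, as an added example that is not part of the original post: enumerate every app registration, list its client secrets and certificates, and mail the ones that expire within the next N days. It assumes the classic AzureAD PowerShell module (Connect-AzureAD already run); the mail addresses and SMTP relay are placeholders.

```powershell
# Added example (not from the original post): report application client secrets
# and certificates that expire within the next N days, and mail the list.
# Assumptions: the classic AzureAD PowerShell module is installed and
# Connect-AzureAD has already been run; the mail addresses and SMTP relay
# below are placeholders for your environment.
param(
    [int]$DaysAhead = 5,
    [string]$MailTo = 'aad-admins@contoso.com',      # placeholder
    [string]$MailFrom = 'aad-monitor@contoso.com',   # placeholder
    [string]$SmtpServer = 'smtp.contoso.com'         # placeholder
)

function Get-ExpiringAppCredential {
    param([int]$Days)
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays($Days)
    # Client secrets (password credentials) and certificates (key credentials)
    # are stored on the application object behind the service principal.
    foreach ($app in Get-AzureADApplication -All $true) {
        $secrets = @(Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId)
        $certs   = @(Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId)
        foreach ($cred in ($secrets + $certs)) {
            if ($null -eq $cred.EndDate) { continue }
            $end = ([datetime]$cred.EndDate).ToUniversalTime()
            # Report anything already expired as well as anything expiring before the cutoff.
            if ($end -le $cutoff) {
                [pscustomobject]@{
                    Application = $app.DisplayName
                    AppId       = $app.AppId
                    KeyId       = $cred.KeyId
                    # Key credentials carry a Usage property (Sign/Verify); password credentials do not.
                    Kind        = if ($cred.PSObject.Properties['Usage']) { 'Certificate' } else { 'ClientSecret' }
                    EndDate     = $end
                    DaysLeft    = [math]::Floor(($end - $now).TotalDays)
                }
            }
        }
    }
}

$expiring = Get-ExpiringAppCredential -Days $DaysAhead | Sort-Object EndDate
if ($expiring) {
    $body = ($expiring | Format-Table -AutoSize | Out-String)
    Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
        -Subject "Azure AD app credentials expiring within $DaysAhead days" -Body $body
} else {
    Write-Host "No application credentials expire within $DaysAhead days."
}
```

Run it daily from a scheduled task or Azure Automation. Already-expired credentials show a negative DaysLeft so they are not silently dropped. If secrets were added directly to the service principal object rather than the app registration, query Get-AzureADServicePrincipalPasswordCredential -ObjectId for each service principal in the same way.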


AAD conditional access and DUO


Good morning all:

I am new to Azure and Duo as well. I have configured Conditional Access in Azure AD to use Duo MFA according to this video:

https://www.youtube.com/watch?v=eIP__C1NXho

Everything is working fine so far. The only thing is that I need to explain to the customer what I did, and the communication between Azure and Duo seems almost transparent to me. In the Conditional Access configuration there is a JSON file that uses OpenID Connect, but I don't understand which information is exchanged between Azure and Duo.

This is the JSON I see in Azure:

{
  "Name": "Duo Security",
  "AppId": "xxxxxxxxxxxxxxx",
  "ClientId": "yyyyyyyyyyyyyyyyyyyyyyy",
  "DiscoveryUrl": "https://eu-west.azureauth.duosecurity.com/.well-known/openid-configuration",
  "Controls": [
    {
      "Id": "RequireDuoMfa",
      "Name": "RequireDuoMfa",
      "ClaimsRequested": [
        { "Type": "DuoMfa", "Value": "MfaDone", "Values": null }
      ],
      "Claims": null
    }
  ]
}

Can someone point me to some information regarding this? I would like to understand more about those claims: what data is passed to Duo, what data Azure gets if the MFA succeeds, etc.

Thanks
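An added example, not part of the original post, showing how the control definition above maps onto the OpenID Connect ID token the external provider returns. Azure AD sends the user to the provider's authorization endpoint (located through DiscoveryUrl) and expects the returned ID token to carry each ClaimsRequested entry with the listed Value; this script reproduces only that claim mapping plus the issuer/audience/expiry checks. The signature check Azure AD performs against the provider's jwks_uri is not reproduced, and the ID token is constructed here for the demonstration.

```powershell
# Added example (not from the original post): decode an OIDC ID token and check
# it against a custom-control definition the way the claim mapping works.
# Assumptions: the issuer equals DiscoveryUrl without its /.well-known suffix
# (OIDC discovery convention); signature verification is deliberately omitted.
$controlJson = @'
{
  "Name": "Duo Security",
  "AppId": "xxxxxxxxxxxxxxx",
  "ClientId": "yyyyyyyyyyyyyyyyyyyyyyy",
  "DiscoveryUrl": "https://eu-west.azureauth.duosecurity.com/.well-known/openid-configuration",
  "Controls": [
    { "Id": "RequireDuoMfa", "Name": "RequireDuoMfa",
      "ClaimsRequested": [ { "Type": "DuoMfa", "Value": "MfaDone", "Values": null } ],
      "Claims": null }
  ]
}
'@

function ConvertFrom-Base64Url([string]$s) {
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}
function ConvertTo-Base64Url([string]$s) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-CustomControlClaims {
    param([string]$ControlJson, [string]$IdToken, [string]$ControlId)
    $def     = $ControlJson | ConvertFrom-Json
    $control = $def.Controls | Where-Object Id -eq $ControlId
    if (-not $control) { throw "Control '$ControlId' is not defined" }

    $parts = $IdToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    # NOTE: a real relying party verifies $parts[2] against jwks_uri before trusting anything below.
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    $issuer = $def.DiscoveryUrl -replace '/\.well-known/openid-configuration$', ''
    if ($claims.iss -ne $issuer)       { return "issuer mismatch: $($claims.iss)" }
    if ($claims.aud -ne $def.ClientId) { return "audience mismatch: $($claims.aud)" }
    if ([long]$claims.exp -le [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()) { return 'token expired' }

    # Each requested claim must be present with the configured Value (or one of Values).
    foreach ($req in $control.ClaimsRequested) {
        $actual = $claims.($req.Type)
        if ($null -eq $actual) { return "missing claim '$($req.Type)'" }
        $allowed = if ($req.Values) { @($req.Values) } else { @($req.Value) }
        if ($allowed -notcontains $actual) {
            return "claim '$($req.Type)' is '$actual', expected one of: $($allowed -join ', ')"
        }
    }
    return 'satisfied'
}

# Constructed sample token: what a successful Duo prompt would hand back (unsigned here).
$def     = $controlJson | ConvertFrom-Json
$issuer  = $def.DiscoveryUrl -replace '/\.well-known/openid-configuration$', ''
$header  = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$payload = ConvertTo-Base64Url (@{
    iss = $issuer; aud = $def.ClientId; sub = 'user@contoso.com'
    exp = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds() + 300
    DuoMfa = 'MfaDone'
} | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.SIGNATURE-NOT-CHECKED-HERE"

Test-CustomControlClaims -ControlJson $controlJson -IdToken $sampleToken -ControlId 'RequireDuoMfa'
```

Change DuoMfa to anything other than MfaDone, or drop the claim, and the function reports why the control is not satisfied; that is the decision the claim mapping encodes.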





O365/M365/Azure Self-service reset and GAL


Hi,

Been googling around and can't find an answer to my questions. Maybe you guys can help out.

  1. Authentication contact info (for password resets etc.) in Azure/O365/M365: are the details held within this section exposed to the GAL?
  2. Is there a way to force users to re-enter their authentication contact info details?

Thanks in advance for any help :-)


Azure Domain Services


Hi, we have just set up an ADS, created a role-based Windows server and are running GPO management. We created some GPOs and they work on VMs, but we have then added two physical PCs via Azure domain join and policies do not come down to those machines. Is that because physical machines are not supported, or is there something we are doing wrong?

Please enlighten me and not much documentation regarding this.

using Azure AD to login to custom portal using Open ID connect


Hi Team,

I want to use Azure AD to login to my custom portal using OpenID Connect

Thanks

Priya

SAML2 response does not contain configured attributes


Hi support!
I have configured an application with SAML2 to use with Azure AD single sign-on.
Everything is OK. The user is successfully authenticated.
But the attributes from AD are not exported according to the configuration.
The attributes Emailaddress and Email2 have not been included in the user attributes.
Internal AD User has email from domain, verified on Azure AD.
Please help with configuration.
Thank you.

Microsoft Azure ActiveDirectory SignIn page not appearing for Xamarin iOS


Hello, 

I am using Microsoft Active Directory for login in my Xamarin Forms project.

I am facing an issue for iOS.

1. I am on the Login page. On clicking Sign in, it redirects me to the Microsoft sign-in page.

2. I sign in to my application and then log out from the app. It redirects me to the Login screen.

3. Now, if I sign in again, instead of showing me the Microsoft sign-in page, it shows a blank screen with infinite loading.

I have cleared the token cache but the issue still persists.

NuGet package I am using: Microsoft.IdentityModel.Clients.ActiveDirectory (version 3.19.0)

Can anyone help me on this?

Thanks

AADSTS50011 Error during signing in to Graph Explorer


Hello!

I have problem during signing in to Graph Explorer https://developer.microsoft.com/en-us/graph/graphexplorer

When I choose "sign in" in the left column and enter valid credentials, I get error "AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'de8bc8b5-d9f9-48b1-a8ad-b748da725064'."

Tried different browsers, the result is always the same.

My colleagues don't have this problem even if they use the same accounts as I do.


Sync o365 user photo with AzureADUserThumbnailPhoto


Hello!

I can set the user photo using the Microsoft Online web portal or PowerShell using the following commands:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -AllowClobber

Set-UserPhoto UserMailbox@contoso.com -PictureData ([System.IO.File]::ReadAllBytes("D:\Temp\123.jpg"))

 

All works well. But I can't understand why the AzureADUserThumbnailPhoto is not updated after setting the user photo using the Microsoft Online web portal or PowerShell.

I check the user photo using the following commands:

Get-UserPhoto UserMailbox@contoso.com   # This command returns information that the photo is set

Get-AzureADUser -Filter "UserPrincipalName eq 'UserMailbox@contoso.com'" | ForEach-Object { Get-AzureADUserThumbnailPhoto -ObjectId $_.ObjectId }   # This command returns an error that there is no photo

Help me, please.

What does Device Writeback Actually Do?


I have already seen this link on how to enable it:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback

It has this explanation:

"

Device Writeback is used in the following scenarios:

  • Enable conditional access based on devices to ADFS (2012 R2 or higher) protected applications (relying party trusts)."

That's much too vague an explanation.

What does device write back do specifically?

What are examples of specific useful things you can do with device writeback that you can't do without it?

AzureAD -> Pass-through authentication + Seamless SSO -> PowerBi


Hi,

Fundamentally this is a PowerBI.com question, but somehow I thought it would reach more AAD+SSO-specific knowledge by posting here.

We have PTA+SSO implemented and portal.office.com, myapps etc. SSO fine. Our issue is when people share Power BI dashboards. If the browser session is currently unauthenticated, PowerBI.com sends the user to the common login endpoint, which gives the user a prompt for username (not password).

Is anyone aware of a way to inject a domain hint into a static PowerBI report URL or does anyone have any other ideas as to how we can accomplish SSO to PBI reports?

Thanks in advance,

Chris

No stopping brute force attack attemps?


I have several user accounts, some actual users and a few shared mailboxes, that have been getting hammered with login attempts from China for the past week. A few of these users have started to get regularly locked out and frustrated.

I have Conditional Access enabled and I am blocking access from everywhere but the United States, but it isn't stopping this attack at all. I also have MFA enabled for one of these accounts, and it's not stopping the login attempts, or the account from getting blocked.

I have contacted Office 365 support twice. Their answer the first time was to open a ticket with Azure AD support, and not to worry about shared mailboxes because they can't be logged into. The second support call ended with the manager telling me again to open a ticket with Azure AD support, and to open some kind of Azure trial to get access to support.

I'm disgusted that MS holds security support behind a paywall and that regular support makes excuses instead of offering real assistance.

What's the point of conditional access if it lets users in blocked countries hammer away at our tenant until they are able to guess a password? Same thing with MFA, why isn't this blocked outright instead of blocking my user?

Has anyone successfully stopped these types of attacks?
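An added example, not part of the original post, that triages sign-in records for this kind of activity. It works on constructed records shaped like the Azure AD sign-in log export (userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode); in a tenant you would feed it the output of Get-AzureADAuditSignInLogs from the AzureADPreview module instead. The error codes used are 50126 (invalid username or password), 50053 (account locked by smart lockout), 53003 (blocked by Conditional Access) and 0 (success). A 53003 is only logged after the password was accepted, so a Conditional Access block from an attacking source is the signal that a guess succeeded, which per-account lockout counts alone do not show.

```powershell
# Added example (not from the original post): summarise password-guessing
# activity per account and per source IP from sign-in records.
# The records below are constructed to resemble the sign-in log export.
$sampleSignIns = @'
[
 {"createdDateTime":"2019-11-04T02:10:11Z","userPrincipalName":"shared-sales@contoso.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"CN"},"status":{"errorCode":50126}},
 {"createdDateTime":"2019-11-04T02:10:19Z","userPrincipalName":"shared-sales@contoso.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"CN"},"status":{"errorCode":50126}},
 {"createdDateTime":"2019-11-04T02:10:27Z","userPrincipalName":"shared-sales@contoso.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"CN"},"status":{"errorCode":50126}},
 {"createdDateTime":"2019-11-04T02:10:35Z","userPrincipalName":"shared-sales@contoso.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"CN"},"status":{"errorCode":50053}},
 {"createdDateTime":"2019-11-04T02:11:02Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"CN"},"status":{"errorCode":50126}},
 {"createdDateTime":"2019-11-04T02:11:40Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"CN"},"status":{"errorCode":50126}},
 {"createdDateTime":"2019-11-04T02:12:05Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","location":{"countryOrRegion":"CN"},"status":{"errorCode":53003}},
 {"createdDateTime":"2019-11-04T13:01:00Z","userPrincipalName":"alice@contoso.com","ipAddress":"198.51.100.7","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

function Get-PasswordAttackSummary {
    param([object[]]$SignIns, [int]$FailureThreshold = 3)
    $SignIns | Group-Object userPrincipalName | ForEach-Object {
        $ev      = $_.Group
        $bad     = @($ev | Where-Object { $_.status.errorCode -eq 50126 })
        $locked  = @($ev | Where-Object { $_.status.errorCode -eq 50053 })
        $blocked = @($ev | Where-Object { $_.status.errorCode -eq 53003 })
        [pscustomobject]@{
            User        = $_.Name
            BadPassword = $bad.Count
            Lockouts    = $locked.Count
            Successes   = @($ev | Where-Object { $_.status.errorCode -eq 0 }).Count
            Countries   = (@($ev.location.countryOrRegion) | Sort-Object -Unique) -join ','
            UnderAttack = $bad.Count -ge $FailureThreshold
            # A Conditional Access block (53003) from an IP that also produced
            # bad-password events means the first factor was passed: the password is known.
            PasswordGuessed = @($blocked | Where-Object { $_.ipAddress -in @($bad.ipAddress) }).Count -gt 0
        }
    }
}

function Get-SpraySource {
    # Sources that fail against several distinct accounts are spraying, not a forgetful user.
    param([object[]]$SignIns, [int]$MinUsers = 2)
    $SignIns | Where-Object { $_.status.errorCode -eq 50126 } |
        Group-Object ipAddress | ForEach-Object {
            $users = @($_.Group.userPrincipalName | Sort-Object -Unique)
            if ($users.Count -ge $MinUsers) {
                [pscustomobject]@{
                    IpAddress     = $_.Name
                    Country       = $_.Group[0].location.countryOrRegion
                    UsersTargeted = $users.Count
                    Failures      = $_.Count
                }
            }
        }
}

Get-PasswordAttackSummary -SignIns $sampleSignIns | Format-Table -AutoSize
Get-SpraySource -SignIns $sampleSignIns | Format-Table -AutoSize
```

On the constructed data, shared-sales shows three bad passwords and a lockout, 203.0.113.10 is reported as a spray source hitting three accounts, and bob is flagged PasswordGuessed because the same IP went from 50126 to 53003. That last row is the one to act on (reset the password and look for other activity from that source), since the country block only applied after the credential had already been validated.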

What is the service in Azure that does VM instance profile/role

Does Azure AD support back-channel binding for SAML SLO?

I see in the metadata only a logout URL with the HTTP-Redirect binding. Does it mean that Azure AD implements only the front-end binding for single logout? And can I define more than one logout URL for my application, or is one URL a restriction from the SAML specification? Or maybe I can define the logout URL where I expect to receive the SAML logout request in the authentication request?

Workday SSO with Azure AD: Mobile App Login Redirect URL and Timeout Redirect URL?


I am trying to configure Workday to use Azure AD for Single Sign-On (SSO). I am following Microsoft guidance:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/workday-tutorial

There are two settings on Workday that are not documented, and I would like some guidance on them: Mobile App Login Redirect URL and Timeout Redirect URL.

Currently, my Login Redirect URL is set to https://impl.workday.com/<workdayTenantName>/login-saml2.html. This works just fine. However, when I try to set the Mobile App Login Redirect URL to the same value, I get an error of "Invalid user name or password". Why is this error happening? Should the Mobile App Login Redirect URL be different from the regular Login Redirect URL? And if so, what should the Mobile App Login Redirect URL be?

Also, for testing purposes, I have tried setting our Timeout Redirect URL to both our Login Redirect URL (https://impl.workday.com/<workdayTenantName>/login-saml2.html) and our Logout Redirect URL (https://login.microsoftonline.com/<azureAdTenantId>/saml2). Neither of these values seems to result in a session timeout for a user logged into Workday. What should the Timeout Redirect URL be?



Azure AD Sign-In errors with 3rd party Conditional Access (Duo)


I have an Azure conditional access policy that requires Duo for 2-factor authentication for All Cloud Apps. In the Azure AD sign-in logs, I see a repeatable pattern of 3 sets of logs for every 1 sign-in (screenshot here)

  • First log stating that the sign-in was a failure because "External security challenge was not satisfied" (screenshot)
  • Second log stating that the sign-in was Interrupted because "this error occurred due to 'Keep me signed in' interrupt when the user was signing-in" (screenshot)
  • Third log stating that the sign-in was actually a success (screenshot)

Is getting logs stating that there has been a sign-in failure during a successful sign-in an expected behavior of an Azure conditional access policy that requires a 3rd party app for 2-factor authentication?




Azure AD Application Proxy to Internal SharePoint


I've been trying to make a configuration work with our iOS and Android devices to have internal SharePoint links in email get redirected through Azure AD Application Proxy. Before I walk through my setup I want to make sure that what I am trying to do is possible if I am managing the device with Intune and using the Edge mobile browser with application configuration policies.

Is this a supported scenario or does this redirection not work in the scenario above?


www.bighatgroup.com

Need admin approval page in azure has options to login as admin account, which is not working


The "Need admin approval" page is shown when the admin consent URL is opened by a user, which is fine. It has an option to log in with an admin account.

1. On clicking "Have an admin account? Sign in with that account"
2. It redirects to log in as admin; I log in as a global admin of the AD.
3. It shows an error "AADSTS50197: Sorry, we could not find the user, please sign-in again."

Admin-initiated end-user password reset not working : Your new password doesn't meet your organization's password policy


I have an Azure AD tenant with Password Hash Synchronization (PHS - screenshot) and Password Writeback (screenshot) enabled.

I am trying to reset a test user's password through the Microsoft 365 admin portal (screenshot). This operation - administrator-initiated end-user password reset from the Microsoft 365 admin center - is explicitly listed as supported under Microsoft's public documentation regarding Password Writeback:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback#supported-writeback-operations

After I proceed on resetting this test user's password (screenshot, where I create a new password myself, with the flag to force the user to change the password on next logon), the user can no longer log in with his old password (good). If the user inputs the new admin-generated password, the user is then prompted to change his password (screenshot - good). However, when inputting (1) the admin-generated password as the "current password", and (2) a new complex password as the "new password", there is an error (screenshot):

Your new password doesn't meet your organization's password policy. Try something else, or ask your admin for tips.

This error does not make any sense for multiple reasons:

  1. My on-premises AD password policy is even disabled by GPO (screenshot).
  2. The error still shows up regardless of how complex my new password is. Error is repeatable after several different new passwords.
  3. The error persists even if, in the field for "current password", a completely incorrect password is typed in (i.e. neither the admin-generated new password, nor the original password).

Any idea of what is going on?

Handling AD logout in React Native Apps


I am following the procedure given in AD Logout in graph docs.

It seemed to sign out, but despite including

 post_logout_redirect_uri={{MYAPPIDENTIFIER}}

control was not redirected to the app. Please note that {{MYAPPIDENTIFIER}} is the same as I have set in the App Registrations portal for initialising the app for Azure AD. Are there any steps that I am missing while doing the logout?

I checked the Chrome network tab, and despite setting post_logout_redirect_uri in the initial request, it does not redirect to the said URI.

 

Thanks
