I have a VM created in Azure with MSI (Managed Service Identity) enabled and I also grant the contributor role of my subscription to the VM, so from this VM, I am able to call "localhost:50342" to get the access token and then use Azure Resource Manager API (endpoint: management.azure.com) to access Azure resources. Now when I tried to use the same way to access Azure Graph API (endpoint: graph.microsoft.com), I kept getting "[code] => Authorization_RequestDenied [value] => Insufficient privileges to complete the operation". So how am I able to grant permissions to the VM to access Azure Graph API when MSI is enabled? Thank you very much!

↧

how to open 'forgot password' link directly.

May 21, 2019, 1:57 am

≫ Next: Getting AADSTS50020 when trying to sign in to feedback.azure.com

≪ Previous: Does Azure MSI support accessing Graph API?

I am developing an application,in which I need to give the 'forget password' link on my web page. On clicking this link, I want the user to see the 'forgot password' page on the browser. I understand that, there is a 'forgot password' link in the login page of the Azure AD. I also copied the underlying link which looks like below. I am sure this is not the right URL. Could anyone help me understand a direct link to the 'forgot password' page.?

https://passwordreset.microsoftonline.com/?ru=https%3a%2f%2flogin.microsoftonline.com%2fcommon%2freprocess%3fctx%3drQIIAY3SPW_bVhQGYFFyVMcI0qDo0GwegqIIQOnyU6IBo5D1SUYkTYkUJS0CdXkl0RLvpclLfRD9AR2DjFladHS3DEXhn-AlWYoCBboVSNGlRaaOpQt073KGc870vs_JY64CKiIQgFzhJEl8XuIq3NkzKIpzEdQFVpjPASsqkGPnYs1nlZqIJAHO_YUAtbIEOFEA8ScnT942Qg2-_b75g3_85-Pw5_c3zOcrSqPkrFqNSEy9TcXL0hhVIAmrSbDEAa4G2Ef76o8M845hfmeYm2IiC7LC1xVFUDge1JUaL1bM1vqgtyaZcbWkE34QGAcATFfd913tamI7dBrqmdl1pKmb31wVGK4lTUItNDJIjZa6M5oAGJm26dubtcFbVM8GK8OdHKa2s9ez9f6X4sdmI6Ur_n6QOMjQh-LDBYnDWUAB-rr0vmhGCKt-k2CMIK3cvyFMA-jRgODLmEQopgFKzgWc9IG0OvC1i7a0tZasxOPGpboYaO51u-uYM2c0UgDy4tFi2AHJghtmjSvVVgxtTFNkyXTJXu_1WVcnHccL2IAMxu5hRMfh2GDnSWNIbM_ab2XDGbczaNVUfukhznwRm0RBWitsDseCES2FRNACEzodLK9Nfq-N0gil3Lar9iwH5LHNY4Ufz5Od4EmXq95Vqy8JS3Ggso3O0BfCSwhTe0NqrjyzI3H5YiRFguFwdsYnEwnXODJfb_tTNR1daAPQVEWyMPrB1raVyXQVYY7fxKJL040_HOntpg6pu7Y80cv8iz2Fq9mIdNVGaE1YtXtAsOPCkO8Gigh0cr1bDG9Kz_4DE3rYW6IwjznnkpvZ5VLILqlgRKtvSuWcUEjwXelpmqB4FoR5AwnB__ZxmteBA__dEfPH0dNj5knhsw-3xdNXj774FJTOjo9P8kXhtPD3EfPdg9zsufHr85_M4843dSb57atvC3cPqlOrcyFH8Lo39vrqQLYsmPaAu25o2FlxXr-OkykEfb3Wc8C5fMa9LDMvy-W7clltzYy2_VeZ-fqjwu3D3v-j_-UCefT-QhH2ME3gPSbkB3EO7XzhbRL0Dw2&mkt=en-IN&hosted=0&device_platform=Windows+10

↧

Getting AADSTS50020 when trying to sign in to feedback.azure.com

May 7, 2019, 6:46 am

≫ Next: Audit usage and/or usage of registered applications

≪ Previous: how to open 'forgot password' link directly.

Hi,

I'm trying to sign in to https://feedback.azure.com using my MS account to post some feedback, but sign in fails with the following message.

Request Id: 0454e37c-25a3-4b22-a42e-d8873a9b7d00

Correlation Id: 5fcdc32e-cd52-4af9-8583-921beb138b91

Timestamp: 2019-05-07T13:26:36Z

Message: AADSTS50020: User account '****@*******.com' from identity provider 'live.com' does not exist in tenant 'UserVoice, Inc.' and cannot access the application '91a42e81-999b-4cf1-aa36-bb33f25ff53b'(windowsazure.uservoice.com) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

I think that I was able to sign in to feedback.azure.com in the past. I'm able to sign in to other MS services (like https://azure.microsoft.com, or https://microsoft.com itself) using my MS account, but for https://feedback.azure.com it fails.

Not sure if I ask in the right place. Please direct me where should I ask, if it would it be better to ask it in the different place.

↧

Audit usage and/or usage of registered applications

May 21, 2019, 3:30 am

≫ Next: Azure Active Directory Connect error trying to federate wtih AD FS. Object reference not set to an instance of an object.

≪ Previous: Getting AADSTS50020 when trying to sign in to feedback.azure.com

I am trying to find a way to determine usage of registered application in Azure Active Directory. Challenge is there is a number of applications registered and I should determine usage level of them. What options do I have? I prefer free ones

↧

Azure Active Directory Connect error trying to federate wtih AD FS. Object reference not set to an instance of an object.

January 15, 2019, 2:39 pm

≫ Next: Users can only see office 365 apps in the office 365 portal

≪ Previous: Audit usage and/or usage of registered applications

I've tried to configure this trust multiple times using Azure AD Connect Wizard and it fails ever time. I tried pasting the output of the install log while trying Federate an Azure AD Domain but it was too long.

Can the trust be created not using Azure AD Connect?

↧

Users can only see office 365 apps in the office 365 portal

May 17, 2019, 5:52 am

≫ Next: AzureAD -> Pass-through authentication + Seamless SSO -> PowerBi

≪ Previous: Azure Active Directory Connect error trying to federate wtih AD FS. Object reference not set to an instance of an object.

In AAD under Enterprise Applications->User Settings there is an option which says, users can only see office 365 apps in the office 365 portal. I set it toyes but still the users are able to see the apps from the MyApps panel. Whay is it so?

Thanks

↧

AzureAD -> Pass-through authentication + Seamless SSO -> PowerBi

May 20, 2019, 5:23 am

≫ Next: Login failed for user

≪ Previous: Users can only see office 365 apps in the office 365 portal

Hi,

Fundamentally this is a PowerBi.com question but somehow i thought it would reach more AAD+SSO specific knowledge by posting here.

We have PTA+SSO implemented and portal.office.com, myapps etc SSO's fine. Our issue is when people share PowerBI dashboards. If the browser session is currently unauthenticated PBi.com sends the user to the Common login endpoint which gives the user a prompt for username (not password).

Is anyone aware of a way to inject a domain hint into a static PowerBI report URL or does anyone have any other ideas as to how we can accomplish SSO to PBI reports?

Thanks in advance,

Chris

↧

Login failed for user

May 21, 2019, 8:52 am

≫ Next: AAD Auth Failures - using POSTMAN - obtaining token

≪ Previous: AzureAD -> Pass-through authentication + Seamless SSO -> PowerBi

I am using Azure for the first time & trying to read from an Azure SQL Database.

Since connecting directly to the database is said to be bad, I've followed this tutorial from microsoft
https://
github
.com/Azure-Samples/app-service-msi-entityframework-dotnet

I am using the provided project & have changed nothing in it except for the details in the connection string (i.e. server name & db name)
I have setup an azure API App, Db & Db Server as suggested in the tutorial ("WebApp2105", "WebAppDb", "webapp2105dbserver"). I have then created a managed identity (AAD Admin: "WebAppManagedAdmin", "WebAppAdmin" is the admin of the SQL Server) & altered the connection string using the power shell as suggested.

Now when debugging or publishing the app, the error "Login failed for user" is thrown. (see: https://
webapp2105
.azurewebsites
.net/ )

Something else I noticed:
Before creating the AAD Admin I can connect (Authentication: Active Directory PW) to the db via SSMS using my normal AAD account (the standard AAD domain that was created when I signed up for azure with my microsoft account, btw. is this normal ? I pretty much have 2 accounts now. My email signed up microsoft account + the azure domain account, azure is only active for my email microsoft account though)

After creating the managed ID, I can no longer connect using Active Directory authentication. Neither with my AAD domain nor the my WebAppManagedAdmin id.

Any clues why the login fails & why I can't connect to the db anymore after creating the managed identity ?
I've checked the trouble shooting paragraph of the tutorial, both environment variables do exist when publishing.

Edit:
I've added empty lines because I wasn't allowed to post links...

↧

AAD Auth Failures - using POSTMAN - obtaining token

May 21, 2019, 9:18 am

≫ Next: Option with MFA

≪ Previous: Login failed for user

Getting error: The application asked for scope 'read' that dosen't exist on the resource .

Investigating Web API for dynamics365.

↧

Option with MFA

May 21, 2019, 6:52 am

≫ Next: Secure LDAP configuration failed

≪ Previous: AAD Auth Failures - using POSTMAN - obtaining token

Here what I understand:

There a 2 MFA Option with Office 365: MFA in clound(via Office 365 or Azure, and a MFA Server.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion

Is there a way to force a groupe of user( or case user with itune device) to use Microsft Authenticator as second factor and force another groupe of user to use Voici/SMS as second factor?

Thank you

Sebastien

↧

Secure LDAP configuration failed

May 21, 2019, 10:29 am

≫ Next: Azure AD Connect one way sync from AAD

≪ Previous: Option with MFA

Hello,

I am trying to configure Azure Active Directory Secure LDAP with Public CA, but getting error

Secure LDAP configuration failed. The certificate’s subject does not match the managed domain name

I have followed the instruction as given in Azure official doc. Please suggest.

↧

Azure AD Connect one way sync from AAD

May 21, 2019, 11:42 am

≫ Next: Azure Active Directory - ADDS - VM Windows Server 2016 ADAC - Domain join account

≪ Previous: Secure LDAP configuration failed

Hello,

We have our AD in Azure AD, and for few reasons I need to synchronize the Azure AD with one server on-premise. I want to sync from Azure AD to this server and it must be a one way sync.

From what I've seen, Azure AD Connect only offers two ways sync when syncing from Azure AD to a server.

Do you have any recommendations for this specific case?

Thank you

↧

Azure Active Directory - ADDS - VM Windows Server 2016 ADAC - Domain join account

May 21, 2019, 6:00 pm

≫ Next: Global Banned Password List Azure - Existing Passwords

≪ Previous: Azure AD Connect one way sync from AAD

Hi,

I'am trying to plug Horizon Cloud VMware with Azure.

I must create domain join account requires requires the following Active Directory permissions: List Contents, Read All Properties, Read Permissions, Reset Password, Create Computer Objects, Delete Computer Objects, and Write All Properties.

The account is well created but I am not able to give him permission to reset the passwords. But I add the other rights, and when Horizon tries to use the account it tells me that this right is required.

I use Control Delegation on OU but even if i give the right to reset user password nothing happens.

Any suggestions

Thank you

↧

Global Banned Password List Azure - Existing Passwords

May 21, 2019, 9:00 am

≫ Next: directory and tenant and account

≪ Previous: Azure Active Directory - ADDS - VM Windows Server 2016 ADAC - Domain join account

Hi All

If we turn on custom banned passwords will this force users with passwords in the list to change there existing passwords ?

Thanks

↧

directory and tenant and account

May 21, 2019, 7:50 pm

≫ Next: Connect To Azure AD

≪ Previous: Global Banned Password List Azure - Existing Passwords

hi guys,

I have a little bit confuse on the definition of azure directory, tenant and account.

on my understanding:

tenant = directory

when you login your account, will shown all the tenant which you have access. in above screenshot, my account have 2 tenant access ?

is that correct ?

thanks

↧

Connect To Azure AD

May 21, 2019, 1:24 pm

≫ Next: Can't delete never used directories

≪ Previous: directory and tenant and account

I have a server 2016 data center stand alone with an Domain promoted as example.com and i need connect this domain wsith my azure active directory sucursal.com to sync the user i have there,so I am installing " Azure AD Connect" as express settings and when i set the username and password of my global administrator show up this message " Unable to validate credential. only Azure and user accounts synchronized from your on-premises directory are supported for administration [accessing_ws_metada_exchange_failed]" i cannot find anything in Microsoft about this error, some one can give me a hand?

↧