Channel: Azure Active Directory forum

Remote Join Challenges


Hi,

I'm new to Azure AD and have been struggling with joining Linux machines.

I started using Azure AD with Windows machines, where a simple account email ID allowed my office employees to join easily using their Azure OnMicrosoft ID. But this has not worked for our Linux terminals.

I have set up Azure AD Domain Services, but I am unable to get the same domain, which is xxxx.onmicrosoft.com, to work. I am getting the error "realm not found".

Can someone please provide me a solution to this or step by step instructions for the same?

Thanks

Sid

salesforce campaign creation using azure


Hi,

Is there any way to create a campaign in Salesforce from an Azure app? As far as I know, we can access the data in the Salesforce database from Azure. Can we create one using an Azure app, or from any other source such as an API?

Thanks,

Ram

Additional domain controller in Azure


We are planning to deploy an additional domain controller in Azure. Should we go with a VM or with Azure AD Domain Services?

AD B2C Custom Policy - User creation issue - Block Sign In set to Yes

When we create a user using a custom policy (the authentication source is local account authentication, and we set accountEnabled = true as well after MFA), the user is created but "Block Sign In" is set to Yes, and because of this the user is not able to log in. Any fixes for this?

How to customize 'user is not assigned to a role' message in SAML SSO configuration

Hello! We are utilizing Azure AD Enterprise Applications to configure SAML SSO as a non-gallery application to manage authentication and authorization to our web application. We are using an AD group to authorize users to have access to the application. When a user that is not in the group attempts to log in, they correctly receive the message "The signed in user 'email@foo.bar' is not assigned to a role for the application 'GUID'..." along with a second message with IDs, timestamps, etc. This is not a user friendly message and we would like to customize it or if possible send the user to the application with a "Sign-in Failure" response indicating the user is not authorized so the application can display an appropriate message.  Is this possible and if so can I be pointed to the document or steps to configure this in Azure? Thank you!

Azure Application Ent. Provisioning Mapping - The button "Restore Default Mappings" is not working and we cannot restore the user mappings.


Hi guys,

We just enabled Single Sign-on for an Enterprise Application (Atlassian Jira). However, when we tried to configure Provisioning for users from Azure AD to the app, we turned off the mapping for Users.

Now we can see the Group mapping only. The button "Restore default mappings" is not doing anything. It is not giving the option to Save. Groups are provisioned OK though.  How do we get the User mapping again?

Thanks.

Secure LDAP configuration failed

Hello,

I am trying to configure Azure Active Directory Secure LDAP with Public CA, but getting error

Secure LDAP configuration failed. The certificate’s subject does not match the managed domain name

I have followed the instructions as given in the official Azure doc. Please suggest.

Is there a way to export Azure AD Connect settings?

I am wondering whether there is a way to export the Azure AD Connect configuration settings so I can set up a failover Azure AD Connect on a secondary server.

CSOM application with ADAL token. Problem when calling Web.CreateOrganizationSharingLink


I have a simple CSOM application that runs on a desktop computer. It simply uploads a file and then calls Web.CreateOrganizationSharingLink.

When that application logs in to OneDrive the standard way (providing the user name and password using the SharePointOnlineCredentials class), everything works fine. But if I run that exact application on the same PC, with the login done using tokens instead (I use the ExecutingWebRequest event), the upload goes OK, but when sharing the file I get:

Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: Access denied. You do not have permission to perform this action or access this resource.

It is strange... if I list the ObjectSharingSettings properties for this file I get (using the token):

AccessRequestMode=True
BlockPeoplePickerAndSharing=False
CanCurrentUserManageOrganizationReadonlyLink=False
CanCurrentUserManageOrganizationReadWriteLink=False
CanCurrentUserManageReadonlyLink=False
CanCurrentUserManageReadWriteLink=False
CanCurrentUserRetrieveOrganizationReadonlyLink=False
CanCurrentUserRetrieveOrganizationReadWriteLink=False
CanCurrentUserRetrieveReadonlyLink=False
CanCurrentUserRetrieveReadWriteLink=False
CanCurrentUserShareExternally=True
CanCurrentUserShareInternally=False
CanSendEmail=True
CanSendLink=False

while with the standard login process (user name and password) they are all true. It's as if that user has some bad setting whereby, when the login comes from ADAL, the account lacks many sharing features.

If I run this exact program as another user in the same organization (using the token too), then it works OK (sharing succeeds), so it's not something wrong with the application I registered on the server; it's something about this user: either a OneDrive setting, a user restriction, or a site permission.

Any clue?

Thanks

Devices joined to Azure Active Directory show join status of "registered"


Good day, 

I'm hoping that someone can offer some guidance as this really has me stumped. Here is my scenario: 

I have a total of 35 laptop devices in my org. Prior to rolling out Azure AD, users were logging in to these laptops with a local account, under which they had installed Office 365 using their O365 credentials.

As we have rolled out Azure AD I have been working with each user individually to join the device to Azure AD by taking the following steps: 

1) Log into the device as the local administrator

2) User Accounts

3) Connect to work or school

4) Join this device to Azure Active Directory

5) Enter the users domain user name (and password when prompted) 

6) Validate that this is in fact the domain we want to join. 

7) At this point we configure additional verification measures for self-password reset such as mobile phone number, alternate email, configure PIN, etc. 

8) Once completed, I log out of the device as local admin and we log back in as the users domain account and configure their applications. 

Out of the 35 devices we have, I have completed this process on about 20 of them. Of those 20, there are 5 or 6 that still show a "Join Type" of "Azure AD Registered" in the Azure Active Directory Admin Center, while the rest of the devices indicate that they are "Azure AD joined".

Following a recent attempt to join a device this morning, I reviewed the audit logs and found that the "Add device" activity failed with the following status reason: "Microsoft.Online.Workflows.ObjectAlreadyExistsException"

There is no difference in Windows version between the devices that were successfully joined and those that were not, and there are no duplicate device names within our domain.

I was advised to ensure that the Azure AD join was being completed under a local admin account, which I verified during the attempt this morning (although I do not believe that any local user other than the local admin even has the option to join a device to Azure AD).

Does anyone have any ideas as to what I am doing wrong here and/or suggestions as to how to best troubleshoot? 

Thank you! 
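A per-device check for the situation described above, added here as an example and not part of the original post: the Windows tool `dsregcmd /status` prints the flags that distinguish an "Azure AD joined" device (AzureAdJoined : YES) from an "Azure AD registered" one (WorkplaceJoined : YES under the user state). The parser and the classification below are this editor's code; the two status dumps are constructed samples in the shape dsregcmd prints, not captures from the poster's laptops, and only `run_dsregcmd()` touches the real tool.

```python
"""Classify a Windows device's Azure AD state from 'dsregcmd /status' output.

Added example (not from the original post). Field names AzureAdJoined,
WorkplaceJoined and DomainJoined are the ones dsregcmd prints; the sample
output below is constructed for offline use.
"""
import subprocess


def parse_dsregcmd(text):
    """Turn the 'Key : Value' lines of dsregcmd output into a dict.

    Splits on the first ':' only, because values such as URLs contain colons;
    section banners like '| Device State |' and '+----+' rules have no ':'
    and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _yes(fields, key):
    return fields.get(key, "NO").strip().upper() == "YES"


def join_type(fields):
    """Map the flags to the 'Join Type' wording the Azure AD admin center uses."""
    aad = _yes(fields, "AzureAdJoined")
    wpj = _yes(fields, "WorkplaceJoined")
    dom = _yes(fields, "DomainJoined")
    if aad and dom:
        return "Hybrid Azure AD joined"
    if aad:
        return "Azure AD joined"
    if wpj:
        # A work account was added under a local user; the device itself was never joined.
        return "Azure AD registered"
    return "Not joined"


def run_dsregcmd():
    """Run the real tool on a Windows host and classify the live device."""
    out = subprocess.run(["dsregcmd", "/status"], capture_output=True,
                         text=True, check=True).stdout
    return join_type(parse_dsregcmd(out))


# Constructed sample: what a 'registered' device shows. The device-state flags
# are all NO, but the signed-in user's state carries WorkplaceJoined : YES.
REGISTERED_SAMPLE = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
         WamDefaultAuthUrl : https://login.microsoftonline.com/common/oauth2/authorize
"""

# Constructed sample: a properly joined device (tenant id is a placeholder).
JOINED_SAMPLE = """\
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  TenantId : 00000000-0000-0000-0000-000000000000
           WorkplaceJoined : NO
"""

if __name__ == "__main__":
    for name, sample in (("registered", REGISTERED_SAMPLE), ("joined", JOINED_SAMPLE)):
        print(f"{name}: {join_type(parse_dsregcmd(sample))}")
```

Run it on each laptop under the user's account after the join; a device that reports "Azure AD registered" here will show the same join type in the admin center, which narrows the question to that device rather than the tenant.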

Azure AD B2C - "invalid_grant" when accessing "/token" authorization endpoint


I thoroughly followed this guide in order to create an Active Directory and an application:

https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/

I added full application permissions for: Windows Azure Service Management API, Windows Azure Active Directory and Microsoft Graph. 

In the Microsoft Azure Portal, in Azure AD B2C settings, I added a Sign in and Sign up policy.

The '/authorize' endpoint is accessed as follows:

https://login.microsoftonline.com/2d779d37-.../oauth2/authorize?p=[my_sign_in_policy]&client_Id=[application_client_id]&nonce=defaultNonce&redirect_uri=http://www.localhost:9000/&scope=openid&response_type=code+id_token&prompt=login

The [application_client_id] is copied from the CLIENT ID box in my application configuration.

The user I'm authenticating has Global Admin role.

After successful login I receive as hash parameters: "code" and "id_token".

The '/token' endpoint is accessed as follows:

Method: POST

https://login.microsoftonline.com/2d779d37-.../oauth2/token?grant_type=authorization_code

&client_id=[application_client_id]&code=[code_from_previous_step]&redirect_uri=http://localhost:9000/&resource=https://graph.windows.net/&client_secret=[application_client_secret]

I get the [application_client_secret] from the "keys" section in my application configuration.

When accessing the '/token' endpoint, I get the following error response:

400, Bad request

{"error":"invalid_grant","error_description":"AADSTS70000: Authentication failed: Authorization Code is malformed or invalid.\r\nTrace ID: 94f3ca04-2f33-402e-a80e-dc1147b1b49b\r\nCorrelation ID: 8fb2aebd-53ec-4c0b-8852-71fc8c6849ea\r\nTimestamp: 2016-07-15 07:11:13Z","error_codes":[70000],"timestamp":"2016-07-15 07:11:13Z","trace_id":"94f3ca04-2f33-402e-a80e-dc1147b1b49b","correlation_id":"8fb2aebd-53ec-4c0b-8852-71fc8c6849ea"}
What I have tried:

Removing application write permissions for Windows Azure Service Management API, Windows Azure Active Directory and Microsoft Graph.

Adding a scope=openid%20offline_access parameter to the '/token' request.

Adding a p=[my_signin_policy] parameter to the '/token' request.

None of which had any effect on the response.
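For comparison with the two requests quoted above, here is how a standard OAuth 2.0 authorization-code exchange against a B2C policy endpoint is assembled. This is an added example, not code from the original post: the authorization request carries the policy in `p=`, and the code redemption sends `grant_type`, `code`, `client_id`, `client_secret` and `redirect_uri` as a form-encoded POST body (RFC 6749 section 4.1.3), with `redirect_uri` byte-for-byte identical to the one used in the authorization request. The tenant id, policy name, client id and redirect URI are placeholder assumptions; nothing below touches the network, and the error-body parser is fed a constructed response shaped like the AADSTS70000 one quoted in the post.

```python
"""Assemble (offline) the two requests of an authorization-code flow against an
Azure AD B2C policy. Added example, not from the original post.

Assumed placeholder values: TENANT, POLICY, CLIENT_ID, REDIRECT_URI.
"""
import json
from urllib.parse import urlencode, urlparse, parse_qs

TENANT = "00000000-0000-0000-0000-000000000000"     # assumed tenant id
POLICY = "B2C_1_signupsignin"                        # assumed policy name
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # assumed app (client) id
REDIRECT_URI = "http://localhost:9000/"              # assumed; reused verbatim below
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}/oauth2"


def build_authorize_url(nonce, state):
    """Front-channel request: response_type=code returns the code as a query
    parameter on the redirect. Parameter names are lower-case (client_id)."""
    params = {
        "p": POLICY,
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "nonce": nonce,
        "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_token_request(code, client_secret):
    """Back-channel request. Only the policy selector stays in the URL; every
    OAuth parameter goes in the application/x-www-form-urlencoded body."""
    url = f"{AUTHORITY}/token?{urlencode({'p': POLICY})}"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the authorize request's value
        "scope": "openid offline_access",
    })
    return url, headers, body


def redirect_uris_match(authorize_url, token_body):
    """Check the one mismatch that is easy to miss: host/scheme/trailing slash
    must agree exactly between the two requests."""
    from_authorize = parse_qs(urlparse(authorize_url).query)["redirect_uri"][0]
    from_token = parse_qs(token_body)["redirect_uri"][0]
    return from_authorize == from_token


def parse_aadsts_error(response_text):
    """Pull the OAuth error string and the numeric AADSTS code from an error
    response body, so callers can branch on 70000 etc. rather than on text."""
    doc = json.loads(response_text)
    codes = doc.get("error_codes") or []
    return doc.get("error", ""), (codes[0] if codes else None)


# Constructed sample error body, shaped like the one quoted in the post.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS70000: Authentication failed: "
                         "Authorization Code is malformed or invalid.",
    "error_codes": [70000],
})

if __name__ == "__main__":
    print(build_authorize_url(nonce="n-1", state="s-1"))
    url, headers, body = build_token_request("CODE_FROM_REDIRECT", "client-secret")
    print(url, headers, body, sep="\n")
    print(parse_aadsts_error(SAMPLE_ERROR))
```

The state value is there so the client can tie the redirect back to the request it started; the nonce is echoed into the id_token and should be checked the same way. Both are per-request random values in real code, not the fixed strings used here.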

Error AADSTS50020 - Minecraft for Nintendo Switch

Hi, I was just trying to set up the Nintendo Switch cross-platform version of Minecraft, and when asked to submit the code to verify the Microsoft account (aka.ms/remoteconnect), it starts saying that my account doesn't exist in Microsoft, with the error AADSTS50020, but when I go to Microsoft's main page my account still exists just fine. Any idea what's going on? Thanks in advance!

Azure AD Connect Health for AD FS - How to export usage analytics?


I have set up Azure AD Connect Health agents on some AD FS and WAP servers, and all is working well.

In the Usage Analytics area of the portal, it shows you a list of the top applications using AD FS for authentication. Lesser-used applications are lumped into an 'Other' category.

It is the 'Other' category I am interested in. I cannot find any hooks into AADC Health that will allow me to find the applications that belong to 'Other'.

Does anyone know of a way to export a comprehensive report of every application using AD FS, including Other?

We have a long list of RP trusts and are just trying to identify which ones are in use.

Conditional access

Hello. I need to set up CA for one of my enterprise apps so that it only allows users inside the company.

I went through the CA steps but don't see it.

condition - outside the domain (from home or public IP)

action - block

Can I do this?

FederationMetaData Service account in Azure AD


We are getting a question from the Security team: does the FederationMetaData service account in Azure AD need Global Administrator permissions? Can we revoke Global Admin privileges for the FederationMetaData service account and assign some lesser permissions?

Can someone please help me to answer this?  Thanks for your help. 

Password reset inconsistencies between O365 and Azure portal. Identifying federated domains.


Hi, I have some questions around B2B guest accounts.

1. Should we be able to reset guest passwords in our Azure AD? We have an option to do so within O365, but AAD says this is not possible. Why is this?

2. Why do guest accounts appear as _hotmail.com#EXT#@contoso.onmicrosoft.com within O365, but as @hotmail.com within Azure AD?

3. How can we identify if a partner domain is federated with O365 already?

4. Some of our partners have not completed their O365 migration, so they're in a semi-migrated state with some users in AAD and others still on premises. This causes issues with B2B. What's the best way to deal with this?

Thanks

Azure AD B2C can we get email verification in next screen similar to Mobile MFA


Hi,

Is it possible to display the email verification code capture box on the next screen, similar to the mobile OTP capture, instead of having it displayed below the email ID? We are trying to do this through a Custom Policy.

We are looking for an option where the "send verification code" button appears on a separate screen.

Cannot delete the directory, annoying.