Channel: Azure Active Directory forum

How to generate Azure Active Directory (AAD) authentication token for Graph API without interactive login screen for console/native application?


Details: 

I am using Graph API to read emails with Azure Active Directory (AAD) with "Delegated" permissions.

"Application" permission allows a user to read other mailboxes and there is no admin consent for this approach due to security concerns, so I am using "Delegated" permissions.

My console/native application is registered to AAD.

Since AAD generates an OAuth authentication token for a specific account using:

1. Client ID, 2. Tenant ID, 3. Client Secret, 4. Login credentials of the specific account

I can generate a token using the interactive login screen.

However, I want a mechanism where I can generate an AAD token for Graph API (the resource) without the interactive login screen, within code using C# or .NET.


Group Policy Management through Azure Active Directory Possible?


Our company has a new entity that will consist of remote employees. There is no physical location with a physical server setup. These employees will be traveling a large portion of the time and all software they need to access will be cloud based. We want them to be able to connect to O365 and other microsoft cloud services, and so have made a custom domain for them in our Azure Tenant, and I have confirmed connectivity. 

We want to know if it is possible to administer group policy to these computers. I have read the article (Administer Group Policy on an Azure AD Domain Services managed domain) that shows that this is possible, but I cannot get this to work. Does group policy through Azure AD DS or an Azure VM with AD DS only affect other VMs, or can it push group policy to physical devices?



AD for Office 365


Hi,

I have an on-prem DC running 2016 which also holds DHCP and Print services along with some legacy apps.

We run Office 365. We are not syncing AD - we have a storage account with file shares which users map a network drive to.

I would like to leverage the Current AD for office 365 and install a VM for file sharing in Azure and have users validated to the AD in Azure when they are traveling and use the on prem. dc when in the office.

Is there any feasible way to go about this?

Regards

Mads


Hybrid Azure AD join


Hi,

I'm seeing devices showing as pending for Hybrid Azure AD join, but it shows Azure AD registered okay for the devices.
Is there any reason why devices are in a pending state for Hybrid Azure AD joined?
Or is it something that may get cleared once Azure AD Connect is configured for Hybrid Azure AD join?

I've got a FIPS compliant TPM enabled on all devices for Bitlocker. I wonder if it's going to cause any drama to go down the path of Hybrid Azure AD join.

Cheers

John


MFA/2FA Windows login with Intune & Azure


Hey guys !

I wondered if there is a way to provide 2FA on windows login (every time) with Intune enrolled device (without any local AD), and all this without using a third party soft like DUO :3

Thanks !

Authenticating Angular SPA and WebAPI using MSAL


I have an Angular SPA hosted at myangularapp.azurewebsites.net and a Web API hosted at myangularappapi.azurewebsites.net in Azure as two app services.

  • Customer sign-up to access myangularapp.azurewebsites.net 
  • Customer gets an email after he is approved manually by the application admin
  • Customer sign-in using the application specific sign-in form
  • App makes request to the myangularappapi.azurewebsites.net to get data

I'm planning to use Active Directory B2C and MSAL 2.0 to achieve this.

My questions are:

  1. How can I use custom application sign-in and sign-up forms instead of the AD specific UI? Can I have that as part of the Angular app that I have?
  2. Can I use AD B2C to authenticate both the application and the API through the same AD? The API returns sensitive data and someone from the internet should not be able to make a call to get the data.
  3. How can I get a list of users belonging to a group? Can I use MSAL to get the list of the users?

How to check Azure AD edition


Hi all,

is there a way from the Azure portals of the bill to retrieve the edition of the Azure Active Directory? (Basic, Premium 1 or 2).

Thank you very much

How to create Dynamic Groups based on local AD OUs.


Is there a filter I can use to create Dynamic Groups using the local AD OU attributes.

I am able to view the local OU in the Azure AD attributes using PowerShell:

(Get-AzureADUser -SearchString user1 | Select-Object -ExpandProperty ExtensionProperty)["onPremisesDistinguishedName"]

Provisioning Atlassian Cloud application doesn't update group membership


Hi,

I followed this tutorial to the letter

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial

User provisioning is working fine. 

Groups are also created in my Atlassian Access application. 

But the groups have no users. The members aren't synchronized.

I found this in the logs : 

Status Reason: urn:ietf:params:scim:schemas:core:2.0:Group 'Jira-Administrator-AD' will be skipped. Skip reason: UnableToResolveReferenceAttributeValue

Details : urn:ietf:params:scim:schemas:core:2.0:Group details: Skip reason = UnableToResolveReferenceAttributeValue, Active = ?, Assigned = ?, Passed scope filter: ?;

Any help would be really appreciated into debugging this issue. 

Conditional Access with Apple Mail


Hi,

I'm trying to configure MFA through Conditional Access, but when I enable this my iOS Apple Mail app still works without requiring any additional authentication.

However, after trialling the policy for a few weeks, my Apple Mail app stopped working and I received an e-mail from my exchange server telling me that someone had tried to set up two step verification.

Can you explain why when I configured Conditional Access MFA it didn't affect my iOS Apple Mail app at all, then a few weeks later it seemed to break it (which I would have expected a lot sooner).

Can you also please confirm how I protect the Apple Mail app via Conditional Access MFA?

Thanks,

Will North

MFA and AD Connect on one server?


We have Azure Multi-Factor Authentication set up on a member server. Now we need to set up AD Connect to sync our Active Directory to Azure. Can both exist on the same member server without any conflict? What is the best way to approach this? Thanks.

Verify Microsoft SignIn response


Hi,

Sorry if this is not the right forum.

In our service (back-end in Java/Spring, front-end in React) we implemented Google Sign in.

The end result of the Sign In process is that the front-end receives an object from Google which it re-sends to the back-end. The back-end verifies (with a Google Library) that the object is valid and extracts user info from it. Like this:

public void authenticateGoogleUser(Object googleInfo) throws Exception {
    LinkedHashMap<String, String> map = (LinkedHashMap<String, String>) googleInfo;
    String tokenId = map.get("tokenId");
    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(...).build();
    GoogleIdToken googleIdToken = verifier.verify(tokenId); // verify that the tokenId is valid
    if (googleIdToken == null) {
        // verify() returns null for an invalid token; never read the payload in that case
        throw new SecurityException("Invalid Google ID token");
    }
    GoogleIdToken.Payload payload = googleIdToken.getPayload();
    String userId = payload.getSubject();
    String email = payload.getEmail();

    // etc.
}

Now we want to implement the same functionality with Microsoft Sign in.

The front end shows the Microsoft SignIn button, user signs in,

front-end receives the Microsoft SignIn response object and re-sends it to the back-end server.

Our question is: How do we validate this response in the back-end server?

Is there a library that does it, like the GoogleIdTokenVerifier?

Thank you




AAD - The user ID you entered does not exist. Please check that you have typed your user ID correctly.


Hi,

I am not able to log into Azure portal and cannot reset my password by using SSPR.

When I try to reset the password, I get the error: The user ID you entered does not exist. Please check that you have typed your user ID correctly.

I have done a full sync on both our azure servers but it didn't help.

Does anyone know why?

Thank you.


High Availability (Primary site and DR site) ADFS and Proxy server with Office 365


Dear All,

Is it possible to configure a secondary ADFS and proxy server with Office 365 for High Availability?

Currently: Directory Sync, ADFS and ADFS Proxy servers. I'm planning to add one more ADFS and proxy for HA. Please advise.

existing AD server and azure 365


Hi All 

I have just taken over a site and I have one AD DC and emails are on O365. If I go into Azure AD / O365 I can see all my AD accounts.

I would like to install and set up AD sync, mainly for password sync between the local AD and the email accounts. We currently have about 20 users, and rapidly growing, so I would like to get this sorted sooner rather than later.

If I install the sync tool, what am I likely to break? What do I need in place before I set up and start syncing? I assume the password for email in O365 will change to the local AD passwords.

I would like this to go as nice and smooth as possible.

thanks for your input

Cliff


Application Proxy session timeout for On-Prem application?


Is there a way to set the timeout for an On-Prem application published with Azure Application Proxy?

If I log on now to the application using App Proxy, and leave the browser for a period of time, when I get back and want to start using it, the session seems to have timed out and I get redirected to Azure App Proxy, but the session token is still valid so I don't need to log on and get instantly redirected into the on-prem app. How can I prevent this from happening? The session token timeout is not the key here, I think, since the token is still valid.

I am a new user and can't connect to office 365 with powershell


I am trying to log into Office 365 with the connect cmdlet but somehow have another module loaded?

connect-msolservice
connect-msolservice : The 'connect-msolservice' command was found in the module 'MSOnlineExtended', but the module
could not be loaded. For more information, run 'Import-Module MSOnlineExtended'.
At line:1 char:1
+ connect-msolservice
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (connect-msolservice:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule

PS C:\WINDOWS\system32> Import-Module MSOnlineExtended
Import-Module : Could not load file or assembly 'file:///C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\MSOnlineExt
ended\Microsoft.Online.Administration.Automation.PSModule.Resources.dll' or one of its dependencies. The system cannot
find the file specified.
At line:1 char:1
+ Import-Module MSOnlineExtended

PS C:\WINDOWS\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17134.590
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17134.590
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

I am new to this and just want to run some commands.  Help?

Azure Active Directory Domain Services does not log in on additional custom domains


I Have several custom domains in Azure

I have installed Azure Active Directory Domain Services.

I can log in inside the virtual machines in Azure if the UPN is in the *.onmicrosoft.com domain or in the domain of Azure AD Domain Services, but with the other custom domains it is not possible to log in to the machines.

I've tested with a demo user: if the demo login is demo@principal.onmicrosoft.com, login is fine.

If the demo login is demo@principal.com, login is fine.

But other domains, such as:

demo@secondari.com, demo@terciari.com, ...., do not log in to the services of the virtual machines. This login works fine on Azure Domain Services, but is not recognised in Azure Active Directory Domain Services.

Do you know if it is possible to allow login for the other domains, and how?

Thank you.

Azure AD Sync installation issue


Has anybody here ever seen this?

Unable to install the Synchronization Service.  Object reference not set to an instance of an object.

Thanks

Outlook Group Member Changes


Hi,

I have a site that is a onsite Domain with Azure AD Sync to Office 365.

They used to have exchange on premise and we migrated them to Office 365.

Prior to the migration we had a user that was able to manage the distribution group memberships from within Outlook (click To in a new email, then browse to the Global Address List, right-click the group, select Properties and then edit the membership). Since the migration to Office 365 this user has been unable to do that. We have found that apparently this is still possible: we need to change the group join restriction from closed to open and the user will be able to perform this action.

I cannot change this in the group either through PowerShell or the web, as I am denied due to the fact that the group is AD synced. I have found an attribute in the group under ADSI Edit called msExchGroupJoinRestriction and I have edited that (0 = closed, 1 = open, 2 = owner approval), but when I change that to 1 this is not updated on O365.

Is there a way to set that attribute to be copied across from the onsite AD using Azure AD sync to the O365 group environment?

Also has anyone else had this request and been able to allow users in O365 to be able to edit AD Synced groups?
