Channel: Azure Active Directory forum

Analyze SSPR Audit Log Events

Having implemented SSPR, how can the SSPR logs be analyzed to get Alerts / Risks in Azure AD Identity Protection or Azure Security Center based on a use case like a large number of SSPRs from the same source or user, e.g. 5 in 1 hour, and when such activity is seen, to create an alert and e-mail notification and automatic locking of the account?
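The detection logic the question describes (flag a user or a source address with 5 or more self-service resets inside one hour), as an added example that is not from the original post or from Microsoft. The event shape only loosely imitates Azure AD audit-log JSON (field names like activityDateTime and initiatedBy are assumptions), and the sample events are constructed; the output is the list of alerts a playbook or Logic App could act on.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical shape, not a real export).
SAMPLE_EVENTS = [
    json.dumps({"activityDateTime": f"2019-06-05T10:{m:02d}:00Z",
                "activityDisplayName": "Reset password (self-service)",
                "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}}})
    for m, upn, ip in [
        (1, "alice@example.com", "203.0.113.10"),
        (5, "bob@example.com", "203.0.113.10"),
        (12, "carol@example.com", "203.0.113.10"),
        (20, "dave@example.com", "203.0.113.10"),
        (30, "erin@example.com", "203.0.113.10"),   # 5th reset from one IP within 1h
        (35, "alice@example.com", "198.51.100.7"),
        (59, "alice@example.com", "198.51.100.8"),
    ]
]

THRESHOLD = 5                 # resets per key that trigger an alert
WINDOW = timedelta(hours=1)   # sliding window length

def parse_event(line):
    """Return (timestamp, upn, source_ip) for an SSPR event, or None for other activity."""
    ev = json.loads(line)
    if "self-service" not in ev.get("activityDisplayName", "").lower():
        return None
    who = ev["initiatedBy"]["user"]
    ts = datetime.strptime(ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, who["userPrincipalName"], who["ipAddress"]

def find_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count per user and per source IP.

    Returns (key_type, key, count, time_of_last_event) tuples, one per burst.
    """
    recent = defaultdict(deque)
    alerts = []
    events = sorted(filter(None, (parse_event(l) for l in lines)))
    for ts, upn, ip in events:
        for key in (("user", upn), ("ip", ip)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop events older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((key[0], key[1], len(q), ts))
                q.clear()                     # report each burst once
    return alerts
```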

Azure AD: OpenId Connect v2 - UserInfo not returning username, etc.


Hi,

Everything works great except for the UserInfo results lacking fields like phone, userPrincipalName, etc. that are available in the endpoint https://graph.microsoft.com/v1.0/me/. In most cases these fields are needed to set up users. You'd think the results would be the same or have the option to add them to the UserInfo. On most third-party apps setting up OpenId Connect, we don't have an option to make the needless extra call to get the additional information which should be provided in the UserInfo.

Is there a way to add the missing fields to the UserInfo output?

Open Id Scopes: openid email profile

userinfo_endpoint:"https://graph.microsoft.com/oidc/userinfo"

Response:

{
    "sub": "Y7pQ-Ra6FCwePudogNOjvjD3uTKHj9PEMoLtuyKYRxs",
    "name": "Spoony, Jim",
    "family_name": "Spoony",
    "given_name": "Jim",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
    "email": "Jim.Spoony@test.com"
}

Response: https://graph.microsoft.com/v1.0/me/

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "businessPhones": [
        "+0 (333) 333-3476"
    ],
    "displayName": "Spoony, Jim",
    "givenName": "Jim",
    "jobTitle": "Senior Developer",
    "mail": "Jim.Spoony@test.com",
    "mobilePhone": "+3 (333) 333-3333",
    "officeLocation": "US 333 Paramount DR",
    "preferredLanguage": null,
    "surname": "Spoony",
    "userPrincipalName": "Jim.Spoony@test.com",
    "id": "5c12eb03-5af9-47a2-9c4a-3a57ab8de41d"
}

Thank you in advance for your help!
SSPR voice call customisation.

Is there a way to customize the voice call for SSPR? The current default voice call asks the user to press the pound key, but we use the hash (#) key in Australia. I thought I could upload a custom greeting for "Greeting (Standard)" and "Activation Greeting (Standard)" under MFA settings, but it wasn't changed.

SSPR Registration enforce Auth methods

We would like the ability to enforce that users register for a number of methods before continuing with SSPR. We would like to enforce, say, Mobile, Authenticator and Alternative email before the user exits the workflow. We set our minimum number to 1 for SSPR, so the registration process only enforces 1 method; however, we would like our users to enter more than 1 (e.g. in case of a lost phone or phone upgrade).

B2C app acquire token error. "AADSTS7000215: Invalid client secret is provided." How to check keys?


I had created a B2C app with a Facebook provider and it was working for over a year.

Now, during the call to "authenticationContext.acquireTokenWithClientCredentials" from "adal-node" it throws an error.

Get Token request returned http error: 401 and server response:

{
    "error": "invalid_client",
    "error_description": "AADSTS7000215: Invalid client secret is provided.\r\rTrace ID: 815e68c1-8108-40bb-b648-0c812f0c2600\r\rCorrelation ID: e52f6d3d-007e-41a2-94d6-b5827091f948\r\rTimestamp: 2019-06-02 07:22:21Z",
    "error_codes": [
        7000215
    ],
    "timestamp": "2019-06-02 07:22:21Z",
    "trace_id": "815e68c1-8108-40bb-b648-0c812f0c2600",
    "correlation_id": "e52f6d3d-007e-41a2-94d6-b5827091f948"
}

More details on B2C app:

It has a Facebook provider, and the implicit flow authentication to get a JWT token still seems to work correctly. However, when I try to use a service to retrieve the list of users who have used the app / logged in with the `https://graph.windows.net` URL, it throws this error.

I saw this post about expired keys:

https://stackoverflow.com/questions/42477266/aadsts50012-invalid-client-secret-is-provided-when-moving-from-a-test-app-to-pr

I wanted to make sure the key isn't expired and possibly regenerate it, but I can't find where these are managed in the Azure portal anymore.

I'm going to try to run through the process of where I look; hopefully you can see and point out where the misstep is:

1. On my host subscription I see, and click, the tenant.
2. Then I click the "Azure AD B2C settings" link, which opens a new tab with Azure changed to that directory.
3. Click "Azure Active Directory".
4. Click "Enterprise Applications".
5. Click the desired app with matching Application ID. In this case "Schultz Tables Api".

Then I see the app, but I don't see where to check the keys.

Is there documentation on how you can check keys for a B2C app?

I was expecting to see a "Keys" tab in this left nav bar, similar to other Azure services.

Since I created this app long ago and the UI seems to have changed, I can't quite remember if I explicitly created the Enterprise App / Service Principal or if it was implicitly created by creating the B2C app. Either way, I would like to get this working again.

Thanks

SAML SSO with MsAzure


Hi,

We have a client registered with MsAzure (IdP).

SP - has SAML but is not registered with MsAzure. Is it possible to connect these two?

Azure DevOps - Adding users to Project


Hi,

We have an account for Azure DevOps. We have created one organization and a few projects inside it.

At organization level we can get 5 users with the Basic features access level. I just wanted to know whether these 5 licenses with Basic features are available at organization level regardless of the number of projects inside that organization. Please confirm this.

Also I want to know, when we invite any external user to our Azure DevOps project, whether that external user needs to be part of the Azure AD tenant on which the DevOps services are hosted.

At project level we have an 'Invite' option to invite users to our project. From Project Settings -> Security -> Add Member, we can also invite users to our project. I found that a Security Group can be searched and added when we navigate through the latter approach but not with the first one. Is there any type of restriction? Are both ways of adding a user the same?

Regards

Sanjay


MFA error: Sorry! We can’t process your request. Your session is invalid or expired.


I disabled MFA earlier today to do some troubleshooting and then re-enabled it. Every time I try to log on to anything in the MS world, I get this error now (first I get a message saying more information is required, then it prompts me to get a phone call, text message, use the authentication app, etc. They all return the same error). To make it all more exciting, I'm the only admin and I can't log into the Azure Portal to reset MFA.

The Microsoft help about the topic isn't helpful at all - it says you waited more than 10 minutes to complete the setup process (?), but there's no fix or workaround. https://support.microsoft.com/en-us/help/2909939/sorry-we-can-t-process-your-request-error-when-you-try-to-set-up-secur

Anyone have any ideas about how I can get back onto my account?

Thanks!


Unable to grant admin consent to an app


I am following this tutorial: https://docs.microsoft.com/en-us/graph/auth-v2-service

I have created an app at https://apps.dev.microsoft.com and granted certain app permissions. Now I need to grant admin consent for those permissions, so I went to https://login.microsoftonline.com/common/adminconsent?client_id=<app_id> and I got this error:

AADSTS500201: We are unable to issue tokens from this API version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.

What am I doing wrong?

Azure AD / Task Scheduler?

I am unable to create a Task Scheduler task. It has an issue creating one that will "Run whether user is logged on or not". The issue appears to be simple authentication. I can create one with "Run only when user is logged on" without issue. Any help is greatly appreciated.


Work Smarter Not Harder

Smart lockout Subscription


Hello All

I would like to know what subscription I need for Azure Smart Lockout.

Do I need Azure AD P1 or P2?

Or will a regular Azure subscription do?

Thank you

Domain Name for an Azure VM


Hi,

I have created a new VM through a subscription that is not an ExpressRoute subscription. I have to host my application for a PoC in my company.

I would need a domain name to set up my application on the VM. Kindly help me in this regard.

Thank you.  


Viyan

Azure hosted site works well incognito mode but not in normal browser


Hi,

I am facing an issue where a site we have hosted on Azure with Google Authentication enabled does not work / load in a normal browser but works well in incognito mode. Below is the error we face:

Access to resource at 'https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=788183341030-htk2ipgs9ekkso8gpvrd4rst39klg7um.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fpatientcare.somatus.com%2F.auth%2Flogin%2Fgoogle%2Fcallback&scope=openid+profile+email&state=redir%3D%252Fmanifest.json%26nonce%3D02d3faf3d1d5425781d72e4b79d75746_20190605152218' (redirected from 'https://patientcare.somatus.com/manifest.json') from origin 'https://patientcare.somatus.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Any help is appreciated.

Oracle Cloud Infrastructure Console not listed in Enterprise Applications of Azure AD


Hi,

As per the Oracle documentation https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/federatingADFSazure.htm

the "Oracle Cloud Infrastructure Console" is part of the Azure AD application gallery.

I could not locate this while searching; can you please help here?

Microsoft Teams with Azure Active Directory Authentications


I was referred by the Office 365/Teams community to the Azure Active Directory forums with my odd Teams login issues.

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_teams-mso_o365b/cannot-log-on-to-microsoft-teams-client/910c6c9c-0a3a-4152-a9a9-25c1eac3a8b0

We are having a problem when logging in to Teams with Azure Active Directory authentication.

Scenario 1:

UserA has a domain-joined ComputerA on the internal network (his own computer) and he can log on to Teams without any problems, even after completely closing and relaunching Teams.

UserA tries to log on to a domain-joined ComputerB on the internal network (first time logging on to that computer) and he gets a blank screen after entering his company username@domain.com sign-in address.

[Image: blank Teams sign-in screen]

UserA can do two things after seeing the blank screen.

  1. UserA clicks two times to force close the blank login screen, then the following screen pops up. He can type in his company username@domain.com and password. It will sign in successfully all the way. However, he will get the same blank login screen again after relaunching Teams. [Image]
  2. UserA can just wait for 10 minutes while seeing the blank screen. The following screen will auto pop up and ask for credentials to sign in to Teams. UserA signs in with his company username@domain.com and he can successfully log in to Teams. However, he will get the same blank login screen after relaunching Teams again. [Image]

Scenario 2:

UserA restarts ComputerB, then connects ComputerB to a hotspot on an external network and launches Teams. He will then get the following login screen.

[Image: Teams sign-in screen]

UserA types in his company username@domain.com and he can successfully log in to Teams. He can even log in to Teams without being asked for a user name and password after relaunching Teams. UserA then puts ComputerB back on the internal network and he can log in to Teams just fine without being asked for a user name and password.


Scenario 3:

UserA changed his domain password on a domain-joined computer and he gets the following error from Teams.

[Image: Teams error after password change]

UserA then clicks on "Sign out" and tries to sign back in. Then he encounters the following "Not Responding" login screen (very similar to the blank screen).

[Image: "Not Responding" Teams sign-in screen]

The only way for UserA to update the password is to connect the computer to a hotspot on an external network to update the new sign-in password. Teams works fine after putting that computer back from the hotspot to the internal domain-joined network.

Sql database management REST API

I am trying to call the management REST API from Databricks. I've created a service principal and added it as Contributor for both an Azure Analysis Services instance and an Azure SQL Database.

When I try to get a token for the Analysis Services instance, it works perfectly.

When I try for SQL DB, it fails with "resource principal not found ...".

Note that my SQL DB is connected to a VNet, but interaction with Azure services is enabled; furthermore, I can write data to the DB from Databricks.

Can anyone help?

Matching Azure UPN to on premise AD UPN


Hi,

I recently set up Azure AD sync, in readiness to move email to Office 365.

I originally set up the mail accounts (not active) in the O365 portal and then set up Azure AD Connect.

The on-premise UPN is domainname.local and the domain to move to O365 is emaildomain.co.uk. I completed the initial sync to Azure and the UPN is emaildomaincouk.onmicrosoft.com. I figured this may have been because I already had the users set up directly in O365 with emaildomain.co.uk.

As the O365 email is not live yet, I deleted all the mail users and then added emaildomain.co.uk into AD on premise. I created a test user and then synced.

The new user took the same UPN as the others, emaildomaincouk.onmicrosoft.com.

I want the users in Azure to have the UPN emaildomain.co.uk. Is there any way that I can change this so there is fluidity throughout on-premise login and Azure / mail login?

The on-premise server farm is Server 2016, with the domain functional level at 2016 also.

Any guidance would be appreciated.

Is it possible to enable 2 factor authentication or prompt for password(root) when deleting any azure resource?

This is the first time I'm dealing with access management in Azure, so please don't mind the noob questions. I need info on the following points:

  1. When deleting any resource (web app, resource group, app service plan, etc.), is there a way to add additional security that will restrict the current user from deleting any resource without providing a second authentication?
  2. Can I revoke a user's create, modify and delete permissions without affecting the deployed resources?
  3. Can I add password/PIN locks when the user tries to delete a resource?

Thanks!

Self Service Password Reset for the user who have AD accounts

Hi All,

Could you please let me know if there is any option to enable so that AD user accounts with an email address can do Self Service Password Reset?
This is for AD user accounts. I have already enabled the cloud users feature in Azure AD.

Thank you in advance.
