Channel: Azure Active Directory forum

Hybrid Device Enrollment - User join for One drive


I have been testing Hybrid Join and successfully managed to get some devices joining Azure using the MS documentation here https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control

Running the following shows that there is an issue with User State and hence I cannot get OneDrive silent sync working. The documentation points to issues but not with WamDefaultSet : ERROR


Microsoft Windows [Version 10.0.17134.766]

(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
                  DeviceId : 259e7197-16e8-49ad-a5bb-208b721c7a62
                Thumbprint : A5BDC55F65822B880EB75E3430FF51810FC8213E
            KeyContainerId : b534ae78-bd44-4b83-8c22-2e5f02a54d09
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
              KeySignTest: : PASSED
                       Idp : login.windows.net
                  TenantId : <tenantid>
                TenantName :
               AuthCodeUrl : https://login.microsoftonline.com/<tenantid>/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/<tenantid>/oauth2/token
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
               SettingsUrl :
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/<tenantid>/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVersion : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/<tenantid>/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
              DomainJoined : YES
                DomainName : <domainname>

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : ERROR
                AzureAdPrt : NO
       AzureAdPrtAuthority :
             EnterprisePrt : NO
    EnterprisePrtAuthority :

+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
         AadRecoveryNeeded : NO
              PreReqResult : WillNotProvision



darren hitchen
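The `dsregcmd /status` paste above is the kind of output an admin ends up reading by eye across many machines. The following is an added example, not code from the post: a small parser that turns the pasted text into a section/field map and flags the user-state fields that matter for a Primary Refresh Token (PRT). The sample text is a trimmed, constructed copy of the post's output; the "healthy" expectations are the documented values (AzureAdPrt and WamDefaultSet should both read YES for a hybrid-joined user session).

```python
"""Parse `dsregcmd /status` text and triage the user-state fields.

Added example, not the poster's code. SAMPLE_STATUS is a constructed,
trimmed copy of the output quoted in the post above.
"""
import re
from typing import Dict, List

# Constructed sample: trimmed copy of the output pasted in the post.
SAMPLE_STATUS = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              TpmProtected : NO
              KeySignTest: : PASSED
              DomainJoined : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : ERROR
                AzureAdPrt : NO
       AzureAdPrtAuthority :
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

             IsUserAzureAD : NO
              PreReqResult : WillNotProvision
"""

SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|$")
# Field lines look like "   Name : VALUE". One field ("KeySignTest: : PASSED")
# carries a stray colon in the real tool output, so allow an optional colon
# directly after the name.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*:?\s*:\s*(.*)$")


def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section name: {field: value}} from dsregcmd /status text."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "Preamble"
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("+-"):
            continue  # blank lines and table borders carry no data
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, {})
            continue
        field = FIELD_RE.match(line)
        if field:
            sections.setdefault(current, {})[field.group(1)] = field.group(2).strip()
    return sections


# What a healthy hybrid-joined user session reports for these fields.
EXPECTED = {
    ("Device State", "AzureAdJoined"): "YES",
    ("User State", "AzureAdPrt"): "YES",
    ("User State", "WamDefaultSet"): "YES",
}


def triage(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings; an empty list means the checked fields look healthy."""
    findings: List[str] = []
    for (section, field), want in EXPECTED.items():
        got = sections.get(section, {}).get(field, "<missing>")
        if got != want:
            findings.append(f"{section}/{field} is {got}, expected {want}")
    if sections.get("User State", {}).get("AzureAdPrt") == "NO":
        findings.append("no Azure AD PRT for this session: WAM token brokering "
                        "(which OneDrive silent sign-in relies on) cannot work until one is issued")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_status(SAMPLE_STATUS)):
        print("-", finding)
```

Feed it the output of `dsregcmd /status` captured from each machine (for example via a scheduled task that writes the text to a share) and the same three findings the post is hitting are reported without anyone having to read the table.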


Invited guest users can't authenticate


I've added a guest user to my AAD with the intention of allowing this user to access our Azure hosted web app.

When the user clicks on the "getting started" button in the invitation email, he is brought to a screen that reads:

Create account
xxxxxx@domain.com is already a Microsoft account. If it's yours, sign in now.

If the user clicks on the "sign in" link he gets:

Sign in
That Microsoft account doesn't exist. Enter a different account or get a new one.

I'm using the mailinator.com domain to test account creation. Perhaps Microsoft has some policy that blocks use of guest accounts to that domain, and the error messages I'm getting are a red herring. Just a guess. If not, can someone help me address this issue?

Authentication on Azure Functions for various client


I am trying to build an app, exposing its services ONLY via Azure Functions

1. Without any ASP.NET Web pages (for now).

2. Support external login such as Google and Facebook.

3. Supports mobile devices (google and iOS) and other devices via javascript (post/get).

All is good, except when it comes to authentication. I found quite some articles, some of which contain obsolete information as the platform continues to evolve exponentially. There are Identity platform V1, Identity platform V2.0, Azure AD, AD B2C and a few more different terms. Given my situation, which should (and should not) I be looking at?

DirSync preference for search in Active Directory.


We are using the DirSync method for an IDirectory search in an Active Directory Domain Controller. Since the user credentials do not have administrative rights the search is not executed. But a replication error gets logged in the event viewer of the DC. Why is this happening? Can we prevent the event from being logged?

We are fine with the search not being able to execute and do not want to give the user the admin credentials or replicating directory changes permission. It is part of a scheduled search and is hence causing a lot of error logs in the event viewer. 

Integrating Duo MFA over Azure Active Directory - Err Code AADSTS50020


I am having trouble integrating Duo over Azure - I am getting the error code AADSTS50020.

I've tried logging in with various .onmicrosoft.com accounts, but then I received 'This account doesn't exist'.

jsmith@gmail.onmicrosoft.com

jsmith@jsmithgmail.onmicrosoft.com

This issue is time sensitive and I would appreciate any help!

Thank you!

Patrick


Best practice enrolling on prem servers - which account


Hi, we are a new organisation that so far has no on-prem devices apart from Surface Pros, which we enrol in AAD with the user that is going to use the device. We now have a server we want to enrol, but we want to know the best practice to enrol it in AAD, then use that account as its admin account.

We don't want to use a named user account in case that user leaves - is that a problem, can it be changed later?
Should we set up a 'server enroller' account that we use for this and any additional servers we want to enrol?
Could we use our tenant admin account? Not sure if this would even work.

Any hints or tips would be appreciated.

Thanks

Notifying group owners whenever a user is removed from said group (by user deletion and removal from group)


Hello,

I hope this is the correct section for my question.

I set up a Webhook with Python that is subscribed to an Azure group resource and gets notified whenever a change occurs in MS Graph.

Our goal is to be able to send Email notifications to group owners whenever a user gets added to the respective group or removed from it.

Everything works when you manually add or remove a user, but if you completely delete the user account and thereby indirectly remove them from the group, neither a group audit log entry gets created, nor is any notification sent for the subscribed group resource.

My question is: What is the best way to achieve this? Do I have to use delta queries or do I have to subscribe to "/users", get a user deletion notification and then check the user's group memberships, pull the owners of all those groups and go from there?

Or maybe there even is a much simpler way?

Thank you for any help in this matter.
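The delta-query route the post raises as an alternative to change notifications works like this: keep a local copy of each group's membership, apply every `members@delta` entry from `GET /groups/delta`, and derive the add/remove events (and thus the owner e-mails) from the differences. The block below is an added example, not the poster's webhook code. The two JSON pages are constructed to mirror the documented shape of the groups delta response (`members@delta` entries, `@removed` markers, `@odata.deltaLink`); whether a hard-deleted user surfaces there as a removed member is exactly what would have to be confirmed against a live tenant before relying on it.

```python
"""Apply Microsoft Graph /groups/delta pages to a membership cache and turn
the differences into owner notifications.

Added example, not the poster's code. Both pages and the owner table are
constructed sample data shaped like the documented delta response.
"""
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed: first page of an initial /groups/delta sync.
PAGE_INITIAL = json.dumps({
    "value": [
        {"id": "grp-1", "displayName": "Finance",
         "members@delta": [
             {"@odata.type": "#microsoft.graph.user", "id": "user-a"},
             {"@odata.type": "#microsoft.graph.user", "id": "user-b"}]}
    ],
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=TOKEN1",
})

# Constructed: a later round in which user-b is gone and user-c joined.
PAGE_DELTA = json.dumps({
    "value": [
        {"id": "grp-1",
         "members@delta": [
             {"@odata.type": "#microsoft.graph.user", "id": "user-b",
              "@removed": {"reason": "deleted"}},
             {"@odata.type": "#microsoft.graph.user", "id": "user-c"}]}
    ],
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=TOKEN2",
})

# Constructed owner directory: group id -> owner e-mail addresses.
OWNERS: Dict[str, List[str]] = {"grp-1": ["finance-lead@example.com"]}

Membership = Dict[str, Set[str]]
Event = Tuple[str, str, str]  # (group_id, member_id, "added" | "removed")


def apply_delta(state: Membership, page_json: str, emit: bool = True) -> List[Event]:
    """Apply one delta page to `state` and return the membership events.

    Pass emit=False for the initial full sync so that seeding the cache does
    not produce a notification for every member that already exists.
    """
    page = json.loads(page_json)
    events: List[Event] = []
    for group in page.get("value", []):
        gid = group["id"]
        members = state.setdefault(gid, set())
        for entry in group.get("members@delta", []):
            mid = entry["id"]
            if "@removed" in entry:
                if mid in members:
                    members.discard(mid)
                    if emit:
                        events.append((gid, mid, "removed"))
            elif mid not in members:
                members.add(mid)
                if emit:
                    events.append((gid, mid, "added"))
    return events


def next_link(page_json: str) -> Optional[str]:
    """nextLink while still paging; deltaLink to persist for the next round."""
    page = json.loads(page_json)
    return page.get("@odata.nextLink") or page.get("@odata.deltaLink")


VERB = {"added": "added to", "removed": "removed from"}


def owner_notifications(events: List[Event],
                        owners: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Collect one message list per owner address, ready to be mailed."""
    out: Dict[str, List[str]] = {}
    for gid, mid, action in events:
        for owner in owners.get(gid, []):
            out.setdefault(owner, []).append(f"{mid} was {VERB[action]} group {gid}")
    return out


if __name__ == "__main__":
    cache: Membership = {}
    apply_delta(cache, PAGE_INITIAL, emit=False)   # seed silently
    changes = apply_delta(cache, PAGE_DELTA)
    print(owner_notifications(changes, OWNERS))
    print("persist:", next_link(PAGE_DELTA))
```

The cache plus the persisted deltaLink is the whole state; a scheduled job (or the webhook handler, on receiving any notification) fetches the delta, applies it, and mails the result. Because the comparison is against the cache rather than against individual notifications, a member that disappears for any reason is reported the same way.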

Migrating Azure Board Projects from one organization to another


Hi,

On Azure Board, I have few organizations and projects within those.

I want to move projects from one organization to another since I want to have only one organization containing all the projects.

Please advise if it's possible to do this on Azure Board.

Regards

Sanjay Nipane



Joining Devices to Azure AD, mandatory Windows Hello PIN


Hi,

I'm having trouble joining devices to my company Azure AD. Although the devices join the service and can access the resources with SSO, at login it always asks the user to create a PIN because our organization requires it.

The problem is, we don't. Or at least we don't want to.

I read that the policy could only be changed via Intune. So I grabbed a licence and changed the policy to Disabled for all devices and users. Now it keeps asking the users to create a PIN, and the devices joined to the Azure AD do not appear to be joining Intune (they appear just in the Azure AD Devices section, not in the All Devices tab).

So, two questions. How can we disable Windows Hello for Business for our devices joining Azure AD? And can someone point me in the direction to enroll them into Intune so we can manage the company policies from there? Any help is welcome :)

Thanks a lot

Unjoin PC when employee changed, Azure doesn't update records?


We are using the "free" AzureAD level that comes when using Office365 (not any P level).

In readying a PC to go to a future (as yet unknown) staff member, the PC is still attached to the old user in the Azure console. This is an issue because the Bitlocker key is stored under the old employee, and we will soon remove that employee's Office365/Azure subscription. OF COURSE, we have already printed the Bitlocker key to be safe :)

The PC was joined to Azure initially as employeeA.
ItDesk was an additional work or school user.
EmployeeA has been deleted from the PC.

ItDesk is now the only account on the PC.
Currently "Work and School" for the ITDesk shows it is connected to the company Azure.

I gather there is some difference between JOIN and CONNECT.
How do I unjoin employeeA and join via ItDesk in the interim then later future employeeB?

If we remove employeeA from Office365/Azure NOW, will the PC info in Azure automatically move to another user detected on the PC ( itDesk ) or show with generic 'user deleted' or something ? Or it will just disappear?

We will often keep a PC in the same department - so just remove the user and personal content, keep the departmental info intact and save having to reconfigure at least the non-user/PC-wide settings again - i.e. we do not reset Windows between users. What kind of consequence does this have with Azure? When you UNJOIN a PC, what info will be lost on the PC itself?

I noticed that when a PC is renamed, the name change never makes it back to Azure. Is there any command that can be run on the PC to update the info or a function I am just not finding in the Azure admin console to request updated info from the PC ? The field is not editable.


Azure AD Connect for multi-forest

Hi, may I have a recommendation / answer on how Azure AD Connect can be set up behind a DMZ and what the prerequisites are to perform before setup?

Create Client Secret for registered App in AAD using Powershell


Using PowerShell, how do I create a Client Secret for an App I have registered in Azure Active Directory? I need the Client Secret in order to authenticate my app to push data to Data Lake Gen 1.


Create Client-Secret - User Not Found


Using the below to create the new registered app...

$subId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$tenantId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$appDisplayName = 'myappnamehere'
$dataLakeStoreName =  'datalakestorenamehere.azuredatalakestore.net'
$startDate = Get-Date
$endDate = $startDate.AddYears(3)
$credentials = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property @{ StartDate=Get-Date; EndDate=Get-Date -Year 2099; Password='passw0rd'}
$app = New-AzADApplication -DisplayName $appDisplayName -IdentifierUris "https://localhost/$appDisplayName" -PasswordCredentials $credentials
$objId = $app.ObjectId
#Connect-AzureAD -Credential $psCred
$aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId $objId -CustomKeyIdentifier "secret01" -StartDate $startDate -EndDate $endDate
The last line fails with an error:
New-AzureADApplicationPasswordCredential : Error occurred while executing GetApplication
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: e13fd953-6655-44c5-b10c-1731421def65
DateTimeStamp: Wed, 12 Jun 2019 14:42:34 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:19
+ ... psecret01 = New-AzureADApplicationPasswordCredential -ObjectId $objId ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplicationPasswordCredential], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD.Graph.PowerShell.Custom.NewAzureADApplicationPasswordCredential

Can't get consent for my application to access my Advertising Accounts


I'm running the following code:

##### Getting fresh access token to Bing Ads API-----------------------------------------------

# Imports used below: the Bing Ads Python SDK plus the standard library.
from bingads.service_client import ServiceClient
from bingads.authorization import (AuthorizationData, OAuthDesktopMobileAuthCodeGrant,
                                   OAuthTokenRequestException)
from suds import WebFault
import sys
import webbrowser
# output_status_message, output_user, output_array_of_customerrole,
# output_webfault_errors and set_elements_to_none are the SDK example
# helper functions and are not reproduced here.

# Required
CLIENT_ID = 'XXXXXXX-XXXXX-XXXXX-XXXX-XXXXXXXXXX'
DEVELOPER_TOKEN='XXXXXXXXXXXXXXXXX'

ENVIRONMENT='production'
REFRESH_TOKEN="refresh.txt"

# Optional
CLIENT_STATE='ClientStateGoesHere'

def authenticate(authorization_data):

    customer_service=ServiceClient(
        service='CustomerManagementService', 
        version=12,
        authorization_data=authorization_data, 
        environment=ENVIRONMENT,
    )

    # You should authenticate for Bing Ads services with a Microsoft Account.
    authenticate_with_oauth(authorization_data)

    # Set to an empty user identifier to get the current authenticated Bing Ads user,
    # and then search for all accounts the user can access.
    user=get_user_response=customer_service.GetUser(
        UserId=None,
        IncludeLinkedAccountIds=True
    ).User
    accounts=search_accounts_by_user_id(customer_service, user.Id)

    # For this example we'll use the first account.
    for i in range(len(accounts)):
        authorization_data.account_id=accounts['AdvertiserAccount'][i].Id
        authorization_data.customer_id=accounts['AdvertiserAccount'][i].ParentCustomerId

def authenticate_with_oauth(authorization_data):

    authentication=OAuthDesktopMobileAuthCodeGrant(
        client_id=CLIENT_ID,
        env=ENVIRONMENT
    )

    # It is recommended that you specify a non guessable 'state' request parameter to help prevent
    # cross site request forgery (CSRF). 
    authentication.state=CLIENT_STATE

    # Assign this authentication instance to the authorization_data. 
    authorization_data.authentication=authentication   

    # Register the callback function to automatically save the refresh token anytime it is refreshed.
    # Uncomment this line if you want to store your refresh token. Be sure to save your refresh token securely.
    authorization_data.authentication.token_refreshed_callback=save_refresh_token

    refresh_token=get_refresh_token()

    try:
        # If we have a refresh token let's refresh it
        if refresh_token is not None:
            authorization_data.authentication.request_oauth_tokens_by_refresh_token(refresh_token)
        else:
            request_user_consent(authorization_data)
    except OAuthTokenRequestException:
        # The user could not be authenticated or the grant is expired. 
        # The user must first sign in and if needed grant the client application access to the requested scope.
        request_user_consent(authorization_data)

def request_user_consent(authorization_data):
    webbrowser.open(authorization_data.authentication.get_authorization_endpoint(), new=1)
    # For Python 3.x use 'input' instead of 'raw_input'
    if(sys.version_info.major >= 3):
        response_uri=input("You need to provide consent for the application to access your Bing Ads accounts. " \
            "After you have granted consent in the web browser for the application to access your Bing Ads accounts, " \
            "please enter the response URI that includes the authorization 'code' parameter: \n"
        )
    else:
        response_uri=input("You need to provide consent for the application to access your Bing Ads accounts. " \
            "After you have granted consent in the web browser for the application to access your Bing Ads accounts, " \
            "please enter the response URI that includes the authorization 'code' parameter: \n"
        )

    if authorization_data.authentication.state != CLIENT_STATE:
        raise Exception("The OAuth response state does not match the client request state.")

        # Request access and refresh tokens using the URI that you provided manually during program execution.
        authorization_data.authentication.request_oauth_tokens_by_response_uri(response_uri=response_uri) 

def get_refresh_token():
    ''' 
    Returns a refresh token if found.
    '''
    file=None
    try:
        file=open(REFRESH_TOKEN)
        line=file.readline()
        file.close()
        return line if line else None
    except IOError:
        if file:
            file.close()
        return None

def save_refresh_token(oauth_tokens):
    ''' 
    Stores a refresh token locally. Be sure to save your refresh token securely.
    '''
    with open(REFRESH_TOKEN,"w+") as file:
        file.write(oauth_tokens.refresh_token)
        file.close()
    return None

def search_accounts_by_user_id(customer_service, user_id):
    predicates={
        'Predicate': [
            {
                'Field': 'UserId',
                'Operator': 'Equals',
                'Value': user_id,
            },
        ]
    }

    accounts=[]

    page_index = 0
    PAGE_SIZE=100
    found_last_page = False

    while (not found_last_page):
        paging=set_elements_to_none(customer_service.factory.create('ns5:Paging'))
        paging.Index=page_index
        paging.Size=PAGE_SIZE
        search_accounts_response = customer_service.SearchAccounts(
            PageInfo=paging,
            Predicates=predicates
        )

        if search_accounts_response is not None and hasattr(search_accounts_response, 'AdvertiserAccount'):
            accounts.extend(search_accounts_response['AdvertiserAccount'])
            found_last_page = PAGE_SIZE > len(search_accounts_response['AdvertiserAccount'])
            page_index += 1
        else:
            found_last_page=True

    return {
        'AdvertiserAccount': accounts
    }

  
def main(authorization_data):

    try:
        output_status_message("-----\nGetUser:")
        get_user_response=customer_service.GetUser(
            UserId=None,
            IncludeLinkedAccountIds=True
        )
        user = get_user_response.User
        customer_roles=get_user_response.CustomerRoles
        output_status_message("User:")
        output_user(user)
        output_status_message("CustomerRoles:")
        output_array_of_customerrole(customer_roles)

        # Search for the accounts that the user can access.
        # To retrieve more than 100 accounts, increase the page size up to 1,000.
        # To retrieve more than 1,000 accounts you'll need to add paging.

        accounts=search_accounts_by_user_id(customer_service, user.Id)

        customer_ids=[]
        for account in accounts['AdvertiserAccount']:
            customer_ids.append(account.ParentCustomerId)
        distinct_customer_ids = {'long': list(set(customer_ids))[:100]}

        for customer_id in distinct_customer_ids['long']:
            # You can find out which pilot features the customer is able to use. 
            # Each account could belong to a different customer, so use the customer ID in each account.
            output_status_message("-----\nGetCustomerPilotFeatures:")
            output_status_message("Requested by CustomerId: {0}".format(customer_id))
            feature_pilot_flags=customer_service.GetCustomerPilotFeatures(
                CustomerId=customer_id
            )
            output_status_message("Customer Pilot flags:")
            output_status_message("; ".join(str(flag) for flag in feature_pilot_flags['int']))

    except WebFault as ex:
        output_webfault_errors(ex)
    except Exception as ex:
        output_status_message(ex)

# Main execution
if __name__ == '__main__':

    print("Loading the web service client proxies...")

    authorization_data=AuthorizationData(
        account_id=None,
        customer_id=None,
        developer_token=DEVELOPER_TOKEN,
        authentication=None,
    )

    customer_service=ServiceClient(
        service='CustomerManagementService', 
        version=12,
        authorization_data=authorization_data, 
        environment=ENVIRONMENT,
    )

    authenticate(authorization_data)

    main(authorization_data)

After I run this, I'm asked for the response URI which I'm copying from my browser. This is returning the following error:

NotImplementedError: OAuth access token hasn't been requested.

Any idea why this is happening? This code previously worked with another Application and Developer token.
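The posted sample compares the OAuth `state` parameter with `CLIENT_STATE` before it exchanges the authorization code, which is the CSRF check the SDK comment refers to. The block below is an added example, not the poster's code nor the Bing Ads SDK's: it shows the full set of checks a client should make on a pasted response URI before calling the token endpoint (redirect target, state compared in constant time, `error` parameter, exactly one `code`). The registered redirect URI, the response URIs and the state value are all constructed.

```python
"""Validate an OAuth 2.0 authorization-code redirect before the token exchange.

Added example, not the poster's or the Bing Ads SDK's code. All URIs and the
state value below are constructed sample data.
"""
import hmac
import secrets
from typing import Tuple
from urllib.parse import parse_qs, urlparse

# Constructed values (CLIENT_STATE mirrors the placeholder used in the post).
REGISTERED_REDIRECT = "https://localhost/oauth/callback"
CLIENT_STATE = "ClientStateGoesHere"
SAMPLE_OK = REGISTERED_REDIRECT + "?code=constructed-code-123&state=ClientStateGoesHere"
SAMPLE_BAD_STATE = REGISTERED_REDIRECT + "?code=constructed-code-123&state=SomethingElse"
SAMPLE_DENIED = REGISTERED_REDIRECT + "?error=access_denied&state=ClientStateGoesHere"
SAMPLE_WRONG_HOST = "https://other.example/oauth/callback?code=x&state=ClientStateGoesHere"


class OAuthRedirectError(ValueError):
    """The redirect response must not be used for a token exchange."""


def new_state() -> str:
    """Unguessable per-request state; store it alongside the pending request."""
    return secrets.token_urlsafe(32)


def parse_redirect(response_uri: str, expected_state: str, registered_redirect: str) -> str:
    """Return the authorization code carried by response_uri, or raise."""
    got = urlparse(response_uri)
    want = urlparse(registered_redirect)
    # The browser must have landed on the redirect URI registered for the app.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise OAuthRedirectError("response URI does not match the registered redirect URI")
    # Parameters arrive in the query for the code flow; fall back to the fragment.
    params = parse_qs(got.query) or parse_qs(got.fragment)
    state = params.get("state", [""])[0]
    # Constant-time comparison: the state is the anti-CSRF binding to our request.
    if not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise OAuthRedirectError("state mismatch: possible CSRF or a stale browser tab")
    if "error" in params:
        raise OAuthRedirectError(f"authorization server returned error: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise OAuthRedirectError("authorization code missing or ambiguous")
    return codes[0]


def try_parse(response_uri: str, expected_state: str,
              registered_redirect: str) -> Tuple[bool, str]:
    """Convenience wrapper: (True, code) on success, (False, reason) otherwise."""
    try:
        return True, parse_redirect(response_uri, expected_state, registered_redirect)
    except OAuthRedirectError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for uri in (SAMPLE_OK, SAMPLE_BAD_STATE, SAMPLE_DENIED, SAMPLE_WRONG_HOST):
        print(try_parse(uri, CLIENT_STATE, REGISTERED_REDIRECT))
```

In a real client the state would come from `new_state()` per authorization request rather than from a constant, and only the returned code is handed to the token endpoint; a rejected URI is logged and the user is sent through consent again.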

 

Help needed authenticating with Managed Service Identity to an Azure App Service secured with AAD


Hi all

We're in the process of improving the security setup on some of our Azure-hosted services using AAD and managed identities, but when trying to debug this locally as detailed in all the documentation we have found, we are getting errors saying it cannot get a token.

Base setup:

AAD tenant AADX.onmicrosoft.com contains an Application Registration for the target app service mytest. It has Application ID XXXXXXXX-XXXX-49e6-a806-5440b00282b1 and according to the manifest it has identifier URL "https://AADX.onmicrosoft.com/mytest"

An App service "mytest" has been created in a subscription under this AAD so with URL https://mytest.azurewebsites.net

In authentication setting for the app service "App Service Authentication" is on. Action to take when request is not authenticated is set to "Log in with Azure Active Directory". AAD authentication provider is configured with express settings, pointing to AADX and using the "mytest" application.

We have resources that need to talk to this App service both inside our azure tenant and outside it. The resources outside the azure tenant route through API management to the specific parts of the API they need, using Subscription keys in a controlled manner.

There are app services, and desktop apps hosted in RemoteApp that need to access the full service hosted under the app. Managed identity is switched on on all infrastructure within the tenant that needs to connect. 

In the client code I am setting up an HttpClient to talk to the app service, and trying to use AzureServiceTokenProvider to get a token from MSI when connecting to the app service as follows:


 
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.Azure.Services.AppAuthentication;

// Wrapper class added so the fragment compiles as a unit.
internal static class TestApiClient
{
    private static HttpClient ConnectToClient()
    {
        String BaseUrl = "https://mytest.azurewebsites.net/";
        String AdResource = "https://AADX.onmicrosoft.com/mytest";

        // Acquires a token for the app's App ID URI; outside Azure the provider
        // falls back from MSI to developer credentials (see the exception below).
        AzureServiceTokenProvider TokenProvider = new AzureServiceTokenProvider();
        String Token = TokenProvider.GetAccessTokenAsync(AdResource).Result;

        HttpClient Client = new HttpClient()
        {
            BaseAddress = new Uri(BaseUrl)
        };
        Client.DefaultRequestHeaders.Accept.Clear();
        Client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        Client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", Token);
        return Client;
    }

    private static String GetContent()
    {
        String Output = String.Empty;
        using (HttpClient Client = ConnectToClient())
        {
            HttpResponseMessage ResponseMessage = Client.GetAsync("api/Test/").Result;
            if (ResponseMessage.IsSuccessStatusCode)
            {
                Output = ResponseMessage.Content.ReadAsStringAsync().Result;
            }
        }
        return Output;
    }
}

      

Obviously I'm trying to run this up in visual studio first. I've set the Azure Service Authentication account to a user created in the AAD tenant that definitely has access to the app service.

When I run the code I get the following exception

System.AggregateException
  HResult=0x80131500
  Message=One or more errors occurred. (Parameters: Connection String: [No connection string specified], Resource: https://AADX.onmicrosoft.com/mytest, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.

Parameters: Connection String: [No connection string specified], Resource: https://AADX.onmicrosoft.com/mytest, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified], Resource: https://AADX.onmicrosoft.com/mytest, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired.
Exception for Visual Studio token provider Microsoft.Asal.TokenService.exe : TS003: Error, TS004: Unable to get access token.  'Failed to refresh access token'

Any help anyone can offer would be very much appreciated by this increasingly-balding developer. TIA

 

AAD B2C Reply URL hell

I've followed the docs here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-oidc-azure-active-directory

I'm building a Web API in ASP.Net, and a Xamarin app that that will consume it. The Xamarin app will authenticate the user, and obtain a token to use with the Web API. I'm using MSAL to authenticate against an Azure AD, and that part works perfectly - the Xamarin app can sign in to a MS account, and get a token, which works with the Web API.

Now I'm trying to set up an Azure AD B2B directory with the Azure AD as an Identity Provider, so I can allow employees to use their personal accounts to use the app, as well as domain accounts.

I'm getting this error:

---
Request Id:  2b7a2c71-f557-4902-b1e3-4f74bcda2000
Correlation Id:  0f36aa0f-1366-411a-a854-3bf3af74a186
Timestamp:  2019-06-12T15:40:31Z
Message:  AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 'ab803114-3064-45ee-be71-e0237656e818'.  
Advanced diagnostics: Enable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
---
(Note to MS devs: It would be helpful if B2C included the Reply URL it was trying to use in the error message - then I could simply include that in my AAD app configuration.)


AAD app (<companyname>.com)
 Redirect URIs -
   * (Web) https://<companyname>b2c.b2clogin.com/<companyname>b2c.onmicrosoft.com/oauth2/authresp (As I understand it, this is the one that B2C will use when accessing my AAD)
   * (Desktop+Device) urn:ietf:wg:oauth:2.0:oob

AAD B2C app (<companyname>b2c)
  Redirect URLs -
    * (Native Client) urn:ietf:wg:oauth:2.0:oob
    * (Native Client) https://login.microsoftonline.com/tfp/oauth2/nativeclient
  IDP Config -
    Metadata: https://login.microsoftonline.com/<companyname>.com/.well-known/openid-configuration
    Client ID: (AAD Application Id)

I'm using MSAL 3.0.8:

_publicClientApplication = PublicClientApplicationBuilder.Create(ClientId)
#if B2C
    .WithB2CAuthority(AuthorityUri)
#endif
    .WithLogging(MsalLogging, LogLevel.Info, false, true)
    .Build();

...

AuthResult = await _publicClientApplication.AcquireTokenInteractive(App.Scopes)
    .WithUseEmbeddedWebView(true)
    .WithParentActivityOrWindow(window)
    .ExecuteAsync();

ClientId is the guid of the application defined in AAD B2C.



Steps for removing on-prem Azure AD Connect, Azure AD users and custom domain


We are wanting to stop our on premises AD from syncing to our Azure AD domain.
And be left with only our original created Azure AD domain.

I wanted to be sure on the order and steps to do this correctly.

This is what I have so far.

Step 1: From our on premises server we will stop the Azure Ad Connect.
"uninstall an Authentication Agent, uninstall both the Microsoft Azure AD Connect Authentication Agent and the Microsoft Azure AD Connect Agent Updater programs."

Step 2:  Delete from Azure Ad any users from the stopped on premises domain.

Step 3: Delete Custom Domain name in Azure (my on premises AD we were syncing from) and leave the original azure ad domains that are in use.

[B2C] How to add more users from parent directory, and how to allow accounts to sign in without signing up via B2C policy?


Hi folks,

We've been looking into using B2C as our user database and authentication layer for our Azure-based software. On a high level, it looks like it might work just fine for us, but I have two questions that I can't seem to find the solution or answers to.

1. When I first create my B2C tenant, my Azure account is added to the tenant as a Member and is also set as the Global Administrator role. The account is pulled in from, what I assume is, the parent subscription's directory. The username takes the form of "rcole_my-email-domain.com#EXT#@my-subscription-directory.onmicrosoft.com". The source for this account says "External Azure Active Directory". This is great and fine - I want this account to come in automatically as an admin. My question though is how do I add other accounts from that same external Azure AD? I have a few other accounts that I'd love to pull in from there, so I don't have to go through the process of re-inviting them every time we create a new B2C tenant. I've tried using the "New User" button, but it doesn't seem to accept any input that I type in. The "New Guest User" seems to only add people from outside of the directory - it invites them, which isn't what I'm looking for. How can I add more users just like the one that is automatically created for me?

2. Initially, my user account that I mention above, in step 1, cannot sign in to this B2C tenant - it says user not found. Additionally, users that I invite via the "New guest user" button cannot sign in, either. The only users that appear to be able to sign in, via my B2C policies, are users that signed up through the B2C policies - not invited. Surely there is a way to allow these accounts to sign in, without explicitly signing up through the B2C policy, correct? Am I just missing a permission, group or role?

Thanks! These two questions will help me a lot if I can understand them deeper.

Changing server running Azure AD Connect - Compare report is listing all mydomain.com attributes changing to mydomain.onmicrosoft.com


I am retiring an old server and setting up the Azure AD Connect on a new 2019 Server. I have been running Azure AD Connect for a couple of years, after upgrading from DirSync. 

I set up the initial config on the new server and have it on staging mode. As suggested, I ran the AADConnectConfigDocumenter to compare the changes. All instances that list our verified domain mydomain.com - AAD are listed as being replaced by mydomain.onmicrosoft.com - AAD.

I cannot see anywhere to have it retain the original value.

Thanks for any help,

Tony
