Channel: Azure Active Directory forum

SAML SSO with MsAzure


Hi,

We have a client registered with MS Azure (IdP).

SP has SAML but is not registered with MS Azure. Is it possible to connect these two?




ADFS locked our users


We have accounts that periodically get locked out, at times when the user is not using their PC; sometimes in the middle of the night. The lockouts show as coming from an AD server that hosts the Azure AD Connect service. On the ADFS server, we can only see logs similar to this:

Token validation failed. See inner exception for more details. 

Additional Data 

Activity ID: 00000000-0000-0000-0000-000000000000 

Token Type: 
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName  

Client IP: 
ip,ip (the first ip is our global static ip, the second we don't know who is it)

Error message: 
username@domain.com-The user name or password is incorrect 

Exception details: 
System.IdentityModel.Tokens.SecurityTokenValidationException: username@domain.com---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)


Any thoughts on what might be causing the lockouts and how to prevent them? Some Azure AD app troubleshooting or PowerShell code to do something?


Gerardo,
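An added example (my code, not the poster's) to go with the question above: it parses AD FS "Token validation failed" events (Event ID 411 in the AD FS/Admin log) into user and client IP, summarises failures per (user, IP) so the second, unknown IP can be counted and timed, and shows the Set-AdfsProperties call that enables AD FS extranet lockout so a remote source stops locking the on-premises account. The log name, event ID and cmdlet parameters are the documented ones; the sample messages at the end are constructed, and the IP addresses and user names in them are placeholders.

```powershell
# Added example, not code from the original post. Summarise AD FS 411 events
# ("Token validation failed") per user and client IP, then enable extranet lockout.

function ConvertFrom-AdfsTokenFailure {
    # Pull the user and the client IP(s) out of one 411 event message.
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$Time = (Get-Date)
    )
    $ipField = if ($Message -match 'Client IP:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    # The error line reads "<upn>-The user name or password is incorrect".
    $user = if ($Message -match 'Error message:\s*(\S+)-') { $Matches[1] } else { '' }
    [pscustomobject]@{
        Time = $Time
        User = $user
        # When the request came through a proxy the field can hold "ip1,ip2"; keep all of them.
        ClientIPs = @($ipField -split '\s*,\s*' | Where-Object { $_ })
    }
}

function Get-AdfsTokenFailure {
    # Live version: read the last N hours of 411 events on the AD FS server itself.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'AD FS/Admin'; Id = 411; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { ConvertFrom-AdfsTokenFailure -Message $_.Message -Time $_.TimeCreated }
}

function Get-AdfsFailureSummary {
    # One row per (user, IP) with count and first/last time. An IP that only shows
    # up at night, with no matching user activity, is the one to hunt down.
    param([Parameter(Mandatory)][object[]]$Failure)
    $Failure |
        ForEach-Object { $f = $_; $f.ClientIPs | ForEach-Object {
            [pscustomobject]@{ User = $f.User; ClientIP = $_; Time = $f.Time } } } |
        Group-Object -Property User, ClientIP |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object -Property Time
            [pscustomobject]@{
                User     = $sorted[0].User
                ClientIP = $sorted[0].ClientIP
                Count    = $_.Count
                First    = $sorted[0].Time
                Last     = $sorted[-1].Time
            }
        } | Sort-Object -Property Count -Descending
}

function Enable-AdfsExtranetLockout {
    # Lock at AD FS before AD does: keep the AD FS threshold below the AD
    # "Account lockout threshold" so the on-premises account itself stays usable.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Threshold = 5, [int]$WindowMinutes = 30)
    if ($PSCmdlet.ShouldProcess('AD FS properties', 'enable extranet lockout')) {
        Set-AdfsProperties -EnableExtranetLockout $true `
            -ExtranetLockoutThreshold $Threshold `
            -ExtranetObservationWindow (New-TimeSpan -Minutes $WindowMinutes)
    }
}

# Constructed sample messages (not real log data) with the same layout as the post's event.
$nl = "`r`n"
$template = 'Token validation failed. See inner exception for more details.' + $nl +
            'Additional Data' + $nl + 'Client IP:' + $nl + '{0}' + $nl +
            'Error message:' + $nl + '{1}-The user name or password is incorrect'
$sample = @(
    [pscustomobject]@{ Message = ($template -f '203.0.113.10,198.51.100.7', 'alice@example.com'); Time = [datetime]'2019-06-08 02:10' }
    [pscustomobject]@{ Message = ($template -f '203.0.113.10,198.51.100.7', 'alice@example.com'); Time = [datetime]'2019-06-08 02:11' }
    [pscustomobject]@{ Message = ($template -f '203.0.113.10,192.0.2.44',   'alice@example.com'); Time = [datetime]'2019-06-08 09:30' }
)
$parsed = $sample | ForEach-Object { ConvertFrom-AdfsTokenFailure -Message $_.Message -Time $_.Time }
Get-AdfsFailureSummary -Failure $parsed | Format-Table -AutoSize

# On the AD FS server: Get-AdfsFailureSummary -Failure (Get-AdfsTokenFailure -Hours 24)
# Then, once the source is understood: Enable-AdfsExtranetLockout -Threshold 5 -WindowMinutes 30
```

The summary is meant to be read next to the domain controller's 4740 lockout events: the ADFS server validates the password with LsaLogonUser, so the caller that AD sees is the server doing the validation, while the real origin is only in the 411 event's client IP field.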

Mobile device token refreshes after password changes. Why does iOS require credentials but not Android?


I'm looking at the access and refresh tokens with mobile devices enrolled in Intune and how they work with password changes. My experience so far has been that when I change the password of a user account in AD, Office apps on both iOS and Android prompt that we must sign in again. The difference is that Android, after tapping sign in, appears to just sign in, with no prompt for credentials. iOS, on the other hand, takes me to our ADFS website to provide credentials again.

Why does each behave the way they do and is there something to set to allow iOS to behave the same as Android?

I was also looking at using the authentication app.  Can you bypass password prompts if you have the app installed?  What I'm seeing is the first time you have to update your password on iOS you have to enter your credentials but it seems like after that, it just updates automatically for a password change.  Is this correct and if yes, can someone explain to me why it happens?

Is there also a best practice as to what the refresh rate should be set for each?

AD B2C Custom Policy - User creation issue - Block Sign In set to Yes

When we create a user using a custom policy (authentication source is local account authentication, and we have set accountEnabled = true as well after MFA), the user is created but Block Sign In is set to Yes, and because of this the user is not able to log in. Any fixes for this?

CSOM application with ADAL token. Problem when calling Web.CreateOrganizationSharingLink


I have a simple CSOM application that runs in a desktop computer. It simply uploads a file and it calls Web.CreateOrganizationSharingLink.

When that application logs in to OneDrive using the standard way (providing the user name and password using the SharePointOnlineCredentials class) everything works fine. But if I run that exact application on the same PC but the login uses tokens (I use the ExecutingWebRequest event), the upload goes OK but when sharing the file I get:

Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: Access denied. You do not have permission to perform this action or access this resource.

It is strange... if I list the ObjectSharingSettings properties for this file I get (using the token):

AccessRequestMode=True
BlockPeoplePickerAndSharing=False
CanCurrentUserManageOrganizationReadonlyLink=False
CanCurrentUserManageOrganizationReadWriteLink=False
CanCurrentUserManageReadonlyLink=False
CanCurrentUserManageReadWriteLink=False
CanCurrentUserRetrieveOrganizationReadonlyLink=False
CanCurrentUserRetrieveOrganizationReadWriteLink=False
CanCurrentUserRetrieveReadonlyLink=False
CanCurrentUserRetrieveReadWriteLink=False
CanCurrentUserShareExternally=True
CanCurrentUserShareInternally=False
CanSendEmail=True
CanSendLink=False

while with the standard login process (user name and password) they are true... it's like that user has some kind of bad setting where, when the login comes from ADAL, many sharing features are missing.

If I run this exact program but using another user in the same organization (using the token too) then it works OK (sharing is well done) so it's not something bad in the application I created in the server but it's something for this user... either a OneDrive setting or a user restriction or a site permission.

Any clue?

Thanks

Getting Access Token(jwt token) for Azure AD using Powershell


I am trying to get the access token from Azure AD using a PowerShell script.
I have registered an app in Azure AD and am trying to use that app's client id and secret to retrieve the JWT token from Azure AD.
In Postman I am giving the following details to get the access token:

How do I do the same in PowerShell?
I have tried different PowerShell scripts referred to online, including this post: https://www.shawntabrizi.com/aad/azure-ad-authentication-with-powershell-and-adal/. The PowerShell script it refers to, https://github.com/shawntabrizi/Azure-AD-Authentication-with-PowerShell-and-ADAL/blob/master/Native%20Client/RESTwithNATIVECLIENT.ps1, does not contain all the details I am using in Postman to acquire the new access token. Can anybody help me with this?

Oracle Cloud Infrastructure Console not listed in Enterprise Applications of Azure AD


Hi 

As per oracle documentation https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/federatingADFSazure.htm

the "Oracle Cloud Infrastructure Console" is part of the gallery applications of Azure AD.

I could not locate it while searching; can you please help?

AD Backup


Does Microsoft provide any guidance or best practices for backing up and restoring the AD database in a hybrid Active Directory environment with Azure AD Connect? We are trying to put together a disaster recovery plan for AD recovery.

Any inputs/suggestions please.

Thanks.


Replicate PowerShell's Add-MsolRoleMember using Microsoft Graph


Good morning

I have been asked to take an existing PowerShell script and make direct Microsoft Graph calls. The command(s) is Add-MsolRoleMember (also Remove-MsolRoleMember). The pattern PowerShell uses is

Add-MsolRoleMember -RoleObjectId [GUID] -RoleMemberEmailAddress [EMAIL ADDRESS]

I am trying to build this using C# and the Microsoft Graph API. I don't seem to see documentation for how to do this (or at least what to call it). I see some directory roles examples but I didn't think that they were the same thing. I have seen it stated that PowerShell is leveraging the Microsoft Graph API but I don't see it outside of the BETA version. Any help would be appreciated.

Update.

I keep seeing references to having to use Azure Graph instead because Microsoft Graph still has functionality in Beta and not supported.  I can pull all role assignments using Azure Graph this way

$"https://graph.windows.net/{settings.TenantID.value}/users/[ID]/appRoleAssignments?api-version=1.6";

I don't see how to add or remove from the list I get back.  They in fact look on the surface like applications to me.  I assume that these are different from directory roles so I cannot seem to find the correct call.  At this point if I could add and remove roles using Azure Graph I would be pleased because I presume that is what the powershell command is doing.  

Thank you
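An added example, not from the original post and not Microsoft's code, that does in PowerShell against Microsoft Graph v1.0 what Add-MsolRoleMember / Remove-MsolRoleMember do, so the same calls can be moved to C#. Two points the post is missing: the appRoleAssignments query against graph.windows.net returns application roles, which are a different object from directory roles; and the -RoleObjectId that MSOL takes is the role template id, while each Graph directoryRole has its own tenant-specific id plus a roleTemplateId, so the template id is mapped first (and the role activated from its template if it has never been used). $AccessToken is assumed to be a Graph access token that is permitted to manage directory roles; the role and user in the usage lines are placeholders.

```powershell
# Added example, not code from the original post. Directory role membership via
# Microsoft Graph v1.0, mirroring Add-MsolRoleMember / Remove-MsolRoleMember.

function Invoke-Graph {
    # Minimal Graph caller; $Path is relative to https://graph.microsoft.com/v1.0
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [ValidateSet('GET', 'POST', 'DELETE')][string]$Method = 'GET',
        [Parameter(Mandatory)][string]$Path,
        $Body
    )
    $params = @{
        Method      = $Method
        Uri         = "https://graph.microsoft.com/v1.0$Path"
        Headers     = @{ Authorization = "Bearer $AccessToken" }
        ContentType = 'application/json'
    }
    if ($null -ne $Body) { $params.Body = ($Body | ConvertTo-Json -Compress) }
    Invoke-RestMethod @params
}

function Get-GraphDirectoryRole {
    # Map an MSOL role object id (= roleTemplateId) to the tenant's activated directoryRole.
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$RoleTemplateId
    )
    $role = (Invoke-Graph -AccessToken $AccessToken -Path '/directoryRoles').value |
        Where-Object { $_.roleTemplateId -eq $RoleTemplateId }
    if (-not $role) {
        # A role that has never been used is not listed until activated from its template.
        $role = Invoke-Graph -AccessToken $AccessToken -Method POST -Path '/directoryRoles' `
            -Body @{ roleTemplateId = $RoleTemplateId }
    }
    $role
}

function Get-GraphUserId {
    param([Parameter(Mandatory)][string]$AccessToken, [Parameter(Mandatory)][string]$UserPrincipalName)
    $escaped = [uri]::EscapeDataString($UserPrincipalName)
    (Invoke-Graph -AccessToken $AccessToken -Path "/users/$escaped?`$select=id").id
}

function Add-GraphRoleMember {
    # Equivalent of: Add-MsolRoleMember -RoleObjectId <templateId> -RoleMemberEmailAddress <upn>
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$RoleTemplateId,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $role   = Get-GraphDirectoryRole -AccessToken $AccessToken -RoleTemplateId $RoleTemplateId
    $userId = Get-GraphUserId -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName
    # POST .../members/$ref with the member's directoryObjects URL as @odata.id
    Invoke-Graph -AccessToken $AccessToken -Method POST -Path "/directoryRoles/$($role.id)/members/`$ref" `
        -Body @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$userId" }
}

function Remove-GraphRoleMember {
    # Equivalent of: Remove-MsolRoleMember -RoleObjectId <templateId> -RoleMemberEmailAddress <upn>
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$RoleTemplateId,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $role   = Get-GraphDirectoryRole -AccessToken $AccessToken -RoleTemplateId $RoleTemplateId
    $userId = Get-GraphUserId -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName
    Invoke-Graph -AccessToken $AccessToken -Method DELETE `
        -Path "/directoryRoles/$($role.id)/members/$userId/`$ref"
}

# Usage (placeholders). The template id is the same GUID MSOL reports:
#   $templateId = (Get-MsolRole -RoleName 'Helpdesk Administrator').ObjectId
#   Add-GraphRoleMember    -AccessToken $token -RoleTemplateId $templateId -UserPrincipalName 'alice@contoso.com'
#   Remove-GraphRoleMember -AccessToken $token -RoleTemplateId $templateId -UserPrincipalName 'alice@contoso.com'
```

In C# the same three requests (GET /directoryRoles, POST .../members/$ref with an @odata.id body, DELETE .../members/{id}/$ref) are what the Graph SDK's DirectoryRoles[...].Members.References calls send, so the PowerShell version doubles as a trace of what to expect on the wire.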




Azure B2C - How to get user signed up for which application initially


Dear All,

I have configured Azure AD B2C with ASP.NET Core 2.1 applications (multiple applications registered in the B2C AD).

After user sign-up, I want to know which application the user initially signed up through.

How do I get it? It should not be entered by the user.

Thanks,

Selva


Selvakumar Rathinam

Office 365 Group Naming Policy's reflection


I set "Groups - Naming policy" in Azure Active Directory.

The current policy is "O365-<Group name>".

But after 24 hours, I can't see the policy reflected when creating an Office 365 Group in Teams or Outlook on the web as a user.

I have an Azure AD Premium P1 license for this setting.

Would you tell me what I should add?

Azure Active Directory: "Access denied You do not have access" on my own account


Hi

I've just logged into the Azure portal and clicked Azure Active Directory in the left-hand menu.

I immediately got the error message

Access denied

You do not have access

I am the account owner, I created the account about 5-6 years ago and nobody else has ever had access to this account. I don't understand how I can't have access.

Any suggestions?

I don't think I've ever used Azure AD on this account but now I need to use it for a new web site that I'm developing.

Thanks

How to get information from Azure Active Directory using Graph API


Hi,

I am calling the Microsoft Graph API to get the clientId, ApplicationId and ObjectId based on the Name (AAD name). Below is the Graph API which I am trying to call:

"https://graph.windows.net/myorganization/<DisplayName>/<ResourceGroupName>/getMemberObjects?api-version"

When I call it, it gives neither a response nor an error.

Can anyone help to fix this or is there any better solution instead of calling an API?

Thanks in advance


Ramandeep

Create Client Secret for registered App in AAD using Powershell


Using PowerShell, how do I create a client secret for an app I have registered in Azure Active Directory? I need the client secret in order to authenticate my app to push data to Data Lake Gen 1.
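An added example for the two posts above (the identifier lookup and the client secret), not code from either poster. It uses the AzureAD PowerShell module after Connect-AzureAD: Get-AadAppIdentity looks up an app registration by display name and returns the object id and the application (client) id, which is what the earlier post's graph.windows.net URL was reaching for; New-AadAppClientSecret then adds a password credential with an explicit expiry. The secret value is only returned at creation time and cannot be read back with Get-AzureADApplicationPasswordCredential, so the example returns it once and the usage lines never print it; the app name in the usage lines is a placeholder.

```powershell
# Added example, not code from the original posts. Requires the AzureAD module
# and a prior Connect-AzureAD with rights on the app registration.

function Get-AadAppIdentity {
    # Resolve an app registration by display name to the ids a caller actually needs.
    param([Parameter(Mandatory)][string]$DisplayName)
    # OData filter; double any single quote in the name so the filter stays well formed.
    $escaped = $DisplayName.Replace("'", "''")
    $apps = @(Get-AzureADApplication -Filter "displayName eq '$escaped'")
    if ($apps.Count -ne 1) {
        throw "Expected exactly one application named '$DisplayName', found $($apps.Count)."
    }
    [pscustomobject]@{
        DisplayName = $apps[0].DisplayName
        ObjectId    = $apps[0].ObjectId   # object id of the application object (used by the cmdlets)
        ClientId    = $apps[0].AppId      # application (client) id used in token requests
    }
}

function New-AadAppClientSecret {
    # Add a password credential with an explicit lifetime; returns the value exactly once.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$Description = "generated $(Get-Date -Format yyyy-MM-dd)",
        [int]$ValidDays = 180
    )
    $app   = Get-AadAppIdentity -DisplayName $DisplayName
    $start = Get-Date
    if ($PSCmdlet.ShouldProcess($app.DisplayName, "add client secret valid $ValidDays days")) {
        $cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
            -CustomKeyIdentifier $Description -StartDate $start -EndDate $start.AddDays($ValidDays)
        [pscustomobject]@{
            ClientId = $app.ClientId
            TenantId = (Get-AzureADTenantDetail).ObjectId
            KeyId    = $cred.KeyId
            EndDate  = $cred.EndDate
            Secret   = $cred.Value   # hand this to a vault; it is not retrievable later
        }
    }
}

# Usage (placeholders):
#   Connect-AzureAD
#   Get-AadAppIdentity -DisplayName 'datalake-uploader'
#   $s = New-AadAppClientSecret -DisplayName 'datalake-uploader' -ValidDays 90
#   $s | Select-Object ClientId, TenantId, KeyId, EndDate   # everything except the secret
```

Keep the lifetime short and the description meaningful: Get-AzureADApplicationPasswordCredential lists KeyId, CustomKeyIdentifier and EndDate for every secret on the app, which is all you have to go on when rotating or revoking one.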


Why am I getting "Token does not exist error" whenever I am trying to call https://graph.microsoft.com/v1.0/me


I created a Bearer token using the following steps:

<< Unable to paste link >>

client_id: {{client_id}}
scope: https://graph.microsoft.com/.default
client_secret: {{secret}}
grant_type: client_credentials

Response
{
"token_type": "Bearer",
"expires_in": 3600,
"ext_expires_in": 3600,
"access_token": {{token}}
}

When I tried using the token in the following way, it gave me an error. Some say I am supposed to have an Office 365 account with a subscription; is that the reason? I am able to log into my Office 365 account with my email id, but I'm not sure about the subscription stuff.

Please let me know how can I solve things here.

GET Microsoft Graph Url with *me* [ Unable to paste link as MSDN doesn't allow ]

Authorization : <<Bearer_Token>>

{
"error": {
"code": "OrganizationFromTenantGuidNotFound",
"message": "The tenant for tenant guid 'db404958-8858-4f05-8a8c-91cbd9d89b21' does not exist.",
"innerError": {
"request-id": "7048cf60-92d1-4514-86e9-a061c68b2238",
"date": "2019-06-08T01:58:58"
}
}
}

Not sure why it is failing in the user-specific API call. Do I need to have an O365 account with a subscription?

I do have an O365 account but am not sure about the subscription.
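An added example serving both the PowerShell token question earlier on the page and this /me error; it is not code from either post. Get-AadClientCredentialToken posts the same four fields as the Postman request to the v2.0 token endpoint; ConvertFrom-JwtPayload decodes the returned token's claims offline (no signature check, inspection only) and Test-DelegatedToken reports whether the token carries a signed-in user. A client_credentials token never does: it has roles instead of scp, and /me is only valid for delegated (user) tokens, so an app-only caller has to use /users/{id-or-upn} instead. This does not by itself explain the OrganizationFromTenantGuidNotFound response in the post; it only shows what the token in hand can be used for. Tenant id, client id and secret are placeholders, and the token at the bottom is a constructed, unsigned JWT used only to exercise the decoder.

```powershell
# Added example, not code from the original posts. Client-credentials token in
# PowerShell, plus an offline look at the claims to see what the token can do.

function Get-AadClientCredentialToken {
    # Same request as the Postman call: v2.0 token endpoint, form-encoded body.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret,
        [string]$Scope = 'https://graph.microsoft.com/.default'
    )
    $body = @{
        client_id     = $ClientId
        scope         = $Scope
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
    }
    # A hashtable body is sent as application/x-www-form-urlencoded for POST.
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $resp.access_token
}

function ConvertFrom-JwtPayload {
    # Decode the middle (claims) segment of a JWT. No signature check: inspection only.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT.' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')     # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-DelegatedToken {
    # Delegated tokens carry "scp" (and a user); app-only tokens carry "roles" only.
    param([Parameter(Mandatory)][string]$Token)
    $c = ConvertFrom-JwtPayload -Token $Token
    $delegated = [bool]$c.scp
    [pscustomobject]@{
        TenantId    = $c.tid
        AppId       = $c.appid
        Audience    = $c.aud
        Scopes      = $c.scp
        AppRoles    = $c.roles
        IsDelegated = $delegated
        MeEndpoint  = if ($delegated) { 'usable' } else { 'not usable: app-only token, call /users/{id-or-upn}' }
    }
}

# Constructed sample (placeholders, unsigned) to exercise the decoder offline.
function ConvertTo-Base64Url([string]$s) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$claims = ConvertTo-Base64Url '{"aud":"https://graph.microsoft.com","tid":"00000000-0000-0000-0000-000000000000","appid":"11111111-1111-1111-1111-111111111111","roles":["User.Read.All"]}'
Test-DelegatedToken -Token "$header.$claims."

# Live use (placeholders):
#   $token = Get-AadClientCredentialToken -TenantId '<tenant-id>' -ClientId '<client-id>' -ClientSecret '<secret>'
#   Test-DelegatedToken -Token $token
#   Invoke-RestMethod -Headers @{ Authorization = "Bearer $token" } -Uri 'https://graph.microsoft.com/v1.0/users/alice@contoso.com'
```

For the constructed token the output shows IsDelegated = False and an AppRoles list, which is exactly the shape a client_credentials token from the post's Postman request has; an app-only token also needs the application permission (User.Read.All, admin-consented) before /users/{id} will return anything.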


Azure AD Connect - Password sync Warning: no recent synchronization


Hi All,

I wonder if someone can help?

I have an AD Connect server running Win Serv 2012 R2. I have had Azure AD Connect running for the best part of 10 months. I came into work the other day and found that the password sync had stopped.

I have gone and done a manual sync, deselected and reselected the PWD attribute, restarted the services and machine, but I still can't get passwords to sync.

Here is the error: Azure AD Connect - Password sync Warning: no recent synchronization.

Can anyone assist? I am sure I am not the only one who's had this.

My Azure AD Connect version is: 1.1.281.0

As always, thanks very much,
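An added example, not the poster's code, for running on the Azure AD Connect server. It lists the recent password hash sync events the Directory Synchronization source writes to the Application log (650/651 batch start and end, 656/657 change request and result) and, when there are none in the window, turns password hash sync off and back on for the AD connector with Set-ADSyncAADPasswordSyncConfiguration, which is the documented way to restart a stalled channel. Connector discovery follows Microsoft's troubleshooting guidance for password hash sync; the 3-hour window is an assumption.

```powershell
# Added example, not code from the original post. Run as an administrator on the
# Azure AD Connect server.
Import-Module ADSync

function Get-PhsRecentActivity {
    # Password hash sync heartbeat: 650/651 = batch start/end, 656/657 = change request/result.
    param([int]$Hours = 3)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Id           = 650, 651, 656, 657
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Reset-PhsForConnector {
    # Disable and re-enable password hash sync between the AD and Azure AD connectors.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $adConnector  = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
    $aadConnector = Get-ADSyncConnector |
        Where-Object { $_.SubType -eq 'Windows Azure Active Directory (Microsoft)' } | Select-Object -First 1
    if (-not $adConnector -or -not $aadConnector) {
        throw 'Could not find both the AD and the Azure AD connector.'
    }
    # Show the current PHS configuration for the source connector before touching it.
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
    if ($PSCmdlet.ShouldProcess($adConnector.Name, 'disable and re-enable password hash sync')) {
        Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name `
            -TargetConnector $aadConnector.Name -Enable $false
        Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name `
            -TargetConnector $aadConnector.Name -Enable $true
    }
}

$recent = Get-PhsRecentActivity -Hours 3
if ($recent) {
    $recent | Format-Table -AutoSize
} else {
    Write-Warning 'No password hash sync events in the last 3 hours; re-enabling the channel.'
    Reset-PhsForConnector -Confirm
}
# Re-enabling triggers a full password sync; watch for a new 650/651 pair with:
#   Get-PhsRecentActivity -Hours 1
```

Two things to check alongside this: the AD connector account needs Replicating Directory Changes and Replicating Directory Changes All on the domain (password hash sync reads hashes via directory replication), and builds that are much newer than 1.1.281.0 ship Invoke-ADSyncDiagnostics -PasswordSync, which runs these checks for you.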

AD Connect password writeback Passwordresetservice error 33008


Hi all

I can't figure out why the Azure password reset isn't working anymore. Our users get the message that their new password doesn't fit the company policy.

On the AD Connect server I keep getting this error:

Reason: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified., Context: cloudAnchor: User_xxx, SourceAnchorValue: xxx==, UserPrincipalName: xxx, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified.

Minimum password age in password policy GPO is 0, so we should be able to change the passwords anytime.

When I check net user testuser /domain I can also see that the password can be changed

The account we use to sync the AD forest has reset password, change password and write permissions on lockouttime and pwdreset on all the users

Anyone any ideas?

Edit: No same passwords were used, needed password complexity was used
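An added example, not the poster's code, that checks two things a writeback of the kind in this post has to clear on the domain side: the user's effective password policy (Get-ADUserResultantPasswordPolicy returns a fine-grained password policy when one applies, and that policy overrides the GPO's default domain policy, including its minimum age and history count) and the recent PasswordResetService 33008 events on the Azure AD Connect server, parsed for user and HRESULT. The AD part needs RSAT; the event part runs on the Azure AD Connect server. AgeSatisfied is a simplification measured from PasswordLastSet and is my assumption about what the policy enforces, not a statement about what caused the post's error; the user name in the usage line is a placeholder.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function Get-WritebackPolicyCheck {
    # Effective password policy for one user, fine-grained policy first, default domain policy otherwise.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, 'msDS-ResultantPSO', CannotChangePassword, LockedOut
    $default = Get-ADDefaultDomainPasswordPolicy
    $pso     = Get-ADUserResultantPasswordPolicy -Identity $user   # $null when no PSO applies
    $eff     = if ($pso) { $pso } else { $default }
    # Assumption: minimum age counts from PasswordLastSet (null when "must change at next logon").
    $ageOk = if ($user.PasswordLastSet) {
        ((Get-Date) - $user.PasswordLastSet) -ge $eff.MinPasswordAge
    } else { $true }
    [pscustomobject]@{
        User                 = $user.SamAccountName
        AppliedPolicy        = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }
        MinPasswordAge       = $eff.MinPasswordAge
        PasswordHistoryCount = $eff.PasswordHistoryCount
        MinPasswordLength    = $eff.MinPasswordLength
        ComplexityEnabled    = $eff.ComplexityEnabled
        PasswordLastSet      = $user.PasswordLastSet
        AgeSatisfied         = $ageOk
        CannotChangePassword = $user.CannotChangePassword
        LockedOut            = $user.LockedOut
    }
}

function Get-WritebackFailure {
    # PasswordResetService 33008 events on the Azure AD Connect server, with user and HRESULT.
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'PasswordResetService'
        Id           = 33008
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $upn = if ($_.Message -match 'UserPrincipalName:\s*([^,\s]+)') { $Matches[1] } else { '' }
        $hr  = if ($_.Message -match 'hr=([0-9A-Fa-f]{8})') { $Matches[1] } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $upn; HResult = $hr }
    }
}

# Usage (placeholder user): compare the two views for the same account.
#   Get-WritebackPolicyCheck -SamAccountName 'testuser' | Format-List
#   Get-WritebackFailure -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

If AppliedPolicy shows a PSO, that is the policy the writeback has to satisfy, regardless of what the GPO or `net user /domain` reports for the domain default; the HResult column lets you confirm whether every failure is the same 80230619 or whether different users are hitting different restrictions.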

Direct Reports Dynamic Group?

Heya all,

I came across instructions on creating a dynamic group based on direct reports (under 'Other Properties and Common Rules'):

(Turns out I can't post a URL, the article is called "Create a dynamic group and check status" on Microsoft's website)

The problem is that I don't see any criteria in my Azure AD portal (when creating/modifying a dynamic group) even remotely similar to "direct report" or "manager".

Is the 'direct report' criterion something that is no longer available?
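An added example, not from the original post, that creates the group in code rather than in the portal: the documented rule is written in rule syntax as Direct Reports for "<objectId of the manager>", so it is entered in a rule-syntax field (or, as here, passed to New-AzureADMSGroup from the AzureAD module) rather than picked from the property list. The manager UPN and group name are placeholders.

```powershell
# Added example, not code from the original post. Requires the AzureAD module
# and a prior Connect-AzureAD.

function New-DirectReportsGroup {
    # Dynamic security group whose members are the direct reports of one manager.
    param(
        [Parameter(Mandatory)][string]$ManagerUpn,
        [Parameter(Mandatory)][string]$DisplayName
    )
    $manager = Get-AzureADUser -ObjectId $ManagerUpn        # -ObjectId also accepts a UPN
    # Rule syntax from the "Other properties and common rules" section; needs the manager's objectId.
    $rule = 'Direct Reports for "{0}"' -f $manager.ObjectId
    New-AzureADMSGroup -DisplayName $DisplayName `
        -Description "Direct reports of $($manager.DisplayName)" `
        -MailEnabled $false -SecurityEnabled $true `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
}

# Usage (placeholders):
#   Connect-AzureAD
#   $g = New-DirectReportsGroup -ManagerUpn 'manager@contoso.com' -DisplayName 'Team of Jane Doe'
#   Get-AzureADMSGroup -Id $g.Id | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Membership is evaluated asynchronously, so the group is empty right after creation; the rule only follows the manager attribute one level down, so reports of reports need their own group.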


Azure Dev-Ops Tenant Move. Will it preserve the source code data?


Hi,

We need to move our tenant from our organization to a new enterprise organization. Our developers are concerned about what happens when we disconnect the tenant and then connect it to a new organization. Will this keep the source code intact? It is important to keep this data and that it be unmodified. If someone could point me to some information about this, or has had experience doing this, it would be greatly appreciated.

We are combining organizations at the enterprise level. 

Thanks for the help in advance!

Apollo



Cannot Resolve Azure AD domain after move to new registrar


Hello

We have an Azure AD setup using a custom domain name. This Azure AD hosts a series of virtual machines and we connect to this network via P2S VPN. Previously we have always been able to ping and RDP to these VMs using the FQDN; however, since we recently moved our domain to a new registrar this no longer works. Internal IPs still work, but this is not ideal. When we now ping a virtual machine, it comes back with the new registrar's DNS IP address.

Can anyone shed some light on this? I am not a DNS or domain expert, but I am not sure what would have happened during a simple domain move that would cause our internal lookups to go out to an external IP.

Thank you
