Channel: Azure Active Directory forum

UWP and Azure B2C development client information


I have read through a lot of Microsoft and 3rd party documentation regarding Azure B2C, OpenID Connect, JSON, JWT access tokens etc. I cannot find any documentation on using Azure B2C with a UWP app and CRUD operations with client data in an Azure SQL database. Everything leads me to ASP.NET. Has anyone accomplished this task and how?

Thanks


james


Methods to automate Azure Active Directory Tenant creation in Azure


Team,

I have been looking into methods to automate Azure AD tenant creation. I did not find ARM template/Azure AD Graph/CLI support to accomplish creation of an active directory tenant.

Did I miss something here? Is there a way to automate this?

Thanks,

Sugendh

Hybrid Join Issue


The device is seen on the Azure Portal, but when checked on the device at the command prompt (dsregcmd /status):

Azure AD join : NO
WamDefaultSet : NO
AzureAdPrt : NO


How to generate a SAML or SAML2 token based on a JWT


Newbie to Azure AD and things about conversion and JWT.

Say, I managed to get a JWT as below from Azure AD using ADAL in Xamarin Forms.

How do I convert the below JWT from Azure AD to a SAML (or SAML2) token? After conversion, I use this SAML2 token to gain access or call the endpoints which reside in the system that uses SAML or SAML2 tokens.

1) JWT

{
  "typ": "JWT",
  "nonce": "x-x-x_x-x",
  "alg": "RS256",
  "x5t": "TioGywwlhvdFbXZxxx",
  "kid": "TioGywwlhvdFbXZxxx"
}.{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/x-x-x-x-x/",
  "iat": 1532080076,
  "nbf": 1532080076,
  "exp": 1532083976,
  "acct": 0,
  "acr": "1",
  "aio": "Axxxxxxx=",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "myApp",
  "appid": "x-x-x-x-x",
  "appidacr": "0",
  "e_exp": 262800,
  "family_name": "xxx",
  "given_name": "xxx",
  "ipaddr": "x.x.x.x",
  "name": "xxx",
  "oid": "x-x-x-x-x",
  "onprem_sid": "x-x-x_x-x-x-x-x",
  "platf": "1",
  "puid": "xxxxxxx",
  "scp": "Directory.Read.All User.Read",
  "sub": "yxxxxx",
  "tid": "x-fb9a-x-x-x",
  "unique_name": "xxx.x@xxx.com",
  "upn": "xxx.xx@xxx.com",
  "uti": "xxxxxx",
  "ver": "1.0"
}.[Signature]

2) What is this SecurityTokenDescriptor, what are its usages? What parameters must I include?

 What do the parameters mean?
 a) AppliesToAddress (where to find this)
 b) TokenIssuerName (where to find this)
 c) EncryptingCredentials
 d) Subject

SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor
{
    AppliesToAddress = "",
    TokenIssuerName = "",
    EncryptingCredentials = null,
    Subject = identity,
    Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddDays(1))
};

3) What do I need to convert, how do I convert this JWT to a SAML2 token, and what is required?

4) How do I check the expiry in the JWT?

Your help is very important to me. 

Thanks
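Added example (not code from the post or from ADAL): decoding a token shaped like the one above and checking its exp/nbf window, audience and issuer, which is what question 4 asks for. The tenant id and the token itself are constructed stand-ins for the masked values, and the block only reads claims; it does not verify the RS256 signature, which any consumer must still do against the tenant's published signing keys before trusting a single claim.

```python
import base64
import json
import time

# Constructed stand-ins for the masked values in the post (not real identifiers).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "TioGywwlhvdFbXZxxx"}
SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "iat": 1532080076, "nbf": 1532080076, "exp": 1532083976,
    "tid": TENANT_ID, "scp": "Directory.Read.All User.Read",
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# header.payload.signature as in the post; the signature segment is a placeholder
# because this example inspects claims only and never verifies the RS256 signature.
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps(SAMPLE_HEADER).encode()),
    _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    "signature-placeholder",
])

def decode_jwt(token: str):
    """Return (header, payload) dicts from a compact JWT; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def seconds_until_expiry(token: str, now=None) -> int:
    """Seconds until the exp claim (epoch seconds); negative once expired."""
    _, payload = decode_jwt(token)
    return payload["exp"] - (int(time.time()) if now is None else now)

def check_jwt_claims(token, expected_aud, expected_tid, now=None, skew=300):
    """List problems with alg/exp/nbf/aud/iss; empty means acceptable. The token
    must still have its signature verified against the tenant's published keys."""
    header, payload = decode_jwt(token)
    now = int(time.time()) if now is None else now
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if "exp" not in payload:
        problems.append("missing exp")
    elif now > payload["exp"] + skew:  # skew tolerates clock drift between parties
        problems.append("token expired")
    if "nbf" in payload and now + skew < payload["nbf"]:
        problems.append("token not yet valid")
    if payload.get("aud") != expected_aud:
        problems.append(f"audience {payload.get('aud')!r} is not {expected_aud!r}")
    if payload.get("iss") != f"https://sts.windows.net/{expected_tid}/":
        problems.append(f"issuer {payload.get('iss')!r} is not tenant {expected_tid}")
    return problems
```

The exp, nbf and iat values are Unix epoch seconds, so the post's token was valid for 3900 seconds (65 minutes) from issue; a Graph-audience token like this one should also be rejected by any API that is not Graph, which is what the audience check enforces.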

Hybrid Azure AD Joined machine showing registered pending


In the Azure Portal I can see a few of our machines are registered pending.

  1. How can I get them registered?
  2. Do I need to get them registered? What will happen, or not happen if they stay "pending"?

I was looking into this because conditional access with MFA is not working properly with one of these "pending" machines. It is actually an RDS session host, so that may complicate it more. I do see a few standard workstations that are also in the "pending" registered state.

Thanks in advance


AD Connect password writeback Passwordresetservice error 33008


Hi all

I can't figure out why the Azure password reset isn't working anymore. Our users get the message that their new password doesn't fit the company policy.

On the AD connect I keep getting this error

Reason: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified., Context: cloudAnchor: User_xxx, SourceAnchorValue: xxx==, UserPrincipalName: xxx, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230619, message=A restriction prevents the password from being changed to the current one specified.

Minimum password age in the password policy GPO is 0, so we should be able to change the passwords anytime.

When I check net user testuser /domain I can also see that the password can be changed.

The account we use to sync the AD forest has reset password, change password and write permissions on lockoutTime and pwdLastSet on all the users.

Anyone any ideas?

Edit: No same passwords were used; the needed password complexity was used.

Authentication with Azure AD to access .Net Core API


Hi,

I have set up my Azure AD so I can authenticate using the app it gives me to download and I am trying to change it so instead of calling the Graph API it calls my API with authentication.

I have tried many, many tutorials and after setting up the security of the API, passing in the token doesn't seem to be enough. It says I need the client_id and the service key. I pass in all three bits of data but it still says invalid token.

Should I be logging in via the API rather than directly to the AD?

Is the authority correct for the API? 

Should I be passing my token to the API to exchange it for something else to show I have access to it?

The Azure system seems to have changed recently and now NONE of the documentation matches what I see in the portal. I'm not even sure Azure can do what I need it to!!!

Thanks in advance.

How do I sign up for Azure?


Can't I activate Azure with an education office account or a personal account?

As for the school email, the school doesn't let us see the school email..

Is there no way to sign up separately? I'm a student..

I'd appreciate an answer.

Korean is preferred if possible,

but if only English is possible, I'll use a translator.

If you answer, please leave it at ab0389@naver.com.


Azure AD Connected Azure VM Not Syncing Passwords?

OK so, using Office 365. We have Azure AD. We have an Azure VM server. Users are able to RDP just fine, but 1-2 users, when they change their passwords, cannot log in. It says wrong password? What could possibly be the issue?

Service Principal Permission Revocation not working


Hi, 

I have an issue with revoking permissions on a Service principal created in our Azure AD environment. The spn has been created under the App Registrations section in the Azure Portal. Granting the permissions to the Azure AD Graph API is working after confirming the consent. Permissions granted are Read All Directory Data and Read All Applications Owned By. 

This has been tested with different calls via PostMan and Powershell. 

When I want to revoke the permission (not removing the spn), I see the permissions have been removed from the application, but my calls to Azure AD Graph API are still working. Permissions have been revoked via the Azure Portal under App Registrations and consent has been confirmed again. 

Analyzing the Bearer token tells me the roles are not assigned anymore, but when doing calls to Azure AD Graph, I still get results from my queries. 

Can someone explain this to me? 

Transition from On-prem AD to Azure Active Directory Domain Services


Hello Experts,

Considering this scenario below

Customer A has on-prem Active Directory with Azure Active Directory Connect that synched to Azure AD. Most applications are O365 based, however, there are domain joined workstations, file servers and Print servers.

The customer wants to transition to a full cloud architecture, and is considering replacing the on-prem file servers with Azure Files, getting a cloud-based solution for printing, and then considering Azure AD join for the Windows 10 workstations.

These are the questions below:

  1. If the customer's on-prem environment has contoso.com as the domain name (in Windows Active Directory), can a managed domain be created in Azure Active Directory as contoso.com?
  2. Can Azure Active Directory Domain Services support a VM with print services, if a cloud-based print service is not available?
  3. Do we need to consider hybrid connectivity between the customer site and Azure for connectivity to Azure Active Directory Domain Services?

Pull OnPremisesSyncEnabled status through graph API

Hello all, I have been trying for a couple of days, as I have time now, to connect to Graph and pull the OnPremisesSyncEnabled status for all users in the company. I have been able to connect to Graph using some other examples found online, and run other commands successfully, but for some reason I cannot seem to find where this flag is listed in PowerShell even though I can see it in Graph Explorer under beta. Below is the script I am using to connect and the working function I have currently.

### Check for and Install MSGraph
if (Get-Module -ListAvailable -Name PSMSGraph) {
    Write-Host "PSMSGraph Already Installed"
} else {
    Install-Module -Name 'PSMSGraph' -Scope CurrentUser
    Import-Module -Name 'PSMSGraph' -Scope Local
}

### Check for and Install MSOnline
if (Get-Module -ListAvailable -Name MSOnline) {
    Write-Host "MSOnline Already Installed"
} else {
    Install-Module MSOnline -Scope CurrentUser
    Import-Module MSOnline -Scope Local
}

$username = "******************"
$password = "******************"
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object { $secstr.AppendChar($_) }
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr

$GraphAppParams = @{
    Name             = '******************'
    ClientCredential = $cred
    RedirectUri      = 'https://localhost/'
    Tenant           = '******************'
}

$GraphApp = New-GraphApplication @GraphAppParams
# This will prompt you to log in with your O365/Azure credentials.
# This is required at least once to authorize the application to act on behalf of your account.
# The username and password is not passed back to or stored by PowerShell.

$AuthCode = $GraphApp | Get-GraphOauthAuthorizationCode
# See the following help for what resource to use:
# Get-Help Get-GraphOauthAccessToken -Parameter Resource

# Note: the resource URI must not carry a trailing space.
$GraphAccessToken = $AuthCode | Get-GraphOauthAccessToken -Resource 'https://graph.windows.net'

#### Get User Credentials
$UserCredential = Get-Credential

### Connect to nThrive MSOnline services
Connect-MsolService -Credential $UserCredential

Function Get-GraphUserInfo {
    $UserLastName = Read-Host -Prompt 'Input the last name of the user you need account information on'
    $userlookupid = Get-MsolUser -SearchString $UserLastName -All |
        Out-GridView -PassThru -Title "Please select correct user from list" |
        Select-Object ObjectId
    $UserUPN = Get-MsolUser -ObjectId $userlookupid.ObjectId | Select-Object UserPrincipalName
    Get-AADUserByID -AccessToken $GraphAccessToken -ObjectId $UserUPN.UserPrincipalName |
        Select-Object displayname, jobtitle, city, country, Mobile, TelephoneNumber, UserPrincipalName, Mail, SignInName, ProxyAddresses, AccountEnabled, iscomprimised, deletiontimestamp, assignedlicenses, ImmutableID, objectid, passwordpolicies, physicaldeliveryofficename, state, streetaddress, extension_63f00f8ae3bb4135affd4f2f5cf41ceb_CustomAttribute1, extension_63f00f8ae3bb4135affd4f2f5cf41ceb_CustomAttribute5, extension_63f00f8ae3bb4135affd4f2f5cf41ceb_CustomAttribute11
}

Migrate system using Azure AD to AD B2C


Hi All,

We have a SaaS consisting of a web app, desktop app and API that uses Azure AD. We need to update it and add some mobile apps. The user base has also outgrown the original specialist market. The original niche domain name is not appropriate for new users and has become a problem to support.

We want to move the system to AD B2C, which would give us more flexibility. It looks possible to graft the required bits into the existing system without too much disruption. However, we want to leave the existing users with their existing logins. Is it possible to implement AD B2C and bring in the existing AD users? Is there any information on how it can be done?

Thanks in advance,

Rob

[B2C] How to configure JwtBearerOptions to include policy name in well-known/openid-configuration URL?


I'm trying to add some bearer token verification to my ASP.NET web application. I'm using the built-in JWT authentication code, configured by using the following code ...

services.AddAuthentication(ConfigureAuthentication).AddJwtBearer(ConfigureJwt);

Which runs the following functions ...

private void ConfigureAuthentication(AuthenticationOptions options)
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}

private void ConfigureJwt(JwtBearerOptions options)
{
    var directoryId = Configuration["AzureAd:DirectoryId"];
    var directoryName = Configuration["AzureAd:DirectoryName"];
    var policy = Configuration["AzureAd:SigninPolicyName"];

    options.Audience = Configuration["AzureAd:ApplicationId"];
    options.Authority = $"https://{directoryName}.b2clogin.com/{directoryName}.onmicrosoft.com/v2.0";
}

The `ConfigureJwt` method is the one I'm dealing with. I can't seem to get the underlying JWT code to fetch the `openid-configuration` from the appropriate URL. It's very close, but it's lacking the policy from the URL. Here is what my above code generates and tries to fetch the `openid-configuration` from ...

    https://example-directory.b2clogin.com/example-directory.onmicrosoft.com/v2.0/.well-known/openid-configuration

And here is what it is supposed to fetch the configuration from, as specified from the Azure portal ...

    https://example-directory.b2clogin.com/example-directory.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_SignInPolicy

As you can see, my code above is lacking the policy name.

I can't seem to figure out how to specify this anywhere. Does anybody know how to configure `JwtBearerOptions` so that it includes this policy name?


User access to azure resources


Hi 

I have an Azure tenant. It is synchronized with on-premises Active Directory. I have granted the user (a user listed as Windows Server AD) the Global Administrator and Owner roles. The user cannot see any Azure resources. Why?

Every FSMO role in Azure


Hello

I have DCs on-premises and DCs in Azure. Every FSMO role is located on-premises. I would like to move every FSMO role to the Azure DCs but I am not sure if I can do that.

Following this link: https://docs.microsoft.com/es-es/azure/architecture/reference-architectures/identity/adds-extend-domain

We can read:

We recommend you do not assign operations masters roles to the domain controllers deployed in Azure.

It only says "recommend" and does not say "don't do it"; there is also no explanation of why it is not recommended. Can any Microsoft guy please provide me with an answer? Can I move my roles to Azure or not? Also, why is it not recommended?

Thanks a lot in advance

Regards




Upgraded Azure AD Connect - now getting 8344 errors on Export of local directory


Performed an in-place upgrade of Azure AD Connect to 1.1.561.0.

Export stage of synchronization is throwing an error on 400+ user objects.

Status: Completed - export errors

Permission Issue - Export tab shows error 8344 - Insufficient access rights to perform the operation.

Providing directory extension optional claims and returning value within token


I have a simple Web Forms app which uses standard Windows Integrated Authentication. I need to migrate this to the Azure App Service and have enabled OWIN support to authenticate against Azure AD. This is all working; however, when I inspect the claims I am not seeing the sAMAccountName.

I have looked at the following articles and found that I can extend AD Connect with Directory Extensions and sync the user's sAMAccountName to Azure AD. Again this is working OK, and if I query the Graph Explorer I can see my attribute...

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

 "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName": "valuemasked",

I have added the following optional claims section within my manifest of my Azure AD App however when I launch my app in Visual Studio and inspect the claims returned I am not seeing the claim which shows me the attribute value.

foreach (System.Security.Claims.Claim claim in ClaimsPrincipal.Current.Claims)
{
    // inspect claim.Type and claim.Value here
}

Can anyone advise what I am missing here?

Thanks

Manifest below

"optionalClaims": {
    "idToken": [
      {
        "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ],
    "accessToken": [
      {
        "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
        "source": null,
        "essential": false,
        "additionalProperties": []
      }
    ],
    "saml2Token": [
      {
        "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
        "source": "user",
        "essential": false,
        "additionalProperties": []
      }
    ]
}

Dynamic Device group based on Domain

We are running in a hybrid environment and I am attempting to set up a dynamic Azure AD group. We want to set up the group so it contains only workstations, based on the subdomain that the workstations belong to. I was unable to find documentation on device-based rules; is there any documentation on this? The other issue I am having is that even with simple rules, I don't get any members showing in my groups; I assume this is because the value I am searching for does not exist. Is there a location in Azure that will display the device and its properties, similar to the on-prem AD attribute editor? For example, when I do deviceOSVersion starts with, is it looking for "10.", "Windows 10", or "Windows NT Workstation", none of which produced any members.

Unjoin PC when employee changed, Azure doesn't update records?


We are using the "free" AzureAD level that comes when using Office365 (not any P level).

In readying a PC to go to a future (as yet unknown) staff member, the PC is still attached to the old user in the Azure console. This is an issue because the Bitlocker key is stored under the old employee, and we will soon remove that employee's Office365/Azure subscription. OF COURSE, we have already printed the Bitlocker key to be safe :)

The PC was joined to Azure initially as employeeA.
ItDesk was an additional work or school user.
EmployeeA has been deleted from the PC.

ItDesk is now the only account on the PC.
Currently "Work and School" for the ITDesk shows it is connected to the company Azure.

I gather there is some difference between JOIN and CONNECT.
How do I unjoin employeeA and join via ItDesk in the interim then later future employeeB?

If we remove employeeA from Office365/Azure NOW, will the PC info in Azure automatically move to another user detected on the PC (ItDesk), or show with a generic 'user deleted' or something? Or will it just disappear?

We will often keep a PC in the same department - so just remove the user and personal content, keep the departmental info intact and save having to reconfigure at least the non-user/PC-wide settings again - i.e we do not reset Windows between users. What kind of consequence does this have with Azure? when you UNJOIN a PC - what info will be lost on the PC itself?

I noticed that when a PC is renamed, the name change never makes it back to Azure. Is there any command that can be run on the PC to update the info or a function I am just not finding in the Azure admin console to request updated info from the PC ? The field is not editable.
