Channel: Azure Active Directory forum

Push Bitlocker Keys down to on premise AD.

I've spent a week or so now trying to find this info, as I'm new to dealing with Azure/Hybrid Azure. We currently have our Recovery Keys being saved out to the "Cloud Account". Is there a way to port this info back down to the BitLocker section of the related computer objects in the on-premises AD? Or can we set a GPO to pull it into the on-premises AD without preventing it from going to the Cloud as well?

Thanks


First time user questions

Hello,

I've just set up a test environment - Win2016 with AD and a working Exchange server on site. I got the very basics of AD sync working but am coming up with lots of questions now that the very basics are working.

 

1. Can you create a second login for the Microsoft account that controls the AD sync? I certainly can create more global admins in the Azure portal, but wouldn't the owner of the MS account have ultimate control? What if that person leaves?

2. How do you sync all the accounts from the cloud down to a new on-premises AD server (no previous on-site Active Directory server)?

3. Can I specify users or OUs I do or don't want to sync from on-prem? For example, I have an OU of disabled accounts (former employees we keep in AD but disabled until they've been gone for a bit, just in case we want to check anything out, e.g. their old workstation or email).


Error message - Your organization has deleted this device. To fix this, contact your system administrator and provide error code 700003.

Hi,

I think I'm the administrator, however I have no idea what this means. I did have to recently apply an update to Office 365 apps on the desktops and laptops our small business has.

It seems that through that process I managed to delete my work desktop from being recognised as an 'official' work computer by our organisation.

It seems that I need to somehow go into Azure Active Directory and get the device re-added. However, it seems that the options that should be selected are selected.

Thank you for any assistance.

Russell

Create Client-Secret - User Not Found

Using the below to create the new registered app...

# Tenant/subscription GUIDs are masked in the post
$subId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$tenantId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$appDisplayName = 'myappnamehere'
$dataLakeStoreName =  'datalakestorenamehere.azuredatalakestore.net'
$startDate = Get-Date
$endDate = $startDate.AddYears(3)
# Az module (Az.Resources): create the application with an initial password credential
$credentials = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property @{ StartDate=Get-Date; EndDate=Get-Date -Year 2099; Password='passw0rd'}
$app = New-AzADApplication -DisplayName $appDisplayName -IdentifierUris "https://localhost/$appDisplayName" -PasswordCredentials $credentials
$objId = $app.ObjectId
#Connect-AzureAD -Credential $psCred
# AzureAD module: add a second password credential to the same application object
$aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId $objId -CustomKeyIdentifier "secret01" -StartDate $startDate -EndDate $endDate
The last line fails with an error:
New-AzureADApplicationPasswordCredential : Error occurred while executing GetApplication
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: e13fd953-6655-44c5-b10c-1731421def65
DateTimeStamp: Wed, 12 Jun 2019 14:42:34 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:19
+ ... psecret01 = New-AzureADApplicationPasswordCredential -ObjectId $objId ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplicationPasswordCredential], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD.Graph.PowerShell.Custom.NewAzureADApplicationPasswordCredential

AD Connect health agent registration failed after installation

After the installation of Azure AD Connect on a Windows Server 2012 R2 machine, the AD Connect Health agent doesn't register. The services on the machine stay disabled and not started. I've read that I need to run the PowerShell command:

Register-AzureADConnectHealthSyncAgent -AttributeFiltering:$false -StagingMode:$false

However, this doesn't work as it comes back with "Configuration failed"

2018-04-17 01:40:54.893 Aquiring Monitoring Service certificate using tenant.cert


Configuration Failed

To retry configuration, type:
Register-AzureADConnectHealthSyncAgent

Monitoring will not start until configuration is successful.

To review installation steps and requirements, please visit:
http://go.microsoft.com/fwlink/?LinkID=518643

Detailed log file created in temporary directory:
C:\Users\admin.inova\AppData\Local\Temp\AdHealthAadSyncAgentConfiguration.2018-04-16_19-40-21.log

Register-AzureADConnectHealthSyncAgent : Failed configuring Monitoring Service using command: C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft Azure AD Connect Health Sync Agent\tenant.cert" version="1.1.751.0"
At line:1 char:1
+ Register-AzureADConnectHealthSyncAgent -AttributeFiltering:$false -St ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-AzureADConnectHealthSyncAgent], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.AadConnect.Health.AadSync.PowerShell.ConfigurationModule.RegisterAzureAdConnectHealthSyncAgent

There is no Proxy server used, which can be seen in the log files too:

2018-04-17 01:40:21.175 User Context outbound connections to https://management.azure.com/providers/Microsoft.ADHybridHealthService/ will use proxy address https://management.azure.com/providers/Microsoft.ADHybridHealthService/ (if equal, no proxy is used)
2018-04-17 01:40:21.175 Service Context: Outbound connections to https://management.azure.com/providers/Microsoft.ADHybridHealthService/ will use proxy address https://management.azure.com/providers/Microsoft.ADHybridHealthService/ (if equal, no proxy is used)

So, when I try to run Test-AzureADConnectHealthConnectivity, I get the following:

PS C:\Windows\system32> Test-AzureADConnectHealthConnectivity -Role Sync
Test-AzureADConnectHealthConnectivity's execution in details are as follows:
Starting Test-AzureADConnectHealthConnectivity ...

Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
AAD CDN connectivity is skipped.
Connecting to endpoint https://login.microsoftonline.com
Endpoint validation for https://login.microsoftonline.com is Successful.
Connecting to endpoint https://login.windows.net
Unhandled exception occurred: The operation has timed out
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc is Successful.
Connecting to endpoint https://policykeyservice.dc.ad.msft.net/policymanager.svc
Endpoint validation for https://policykeyservice.dc.ad.msft.net/policymanager.svc is Successful.
Connectivity Test Step 1 of 3 - Failed to connect some service endpoints, please investigate.

Connectivity Test Step 2 of 3 - Blob data upload procedure begins ...
Unhandled exception occurred: System.Security.Cryptography.CryptographicException: The parameter is incorrect.

   at System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope)
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.LoadIdentityInfo()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure()
   at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.ProcessRecord()

I've used the same account with the registration command as I used with installation of the Azure AD Connect software, of which the sync is running without problems.

There is MFA enabled on that account, but I do not see an issue there.

Hope somebody can assist.

Providing directory extension optional claims and returning value within token

I have a simple Web Forms app which uses standard Windows Integrated Authentication. I need to migrate this to Azure App Service and have enabled OWIN support to authenticate against Azure AD. This is all working; however, when I inspect the claims I am not seeing the sAMAccountName.

I have looked at the following article and found that I can extend AD Connect with Directory Extensions and sync the user's sAMAccountName to Azure AD. Again this is working OK, and if I query Graph Explorer I can see my attribute...

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

 "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName": "valuemasked",

I have added the following optional claims section within my manifest of my Azure AD App however when I launch my app in Visual Studio and inspect the claims returned I am not seeing the claim which shows me the attribute value.

foreach (System.Security.Claims.Claim claim in ClaimsPrincipal.Current.Claims)
    System.Diagnostics.Debug.WriteLine($"{claim.Type}: {claim.Value}"); // list every claim on the signed-in principal

Can anyone advise what I am missing here?

Thanks

Manifest below

"optionalClaims": {
  "idToken": [
    {
      "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
      "source": null,
      "essential": false,
      "additionalProperties": []
    }
  ],
  "accessToken": [
    {
      "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
      "source": null,
      "essential": false,
      "additionalProperties": []
    }
  ],
  "saml2Token": [
    {
      "name": "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName",
      "source": "user",
      "essential": false,
      "additionalProperties": []
    }
  ]
}

Sql server identity access to be compliant with GDPR (General Data Protection Regulation)

Hello,

We are a small clinic with 10 doctors. We use SQL Server on Azure to store encrypted medical data.

We use in-house software, a Windows Forms application with an encrypted SQL Server connection containing the SQL Server login and password.

We have a "Pay per use" subscription and we pay about $50 per month.

We don't have a budget to pay much more to add security features.

My question is, how can we use Azure Active Directory for 10 simultaneous users to protect our applications without paying too much?

We can create groups and users with our subscription; is this without additional cost?

How can we use these Active Directory users in the login string in our C# applications?

Thanks in advance for further information,

Jean-Marie Polain

Prevent Import to CS based on attribute value.

Hello,

I was wondering if there is a way to prevent the import of certain objects based on their attribute value. Let's say in my AD I have users that are disabled; what can I do to prevent importing them into the Connector Space? Note that I do not want these users to get imported into the CS and then prevent syncing them to the MV based on Sync Rules; I would simply like to have a filter before everything happens and prevent importing the object into the CS.


Mahdi Tehrani | | www.mahditehrani.ir
Make sure to download my free PowerShell scripts:


Service Principal Permission Revocation not working

Hi, 

I have an issue with revoking permissions on a Service principal created in our Azure AD environment. The spn has been created under the App Registrations section in the Azure Portal. Granting the permissions to the Azure AD Graph API is working after confirming the consent. Permissions granted are Read All Directory Data and Read All Applications Owned By. 

This has been tested with different calls via PostMan and Powershell. 

When I want to revoke the permission (not removing the spn), I see the permissions have been removed from the application, but my calls to Azure AD Graph API are still working. Permissions have been revoked via the Azure Portal under App Registrations and consent has been confirmed again. 

Analyzing the Bearer token tells me the roles are not assigned anymore, but when doing calls to Azure AD Graph, I still get results from my queries. 

Can someone explain this to me? 

How do you do an HTTP request in Android Studio to access an Azure web API that requires authentication?

Steps I have taken:

1. Added users and created groups in Azure

2. In Visual Studio I have created a web api which automatically creates an app registration in Azure. 

3. In Visual Studio web api I have created an App service which automatically shows in Azure. 

4. In Visual Studio web api I have created a connection to Azure Active directory by passing in the "AppId Uri" which you get from the app registration. 

5. In the Azure portal, in the app service I have turned on and set up advanced settings for Azure Active Directory.

6. In Azure portal, in app service I have given roles to users and groups in the "Access Control"

7. In Azure, go to App Registration and build the app in Android.

8. Open the app in Android studio and it allows you to log in and log out with the Active directory.

9. In the Android app once you have logged in, active directory returns an access token. I am passing the access token into the http request header to access the api which needs authentication, this gives me a 401. 

here is my http request:

RequestQueue queue = Volley.newRequestQueue(this);
JSONObject parameters = new JSONObject();

try {
    parameters.put("key", "value");
} catch (Exception e) {
    Log.d(TAG, "Failed to put parameters: " + e.toString());
}

JsonObjectRequest request = new JsonObjectRequest(Request.Method.GET,
        "https://garethtesterwebapi20190618012925.azurewebsites.net/api/values",
        parameters, new Response.Listener<JSONObject>() {
    @Override
    public void onResponse(JSONObject response) {
        /* Successfully called graph, process data and send to UI */
        Log.d(TAG, "Response: " + response.toString());

        updateGraphUI(response);
    }
}, new Response.ErrorListener() {
    @Override
    public void onErrorResponse(VolleyError error) {
        // networkResponse is null when no response came back at all (timeout, no connectivity)
        if (error.networkResponse != null) {
            Log.d(TAG, "Error: " + error.networkResponse.statusCode);
            Log.d(TAG, "Error: " + error.networkResponse.allHeaders);
        } else {
            Log.d(TAG, "Error: " + error.toString());
        }
    }
}) {
    @Override
    public Map<String, String> getHeaders() {
        Map<String, String> headers = new HashMap<>();
        //headers.put("Content-Type", "application/json; charset=UTF-8");
        // Access token from the Azure AD sign-in result is sent as a bearer token
        headers.put("Authorization", "Bearer " + authResult.getAccessToken());
        return headers;
    }
};

Log.d(TAG, "Adding HTTP GET to Queue, Request: " + request.toString());

request.setRetryPolicy(new DefaultRetryPolicy(
        3000,
        DefaultRetryPolicy.DEFAULT_MAX_RETRIES,
        DefaultRetryPolicy.DEFAULT_BACKOFF_MULT));
queue.add(request);

Can anyone tell me why I am getting a 401 and how to solve this??

Any help would be greatly appreciated.

Thanks

Gareth 

REST API grant RBAC to Management Group after creation???

I perform the following steps:
1. Create and register a Service Principal in the portal (Azure Active Directory -> App Registrations). I have the token key.
2. Use the REST API to create a Management Group using this Service Principal (see the code below).
3. Use the REST API to grant 'Contributors', 'Owner' or 'User Access Administrator' to an identity, but I keep getting the error:
'Tenant ID, application ID, principal ID, and scope are not allowed to be updated.'

How can I get past this?

More REST API calls are below.
For creating the management group, I call:
PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/gary2?api-version=2018-03-01-preview

Body: 
{
  "id": "/providers/Microsoft.Management/managementGroups/gary2",
  "type": "/providers/Microsoft.Management/managementGroups",
  "name": "gary2",
  "properties": {
    "tenantId": "20000000-0000-0000-0000-000000000000",
    "displayName": "gary2"
  }
}


For REST API to grant access to the newly created group:
PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/gary1/providers/Microsoft.Authorization/roleAssignments/b24988ac-6180-42a0-ab88-20f7382dd24c?api-version=2015-07-01

Body: 

{
  "properties": {
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalId": "804cb9e6-8adc-48f6-9f76-3d93b3c1792c"
  }
}


Keep getting the response error as:
{
  "error": {
    "code": "RoleAssignmentUpdateNotPermitted",
    "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."
  }
}
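A helper for building this kind of role-assignment request, added here as an example and not part of the post above. It keeps one scope for the target management group, validates the GUIDs, and generates a fresh GUID for the role assignment name in the URL: Azure Resource Manager requires that name to be unique per assignment, and a PUT to an already-existing assignment name with a different principal or scope is treated as an update of that assignment, which is not permitted. The management group name, principal ID and Contributor role definition ID are the values from the post; nothing is sent to Azure, the function only returns the URL and body to send.

```python
import json
import re
import uuid
from typing import Dict, List, Optional, Tuple

ARM_BASE = "https://management.azure.com"
ROLE_ASSIGNMENT_API_VERSION = "2015-07-01"  # API version used in the post
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def management_group_scope(group_name: str) -> str:
    """ARM scope string for a management group; use the same scope for creation and assignment."""
    return f"/providers/Microsoft.Management/managementGroups/{group_name}"


def lint_role_assignment_name(assignment_name: str, role_definition_guid: str) -> List[str]:
    """Return problems with a proposed role assignment name (empty list means it is fine).

    The name is the GUID at the end of the roleAssignments URL. It must be a GUID and
    unique per assignment; reusing the role definition GUID (or any existing assignment's
    name) makes a later PUT look like an update of that earlier assignment.
    """
    problems = []
    if not GUID_RE.match(assignment_name):
        problems.append("assignment name is not a GUID")
    if assignment_name.lower() == role_definition_guid.lower():
        problems.append("assignment name reuses the role definition GUID; generate a new GUID per assignment")
    return problems


def build_role_assignment_request(
    scope: str,
    role_definition_guid: str,
    principal_id: str,
    assignment_name: Optional[str] = None,
) -> Tuple[str, Dict]:
    """Build the PUT URL and JSON body for a role assignment at `scope`.

    A fresh uuid4 is used as the assignment name unless one is supplied explicitly.
    """
    if not GUID_RE.match(role_definition_guid):
        raise ValueError(f"role definition id is not a GUID: {role_definition_guid!r}")
    if not GUID_RE.match(principal_id):
        raise ValueError(f"principal id is not a GUID: {principal_id!r}")
    if assignment_name is None:
        assignment_name = str(uuid.uuid4())
    problems = lint_role_assignment_name(assignment_name, role_definition_guid)
    if problems:
        raise ValueError("; ".join(problems))
    url = (
        f"{ARM_BASE}{scope}/providers/Microsoft.Authorization/roleAssignments/"
        f"{assignment_name}?api-version={ROLE_ASSIGNMENT_API_VERSION}"
    )
    body = {
        "properties": {
            "roleDefinitionId": f"/providers/Microsoft.Authorization/roleDefinitions/{role_definition_guid}",
            "principalId": principal_id,
        }
    }
    return url, body


if __name__ == "__main__":
    # Values from the post: the Contributor role definition and the principal being granted access,
    # assigned at the scope of the management group that was just created.
    scope = management_group_scope("gary2")
    url, body = build_role_assignment_request(
        scope, "b24988ac-6180-42a0-ab88-20f7382dd24c", "804cb9e6-8adc-48f6-9f76-3d93b3c1792c"
    )
    print("PUT", url)
    print(json.dumps(body, indent=2))
```

Run the lint on the URL you are about to send before the PUT; if it reports a reused GUID, mint a new one and try again instead of retrying the same request.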

Azure AD Auth Reply Url Issue

Hi, I have a .NET Core web app that utilises Azure AD for its auth using the NuGet package. It is hosted in Kubernetes and passed via the Azure Application Gateway for SSL.

Now when going to the URL, I get the prompt to sign in to Azure AD but it fails with the below error. The URL of the site is added in the reply URLs of the app registration and appended with "/signin-oidc", and I am passing "/signin-oidc" as the reply URL to the auth module.

Is there any way in azure to see what reply url is getting passed with the sign in attempt?  

Error:

Sorry, but we’re having trouble with signing you in.

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 

Self Service password reset portal. Hardly any passwords are being accepted when users try to reset. They fit the standard required.

I have tried random password generators. I have tried passwords that have been accepted by one user but will not be accepted then for another user. As mentioned, the passwords meet the criteria. The same standard is set in regular AD and passwords are accepted there no problem.

Has anyone else experienced this? Can anyone advise?

Thanks in advance

How do I solve the error "The signature is invalid" when sending a https request to a web api in Visual Studio?

I have set up a web API in Visual Studio with Active Directory authentication, but when I make an HTTPS request with the token returned from Active Directory, I get this error:

Server: Microsoft-IIS/10.0
WWW-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"
X-Powered-By: ASP.NET
Date: Wed, 19 Jun 2019 14:32:50 GMT
Content-Length: 0

Any help would be greatly appreciated.

Thanks

Gareth
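The optional-claims post, the Android 401 post and this "The signature is invalid" post all come down to what the token being presented actually carries. Added example, not from any of the posts: decode the header and payload of a compact JWT for inspection (without verifying the signature, so for debugging only, never for an authorization decision) and report the signing key id, issuer and audience that an API's token validation depends on, plus whether a required claim such as the directory-extension claim named in the claims post is present. The sample token, tenant id and audience values are constructed.

```python
import base64
import json
from typing import Dict, List, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url-encoded without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into its header and payload dicts.

    The signature is deliberately NOT checked: this is for looking at what a token
    carries while debugging, not for deciding whether to trust it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def inspect_token(token: str, expected_audience: str, required_claims: List[str]) -> Dict:
    """Summarise the fields an API's token validation and an app's claims handling depend on."""
    header, payload = decode_jwt_unverified(token)
    aud = payload.get("aud")
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),  # identifies the issuer's signing key the API must resolve
        "iss": payload.get("iss"),
        "aud": aud,
        "audience_matches": aud == expected_audience,
        "missing_claims": [c for c in required_claims if c not in payload],
    }


def make_sample_token(payload: Dict) -> str:
    """Build a constructed, unsigned sample token for offline testing (not a real Azure AD token)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Claim name from the optional-claims post
EXTENSION_CLAIM = "extension_3cb1857501cc42a79dfc94edbee4c244_sAMAccountName"

if __name__ == "__main__":
    token = make_sample_token({
        "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",  # constructed tenant id
        "aud": "api://constructed-api",
        EXTENSION_CLAIM: "jdoe",
    })
    print(json.dumps(inspect_token(token, "api://constructed-api", [EXTENSION_CLAIM]), indent=2))
```

Paste a real token's value in place of the constructed one only on a machine you control and treat the output as sensitive; the check tells you whether the token was issued for the audience the API validates and whether the claim you configured made it in at all, which narrows a 401 or a missing-claim problem to either the token request or the API's validation settings.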

Azure AD Domain Services - Custom domain and LDAP

Hi

I am fairly new to Azure and installed Azure AD Domain Services with a custom domain.

I have configured LDAP and can verify and browse the default domain, but I cannot see any users created in the custom domain, i.e.

Default AAD domain ABC.local - able to browse the directory

Custom domain XYZ.co.za - unable to browse or see this directory?

Any ideas welcome.

Thanks


Unjoin PC when employee changed, Azure doesn't update records?

We are using the "free" AzureAD level that comes when using Office365 (not any P level).

In readying a PC to go to a future (as yet unknown) staff member, the PC is still attached to the old user in the Azure console. This is an issue because the Bitlocker key is stored under the old employee, and we will soon remove that employee's Office365/Azure subscription. OF COURSE, we have already printed the Bitlocker key to be safe :)

The PC was joined to Azure initially as employeeA.
ItDesk was an additional work or school user.
EmployeeA has been deleted from the PC.

ItDesk is now the only account on the PC.
Currently "Work and School" for the ITDesk shows it is connected to the company Azure.

I gather there is some difference between JOIN and CONNECT.
How do I unjoin employeeA and join via ItDesk in the interim then later future employeeB?

If we remove employeeA from Office365/Azure NOW, will the PC info in Azure automatically move to another user detected on the PC (ItDesk), or show with a generic 'user deleted' or something? Or will it just disappear?

We will often keep a PC in the same department - so just remove the user and personal content, keep the departmental info intact and save having to reconfigure at least the non-user/PC-wide settings again - i.e. we do not reset Windows between users. What kind of consequence does this have with Azure? When you UNJOIN a PC, what info will be lost on the PC itself?

I noticed that when a PC is renamed, the name change never makes it back to Azure. Is there any command that can be run on the PC to update the info or a function I am just not finding in the Azure admin console to request updated info from the PC ? The field is not editable.

New Combined Registration (preview) - Enforcing to register for self-service password reset not working correctly

Hello

We are testing the new combined registration for SSPR in Azure and force our users to register for self-service password reset. It works correctly for users who have never logged in to Office365 before.

However, users who have already logged in to Office365 before are strangely not prompted to register their security information.

Self-service password reset assigned by AD group
Require registration of users at login is enabled
Pass-Through Authentication Enabled
Single Sign-On activated
Azure AD P1 license assigned
Password writeback activated

Is this a known bug? Who can help?

Thx

Unable to change "acceptMappedClaims" and cannot add an application-specific signing key for SSO using OIDC

I'm setting up an application on AzureAD to enable SSO via OIDC.

We want to receive some more claims on the id token, so we've followed the indications at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping .

Currently, after applying the policy, SSO fails with "AADSTS50146: This application is required to be configured with an application-specific signing key"

We've tried adding an application-specific key to the service principal, but with no success.

When we try to edit the application manifest to change "acceptMappedClaims" to true, it fails with "Error detail: Insufficient privileges to complete the operation"

What am I doing wrong?

[B2C] How to add more users from parent directory, and how to allow accounts to sign in without signing up via B2C policy?

Hi folks,

We've been looking into using B2C as our user database and authentication layer for our Azure-based software. On a high level, it looks like it might work just fine for us, but I have two questions that I can't seem to find the solution or answers to.

1. When I first create my B2C tenant, my Azure account is added to the tenant as a Member and is also set as the Global Administrator role. The account is pulled in from, what I assume is, the parent subscription's directory. The username takes the form of "rcole_my-email-domain.com#EXT#@my-subscription-directory.onmicrosoft.com". The source for this account says "External Azure Active Directory". This is great and fine - I want this account to come in automatically as an admin. My question though is how do I add other accounts from that same external Azure AD? I have a few other accounts that I'd love to pull in from there, so I don't have to go through the process of re-inviting them every time we create a new B2C tenant. I've tried using the "New User" button, but it doesn't seem to accept any input that I type in. The "New Guest User" button seems to only add people from outside of the directory - it invites them, which isn't what I'm looking for. How can I add more users just like the one that is automatically created for me?

2. Initially, my user account that I mention above, in step 1, cannot sign in to this B2C tenant - it says user not found. Additionally, users that I invite via the "New guest user" button cannot sign in, either. The only users that appear to be able to sign in, via my B2C policies, are users that signed up through the B2C policies - not invited. Surely there is a way to allow these accounts to sign in, without explicitly signing up through the B2C policy, correct? Am I just missing a permission, group or role?

Thanks! These two questions will help me a lot if I can understand them deeper.
