Channel: Azure Active Directory forum

"There was an issue looking up your account. Tap Next to try again" error when logging in


We've been using Azure AD in our ASP.Net web application for a few years via what is now the legacy app registration (and SAML). Just recently, when the web application redirects to the Microsoft login page and we key in our Azure AD credentials, we get:

There was an issue looking up your account. Tap Next to try again.

Clicking Next will keep triggering the message.

It's like the login landing page can't access our directory to look up the account... although we've not changed anything in our configuration.

We created a new app registration (as opposed to the legacy app registrations), but we still get the same error. I can't enable 'advanced diagnostics' on the sign-in page, either, and I can't find any further information on this error message.

Anyone have any ideas?



Removing the Exchange Server after setting up a hybrid environment with AD sync


Hello,

I have an Exchange 2013 server. I've set up AD sync and it is working. I'm about to set up a hybrid environment so I can start migrating all the mailboxes over. When it is done, I'd like to keep AD sync for authentication but get rid of the Exchange server completely.

I saw on a few videos that a couple of years ago this was a bad option as it would mess up email settings for the Office 365 cloud email accounts. Is this still the case that you have to keep an on-prem Exchange server, or have they made it so you can get rid of it?

Configuring LDAP??


Researching options on the best way to configure some software in a Windows Server 2016 environment on Azure. I'm installing "NoMagic's TeamWork Cloud, not their TeamWork Server" software and plan on configuring LDAP within that software. What would be the best way of accomplishing this? Deploying AD services on the Server 2016 instance, or can I utilize Azure AD Domain Services? Definitely new to the whole Azure thing, so any help/guidance would be greatly appreciated!!

How to get information from Azure Active Directory using Graph API


Hi,

I am calling the Microsoft Graph API to get the clientId, ApplicationId and ObjectID based on the name (AAD name). Below is the Graph API which I am trying to call:

"https://graph.windows.net/myorganization/<DisplayName>/<ResourceGroupName>/getMemberObjects?api-version"

When I call it, it is not giving any response nor any error.

Can anyone help to fix this or is there any better solution instead of calling an API?

Thanks in advance


Ramandeep

Create Client-Secret - User Not Found


Using the below to create the new registered app...

$subId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$tenantId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$appDisplayName = 'myappnamehere'
$dataLakeStoreName = 'datalakestorenamehere.azuredatalakestore.net'
$startDate = Get-Date
$endDate = $startDate.AddYears(3)
# Az module: initial password credential handed to the new app registration
$credentials = New-Object Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property @{ StartDate=Get-Date; EndDate=Get-Date -Year 2099; Password='passw0rd'}
$app = New-AzADApplication -DisplayName $appDisplayName -IdentifierUris "https://localhost/$appDisplayName" -PasswordCredentials $credentials
$objId = $app.ObjectId
#Connect-AzureAD -Credential $psCred
# AzureAD module cmdlet (separate module from the Az cmdlets above)
$aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId $objId -CustomKeyIdentifier "secret01" -StartDate $startDate -EndDate $endDate

The last line fails with an error:

New-AzureADApplicationPasswordCredential : Error occurred while executing GetApplication
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: e13fd953-6655-44c5-b10c-1731421def65
DateTimeStamp: Wed, 12 Jun 2019 14:42:34 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:19
+ ... psecret01 = New-AzureADApplicationPasswordCredential -ObjectId $objId ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplicationPasswordCredential], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD.Graph.PowerShell.Custom.NewAzureADApplicationPasswordCredential

How to prevent browser SSO for AAD joined machines?


Hi,

When a machine is joined to Azure AD and the user authenticates to Windows using AAD credentials, it will automatically insert the primary refresh token (PRT) into the x-ms-RefreshTokenCredential header of HTTP requests sent to login.microsoftonline.com. This results in SSO to the service using my Windows AAD credentials. Usually this is desirable; however, I do not always want to authenticate to the service using this credential!

I need to know how to prevent this SSO from being attempted. The specific case is an application that uses the WebBrowser Control to render the web pages used for Azure AD authentication.

In Internet Explorer 11 I have observed that I can produce the behaviour I expect by:

  1. Browse to https://login.microsoftonline.com which signs in automatically
  2. Sign out
  3. Browse to https://login.microsoftonline.com again and this time logon form is displayed as expected

However, in my case the application does not expose a URL bar and there is no way for me to explicitly sign out from AAD; therefore I cannot work out how to prevent the SSO and therefore cannot authenticate to the application with any credentials other than my Windows AAD credentials.

I have found however that the logon form is displayed on some computers, so there must be a way to prevent the auto-logon via the web browser control in this application. Any ideas?

Thanks,
Simon.
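
Added example (Python; not part of Simon's post or any Microsoft sample): when the application itself builds the authorize request it loads into the WebBrowser control, the OpenID Connect parameter prompt=login tells login.microsoftonline.com to show the credential form regardless of any existing session, including the PRT-backed SSO described above. The tenant, client id and redirect URI values are placeholders, and the state check shows how the callback should be bound to the request that was issued.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"  # Microsoft identity platform


def build_authorize_url(tenant, client_id, redirect_uri, force_login=True):
    """Return (url, state, nonce) for an OIDC authorization-code request.

    With force_login=True the request carries prompt=login, which makes the
    login endpoint require credentials even when the browser already has a
    session (for example one obtained silently via the PRT on an AAD-joined
    machine). With force_login=False the endpoint may sign in silently.
    """
    state = secrets.token_urlsafe(16)   # tie the callback to this request
    nonce = secrets.token_urlsafe(16)   # echoed in the id_token, checked later
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
    }
    if force_login:
        params["prompt"] = "login"
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"
    return url, state, nonce


def query_params(url):
    """Flatten the query string of a URL into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_callback(callback_url, expected_state):
    """Return the authorization code, or None if the state does not match."""
    q = query_params(callback_url)
    if q.get("state") != expected_state:
        return None  # reply for a request we did not issue; discard it
    return q.get("code")


if __name__ == "__main__":
    # Placeholder tenant and client id, constructed for this example.
    url, state, _ = build_authorize_url(
        "common", "00000000-0000-0000-0000-000000000000",
        "https://localhost/signin-oidc")
    print(url)
```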

Azure B2C - WebSite and API Security


Hi All, 

I have Azure B2C configured for a web site with two Web APIs. After the user has logged in, I am getting the logged-in user information with the help of the System.Security.Claims namespace.

As mentioned, the API endpoints are also secured using the code below:

options.Events = new JwtBearerEvents
{
    OnTokenValidated = context =>
    {
        if (context.SecurityToken is JwtSecurityToken token)
        {
            if (context.Principal.Identity is ClaimsIdentity identity)
            {
                identity.AddClaim(new Claim("access_token", token.RawData));
            }
        }

        return Task.FromResult(0);
    },
    OnAuthenticationFailed = AuthenticationFailed
};

Questions:

1. Which token am I supposed to pass to access these API endpoints?

2. How do I get those tokens?

3. How do I refresh the token?

4. From that access token, am I able to get the website's logged-in email address?


Selvakumar Rathinam

Azure AD SSO for internal applications access


I want to use Azure AD SSO to grant SSO access to internal applications, but access from internal corporate users, not remotely. I understand Application Proxy can be used to grant remote access to internal applications with SSO, but I read that it is not recommended to use Application Proxy for internal access. What is the best solution to use Azure SSO if I want to grant internal users internal access to on-premise applications with SSO (examples would be password-based or SAML applications that are accessed only by users from the corporate network)?

thank you


MM


Azure B2C - SAML Implementation


Hi All,

We have applications using the SAML 2.0 open standard for authentication.

We want to integrate those applications with Azure B2C AD.

Can you guys please help me with how to do the implementation?



Selvakumar Rathinam

Integrating the 3rd Party Application with Azure AD Logins


Hi All, 

I have other 3rd-party applications being used in my organization. We want those applications to use Azure AD employee credentials to log in. Most of the applications use the OpenID/OAuth standard token.

Can you please let me know how I can integrate those applications with our organization's Azure AD? The benefit is that employees need not use separate credentials to log in; they can use the same login credentials they use for Windows and Office 365.



Selvakumar Rathinam

MFA/2FA Windows login with Intune & Azure


Hey guys !

I wondered if there is a way to provide 2FA on Windows login (every time) with an Intune-enrolled device (without any local AD), and all this without using third-party software like DUO :3

Thanks !

How to merge Azure Active Directory/Azure Instance with Office 365 AAD


We recently have been working on getting our Office 365 instance up and running. We have successfully activated some of the services, and got DirSync/ADFS properly syncing to our on-site Active Directory.

However, separate from this installation, we have an existing Azure instance that we have been using for over a year now. It contains various servers and data.

When attempting to get Azure Active Directory working on the Azure side of things, I found that it seems to be a completely separate instance of AAD. However, if I try to log in to the Azure Portal with my usernames/passwords from the Office 365 side it works, but they are unassociated with our existing Azure subscription. (I receive a message saying that there is no subscription associated with the account.)

Long story short, my question is how can I merge my Office 365 Instance of AAD with my Azure instance of AAD without impacting what we already have running on Office 365 and/or Azure?

Microsoft Graph API permissions issue


Good morning

I am trying to add and remove users from a directory role (Guest Inviter) based on a user's ID. My client ID has Directory.ReadWrite.All for the Microsoft Graph application. I am using the ID for the directory role and the ID for the user. Using an HTTP client call (verb is DELETE), I use the format suggested by Microsoft:

DELETE /directoryRoles/{id}/members/{id}/$ref

https://docs.microsoft.com/en-us/graph/api/directoryrole-delete-member?view=graph-rest-1.0&tabs=cs

When I make the HTTP call I get an "Insufficient privileges to complete the operation." error. Our admins say that the client ID that I am using should be able to do this. I don't see any syntax errors - only privilege. I can perform other non-delete tasks successfully using that ID. Any insight would be appreciated.

Update

I see reference to having to pass credentials for a user with an Admin role, but I am not certain how I would do that in the context of calling the API endpoint.

Thank you.


Adding a second AD sync domain controller


Hello,

We have a company with multiple offices. We have Domain Controllers in more than one office location. I'm concerned that if the internet goes down at our HQ, people won't be able to log into Office 365 since we have AD sync enabled. I figure I could put AD sync on another domain controller in another office, but I'm not sure if the customization filters I've set up automatically go to the second server, or if there is a way to set primary vs. secondary or anything else. Are there any good videos or articles on this? I haven't found any yet.

Azure AD Auth Reply Url Issue


Hi, I have a .NET Core web app that utilises Azure AD for its auth using the NuGet package. It is hosted in Kubernetes and passed via the Azure Application Gateway for SSL.

Now when going to the URL, I get the prompt to sign in to Azure AD but it fails with the below error. The URL of the site is added in the reply URLs of the app registration and appended with "/signin-oidc", and I am passing "/signin-oidc" as the reply URL to the auth module.

Is there any way in Azure to see what reply URL is getting passed with the sign-in attempt?

Error:

Sorry, but we’re having trouble with signing you in.

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: 


Lift and Shift Migration in Azure using Tool


We have an on-premises workload of a few J2EE/.NET apps, batches and a DB2 database. We are planning to move the workloads as lift and shift into the Azure cloud using some migration tool.

What is the Microsoft recommended tool for lift and shift migration into the Azure cloud?

What is the Microsoft recommended tool for DB2 database lift and shift into the Azure environment?

I know about Azure Site Recovery which can replicate the same environment in cloud. But is ASR the standard approach for lift and shift migration? What are the limitations of lift and shift migration approach with ASR?

Creating new Azure account when part of larger global company?


Apologies if this isn't in the exact right forum. I suppose this is an architecture question, but this is the closest subforum I could find.

I work for a small multinational software company, I'm based in the US, our HQ is in Australia. Our company-wide Azure/Office365/AD account is administered through the HQ office. Our North American division (which I run) wants to have our own, independent Azure cloud for development, testing, etc.

 

I just created a new Azure trial account using my company email address, and it automatically synced with our global AD and has populated my credentials directly off the AD. I don't have admin rights, etc. I'm just a regular user with access to the various projects I already have access to, but interestingly, I don't see any of our VMs, SQL DBs, etc. I can only see them if I log in to DevOps through our "xxx.com.au" Australian domain. All the American staff have a "xxx.com" American domain.

 

I need to be able to run this separate Azure environment as an admin, make other people admins, etc. This doesn't appear to be currently possible because I am not set as an Admin within our global AD.

 

Can I conveniently/easily accomplish this by creating a new subsidiary "organization" within DevOps? Or am I better off just creating a brand new Azure account with a non-company email for the time being? At some point down the road we will need to bring this new account "into the fold" when my Azure engineers are off their current project and can devote time to this, but I'm kinda flying solo on this one for the next month and running up against deadlines. Thanks so much for any thoughts/help you can provide!

 


Transition from On-prem AD to Azure Active Directory Domain Services


Hello Experts,

Consider the scenario below.

Customer A has on-prem Active Directory with Azure Active Directory Connect that synced to Azure AD. Most applications are O365 based; however, there are domain-joined workstations, file servers and print servers.

The customer wants to transition to a full cloud architecture, and is considering replacing on-prem file servers with Azure Files, getting a cloud-based solution for the print solution, and then considering Azure AD join for the Windows 10 workstations.

These are the questions:

  1. If the customer's on-prem environment has contoso.com as the domain name (in Windows Active Directory), can a managed domain be created in Azure Active Directory Domain Services as contoso.com?
  2. Can Azure Active Directory Domain Services support a VM with print services, if having cloud-based print services is not available?
  3. Do we need to consider hybrid connectivity between the customer site and Azure for connectivity to Azure Active Directory Domain Services?


Sync Error


I keep getting

the SMTP:dabcd@consorto.com is the current on-prem AD admin and O365 admin (dabcd@consorto.com). I do have a user on-prem and in the cloud for the On-Premises Directory Synchronization Service Account.

I have read the KB's and am totally confused on what to do.

Identity: dabcd6681@consorto1.onmicrosoft.com

Error Description: Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:dabcd@consorto.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

sourceAnchor: GgbsuX/+5E+DUUoLp6vQ6g==
