All,
I want to implement a custom login page that accepts a user name and password instead of the Azure AD login page. It's an ASP.NET Core MVC application.
The ability to CREATE and DISABLE Dropbox Accounts via the Provisioning Services works, but if I delete an in-scope Azure User Account, it will not delete the associated Dropbox Account.
An Azure Security Group is used to control whether an Azure User Account is in scope.
First, I tried removing the user account from the Security Group. Nothing.
Then, the user account was deleted in Azure. Nothing.
I have set up a Web API in Visual Studio with Active Directory authentication, but when I make an HTTPS request with the token returned from Active Directory, I get this error:
Any help would be greatly appreciated.
Thanks
Gareth
I want to have 2 login providers for my app. Customers would connect with B2C and employees would connect with our AAD by SSO. Currently the B2C login for customers works with a SignIn V2 user flow, and our SSO works just fine for any other applications.
I followed these 2 pages to get started, using the exact same names:
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom
They could be clearer but I think I got everything right as far as the XML goes. When I run my custom policy, I get a page with a login form and a button to connect with the AD. If I click the button, I'm redirected to the SSO page and I log in with my user. The first time I'm asked to accept the permissions. So far so good, but after that I get redirected to https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/authresp, which gives a generic error 500 page. In the B2C Audit log, I see an event "Federate with an identity provider" with "Status: success" for the same datetime as my login, so I believe the login works. Similarly, I can see a successful sign-in in the user's page in the AAD.
Is there something more I need to do that the MSDN pages missed? I should be getting redirected to jwt.ms with a token.
Relevant XML files (redacted):
TrustFrameworkBase.xml (only the parts I've modified):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="mytenant.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkBase" PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase">
  <!-- snip default building blocks -->
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <DisplayName>Local Account SignIn</DisplayName>
          <Protocol Name="OpenIdConnect" />
          <Metadata>
            <Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item>
            <Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item>
            <Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item>
            <Item Key="ProviderName">https://sts.windows.net/mytenantguid/</Item>
            <Item Key="METADATA">https://login.microsoftonline.com/mytenant.onmicrosoft.com/.well-known/openid-configuration</Item>
            <Item Key="authorization_endpoint">https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/token</Item>
            <Item Key="response_types">id_token</Item>
            <Item Key="response_mode">query</Item>
            <Item Key="scope">email openid</Item>
            <!-- Policy Engine Clients -->
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" />
            <InputClaim ClaimTypeReferenceId="password" Required="true" />
            <InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" />
            <InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" />
            <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" />
            <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />
          </OutputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <!-- snip other default claim providers -->
  </ClaimsProviders>
  <!-- snip default user journeys -->
</TrustFrameworkPolicy>
TrustFrameworkExtension.xml
<?xml version="1.0" encoding="utf-8" ?>
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="mytenant.onmicrosoft.com" PolicyId="B2C_1A_TrustFrameworkExtensions" PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>mytenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks></BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">ProxyIdentityExperienceFramework_AppId</Item>
            <Item Key="IdTokenAudience">IdentityExperienceFramework_AppId</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFramework_AppId" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFramework_AppId" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <Domain>Mycompany</Domain>
      <DisplayName>Login using Mycompany</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="MycompanyProfile">
          <DisplayName>Mycompany Employee</DisplayName>
          <Description>Login with your Mycompany account</Description>
          <Protocol Name="OpenIdConnect"/>
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="METADATA">https://login.windows.net/mytenant.onmicrosoft.com/.well-known/openid-configuration</Item>
            <Item Key="ProviderName">https://sts.windows.net/mytenantguid/</Item>
            <Item Key="client_id">AzureADB2CApp_AppdId</Item>
            <Item Key="IdTokenAudience">AzureADB2CApp_AppdId</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="response_types">code</Item>
            <Item Key="scope">openid</Item>
            <Item Key="response_mode">form_post</Item>
            <Item Key="HttpBinding">POST</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_MycompanySecret"/>
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
            <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
          </OutputClaimsTransformations>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignInMycompany">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signinwithpassword">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
            <ClaimsProviderSelection TargetClaimsExchangeId="MycompanyExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Check if the user has selected to sign in using one of the social providers -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
            <ClaimsExchange Id="MycompanyExchange" TechnicalProfileReferenceId="MycompanyProfile" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). This can only happen when authentication happened using a social IDP. If a local account was created or authentication was done using ESTS in step 2, then a user account must exist in the directory by this time. -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
              <Value>objectId</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent in the token. -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>authenticationSource</Value>
              <Value>socialIdpAuthentication</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
SignUpOrSigninMycompany.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="mytenant.onmicrosoft.com" PolicyId="B2C_1A_signup_signin_mycompany" PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_signup_signin_mycompany">
  <BasePolicy>
    <TenantId>mytenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignInMycompany" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
In the Identity Experience Framework panel, I run B2C_1A_signup_signin_mycompany and choose testapp1 with https://jwt.ms as the reply URL.
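A generic error 500 at the authresp endpoint gives no hint about which part of a custom policy failed, so the first thing a practitioner checks is whether every reference across the base, extensions and relying-party files resolves (a TargetClaimsExchangeId that matches no ClaimsExchange Id, a TechnicalProfileReferenceId that matches no TechnicalProfile, a DefaultUserJourney that matches no UserJourney). The following linter is an added example, not code from the post or from Microsoft; it runs stand-alone on three constructed policy fragments (with a "Contoso" provider and a deliberately misspelled exchange Id, all invented here) rather than on the policies above, and it only checks the reference kinds listed in the code, with the base file cut down to what the sample journey needs.

```python
import xml.etree.ElementTree as ET

# Namespace shared by every Azure AD B2C TrustFrameworkPolicy document.
NS = {"p": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample files (not the poster's policies). The base is trimmed
# to the two profiles that the sample journey borrows from it.
SAMPLE_BASE = """
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicyId="B2C_1A_TrustFrameworkBase">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer"/>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email"/>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>
"""

# Deliberate defect: the exchange is defined as "ContosoExchnage" but the
# provider selection in step 1 targets "ContosoExchange".
SAMPLE_EXTENSIONS = """
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicyId="B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="login-NonInteractive"/>
    <TechnicalProfile Id="ContosoProfile"/>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignInContoso">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange"/>
            <ClaimsProviderSelection TargetClaimsExchangeId="ContosoExchange"/>
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email"/>
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="ContosoExchnage" TechnicalProfileReferenceId="ContosoProfile"/>
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
"""

SAMPLE_RELYING_PARTY = """
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicyId="B2C_1A_signup_signin_contoso">
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignInContoso"/>
    <TechnicalProfile Id="PolicyProfile"/>
  </RelyingParty>
</TrustFrameworkPolicy>
"""


def _attr_values(root, path, attrs):
    """Yield the non-empty values of the given attributes on every element at path."""
    for el in root.iterfind(path, NS):
        for attr in attrs:
            value = el.get(attr)
            if value:
                yield value


def lint_policy(policy_xml_docs):
    """Return sorted (kind, id) pairs for references that no loaded file defines.

    Definitions and references are pooled across all files, mirroring how B2C
    resolves a relying-party policy through its BasePolicy chain; omit the base
    file and everything it defines shows up as unresolved.
    """
    kinds = ("TechnicalProfile", "ClaimsExchange", "UserJourney")
    defined = {k: set() for k in kinds}
    referenced = {k: set() for k in kinds}
    for doc in policy_xml_docs:
        root = ET.fromstring(doc.strip())
        for kind in kinds:
            defined[kind].update(_attr_values(root, ".//p:%s" % kind, ("Id",)))
        referenced["TechnicalProfile"].update(
            _attr_values(root, ".//p:ClaimsExchange", ("TechnicalProfileReferenceId",)))
        referenced["TechnicalProfile"].update(
            _attr_values(root, ".//p:OrchestrationStep", ("CpimIssuerTechnicalProfileReferenceId",)))
        referenced["ClaimsExchange"].update(
            _attr_values(root, ".//p:ClaimsProviderSelection",
                         ("TargetClaimsExchangeId", "ValidationClaimsExchangeId")))
        referenced["UserJourney"].update(
            _attr_values(root, ".//p:DefaultUserJourney", ("ReferenceId",)))
    return sorted((kind, ref) for kind in kinds for ref in referenced[kind] - defined[kind])


if __name__ == "__main__":
    all_files = [SAMPLE_BASE, SAMPLE_EXTENSIONS, SAMPLE_RELYING_PARTY]
    print("all three files loaded:", lint_policy(all_files))
    print("base file omitted:     ", lint_policy(all_files[1:]))
```

Run it against real files by reading all three policies (the full TrustFrameworkBase.xml, not a snipped copy) into the list; anything reported for the base alone is noise, so the base must be loaded before the output means anything.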
Hi,
I found a lot of threads regarding this but I am not sure if they are still valid at this point in time, i.e. Jun 2019.
This link, which was updated in Jul 2017, says 'You must use Azure AD Graph API' to manage users in an Azure AD B2C directory.
But at the same time this link says 'As of February 2019, we started the process to deprecate some earlier versions of Azure Active Directory Graph API in favor of the Microsoft Graph API.'
I found this link which has a road map for AAD Graph and Microsoft Graph. But it is still not clear whether we should use Microsoft Graph or Azure AD Graph for a B2C tenant. I couldn't find any example of how to fetch user attributes using Microsoft Graph.
Question
Should I still keep on using 'Azure AD Graph' if I am dealing with a B2C tenant?
Regards, Hemant Shelar
Hi All,
I have Azure B2C configured for a Web Site with two Web APIs. After the user has logged in, I get the logged-in user information with the help of the System.Security.Claims namespace.
As mentioned, the API endpoints are also secured using the code below:
options.Events = new JwtBearerEvents
Questions:
1. Which token am I supposed to pass to access these API endpoints?
2. How do I get those tokens?
3. How do I refresh the token?
4. From that access token, can I get the website's logged-in email address?
Selvakumar Rathinam
- Auth URL: AUTHORITY1
- Access Token URL: ACCESSURL
- Client ID: CLIENT_ID
- Client Secret: CS
- Scope: read
- Grant Type: Client Credentials
Where and how to find these values?
Hi,
I'm trying to understand if it's possible to give users in an Azure B2C directory access to Azure Resources like blob storage through RBAC (or any other method).
Azure B2C users are created in the Azure AD within the Azure B2C directory, which does not have a subscription, so resources cannot be created within that tenant. I haven't tried adding a subscription to the Azure B2C directory, but I can try that if that's the only way to accomplish this.
I also considered inviting the B2C users into another directory with a subscription where I can create a Storage Account, but as far as I can tell, the B2C users are not Active Directory users that can be invited or added to other Azure directories.
Thanks,
Carlos
Hi,
We are trying to figure out the pricing options for Azure B2C. A few questions:
1. Is it possible to have the access_Token expiry time set to 30 days (without usage of a refresh token)?
2. If we use Azure B2C as IDAM for securing Azure APIs, is the token validation (offline or online) also charged by Azure B2C?
3. If we have a refresh token set up for 90 days and we use it to request an access token (if point 1 is invalid), will it be charged?
4. If the access token is set up for 24 hrs and we use the refresh token for fetching a new access token, will it count as 2 authentication requests on Azure B2C?
Regards,
Mohit
I am trying to use the cmdlet Get-AzRoleAssignment using a service principal as advised. But I am receiving an error when doing this: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.
I tried to add the Graph API permission but that did not help; maybe I am missing something but I can't find the requirements for this cmdlet.
I already added:
Besides the API permissions the account is owner and is able to perform other cmdlets without error.
Version:
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Get-AzRoleAssignment 1.3.0 Az.Resources
Bart Scheltinga | www.bartsp34ks.nl | MCSA
We've been using Azure AD in our ASP.NET web application for a few years via what is now the legacy app registration (and SAML). Just recently, when the web application redirects to the Microsoft login page and we key in our Azure AD credentials we get:
There was an issue looking up your account. Tap Next to try again.
Clicking Next will keep triggering the message.
It's like the login landing page can't access our directory to look up the account... although we've not changed anything in our configuration.
We created a new app registration (as opposed to the legacy app registrations), but we still get the same error. I can't enable 'advanced diagnostics' on the sign-in page, either, and I can't find any further information on this error message.
Anyone have any ideas?
Is there any provision to create an Azure Active Directory programmatically by using an SDK, an API or even PowerShell?
I had tried PowerShell, the Graph API and the management SDK but I was unsuccessful.
Please provide some resolution for this.
On a Windows 10 Pro machine I have joined an Azure AD.
So if I block the user from logging in in the Azure AD portal, it is not working. This user is still able to log in with his credentials on the Windows 10 Pro machine. So how does the Azure AD join influence my complete client behaviour? I know that it will not reflect exactly the on-prem Active Directory domain controller, but I think some of the functions should work.
So does the Windows 10 client not take over the settings from Azure?
What is wrong here? Possibly my view is wrong and this constellation works completely differently?
Many Thanks.
Hi,
So I'm writing a POC for my company where we are fetching and using an app-only access token. Everything seems fine while we're fetching the user access token until we try to fetch the service principal id after permissions have been allowed by the user. If the user is authenticating the app for the first time, 100% of the time we're seeing the call to graphwindowsnet/{tenant id}/servicePrincipals fail with 2 different outcomes:
Scenario 1
After the user accepts the permissions from my service, we get this error back from the service principals api
{
"odata.error":{
"code":"Authorization_IdentityNotFound",
"message":{
"lang":"en",
"value":"The identity of the calling application could not be established."
},
"requestId":"xxxxxxxx-3287-4622-b4d0-32a735cfe178",
"date":"2019-06-19T12:26:31"
}
}
BUT if I re-initiate the OAuth process (user doesn't sign in or need to verify permissions because of cookies), I get back a 200 with the correct response.
Scenario 2
Same exact set up, but with a different response
{
"odata.metadata":".../xxxxxxxx-83b4-43dd-b859-e14673c1665b/$metadata#directoryObjects",
"value":[
]
}
But again if I re-initiate the OAuth process, I get the correct object data back.
I will note that I've seen request throttling warnings on my account. Could this possibly be related to this behavior? Not sure how or why, I'm just curious. Anyway, any help is appreciated thank you!
PS I had to remove the domain from odata.metadata because my account is not verified yet.
EDIT: Just to clarify - I'm seeing the throttling warnings on the test user account that is approving access to my service.
Is it possible to join an Azure VM to Azure AD so that the server is in the same AD tenant as the corporate users?
I'm looking at whether SQL Server in the VM could use AD users.
Kenny_I
Edit: Just stopped and started it for a second time and it worked... Well nevermind.
Hi all, I have a hybrid Microsoft AD and Azure AD system and when starting a Sync Cycle I get an error stating 'ADD busy'
I've just received an email stating that it hasn't been synced in 28 hours. This hasn't happened before and I assume it could be due to a number of things, but none of the solutions I've seen online seem to fix the issue.
Any help would be appreciated, and if you need more details please let me know. Thank you
So, we're currently trialing Microsoft EMS in our organization and have set up a trial environment for a pilot program. Our estate is made up of standalone PCs or groups of PCs in a LAN/Workgroups and we do not have any on-prem ADDS or ADFS in place. In short, a cloud-only setup.
With that said, we have been trying to set up Self Provisioning and Out-of-Box Enrolment / AD join for our Windows 10 Pro devices (laptops and desktops), in line with the guidance notes provided on the Docs & Technet portal for setting up Azure AD join for devices, but have had no luck so far.
Here are the key issues we’re facing:
- IF we let the employees perform Azure AD Join for their corporate-owned devices, then the employee is made Administrator and, after the joining happens, the rest of the MDM enrolment process kicks in, with all the policies set in the MDM, restrictions etc. The challenge here is that we cannot let the end user / non-IT staff have elevated permissions as administrator on their work laptops/desktops.
Leaving the employee with Admin permissions on the device has 2 key issues:
OR
- IF we have an IT Admin perform the AD Join (and MDM enrolment) for all of our devices (before a device is handed over to the end user), then the issue we're facing when the device is given to the end user and he logs in as Other User with his Office 365 credentials is that the user is not able to access the Office 365 resources which require conditional access (devices must be compliant or domain joined).
When attempting to access, say, Exchange Online, the user is presented with the error: "Your IT Admin is ensuring this device is compliant and this may take some time. To check the status check the company portal". Now, in the company portal, it says "you must Enrol this device" and shows an Enrol button which is basically a link to download the Intune Client. And when we try to download the Intune Client, again we're presented with an error message: "This device is already managed by an MDM", i.e. the built-in MDM of Windows 10.
Any guidance / help with this conundrum will be highly appreciated. Many thanks.
Hello,
I've just set up a test environment: Win2016 with AD and a working Exchange server on site. I got the very basics of AD sync working but am coming up with lots of questions now that the very basics are working.
1 Can you create a second login for the Microsoft account that controls the AD sync? I certainly can create more global admins in the Azure portal, but wouldn't the owner of the MS account have ultimate control? What if that person leaves?
2 How do you sync all the accounts from the cloud down to a new on-premises AD server (no previous on-site Active Directory server)?
3 Can I specify users or OUs I do or don't want to sync from on-prem? For example, I have an OU of disabled accounts (former employees we keep in AD but disabled until they've been gone for a bit, just in case we want to check anything out, e.g. their old workstation or email).
Hello,
I have an Exchange 2013 server. I've set up AD sync and it is working. I'm about to set up a hybrid environment so I can start migrating all the mailboxes over. When it is done, I'd like to keep AD sync for authentication but get rid of the Exchange server completely.
I saw in a few videos that a couple of years ago this was a bad option as it would mess up email settings for the Office 365 cloud email accounts. Is it still the case that you have to keep an on-prem Exchange server, or have they made it so you can get rid of it?