Hi,

I have set up my Azure AD so I can authenticate using the app it gives me to download and I am trying to change it so instead of calling the Graph API it calls my API with authentication.

I have tried many, many tutorials and after setting up the security of the API passing in the Token doesn't seem to be anough. It says I need the client_id and the service key. I pass in all three bits of data but it still says invalid token.

Should I be logging in via the API rather than directly to the AD?

Is the authority correct for the API? 

Should I be passing my token to the API to exchange it for something else to show I have access to it?

The Azure system seem to have changes recently and now NONE of the documentation matches what I see in the portal. I'm not even sure Azure can do what I need it to!!!

Thanks in advance.

I want to have 2 login providers for my app. Customers would connect with B2C and employees would connect with our AAD by SSO. Currently the B2C login for customers works with a SignIn V2 user flow, and our SSO works just fine for any other applications.

I followed these 2 pages to get started, using the exact same names:

 - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom
 - https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

They could be clearer but I think I got everything right as far as the XML goes.  When I run my custom policy, I get a page with a login form and a button to connect with the AD. If I click the button, I'm redirected to the SSO page and I log in with my user. The first time I'm asked to accept the permissions. So far so good, but after that I get redirected to https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/authresp, which gives a generic error 500 page. In the B2C Audit log, I see an event"Federate with an identity provider" with "Status: success" for the same datetime as my login so I believe the login works. Similarly, I can see a successful sign-in in the user's page in the AAD.

Is there something more I need to do that the MSDN pages missed? I should be getting redirected to jwt.ms with a token.

Relevant xml files (redacted):
TrustFrameworkBase.xml (only the parts I've modified):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkBase"
  PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase"><!-- snip default building blocks --><ClaimsProviders><ClaimsProvider><DisplayName>Local Account SignIn</DisplayName><TechnicalProfiles><TechnicalProfile Id="login-NonInteractive"><DisplayName>Local Account SignIn</DisplayName><Protocol Name="OpenIdConnect" /><Metadata><Item Key="UserMessageIfClaimsPrincipalDoesNotExist">We can't seem to find your account</Item><Item Key="UserMessageIfInvalidPassword">Your password is incorrect</Item><Item Key="UserMessageIfOldPasswordUsed">Looks like you used an old password</Item><Item Key="ProviderName">https://sts.windows.net/mytenantguid/</Item><Item Key="METADATA">https://login.microsoftonline.com/mytenant.onmicrosoft.com/.well-known/openid-configuration</Item><Item Key="authorization_endpoint">https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/token</Item><Item Key="response_types">id_token</Item><Item Key="response_mode">query</Item><Item Key="scope">email openid</Item><!-- Policy Engine Clients --><Item Key="UsePolicyInRedirectUri">false</Item><Item Key="HttpBinding">POST</Item></Metadata><InputClaims><InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" Required="true" /><InputClaim ClaimTypeReferenceId="password" Required="true" /><InputClaim ClaimTypeReferenceId="grant_type" DefaultValue="password" /><InputClaim ClaimTypeReferenceId="scope" DefaultValue="openid" /><InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" /></InputClaims><OutputClaims><OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid" /><OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" /><OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" /><OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" /><OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" /><OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" /><OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" /></OutputClaims></TechnicalProfile></TechnicalProfiles></ClaimsProvider><!-- snip other default claim providers--><!-- snip default user journeys-->	   </TrustFrameworkPolicy>

TrustFrameworkExtension.xml

<?xml version="1.0" encoding="utf-8" ?><TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions"
  PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions"><BasePolicy><TenantId>mytenant.onmicrosoft.com</TenantId><PolicyId>B2C_1A_TrustFrameworkBase</PolicyId></BasePolicy><BuildingBlocks></BuildingBlocks><ClaimsProviders><ClaimsProvider><DisplayName>Local Account SignIn</DisplayName><TechnicalProfiles><TechnicalProfile Id="login-NonInteractive"><Metadata><Item Key="client_id">ProxyIdentityExperienceFramework_AppId</Item><Item Key="IdTokenAudience">IdentityExperienceFramework_AppId</Item></Metadata><InputClaims><InputClaim ClaimTypeReferenceId="client_id" DefaultValue="ProxyIdentityExperienceFramework_AppId" /><InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource" DefaultValue="IdentityExperienceFramework_AppId" /></InputClaims></TechnicalProfile></TechnicalProfiles></ClaimsProvider><ClaimsProvider><Domain>Mycompany</Domain><DisplayName>Login using Mycompany</DisplayName><TechnicalProfiles><TechnicalProfile Id="MycompanyProfile"><DisplayName>Mycompany Employee</DisplayName><Description>Login with your Mycompany account</Description><Protocol Name="OpenIdConnect"/><OutputTokenFormat>JWT</OutputTokenFormat><Metadata><Item Key="METADATA">https://login.windows.net/mytenant.onmicrosoft.com/.well-known/openid-configuration</Item><Item Key="ProviderName">https://sts.windows.net/mytenantguid/</Item><Item Key="client_id">AzureADB2CApp_AppdId</Item><Item Key="IdTokenAudience">AzureADB2CApp_AppdId</Item><Item Key="UsePolicyInRedirectUri">false</Item><Item Key="response_types">code</Item><Item Key="scope">openid</Item><Item Key="response_mode">form_post</Item><Item Key="HttpBinding">POST</Item></Metadata><CryptographicKeys><Key Id="client_secret" StorageReferenceId="B2C_1A_MycompanySecret"/></CryptographicKeys><OutputClaims><OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/><OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/><OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" /><OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" /><OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" /></OutputClaims><OutputClaimsTransformations><OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/><OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/></OutputClaimsTransformations></TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders><UserJourneys><UserJourney Id="SignUpOrSignInMycompany"><OrchestrationSteps><OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signinwithpassword"><ClaimsProviderSelections><ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" /><ClaimsProviderSelection TargetClaimsExchangeId="MycompanyExchange" /></ClaimsProviderSelections><ClaimsExchanges><ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" /></ClaimsExchanges></OrchestrationStep><!-- Check if the user has selected to sign in using one of the social providers --><OrchestrationStep Order="2" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true"><Value>objectId</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" /><ClaimsExchange Id="MycompanyExchange" TechnicalProfileReferenceId="MycompanyProfile" /></ClaimsExchanges></OrchestrationStep><!-- Show self-asserted page only if the directory does not have the user account already (i.e. we do not have an objectId). 
          This can only happen when authentication happened using a social IDP. If local account was created or authentication done
          using ESTS in step 2, then an user account must exist in the directory by this time. --><OrchestrationStep Order="3" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true"><Value>objectId</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" /></ClaimsExchanges></OrchestrationStep><!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent 
          in the token. --><OrchestrationStep Order="4" Type="ClaimsExchange"><Preconditions><Precondition Type="ClaimEquals" ExecuteActionsIf="true"><Value>authenticationSource</Value><Value>socialIdpAuthentication</Value><Action>SkipThisOrchestrationStep</Action></Precondition></Preconditions><ClaimsExchanges><ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" /></ClaimsExchanges></OrchestrationStep><OrchestrationStep Order="5" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" /></OrchestrationSteps><ClientDefinition ReferenceId="DefaultWeb" /></UserJourney></UserJourneys></TrustFrameworkPolicy>

SignUpOrSigninMycompany.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="mytenant.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin_mycompany"
  PublicPolicyUri="http://mytenant.onmicrosoft.com/B2C_1A_signup_signin_mycompany"><BasePolicy><TenantId>mytenant.onmicrosoft.com</TenantId><PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId></BasePolicy><RelyingParty><DefaultUserJourney ReferenceId="SignUpOrSignInMycompany" /><TechnicalProfile Id="PolicyProfile"><DisplayName>PolicyProfile</DisplayName><Protocol Name="OpenIdConnect" /><OutputClaims><OutputClaim ClaimTypeReferenceId="displayName" /><OutputClaim ClaimTypeReferenceId="givenName" /><OutputClaim ClaimTypeReferenceId="surname" /><OutputClaim ClaimTypeReferenceId="email" /><OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/><OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" /></OutputClaims><SubjectNamingInfo ClaimType="sub" /></TechnicalProfile></RelyingParty></TrustFrameworkPolicy>

In the Identity Experience Framework panel, I run B2C_1A_signup_signin_mycompany and choose testapp1 with https://jwt.ms as the repyl url.

I want to use Azure AD SSO to grant SSO access to internal applications but access from internal corporate users not remotely. I understand Application proxy can be used to grant remote access to internal applications with SSO but i read that it is not recommended to use application proxy for internal access. What is the best solution to use Azure SSO if i want to grant internal users internal access to on -premise applications with SSO (examples would be password-based on saml applications that are accessed only by users from the corporate network)

thank you

MM

I've registered a native app (for Power BI push operation) and added the necessary API permissions.
Global admin granted the consent. But the access token method fails.

equivalent PS script used to get access token

$authUrl = "https://login.windows.net/common/oauth2/token"
$body = @{
"resource" = “https://analysis.windows.net/powerbi/api";
"client_id" = "myclientid";
"grant_type" = "password";
"username" = "myuser";
"password" = "mypass";
"scope" = "openid"
}
$authResponse = Invoke-RestMethod -Uri $authUrl –Method POST -Body $body

$authResponse.access_token

But getting the same error:

Invoke-RestMethod : {"error":"invalid_grant","error_description":"AADSTS50126: Invalid username or password.

The master account used is synchronised to Azure AD from windows active directory server.

(The whole approach  works fine in a different tenant where the master account is create on Azure AD itself.

Blocked around this issue for a while. Any quick help is appreciated. Thanks in advance.

a few weeks ago, I register an Azure AD application, with the redirect_url as https://www.getpostman.com/oauth2/callback, at that time, it work. 

But now when I use my postman, I encounter the error

"OAuth2WindowManager~startLoginWith - URL did not match the registered callbackURL, so skipping"

any suggestions? 

working on APIM

I disabled MFA earlier today to do some troubleshooting & then re-enabled it. Every time I try to log on to anything in the MS world, I get this error now (first I get a message saying More information is required, then it prompts me to get a phone call, text message, use authentication app, etc. They all return the same error. To make it all more exciting, I'm the only admin and I can't log into the Azure Portal to reset MFA.

The Microsoft help about the topic isn't helpful at all - it says you waited more than 10 minutes to complete the setup process (?) but there's no fix or workaround. https://support.microsoft.com/en-us/help/2909939/sorry-we-can-t-process-your-request-error-when-you-try-to-set-up-secur

Anyone have any ideas about how I can get back onto my account?

Thanks!

I am experiencing an error during the "configure" phase when running the Microsoft Azure Active Directory connect utility. I have checked that the domain account is a member of "Domain Admins" and is a member "built-in" administrators group.

An error occured while retrieving the Active Directory Schema. The error was: A constraint violation occured.

And below is from the logs.

[11:39:06.592] [ 16] [ERROR] Caught exception while creating synchronization account.
Exception Data (Raw): System.DirectoryServices.DirectoryServicesCOMException (0x8007202F): A constraint violation occurred.

Is anyone able to give some suggestions as to what could be the cause?

Thanks

Hi everybody,

is there a solution for the Devicename within Azure Intune?

I gonna make hybrid join (Azure & localdomain) and I want that each Device got a prefix (e.g. Notebook) and than as suffix something like a consecutive number (e.g. 001).

Are there any posibilites to configurate this?

Many regards

Team,

I need to automate powershell scripts without interaction to manage my azure ad environment. By policy, all global admins must have MFA enabled for security reasons. When using app password in MSOnline/AzureAD module error is thrown. What is the solution to this?

 I'm using AD Connect 1.2.70.0 and have configured all steps outlined in "How-to: Configure password writeback".

Currently have a Hybrid AAD env. 

We are testing autopilot, intune with the goal of managing devices solely in Azure. 

We rely heavily on GPO.

I want Azure AD to eventually replace our on-prem AD. Since we currently do not have devices managed by Azure - but are testing deployment and piloting Azure AD, inTune MDM/MAM - my question is I dont want to proceed w/ autopilot and intune in a hybrid scenario if we plan on moving away eventually and going full Azure AD. 

Is there any reason why I cannot just move forward with device management in pure Azure AD join devices and managed the GPO via inTune? 

If you have any resources for research that would be helpful as well. All of the documents are hybrid - do this, Azure AD - do this. But nothing really clear on if you have hybrid (for SSO and AD on prem integration) but plan on moving to full Azure = you can proceed with Azure AD management (AutoPilot and inTune) with devices, keep hybrid in place for account management. 

Thanks,

SJMP

Is there a way to set the timeout for an On-Prem application published with Azure Application Proxy?

If I logon now to application using app-proxy, and leave the browser for a period of time, when I get back and want to start using it, the session seems to have timed out and I get redirected to azure app proxy, but session token is still valid so I don´t need to log on and get instantly redirected in to on-prem app. How can I prevent this from happening? Session token timeout is not the key here I think since token is still valid.

We have set up a SP Initiated SAML based SSO with a client. The client claims to have set up the outgoing claims/attributes in Azure. However, in our system, we still continue to receive the claims in the URI pattern. Further, the client claims to have set up only six (6) outgoing claims; however, the SAML Response shows multiple claims. 

Below are the claims set up by the cleint in their system:

Name identifier value: user.onpremissesaccountname [name-format:emailAddress]

CLAIM Name        VALUE

emailaddress        user.mail
givenname           user.givenname
mail                     user.mail
name                   user.userprincipalname
surname              user.surname

However, this is an example of how the claims are sent in the SAML Response:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

We just need givenname and not the entire URI. Any help will be appreciated. Thank you!

Hi!

Im reading Extend Active Directory Federation Services (AD FS) to Azure at docs

We're about to extend ADDS/ADFS.

I know i get more opportunities when i use 3 subnets regarding segmentation/nsg, but i also get more administration. 

if i use one subnet for WAP and one subnet for ADFS / ADDS  instead of 3 subnets, like a infraservices network onprem. 

Am i missing something ? 

Best Regards

I currently have a VPS hosting for two servers with Ubuntu outside Azure network and a free azure AD plan. I see this option here:

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/login-using-aad

but it is only for azure VMs, so can I use azure ad for hosts outside of azure?

Hello all,

I believe I have pretty good knowledge how to use AADDS and Azure AD, however I have some difficulties to put the parts in the puzzle. I know how to do sync between on prem and azure AD and how the sync between Azure AD and AADDS works, however I am struggling finding the main reason why you will need AADDS when you have on - premise?

I know that people are using AADDS instead of Azure AD when they need Kerberos or LDAP or need some "kind of DC" solution, however since they have On-prem why they will need AADDS?

Will be the main reason using the apps ? but having all those accounts synced in azure AD those users still will be able to use SAAS applications.  So do you have any ideas guys?

Thanks in advance! 

Cheers . SS

Dear All,

Is it possible to configure secondary adfs and proxy server with office 365 for High Availability

Currently Direct Sync, ADFS and ADFS Proxy serves. I'm planning to add one more ADFS and proxy for HA. please advice.

I'm planning to move our Active Directory services to the Azure. Currently have done setup the Domain Services on Azure, what's the best practice for deploying to users (i want to authenticate the user desktop login on my site) ?

Do i need to create site-to-site VPN for every branch or just open ports to the public IP ?

Many thanks

Hi,

Sorry if this is not the right forum.

In our service (back-end in Java/Spring, front-end in React) we implemented Google Sign in.

The end result of the Sign In process is that the front-end receives an object from Google which it re-sends to the back-end. The back-end verifies (with a Google Library) that the object is valid and extracts user info from it. Like this:

public void authenticateGoogleUser(Object googleInfo){
        LinkedHashMap<String, String> map = (LinkedHashMap) googleInfo;
        String tokenId = map.get("tokenId");        
        GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(...).build();
        GoogleIdToken googleIdToken = verifier.verify(tokenId);// verify that the tokenId is valid
        GoogleIdToken.Payload payload = googleIdToken.getPayload();
        String userId = payload.getSubject();
String email = payload.getEmail();
// etc.
}
Now we want to implement the same functionality with Microsoft Sign in. 
The front end shows the Microsoft SignIn button, user signs in, 
front-end receives the Microsoft SignIn response object and re-sends it to the back-end server.
Our question is: How do we validate this response in the back-end server?
Is there a library that does it, like the GoogleIdTokenVerifier?
Thank you