Channel: Azure Active Directory forum

Changes to ACS? Unauthorized identity providers allowed to pass-through ACS.

I used to get transferred to a page to log out when I would try to log in to my multi-tenant application if I was already logged in with a live.com account (not authorized as an identity provider for any of my relying parties set up in ACS). However, within the last few weeks, my live.com SAML principal gets passed on through to my application without getting blocked by ACS or login.windows.net. What's up? Is there a change log for ACS?

Joseph Nielsen
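An added example, not code from the post and not ACS's own code: the check a relying party should perform on its own side, so that a principal from an identity provider it never authorized is rejected even when ACS forwards it. It assumes a symmetric-key (HS256) JWT from a constructed ACS namespace, a constructed relying-party realm and signing key, and a constructed allowlist that contains only one ADFS issuer; the identityprovider claim URI is the one ACS emits, everything else is made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for this example; they are not from the forum post.
ACS_ISSUER = "https://contoso.accesscontrol.windows.net/"   # the ACS namespace you trust
RELYING_PARTY_REALM = "https://app.contoso.example/"        # realm registered for this app in ACS
SIGNING_KEY = b"constructed-symmetric-key-for-this-example-only"
IDP_CLAIM = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
# Identity providers this relying party accepts. Anything else is rejected even if ACS signed it.
ALLOWED_IDPS = {"https://sts.contoso.example/adfs/services/trust"}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=SIGNING_KEY):
    """Produce an HS256 JWT the way a symmetric-key ACS namespace would.
    Used here only to construct input for validate_token."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, now=None, key=SIGNING_KEY):
    """Verify signature, issuer, audience and expiry, then enforce the identity-provider
    allowlist. Raises ValueError with a reason on any failure; returns the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ACS_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != RELYING_PARTY_REALM:
        raise ValueError("token not issued for this relying party")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or missing exp")
    idp = claims.get(IDP_CLAIM)
    if idp not in ALLOWED_IDPS:
        raise ValueError("identity provider not allowed: %r" % (idp,))
    return claims


def sample_token(idp, exp=2000, aud=RELYING_PARTY_REALM, key=SIGNING_KEY):
    """Constructed ACS-style token for a user who signed in at `idp`."""
    return mint_token({"iss": ACS_ISSUER, "aud": aud, "exp": exp,
                       "nameid": "user@contoso.example", IDP_CLAIM: idp}, key)


def decision(token, now=1000):
    """'accept' or 'reject: <reason>', suitable for the relying party's audit log."""
    try:
        validate_token(token, now=now)
        return "accept"
    except ValueError as err:
        return "reject: %s" % err


if __name__ == "__main__":
    adfs = "https://sts.contoso.example/adfs/services/trust"
    for label, tok in [("ADFS user", sample_token(adfs)),
                       ("Live ID user forwarded by ACS", sample_token("uri:WindowsLiveID")),
                       ("expired", sample_token(adfs, exp=500)),
                       ("forged", sample_token(adfs, key=b"wrong"))]:
        print(label, "->", decision(tok))
```

The point of the allowlist check is that the relying party never trusts the ACS namespace's identity-provider configuration alone: a token can be perfectly well signed by ACS and still carry an identityprovider value the application never agreed to accept.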


Can the new AAD Sync tool take source 'users' and sync as destination 'contacts'?


We have a specific scenario we are trying to design for our O365 migration.
We will have a single forest/domain, with multiple regional O365 tenants.

Each tenant will receive user sync data by using a filter by OU, such as OU1/users > Tenant1, etc.
I understand we can install multiple AAD Sync servers in the source AD (one for each tenant connection); is that still true?

Our specific question is: with the new AAD Sync, along with syncing OU-specific users directly to tenant (1), can we also select other OUs which contain users syncing to other tenants (2, 3, 4), and sync those users as contacts to tenant (1), via some type of transformation with AAD Sync?

Example: OU1/Users1 >> sync to Tenant 1 as a provisioned user for O365, and also OU2/Users2 >> sync to Tenant 1 as a mail-enabled contact. We are trying to find a way to build a global address list across 4 tenants from a single source domain (we will have 4 regional tenants).

Unable to delete Active Directory User using the graph rest api


Hi,

I am unable to delete an Azure Active Directory user using the Graph REST API, though while configuring my application I have given both read and write access to the directory. So my question is: is there any separate authentication or permission which has to be additionally given to delete an Active Directory user?

Delete API reference used:

http://msdn.microsoft.com/en-us/library/azure/dn151676.aspx

Output error on invoking delete user:

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permission to view this directory or page using the credentials that you supplied.


Note: I am able to execute other REST API calls and get the output successfully, like creating users in Active Directory, with the same symmetric key and client ID.

Azure AD User Management


Hi All,

Can anyone help me to create user management on Azure?

For example, I have a group named Admin. I want that group associated with my application so that only that group's users can access my application.

Thanks

Problems accessing ACS response content from https website


I have ACS setup for several providers including custom ADFS.

It works fine when accessing my website over HTTP. However, when I use SSL for my website, the requests to ACS get cancelled.

Is there a way to call ACS from https website?

URL's for newly created objects do not contain the API version


When a new object is created using the Graph API e.g. a user, the URL that is returned in the Location header does not contain the API version that was used.

As such, when the object is accessed using that URL, any operations on the new object fail with the following error when using an OData library (e.g. WCF Data Services, Olingo, etc.):

{"odata.error":{"code":"Request_DataContractVersionMissing","message":{"lang":"en","value":"The specified api-version is invalid. The value must exactly match a supported version."}}}
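An added example, not code from the post or from the OData libraries it mentions, of how a client can deal with the Location header described above: put the api-version it used back on the returned URL before touching the new object, recognise the quoted odata.error if it does come back, and refuse to send the bearer token to any host other than graph.windows.net. The tenant name, object ID and exact shape of the Location URL are constructed for the example.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

GRAPH_HOST = "graph.windows.net"


def with_api_version(location, api_version):
    """Return `location` with api-version=<api_version> in its query string, replacing any
    existing api-version value and keeping the other query parameters and the fragment."""
    parts = urlsplit(location)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "api-version"]
    query.append(("api-version", api_version))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def created_object_url(location, api_version, expected_host=GRAPH_HOST):
    """Turn the Location header from a Graph create call into a URL that is safe to call with
    the same bearer token. Anything that is not https on the Graph host is refused, so a
    redirect or a surprising header can never make the client send its token elsewhere."""
    parts = urlsplit(location)
    if parts.scheme != "https" or parts.hostname != expected_host:
        raise ValueError("Location header does not point at https://%s" % expected_host)
    return with_api_version(location, api_version)


def is_version_error(body):
    """True when a Graph error body is Request_DataContractVersionMissing, the symptom of
    following the Location header verbatim."""
    try:
        return json.loads(body)["odata.error"]["code"] == "Request_DataContractVersionMissing"
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    # Constructed Location header of the shape the Graph API returned for a new user.
    location = ("https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects/"
                "11111111-2222-3333-4444-555555555555/Microsoft.WindowsAzure.ActiveDirectory.User")
    print(created_object_url(location, "2013-11-08"))
    # Constructed error body, copied from the post, to show the detection side.
    body = ('{"odata.error":{"code":"Request_DataContractVersionMissing","message":'
            '{"lang":"en","value":"The specified api-version is invalid."}}}')
    print(is_version_error(body))
```

`parse_qsl`/`urlencode` are used rather than string concatenation so that a Location URL that already carries a query string (or an older api-version) still produces exactly one api-version parameter.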

Installing an Additional Domain Controller for an existing Domain in Azure


Hi

I have created 2 virtual machines, i.e. RAHULDC01 and RAHULDB01, in the same affinity group and in the same subnet on Microsoft Azure. I installed Active Directory Domain Services and DNS on RAHULDB01. Everything is installed properly, so the domain controller is installed on it. My domain name is ArabITPro.local.

As in Azure, a VM gets its IP address automatically from the VNet.

Here are the network details of RAHULDB01:

IP    192.168.28.36

gateway 192.168.28.33

When I try to add RAHULDC01 as a domain controller in ArabITPro.local, it shows an error.

So my questions are:

1) Do I have to give a static IP and loopback address (for DNS) to RAHULDB01, as we usually do in our office environment,

and RAHULDB01's IP as the DNS for RAHULDC01? If so, then please help me out to configure a static IP and DNS for the VM.

2) Or, just assist me with how to add a domain controller for an existing domain in Azure.

Note: both machines are in the Azure environment (Microsoft Windows 2012 R2).

Cannot verify custom domain


Hello,

up with the following error: "Could not verify this domain because it was previously configured for your tenant or for another tenant"

I know that the message clearly says that it has been previously configured with another tenant.
The big question is, how can I search which tenant uses the same custom domain? In my situation, I manage many subscriptions in Azure and Office 365.

FYI, I have cleared any previous TXT/MX entries in my DNS.

Thanks for shedding some light on how to solve this issue.


Best regards,

Riwut Libinuko
SharePoint Architect, Singapore
Microsoft MVP | SharePoint Server | Singapore
Blog : http://blog.libinuko.com


Azure AD Graph Get Users REST API call fails to return User entity thumbnailPhoto


I am trying to integrate Office 365/Windows Azure AD into an iOS application. I was able to do authentication with the common consent framework and was also able to access the list of users in my Active Directory. Format of my request: URL: https://graph.windows.net/mytenantdomain/users?api-version=2013-04-05, HTTP method: GET, HTTP header: Authorization: Bearer <'access token'>

For retrieving the user profile photo I make one more REST API request with the following URL:

HTTP GET https://graph.windows.net/<directory_name_or_id>/users/<users_upn_or_objectid>/thumbnailPhoto?api-version=2013-11-08

But I got the following response:

{ "odata.error": {"code": "Request_ResourceNotFound", "message": { "lang": "en", "value": "Resource 'thumbnailPhoto' does not exist or one of its queried reference-property objects are not present." } } }

I am able to see the profile picture for the same user in the Office 365 login. Do I need to do anything else to sync the Office 365 profile picture with Active Directory? I don't know why it returns "reference-property objects are not present". Is there any way to solve this issue?




Azure Active Directory Duplicate Token Error

We are using Azure Active Directory with Graph API extensions. Periodically we run into a problem where we get the error "Duplicate Token Found"...

We neither understand what the issue is that is causing this, nor how to prevent it from happening, nor what to do when it happens. Can anyone offer pointers to any resources?

Dirsync / AAD Sync. - but without EMC on prem...


I would find it highly useful, for not only us but our customers, to enable password sync but leave Exchange attributes editable in the 365 portal for users who do not wish to have any Exchange products on premises.

Almost like filtering out all mail-related attributes from the sync, soft-matching users via another method, and enabling people to edit mail attributes from the 365 ECP.

Many customers we have are migrating from IMAP systems to 365, but then get most upset with us when they want DirSync and realize they either need to use unsupported tools to edit user email settings, such as ADSI Edit, or install the Exchange EMC on site, when the whole point of moving to 365 was to get rid of the dependency on on-premises installations.

I wondered if this is something Microsoft acknowledges and will look into resolving for SMBs with a small server base (one or two physical boxes) who want DirSync but without an on-prem requirement for Exchange.

Thanks

Ben

____**EDIT**____

Also, just to make clear, most of our customers would be happy with something as simple as extending the schema and then a DLL add-in to add a "365" tab to ADDS, just like the old acctinfo.dll; basically anything to make 365 with DirSync but no on-prem EMC a supported scenario, which, looking at all the previous questions and responses, Microsoft must see is something people want and need.


Ben Harris

How do I create a custom address list in Active Directory which has an Extension Attribute to it?

I want to create a custom address list (for example an address list called Malaysia Address List) in Active Directory with an ExtensionAttribute1 of Malaysia. The reason I want this ExtensionAttribute1 is that I have assigned an ExtensionAttribute1 of "Malaysia" to all users from Malaysia in Active Directory, so that I can repopulate their address details in the address list called Malaysia Address List. I have done this in Office 365 and it works. But the problem is I can't do it in Active Directory. Does anyone know how to do it?

Sign up new tenant not working


Using Visual Studio 2013, we can create an application to integrate Azure Active Directory, and we can perform sign-up, sign-in and sign-out operations.

In the same way, we have created sign-up functionality for new customers using Active Directory. After logging in with an admin user and granting access, the customer can sign in to our applications. For all other scenarios it's working fine, but it's not working in the scenario below.

1) When a customer tries to sign up directly after creating a new Active Directory and a new user, Microsoft redirects the user to change the password.

2) After changing the password, the user again needs to enter the new password.

3) After that, the "Grant Access" page is displayed and the customer grants access.

4) Now an error page is displayed from Microsoft with the error below in the bottom right corner:

"Additional technical information:
Correlation ID: 2dc5bfcd-0c32-4863-8338-e2021a56780f
Timestamp: 2014-09-09 08:50:26Z
AADSTS50001: "Value of Realm Url(i.e. http://XXX/XX)" is not registered for the account."

Can anyone help us to solve this issue?

Centralize Azure Active Directories


Hi,

I have an Office 365 tenant, and 3 Azure Active Directories: Prod, PreProd, Dev.

I also have an on-premises AD.

As I cannot federate my domain with all environments in the cloud (Office 365, AAD Prod, AAD PreProd and AAD Dev), I have to centralize my accounts in one AAD (e.g. Prod) and connect the other AADs and Office 365 to this central repository.

The central AAD (Prod) will be synchronized and federated (ADFS) with my on-premises AD.

I can connect my AAD to Office 365, but I need a connection in the other direction: use the accounts synchronized to the Prod AAD in Office 365.

My question is whether it's possible to implement this scenario where all environments are connected to a central AAD which will be provisioned from the on-premises AD.

Thanks


Lourh

Google as ACS Identity Provider


I see that Google is no longer an option as an Identity Provider for ACS. Is there any chance it will become an option again in the near future? Yes I realize it was Google that made the change that deprecated this feature, but is it generally accepted that either Google or Microsoft will provide some way for it to work again? Or are there relatively easy workarounds to make this work?

For me the value of ACS is eroded significantly without Google as an identity provider.


Azure Back-End Edge

As I'm currently looking into the possibility of using ExpressRoute, I'm a bit curious as to how it works on the back-end. I understand we need to connect to ExpressRoute through either a network service provider or an exchange provider. But after ExpressRoute, the Azure documentation shows that the data passes through "Azure Edge" and from there to Azure public and private services. This is seen in the diagram here: http://msdn.microsoft.com/en-us/library/azure/dn606309.aspx

My question is if anyone can describe the key elements of the network architecture for Azure? Specifically what does the Azure edge do, and how does it connect to the cloud services? Also, would I as the customer need to provide any equipment (a router) at the edge?

How to SAML 2.0 federate with a domain that is already being used for Office 365?


I need to federate a SAML-P 2.0 identity provider with Azure Active Directory so I can pass a federated claim back to ACS and then to my application. This appears to be fully supported, looking at the commands on the Oracle Identity Federation (OIF) Server website and other MSDN Azure sources. My problem is that the client is already using Office 365 and ADFS integration on their side. They do not want to use ADFS for SSO integration with our application. The problem is that when I enter a user ID for logging in at the login.windows.net page, it redirects to their ADFS SSO provider instead of the integration I set up with their OIF identity provider.

How can I work with this? It looks like this used to be supported on ACS, but it looks like ACS is no longer supported by Microsoft. (PowerShell cmdlets and other tools have been pulled from CodePlex.) I need to have a UPN domain suffix that can be set up for multiple domains. I would think that the service should know this based on my relying party, no?


Joseph Nielsen

This is the article I used to setup the SAML 2.0 federation with Azure AD.

http://msdn.microsoft.com/en-us/library/azure/dn641269.aspx

Azure RMS required attribute


Hi,

I am looking for the minimum attributes required for Azure RMS which need to be synced to AAD. A related TechNet/MSDN link would be very helpful.

Thanks

How can a global admin for an Azure AD tenant manage only that AD instance?


I have a custom Azure AD in which Bob is a global admin (global admin for that AD). How do I allow him to manage Azure AD without making him a global admin for the subscription? Is it possible? What happened to activedirectory.windowsazure.com? It is getting redirected to manage.windowsazure.com and then states that there is no active subscription assigned.

Azure AD - Assign Users and Groups to App


I'm using Azure AD:
 - I've added users via Microsoft Account IDs.
 - I have activated "Azure AD Premium" trial
 - I've assigned each user a license

Now I want to assign users access to my Web App (A cloud service), however, I'm not seeing the "Users and Groups" tab described in this article:
> Important:
> You will only see the Users and Groups tab once you have enabled Azure AD Premium.
http://msdn.microsoft.com/en-us/library/azure/dn621141.aspx

And even demonstrated in this video:
http://azure.microsoft.com/en-us/documentation/videos/configure-and-assign-groups-azure-ad/

Finally, when I go to:
https://account.activedirectory.windowsazure.com/applications/default.aspx
I'm not seeing any "Apps" - I assume once I've been able to assign access the Apps should show here.

What am I missing?
