Channel: Azure Active Directory forum

How to generate a token for Azure AD for SCIM authentication


Hi, 

This document

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups

step 8 states: If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional Secret Token field.

I am using Azure AD as my identity provider, so I should not have to paste anything in it, but it doesn't let me proceed because the field is required.

I can't find any information on how to generate the required OAuth token for the directory as mentioned in step 8. Here is a link to an image on OneDrive (the forum doesn't allow links or images for new accounts, so I had to URL-encode it):

https://1drv.ms/u/s!AgjZ1yvBvXt8kHWMKinpAF9Wi0mr?e=Wv0IXC


How can you programmatically get and patch custom user claims in B2C?


Is this even possible and if so, how?

Requirements:

  • Store a list of user roles as a claim in B2C that is brought back in the users token but is NOT part of the signup experience. (aka a user should not define their own roles)
  • Be able to create/modify those roles.

I've tried everything I can think of in the Azure AD Graph API and the MS Graph API, but I cannot find a way to query or modify/manage these claims.

Unable to delete orphaned Windows Server AD user accounts


I'm trying to remove orphaned user accounts from Azure AD.

When trying to do this using the following procedure:

Step 1

  Install-Module -Name MSOnline
  Connect-MsolService

Login fails.

Step 2

  az login

You have logged in. Now let us find all the subscriptions to which you have access...
[
  {
    "cloudName": "AzureCloud",
    "id": "cff169e3-xxxx-xxxx-88ef-e4d204d0e0ac",
    "isDefault": true,
    "name": "Free Trial",
    "state": "Enabled",
    "tenantId": "37bd401c-e353-xxxx-xxxx-e5eaebaab700",
    "user": {
      "name": "stuart.honour@xxx.org",
      "type": "user"
    }
  }
]

Step 3

$msolcred = get-credential connect-msolservice -credential $msolcred

Error

Get-Credential : A positional parameter cannot be found that accepts argument 'connect-msolservice'.
At line:1 char:13
+ $msolcred = get-credential connect-msolservice -credential $msolcred
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-Credential], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetCredentialCommand 

So I can never run this command: Remove-MsolUser -UserPrincipalName "account@account.com"
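The clean-up the post is attempting, written out as an added PowerShell example (this is not the poster's code). It assumes the MSOnline and ActiveDirectory modules are installed, that a domain controller is reachable, that the cloud account used is a Global Administrator, and that Azure AD Connect uses the default sourceAnchor (objectGUID, base64-encoded; if the tenant was configured with ms-DS-ConsistencyGuid, read that attribute instead). The first two statements are the post's Step 3 split into the two commands it has to be:

```powershell
# Added example, not code from the post. See assumptions in the lead-in.
Import-Module MSOnline
Import-Module ActiveDirectory

# The post's Step 3 merged these two statements onto one line; they must be separate.
# (For an MFA-protected admin account, call Connect-MsolService with no -Credential
# and authenticate interactively instead.)
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

# Every sourceAnchor that still exists on-prem. Assumption: default anchor = objectGUID
# rendered as base64, which is what Azure AD stores in ImmutableId.
$onPremAnchors = [System.Collections.Generic.HashSet[string]]::new()
Get-ADUser -Filter * | ForEach-Object {
    [void]$onPremAnchors.Add([Convert]::ToBase64String($_.ObjectGUID.ToByteArray()))
}

# An "orphan" here: a cloud user that carries an ImmutableId (it was synced at some point)
# whose anchor no longer matches any on-prem object. Review this list before deleting.
$orphans = Get-MsolUser -All | Where-Object {
    $_.ImmutableId -and -not $onPremAnchors.Contains($_.ImmutableId)
}
$orphans | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime | Format-Table -AutoSize

# Objects the tenant still treats as directory-synced cannot be removed from the cloud side;
# they have to be deleted on-prem, or sync disabled first (Set-MsolDirSyncEnabled
# -EnableDirSync $false, which can take a long time to take effect).
foreach ($u in $orphans) {
    Remove-MsolUser -UserPrincipalName $u.UserPrincipalName -Force
}

# Remove-MsolUser only soft-deletes (30-day recycle bin). Purge the copies if a hard delete
# is wanted; deleted users are addressed by ObjectId because their UPN may be rewritten.
Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.ImmutableId -and -not $onPremAnchors.Contains($_.ImmutableId) } |
    ForEach-Object { Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force }
```

Run the listing part first and only add the two deletion loops once the output is what you expect; a wrong anchor mapping would otherwise delete every synced user.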



Azure Active Directory Graph API - Receive error on user update


We use Azure AD B2C and the Azure AD Graph API accordingly. On Friday (28.06.2019) we faced an issue on user update: "Invalid value specified for property 'creationType' of resource 'User'." The value for this field was set to "LocalAccount" according to the specification.

It seems that the Graph API was updated last week, because previously it worked properly without any issues. Could you please confirm that the API was updated, and could you also suggest how we can track these changes in time? This has a big impact on our application.

Thanks, 

Yauheniya
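An added PowerShell example (not code from any of the posts) covering two of the questions on this page at once: the B2C post above asking how to store a tenant-managed "roles" value on a user without exposing it to sign-up, and this post (and its repeat further down) on the creationType error. The calls are Azure AD Graph (graph.windows.net, api-version 1.6). Assumed values are $tenant, $clientId, $clientSecret (an app registration holding the Directory.ReadWrite.All application permission for Azure AD Graph) and $userObjectId; making the attribute appear in the issued token is user-flow/custom-policy configuration, not an API call, and is not shown.

```powershell
# Added example, not code from the posts. Values below are assumptions.
$tenant       = "contoso.onmicrosoft.com"   # assumption
$clientId     = "<app id>"                  # assumption
$clientSecret = "<client secret>"           # assumption
$userObjectId = "<user object id>"          # assumption
$graph        = "https://graph.windows.net/$tenant"

# 1. Client-credentials token for Azure AD Graph (v1 endpoint, resource-based).
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenant/oauth2/token" `
    -Body @{ grant_type = "client_credentials"; client_id = $clientId
             client_secret = $clientSecret; resource = "https://graph.windows.net" }).access_token
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }

# 2. B2C custom attributes are extension properties on the tenant's b2c-extensions-app.
#    The on-user property name is extension_<appId without dashes>_<name>.
$extApp = (Invoke-RestMethod -Headers $headers `
    -Uri "$graph/applications?api-version=1.6&`$filter=startswith(displayName,'b2c-extensions-app')").value[0]
$propName = "extension_$($extApp.appId -replace '-','')_Roles"

# Idempotent registration: only create "Roles" if the extension property is not there yet.
$existing = (Invoke-RestMethod -Headers $headers `
    -Uri "$graph/applications/$($extApp.objectId)/extensionProperties?api-version=1.6").value
if (-not ($existing | Where-Object name -eq $propName)) {
    Invoke-RestMethod -Method Post -Headers $headers `
        -Uri "$graph/applications/$($extApp.objectId)/extensionProperties?api-version=1.6" `
        -Body (@{ name = "Roles"; dataType = "String"; targetObjects = @("User") } | ConvertTo-Json)
}

# 3. PATCH the user with only the property being changed. Because the attribute is written
#    by this service-side code and never collected on a sign-up page, the user cannot set it.
#    Properties fixed at account creation, creationType among them, are left out of the
#    update body entirely; repeating them is the shape of request the error above rejects.
$body = @{ $propName = "reader,approver" } | ConvertTo-Json
Invoke-RestMethod -Method Patch -Headers $headers `
    -Uri "$graph/users/${userObjectId}?api-version=1.6" -Body $body

# 4. Read the value back to confirm.
(Invoke-RestMethod -Headers $headers -Uri "$graph/users/${userObjectId}?api-version=1.6").$propName
```

Keep the PATCH body to the attributes that actually change; a "full object" update that echoes back read-only or creation-time properties is fragile against service-side changes in what the API accepts, which is the failure mode both creationType posts describe.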

AD FS and AD Connect

Hi, we are currently migrating users to Office 365 via AD Sync/AD Connect. We are planning on implementing AD FS to block access to Office 365 from outside the corporate network. Are there any known risks involved in connecting AD FS to Office 365 while the migration of users is in process? Thanks.

Seamless SSO keeps asking for credentials

Hi,

We have implemented Seamless SSO in the company, and it is working on some devices only.

To set this up, we have followed this page: docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start, and also reviewed known issues under here: docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#known-issues.

The result is as follows. Seamless SSO works on Windows 10 devices running a release earlier than 1809. For Windows 10 1809 we have additionally deployed the Microsoft Security Baseline: blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/. The IE computer policies are amended so that, for example, IE Enhanced Protected Mode is set to Not Configured, as listed on the Known Issues page.

Despite multiple tries, SSO is not working as expected. It keeps asking for username and password. We are running out of ideas about what else we should configure/amend when the MS Security Baselines are also in place.

Maybe you have similar experience?

Best regards,

Marcin


Edit: Side note: when I set the policy to deny apply, SSO works. So some other setting is causing this, but I'm not sure which one yet.
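An added client-side diagnostic in PowerShell (not from the post) for exactly this situation: a hardening baseline applied on top of a working Seamless SSO setup. It checks, on one affected Windows 10 client in the user's context, the prerequisites from the quick-start that a baseline commonly overrides (the autologon URL in the Local intranet zone, "Allow updates to status bar via script" in that zone, the zone's logon option) and then whether the client can obtain the Kerberos ticket the SSO page relies on. The registry locations and the setting IDs 2103 and 1A00 are assumptions about the IE zone layout; verify them against the policy you deploy.

```powershell
# Added diagnostic, not code from the post. Registry layout and setting IDs are assumptions.
$ssoHost = "autologon.microsoftazuread-sso.com"
$ssoSpn  = "HTTP/$ssoHost"

# 1. Zone mapping. A "Site to Zone Assignment List" policy, once present, replaces the user's
#    own mapping, so the policy hives are checked before HKCU. Zone 1 = Local intranet.
$domainKeys = @(
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon",
    "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon"
)
$zoneFound = $false
foreach ($k in $domainKeys) {
    $v = Get-ItemProperty -Path $k -Name https -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        $zoneFound = $true
        $state = if ($v.https -eq 1) { "Local intranet, OK" } else { "zone $($v.https), NOT intranet" }
        "[zone] $k -> $state"
    }
}
if (-not $zoneFound) { "[zone] MISSING: https://$ssoHost is in no zone list (policy or user)" }

# 2. Per-zone settings for zone 1. Assumptions: 2103 = "Allow updates to status bar via script"
#    (0 = Enabled, 3 = Disabled); 1A00 = "Logon" (0 = automatic with current credentials,
#    0x20000 = automatic only in Intranet zone, 0x10000 = prompt, 0x30000 = anonymous).
$zone1Keys = @(
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",
    "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
)
foreach ($k in $zone1Keys) {
    $z = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $z) { continue }
    if ($null -ne $z.'2103') {
        $s = if ($z.'2103' -eq 0) { "0 (enabled, OK)" } else { "$($z.'2103') (NOT enabled)" }
        "[2103] $k -> $s"
    }
    if ($null -ne $z.'1A00') {
        $ok = $z.'1A00' -in 0, 0x20000
        "[1A00] $k -> 0x{0:X} ({1})" -f $z.'1A00', $(if ($ok) { "automatic logon allowed" } else { "automatic logon BLOCKED" })
    }
}

# 3. Kerberos. The SSO page makes the browser request a service ticket for this SPN, which the
#    AZUREADSSOACC computer account in on-prem AD decrypts. If this fails, the zone settings are
#    irrelevant: fix DNS/DC reachability or the account first.
$kl = klist get $ssoSpn 2>&1 | Out-String
if ($kl -match [regex]::Escape($ssoSpn)) { "[krb] ticket for $ssoSpn issued" }
else { "[krb] FAILED to obtain ticket for $ssoSpn`n$kl" }
```

Because the post reports that SSO works as soon as the baseline GPO is denied, compare the output of this script with the policy applied and with it denied: the line that flips is the setting to carve out of the baseline.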

Azure Active Directory - Users - Source - Azure Active Directory (self-service)


Hello everyone,

we just got a new Azure Tenant and are in the process of configuring everything the way we need it. 

After a while, we noticed that three users had been created without us doing anything. These users had the source "Azure Active Directory (self-service)". They were not created by any of the three IT people on this project, and it would be impossible anyway, since only one of the IT staff has the password for the admin, which is the only active user currently in this tenant.

We did not have Azure AD Connect running at the time these three accounts were created. However, when synchronizing from our on-prem AD (we're filtering by attributes and only gave the corresponding IT accounts the attribute to sync), the accounts were changed to "Windows Server AD", which is OK.

What we did do before setting up Azure AD Connect was an external takeover of a custom domain, which for some reason had been connected to a tenant no one here knew of and which obviously did not exist anymore.

Could the three automatically created accounts have come from the (non-existent) tenant from which we took the custom domain? Where else could they have come from? Can anyone shed some light on this (I've searched for information, but couldn't find any definitive answer)?

Thanks,

Fred

Set-MsolDomainAuthentication fails when trying to set a domain as federated


I used this command to change the authentication type of my domain to federated. Later I had to change it back to managed. Now I cannot change it back to federated with the same parameters I used previously and successfully. I looked for a solution all over the internet but found no help. Similar errors were reported in multiple places, yet no straightforward answer was found.

It gives the following error:


PS Azure:\> Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $BrandName -Authentication Federated -ActiveLogOnUri $ecpUrl -SigningCertificate $MySigningCert  -LogOffURI $logoutURL -IssuerUri $Issuer -PreferredAuthenticationProtocol $Protocol
Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $B ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Administration.Automation.SetDomainAuthentication

Any idea what gives the error?


Dinix195


Azure Active Directory Graph API - Receive error on user update


We use Azure AD B2C and the Azure AD Graph API accordingly. Today (03.07.2019) we faced an issue on user update: "Invalid value specified for property 'creationType' of resource 'User'." The value for this field was set to "LocalAccount" according to the specification.

It seems that the Graph API was updated, because previously (02.07.2019) it worked properly without any issues. Could you please confirm that the API was updated, and could you also suggest how we can track these changes in time? This has a big impact on our application.

Thanks, 

SSPR from Win10 login screen


We managed to add the SSPR link to the Win10 login screen using GPO (the device is hybrid joined). However, when we click on the link we get this error message: "The sign-in method you are trying to use isn't allowed..."

According to https://community.spiceworks.com/topic/849103-you-cannot-log-on-because-the-method-is-not-allowed we have to allow log on locally.

To fix that, we granted the account the permission to log on locally.

Q1: Is that really necessary? We are using "deny log on locally" except for legitimate accounts (admins).

Now when we click on the link, we no longer get this error message, and before accessing the SSPR portal a defaultuser1 account is created. Is that normal? It seems that the problem is known: https://github.com/MicrosoftDocs/azure-docs/issues/15584

Q2: Is that normal? What is the default user used for?

Thank you in advance.

Best regards,



Moving from Hybrid Azure AD to Azure AD Standalone


I assume the logical conclusion of syncing your domain controllers to Azure AD using AADC is that, one day, the organisation will retire its on-premises domain controllers and move to cloud-only Azure AD for authentication. For example, because you have moved all your on-premises hosted apps and managed devices to the cloud. Is that assumption correct, and are there organisations which have completed this journey already?

Is there any literature explaining how this process is achieved? Presumably there's a process of switching your identity source to be Azure-only before decommissioning your on-premises domain controllers, a bit like the process for moving from SCCM Hybrid Intune to Intune Standalone?

Any suggested reading would be welcome.

SSPR - Issues getting Reset Password link on logon screen


Good morning all,

So I've been tasked with getting SSPR up and running on our hybrid-joined system. The portal, etc. is completely functional for multiple test users, but when using either Intune or GPO to add the "AllowPasswordReset" DWORD registry entry, at restart/different user login/lock screen the link does not appear below the password field. As best as I can tell our environment doesn't have any of the listed conflicts set, and as is, most of those seem to involve clicking on the link and nothing happening. I can't get the link to even appear. Does anyone have some insight/experience in troubleshooting that part?

I appreciate any and all help, thanks!

Azure role assignment alerts


How do I configure an alert when someone changes any role in Azure for a user?

For example, if currently my user is Global Admin and somebody changes him to some other admin.

So how can we configure that alert whenever there is a change in any role?
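One way to get the alert the post asks for, as an added PowerShell example (not from the post): Azure AD records every directory role membership change in the audit log under the RoleManagement category, and Microsoft Graph exposes that log at /auditLogs/directoryAudits. The script polls a lookback window and emits one record per change, rating Global Administrator changes higher; feed the output to whatever SIEM or pager you already use. Assumptions: $Token is a Graph access token with the AuditLog.Read.All application permission obtained out of band, the poll runs at least as often as the lookback window, and the target role name is carried in the modifiedProperties entry named Role.DisplayName.

```powershell
# Added example, not code from the post. Assumptions noted in the lead-in.
param(
    [Parameter(Mandatory)][string]$Token,   # Graph token with AuditLog.Read.All (assumption)
    [int]$LookbackMinutes = 10              # schedule the script at this interval or shorter
)

$since  = (Get-Date).ToUniversalTime().AddMinutes(-$LookbackMinutes).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "category eq 'RoleManagement' and activityDateTime ge $since"
$uri    = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=" + [uri]::EscapeDataString($filter)
$headers = @{ Authorization = "Bearer $Token" }

# Graph pages the result set; follow @odata.nextLink until it is absent.
$events = @()
while ($uri) {
    $page    = Invoke-RestMethod -Headers $headers -Uri $uri
    $events += $page.value
    $uri     = $page.'@odata.nextLink'
}

$alerts = foreach ($e in $events) {
    # Membership changes only: "Add member to role", "Remove member from role",
    # "Add eligible member to role" (PIM). Other RoleManagement entries are skipped.
    if ($e.activityDisplayName -notmatch 'member to role') { continue }

    # Initiator is either a signed-in user or an application (automation, PIM, etc.).
    $actor = if ($e.initiatedBy.user) { $e.initiatedBy.user.userPrincipalName }
             else                      { $e.initiatedBy.app.displayName }

    # The affected principal is the User/ServicePrincipal target; the role name travels in its
    # modifiedProperties (newValue on add, oldValue on remove), JSON-encoded, hence the quote strip.
    $target = $e.targetResources |
        Where-Object { $_.type -in 'User', 'ServicePrincipal' } | Select-Object -First 1
    $rp   = $target.modifiedProperties | Where-Object displayName -eq 'Role.DisplayName' | Select-Object -First 1
    $role = $(if ($rp.newValue) { $rp.newValue } else { $rp.oldValue }) -replace '"', ''

    [pscustomobject]@{
        Time     = $e.activityDateTime
        Activity = $e.activityDisplayName
        Actor    = $actor
        Target   = $target.userPrincipalName
        Role     = $role
        Result   = $e.result
        Severity = if ($role -eq 'Global Administrator') { 'HIGH' } else { 'MEDIUM' }
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize
```

A change such as the one in the post (Global Admin to some other admin) shows up as two records, a remove and an add, for the same target a few seconds apart, so correlate on Target rather than alerting on each line in isolation. The audit log has a limited retention window, so the poll must run continuously rather than as an occasional query.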

Azure cross-account access - Account_A --> Account_B


Hello,

I am trying to send objects from one Azure account to another one, let's say from Account_A --> Account_B.

I have been working on a coding example in Go. Here it is: https://play.golang.org/p/zrgI-szGeR7

I have two different Azure accounts. In Account_A I have an app registration where I pulled the clientID, clientSecret and tenantID for the coding example mentioned before.

In Account_B I ran the following PowerShell:

New-AzureADMSInvitation -InvitedUserEmailAddress "email" -InviteRedirectUrl "https://example.com" -SendInvitationMessage $false -InvitedUserType "Guest"

I did it that way because I do not want to redeem the invitation. The idea behind this is that a customer adds me as a guest so I can send them data from my Azure account. It might be only one customer or multiple ones, so I do not want to be redeeming 1000 invitations, for example.

I added the RBAC roles for the guest user in Account_B; however, when I run the app I get: RESPONSE Status: 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. and AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.

Of course, if I try to PUT objects in a storage account in Account_A then it works, but if I change the blob storage account in the code to one in Account_B then I get the error above.

Does it sound familiar to you?

Thanks!
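The "Issuer validation failed" message means the storage account in Account_B only accepts tokens issued by Account_B's tenant, and a token obtained with Account_A's tenant ID as the authority will never satisfy that, whatever roles the guest object holds. An added PowerShell example (not the post's Go code) of one arrangement that does work: register the Account_A app as multi-tenant, create its service principal in Account_B, assign the storage role to that service principal there, and have the app request its token from Account_B's token endpoint. It then decodes the token payload locally (no signature check; the storage service does that) to confirm the tenant before using it. The app ID, secret, tenant ID, subscription, storage account and container names are assumptions.

```powershell
# Added example, not code from the post. Assumed values are marked.
$appId        = "<app id registered in Account_A>"   # assumption: multi-tenant app registration
$clientSecret = "<client secret>"                    # assumption
$tenantB      = "<Account_B tenant id>"              # assumption
$storageScope = "https://storage.azure.com/.default"

# --- One-time setup performed by an admin of Account_B, shown as comments (AzureAD + Az
#     modules, connected to tenant B). This creates the local service principal the RBAC
#     assignment binds to; a guest user object is not needed for the app at all.
# New-AzureADServicePrincipal -AppId $appId
# New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Storage Blob Data Contributor" `
#     -Scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<acct>"

# --- Run-time: the authority is tenant B, not tenant A. That is the whole fix.
$resp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantB/oauth2/v2.0/token" `
    -Body @{ grant_type = "client_credentials"; client_id = $appId
             client_secret = $clientSecret; scope = $storageScope }

# Decode the JWT payload for a local sanity check (base64url, padding restored). This is not
# token validation; it only shows which tenant issued the token before we send it anywhere.
function Get-JwtPayload([string]$jwt) {
    $b64 = $jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}
$payload = Get-JwtPayload $resp.access_token
if ($payload.tid -ne $tenantB) { throw "Token issued by tenant $($payload.tid), expected $tenantB" }
"iss=$($payload.iss) aud=$($payload.aud) tid=$($payload.tid)"

# Use it against the Account_B storage account. Bearer auth on the Blob REST API requires
# an x-ms-version of 2017-11-09 or later.
$blobUri = "https://<account_b_storage>.blob.core.windows.net/<container>/hello.txt"   # assumption
Invoke-RestMethod -Method Put -Uri $blobUri -Body "hello from Account_A" -Headers @{
    Authorization    = "Bearer $($resp.access_token)"
    "x-ms-version"   = "2019-12-12"
    "x-ms-blob-type" = "BlockBlob"
}
```

For many customers this scales the way the post wants: each customer tenant runs the two setup lines once against the same app ID, and the app keeps a table of customer tenant IDs to use as the authority when it pushes data to that customer.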


Sync Error


I keep getting the error below.

The address SMTP:dabcd@consorto.com belongs to the current on-prem AD admin and O365 admin (dabcd@consorto.com). I do have a user on-prem and in the cloud for the On-Premises Directory Synchronization Service Account.

I have read the KBs and am totally confused about what to do.

Identity: dabcd6681@consorto1.onmicrosoft.com

Error Description: Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:dabcd@consorto.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

sourceAnchor: GgbsuX/+5E+DUUoLp6vQ6g==
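The error names the cloud object (by sourceAnchor) and the attribute value it could not write; what it does not tell you is which other on-prem object already owns that address. An added PowerShell example (not from the post) that answers that: it walks every object class Azure AD Connect synchronizes, expands the proxyAddresses lists, and reports any address held by more than one object, plus the objects behind the specific address and anchor quoted in the error. It assumes the ActiveDirectory module, read access to the forest, and the default sourceAnchor (objectGUID as base64).

```powershell
# Added example, not code from the post. Assumptions noted in the lead-in.
Import-Module ActiveDirectory

# Values taken from the error in the post; change them to match your own sync error.
$errorAddress = "dabcd@consorto.com"
$errorAnchor  = "GgbsuX/+5E+DUUoLp6vQ6g=="

# Users, contacts and groups can all carry proxyAddresses and all of them sync,
# so a duplicate can sit on any of them (including disabled or stale objects).
$objects = Get-ADObject -LDAPFilter "(|(objectClass=user)(objectClass=contact)(objectClass=group))" `
    -Properties proxyAddresses, mail, userPrincipalName, distinguishedName, objectGUID

# One row per (address, object). The SMTP:/smtp: prefix is stripped and the address lower-cased
# so primary and secondary aliases collide, which is how the service compares them.
$rows = foreach ($o in $objects) {
    $anchor = [Convert]::ToBase64String($o.objectGUID.ToByteArray())   # default sourceAnchor
    foreach ($a in @($o.proxyAddresses)) {
        if (-not $a) { continue }
        [pscustomobject]@{
            Address = ($a -replace '^smtp:', '').ToLowerInvariant()
            Object  = $o.distinguishedName
            Anchor  = $anchor
        }
    }
}

# 1. Every address owned by more than one object.
$dupes = $rows | Group-Object Address | Where-Object Count -gt 1
foreach ($g in $dupes) {
    "DUPLICATE $($g.Name):"
    $g.Group | ForEach-Object { "    $($_.Object)  [sourceAnchor $($_.Anchor)]" }
}
if (-not $dupes) { "No duplicate proxyAddresses found among synced object classes." }

# 2. The specific address from the error, and which of its holders is the object the
#    error refers to (anchor match) versus the one that got there first.
"Holders of $errorAddress :"
$rows | Where-Object Address -eq $errorAddress.ToLowerInvariant() | ForEach-Object {
    $tag = if ($_.Anchor -eq $errorAnchor) { "<- object named in the sync error" } else { "<- already owns the address" }
    "    $($_.Object)  $tag"
}
```

Once the second holder is known, fix it on-prem (remove the stale alias or merge the objects) and let the next sync cycle clear the error; the KB the error links to describes the same duplicate-value check, this script just does the search in one pass.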


Multiple apps using Shibboleth SP to a single Azure Active Directory tenant

I have two applications hosted on a server using Shibboleth SP to authenticate against an AAD tenant. The issue is that while there are two application definitions in the AAD tenant for the applications the corresponding IDP metadata use the same entityID for both apps. This causes an issue in Shibboleth because the application definitions there use the IDP entityID to determine which metadata to use for the app and it cannot differentiate between the two. Either the applications in AAD need to use different IDP entityIDs or the same signing cert for both applications. It's the signing cert that's throwing the error.

Surface Headphones: a few features not working, what should I do?


I recently purchased a pair of Surface Headphones after reading a review and via their link, and there are a lot of things that I like about them. However, many of their basic features randomly stop working at least half of the time. These include the noise cancellation dial and the touch commands (the volume dial always works). These features stop working unpredictably, and this is very frustrating considering this device is $350.

When this occurs, the noise cancellation setting is stuck on whatever it was previously set to. I've tried updating using the PC app, disconnecting and reconnecting, forgetting and re-pairing, and resetting to factory settings, but nothing has worked.

When these features DO work, they don't work very well: the touch gestures are very inconsistent compared to, say, Apple AirPods. One- and two-tap gestures are too often mistaken for one another, and I have been unable to find a method of consistently getting the desired gesture. The ambient sound amplification seems to toggle between the highest setting and a slightly lower setting during phone calls, so that I periodically can't hear myself speaking as clearly.

I haven't seen anyone else online mention any of these issues. I was wondering if any of you have experienced some of these and know a fix. VERY disappointed with this device :(

Windows 10 Web Sign-In Query


We would like to clear up the queries below for the Windows 10 Web Sign-In solution.

1) Is the Web Sign-In solution with Windows 10 ready for implementation? The Microsoft site states it is in "Preview" only. Can we roll it out in Equate? Please provide some details.

2) For the Web Sign-In solution with Windows 10, one of the requirements states that all machines (laptop/tablet etc.) must be joined to Azure AD. Equate users use lots of on-prem domain AD-connected services such as printers, file shares, Kerberos authentication and other applications with direct domain authentication. What would be the way forward for on-prem domain-connected applications with Azure AD joined PCs?

