Channel: Azure Active Directory forum

Get-AzRoleAssignment : Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.


I am trying to use the cmdlet Get-AzRoleAssignment with a service principal, as advised, but I receive an error when doing this: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.

I tried to add a Graph API permission, but that did not help. Maybe I am missing something, but I can't find the requirements for this cmdlet.

I already added:
Besides the API permissions, the account is an owner and is able to run other cmdlets without error.

Version:

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Get-AzRoleAssignment                               1.3.0      Az.Resources

Bart Scheltinga | www.bartsp34ks.nl | MCSA



Cannot reset a password

Hello,

For authentication on our page we use Azure Active Directory B2C. We've received a complaint from one user that he cannot log in and cannot reset his password.

So I've entered the portal and clicked Reset Password:

I've generated a new temporary password...

I've tried to use it, but it didn't work. The result is this:

In the Sign-ins log I found this record:

Is this a bug or are we doing something incorrectly?

Thank you!

Resend a Guest Invite via Powershell


Hello All,

We have a number of guests with expired invites (past 90 days). Is there a different cmdlet for the renewal, or do I just use New-AzureADMSInvitation once more?

Thanks in advance

Josh

Azure AD. IDP initiated single logout


Hihi,

I need to get IdP-initiated SLO working without errors. I have configured my logout endpoint in Azure and on the SP, using the SLO URL provided by the IdP metadata.

When I send the SAML logout response I get:

Request Id: 7af0ad15-1452-4da5-8eda-fe62607d0300
Correlation Id: d341f8d7-8352-4d86-b0a3-3777154de06b
Timestamp: 2019-07-04T10:44:05Z
Message: AADSTS7500513: The message type 'Microsoft.AzureAD.Protocols.Saml2.LogoutResponse' is not a supported type of SAML request. Supported SAML requests are AuthnRequest and LogoutRequest.

I'm sending the logout response to:
https://login.microsoftonline.com/{id}/saml2

Is this the correct URL for the SLO response? I grabbed it from the Azure metadata for my app.

Here is a copy of the SAML logout request from Microsoft and my SAML response:

<samlp:LogoutRequest ID="_3b603b51-6fe6-4e51-ad00-4fe36d6037c9"
                     Version="2.0"
                     IssueInstant="2019-07-04T10:44:04.786Z"
                     Destination="https://example.com/sp/logout.php"
                     NotOnOrAfter="2019-07-04T11:44:04.786Z"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/09fa5f0e-2118-4656-8529-677ed8fdbe78/</Issuer>
    <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">f0WO8-FtB9LJX_KZQxsJS4mWGvzhPfkJCHfMXglrBBU</NameID>
    <samlp:SessionIndex>_0e40640e-c37b-4d8f-8887-b16da25d0400</samlp:SessionIndex>
</samlp:LogoutRequest>
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="ONELOGIN_bff897c0ccaa51b32e92ea44b9061344bce9432b"
                      Version="2.0"
                      IssueInstant="2019-07-04T10:43:57Z"
                      Destination="https://login.microsoftonline.com/{{id}}/saml2"
                      InResponseTo="_3b603b51-6fe6-4e51-ad00-4fe36d6037c9"
>
    <saml:Issuer>https://example.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>
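A worked example of the SP side of this exchange, added here and not part of the post above or of Azure AD's own code: it validates the LogoutRequest quoted above (Destination, Issuer, NotOnOrAfter) before ending the local session, and then builds the LogoutResponse with InResponseTo set to the request's ID. SP_ENTITY_ID and IDP_SLO_URL are assumed placeholders (the tenant ID in the SLO URL is taken from the quoted Issuer), and XML signature verification is assumed to happen before these checks. Which Azure AD endpoint accepts the response is the open question of the post and is not settled here.

```python
"""SP-side handling of an IdP-initiated SAML 2.0 single logout (added example).

Standard library only. XML signature verification must precede these checks.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

# Destination and Issuer are taken from the quoted request; SP_ENTITY_ID and
# IDP_SLO_URL are assumptions (the tenant ID is the one in the Issuer).
SP_LOGOUT_URL = "https://example.com/sp/logout.php"
SP_ENTITY_ID = "https://example.com"
IDP_ENTITY_ID = "https://sts.windows.net/09fa5f0e-2118-4656-8529-677ed8fdbe78/"
IDP_SLO_URL = "https://login.microsoftonline.com/09fa5f0e-2118-4656-8529-677ed8fdbe78/saml2"

# The LogoutRequest quoted in the post, embedded as test input.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest ID="_3b603b51-6fe6-4e51-ad00-4fe36d6037c9"
                     Version="2.0"
                     IssueInstant="2019-07-04T10:44:04.786Z"
                     Destination="https://example.com/sp/logout.php"
                     NotOnOrAfter="2019-07-04T11:44:04.786Z"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/09fa5f0e-2118-4656-8529-677ed8fdbe78/</Issuer>
    <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">f0WO8-FtB9LJX_KZQxsJS4mWGvzhPfkJCHfMXglrBBU</NameID>
    <samlp:SessionIndex>_0e40640e-c37b-4d8f-8887-b16da25d0400</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class LogoutRequestError(ValueError):
    """Raised when the LogoutRequest must be rejected."""


def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2019-07-04T11:44:04.786Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_logout_request(xml_text, now_utc):
    """Check the request and return (request_id, name_id, session_index).

    now_utc is an xs:dateTime string so callers (and tests) can pin the clock.
    """
    now = parse_instant(now_utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise LogoutRequestError("not a samlp:LogoutRequest")
    # A request addressed to another SP must not terminate sessions here.
    if root.get("Destination") != SP_LOGOUT_URL:
        raise LogoutRequestError("Destination mismatch")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != IDP_ENTITY_ID:
        raise LogoutRequestError("unexpected Issuer")
    # Reject stale requests: limits replay of a captured LogoutRequest.
    not_on_or_after = root.get("NotOnOrAfter")
    if not_on_or_after and now >= parse_instant(not_on_or_after):
        raise LogoutRequestError("LogoutRequest expired")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise LogoutRequestError("missing NameID")
    session_index = root.find("samlp:SessionIndex", NS)
    index_text = session_index.text.strip() if session_index is not None and session_index.text else None
    return root.get("ID"), name_id.text.strip(), index_text


def logout_request_problem(xml_text, now_utc):
    """Same checks as validate_logout_request, returning a message instead of raising."""
    try:
        validate_logout_request(xml_text, now_utc)
    except LogoutRequestError as exc:
        return str(exc)
    return None


def build_logout_response(request_id, issue_instant_utc, response_id=None):
    """Build a Success LogoutResponse correlated to request_id via InResponseTo."""
    attrs = {
        # xs:ID values must not start with a digit, hence the leading underscore.
        "ID": response_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant_utc,
        "Destination": IDP_SLO_URL,
        "InResponseTo": request_id,
    }
    response = ET.Element("{%s}LogoutResponse" % NS["samlp"], attrs)
    ET.SubElement(response, "{%s}Issuer" % NS["saml"]).text = SP_ENTITY_ID
    status = ET.SubElement(response, "{%s}Status" % NS["samlp"])
    ET.SubElement(status, "{%s}StatusCode" % NS["samlp"], {"Value": STATUS_SUCCESS})
    return ET.tostring(response, encoding="unicode")


def handle_idp_logout(xml_text, now_utc, terminate_session):
    """Validate the request, end the local session, and return the response XML."""
    request_id, name_id, session_index = validate_logout_request(xml_text, now_utc)
    terminate_session(name_id, session_index)
    return build_logout_response(request_id, now_utc)
```

The order matters: the local session is only terminated after Destination, Issuer and NotOnOrAfter have been checked, and the response carries the request's ID so the IdP can correlate it. The response goes to the IdP's logout endpoint, which on this page is the point still in question.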
Azure Hybrid Join with Multiple Forests


Hi,

Currently we have 2 federated forests syncing to a single Azure tenant, and the devices are enrolled in classic Intune using the Intune client. I am planning to implement Azure hybrid join to enable the existing bulk enrolment of devices into Azure AD, and I just need some clarification on the following.

1. Does Azure Hybrid Join support multi-forest topologies?

2. How do I re-enrol the existing PCs in the 'modern' Intune?

Thanks in advance.

Access Token missing Optional Claims that are Schema Extensions - Implicit Grant Flow


We are trying to get a Schema Extension on a User object to appear in an Access Token acquired using the Implicit Grant Flow but have been unsuccessful.

We've successfully created the schema extension and updated a user to provide a value for that schema extension.

We've created an App Registration and configured the Implicit Grant to include both Access Tokens and ID Tokens. The Supported Account Types are "Accounts in any organization".

The App Registration's Manifest has been updated to include the configuration of two optional claims per token.  We used the "UPN" and our schema extension.
The "UPN" appears in both the ID Token and the Access Token.
However, the schema extension only appears in the ID Token and NOT in the Access Token.

We know that the user's schema extension value has been successfully set based on Graph API queries and by the fact that it appears in the ID Token. But it does not appear in the Access Token.

We have seen that acquiring a token via the Resource Owner Grant Flow results in the extension property appearing in the access token in that flow.
However, when using the Implicit Grant Flow the schema extension is not included in the access token.

Here is the documentation referenced:

Creating the Schema Extension:
Used both of these methods for creating a Schema Extension. The first one uses the Azure AD Graph API and the second uses the MS Graph API. Both successfully provide the ability to add properties to the User object. But it does not matter which is used, because neither one ends up in the access token when using the Implicit Grant Flow.

Directory schema extensions | Graph API concepts
https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions

Add custom data to groups using schema extensions
https://docs.microsoft.com/en-us/graph/extensibility-schema-groups

Followed this for providing the optional claims...
How to: Provide optional claims to your Azure AD app
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Used this quickstart app to test login and acquisition of tokens...
Quickstart: Sign in users and acquire an access token from a JavaScript single-page application (SPA)
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript#option-1-register-and-auto-configure-your-app-and-then-download-your-code-sample

Question:

What additional configuration is necessary to successfully include a schema extension of a user object within an Access Token via the Implicit Grant Flow?

Help with Dynamic Groups in Azure AD (advanced query)


Hello.

I would like to attain the following using Dynamic Groups in Azure AD

From a current Azure AD group of users, I would like to populate another group with the devices assigned to/owned by those users.

I can see in Powershell, the following:

## Show all users in the current group
$pusers = Get-AzADGroupMember -GroupDisplayName "Test_Windows10_Users"

## Get the device IDs for each device owned by the users in the group "Test_Windows10_Users"
$pusers | ForEach-Object { Get-MsolDevice -RegisteredOwnerUpn $_.UserPrincipalName } | Format-Table DisplayName, DeviceId -AutoSize

So is there a way to use dynamic groups to add devices to a group when the users are added to another?

Cheers in advance

:) 

Self service password reset Implement according to General Data Protection Regulation


Hi Team,

I am planning to implement Azure self-service password reset in my environment in accordance with the General Data Protection Regulation process.

Can you please suggest or help me with how I can implement it, and is there any point I should take note of before starting?

Please send me links as well.

Thanks in advance.

Thanks & Regards,

Devendra Singh


Thanks Devendra B2-Consulate(Capgemini)


Azure Active Directory Graph API - Receive error on user update


We use Azure AD B2C and the Azure AD Graph API accordingly. On Friday (28.06.2019) we faced an issue on user update: "Invalid value specified for property 'creationType' of resource 'User'.". The value for this field was set to "LocalAccount" according to the specification.

It seems that the Graph API was updated last week, because previously it worked properly without any issues. Could you please confirm that the API was updated, and could you please also suggest how we can track these changes in time? It has a big impact on our application.

Thanks, 

Yauheniya

Do you want to be acknowledged as the next Azure AD Guru? Submit your work to July 2019 competition!


What is TechNet Guru Competition?

Each month Microsoft TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in a dedicated blog post that will be published in the Microsoft Wiki Ninjas blog, a tweet from the Microsoft Wiki Ninjas Twitter account, links will be published at the Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in July 2019 and must be in English. However, the original blog or forum content can be from before July 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share that knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is add your article to TechNet Wiki in your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but Recommended) Add a link to your article at the TechNetWiki group on Facebook to get feedback and tips from the council members and from the community. The group is very active and people love to help. You can even get direct improvements to your article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about the TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.

PS: Above top banner came from James van den Berg.


S.Sengupta,Microsoft MVP Windows and Devices for IT, Windows Insider MVP

Would setting "http_proxy" environment variable cause any problems on windows server 2012

       

I have an application on a Windows 2012 server in our environment.
I need to provide it http/https connectivity to the internet.
It is written in Go, which uses environment variables to get proxy information.
The instructions from the vendor are:
1) Open “Properties” under “This PC”.
2) Select “Change Settings”.
3) Go to Advanced Tab, “Environment Variables".
4) Add a System variable called “HTTP_PROXY” and set the value to http://ipaddress:port
E.G. http://10.1.1.1:128/

The server has Azure AD connect on it as well.
Would setting this variable cause any problems and any things to keep in mind before setting this?

No tenant found in the context

First I log in to Azure with the command "Connect-AzAccount" through the PowerShell console installed on my local machine. But when I use the command "New-AzResourceGroup", it returns the error "No tenant found in the context. Please ensure that the credentials you provided are authorized to access an Azure subscription, then run Connect-AzAccount to login." How should I solve this problem?

IDX10214: Audience validation failed. Audiences: '[PII is hidden]'.


I created an app in AAD, and I configured my Web App service authentication to "Log in with Azure Active Directory" with the created app.

Accounts in my organization can log in successfully when signing in from a browser.

But when I try to call the service from Postman after successfully getting a token,

it returns the following result:

{
    "code": 401,
    "message": "IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'."
}

Could anyone help me figure out what configuration I missed in my registered app?

Any suggestion would be appreciated.



Azure AD Connect


Hi,

Would anybody know if there is a restriction on which OUs can be synced to Azure AD from the local on-prem AD?

I'm trying to sync:

CN=Application Contacts,CN=RTC Service,CN=Services,CN=Configuration,DC=***,DC=***

However, this doesn't show up in the GUI to be chosen, and when adding the path manually via Advanced, it doesn't pick it up when running a Full Sync (no additions appear).

Does Azure AD Connect not pick this up because of some default rule?

Thanks in advance.

Administrative Units in AAD - Add-MsolAdministrativeUnitMember : Invalid value for parameter.


I am trying to add a user to an Administrative Unit, but I keep getting the following exception. I have tried every combination. Any thoughts?

Add-MsolAdministrativeUnitMember -AdministrativeUnitObjectId 234803fa-674b-4f06-b99f-acdf1b5ab0c8 -AdministrativeUnitMemberObjectId 3375cc9c-fba3-446d-abb3-6f982a569d34 -TenantId a8f7fff8-b78b-4252-9017-de3846963668
Add-MsolAdministrativeUnitMember : Invalid value for parameter.  Parameter name: .
At line:1 char:1
+ Add-MsolAdministrativeUnitMember -AdministrativeUnitObjectId 234803fa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Add-MsolAdministrativeUnitMember], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyValidationException,Microsoft.Online.Administration.Automation.AddAdministrativeUnitMember


Azure AD Password Reset Fails - ADAdminActionRequired ( Writeback & Pass Through AuthN Mode )


When I try to reset the password for an on-prem account from Azure AD, it fails with the reason ADAdminActionRequired.

This is happening inconsistently for a few accounts. Any solution would be appreciated.

Thanks in Advance

Audience validation failed.


Something wrong with my token???

Failed to validate the access token with the following errors.

{
    "code": 401,
    "message": "IDX10214: Audience validation failed. Audiences: '[PII is hidden]'. Did not match: validationParameters.ValidAudience: '[PII is hidden]' or validationParameters.ValidAudiences: '[PII is hidden]'."
}

Azure cross-account access - Account_A --> Account_B


Hello,

I am trying to send objects from one Azure account to another one, let's say from Account_A --> Account_B.

I have been working on a coding example in Go. Here it is https://play.golang.org/p/zrgI-szGeR7 -

I have two different Azure accounts. In Account_A I have an app registration, from which I pulled the clientID, clientSecret and tenantID for the coding example mentioned before.

In Account_B I ran the following PowerShell :

New-AzureADMSInvitation -InvitedUserEmailAddress "email" -InviteRedirectUrl "https://example.com" -SendInvitationMessage $false -InvitedUserType "Guest"

I did it that way because I do not want to redeem the invitation. The idea behind this is that a customer adds me as a guest so that I can send them data from my Azure account. It might be only one customer or multiple ones, so I do not want to be redeeming 1000 invitations, for example.

I added the RBAC roles for the guest user in Account_B; however, when I run the app I get: RESPONSE Status: 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. and AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.

Of course, if I try to PUT objects in a storage account in Account_A it works, but when I change the blob storageAccount in the code to one in Account_B I get the error above.

Does it sound familiar to you?

Thanks!
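The two IDX10214 posts above (Audience validation failed) and this cross-account post (Issuer validation failed) are the same class of check, so here is one added example, not code from any of these posts or from Microsoft: it decodes the claims of a JWT and applies the audience, issuer and expiry checks, reporting mismatches the way the middleware does. The token, the audience "api://contoso-api" and the client ID in the test are constructed; the tenant IDs are ones that appear elsewhere on this page. Signature verification against the tenant's published signing keys is a separate, mandatory step that is not shown.

```python
"""Audience, issuer and expiry checks on an Azure AD JWT (added example).

Signature verification against the tenant's signing keys must precede these
checks; it is deliberately not part of this snippet.
"""
import base64
import json


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Return the payload of a compact JWS as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def make_test_token(claims):
    """Constructed alg=none token for offline tests only; never accept alg=none in production."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s." % (header, payload)


def expected_issuers(tenant_id):
    """Issuers a token for this tenant may carry: v1.0 (sts.windows.net) or the v2.0 endpoint."""
    return {
        "https://sts.windows.net/%s/" % tenant_id,
        "https://login.microsoftonline.com/%s/v2.0" % tenant_id,
    }


def audience_problem(claims, valid_audiences):
    """None if some `aud` value is in valid_audiences, else a message in the shape of IDX10214.

    `aud` may be a string or a list; one match against the configured set is enough,
    which mirrors ValidAudience / ValidAudiences in the middleware.
    """
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if any(a in valid_audiences for a in audiences):
        return None
    return "IDX10214: Audience validation failed. Audiences: %s. Did not match: %s" % (
        ", ".join(map(str, audiences)), ", ".join(sorted(valid_audiences)))


def issuer_problem(claims, tenant_id):
    """None if `iss` belongs to tenant_id; a token minted by another tenant is rejected."""
    iss = claims.get("iss")
    if iss in expected_issuers(tenant_id):
        return None
    return "Issuer validation failed. Issuer %r did not match tenant %s" % (iss, tenant_id)


def expiry_problem(claims, now_epoch, skew=300):
    """None if the token has not expired (allowing a small clock skew)."""
    exp = claims.get("exp")
    if exp is None:
        return "missing exp claim"
    if now_epoch > exp + skew:
        return "token expired at %d" % exp
    return None


def validate(token, valid_audiences, tenant_id, now_epoch):
    """Return the list of problems found (empty means the claims are acceptable)."""
    claims = decode_claims(token)
    problems = [
        audience_problem(claims, valid_audiences),
        issuer_problem(claims, tenant_id),
        expiry_problem(claims, now_epoch),
    ]
    return [p for p in problems if p]
```

Running decode_claims on the token that Postman sends and comparing its `aud` and `iss` with what the receiving side is configured to accept is the quickest way to see which of the hidden values in the IDX10214 message differ: a token issued for one resource (or by one tenant) will not be accepted by an app configured for another.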


Location based Azure Conditional Access policy doesn't work properly

I have some problems in configuring Azure Conditional Access.

I would like to restrict logon capabilities to one location (one external IP). This is the case where users can only log on to their O365 accounts while inside their office. And it works, but only partially.

1. Browser session. Let's say that the user has logged in in the office and went home, or, to be precise, changed the external IP on which the policy is based. The user should now not be allowed to use the O365 account or any of its functionality. After some testing performed in my office, this doesn't work properly. I can still access some of the applications after switching to another external IP. Some of them are blocked after a few seconds, some after a few minutes and some never (Outlook, Calendar), while every app is included in the CA policy.

I have a feeling that it depends on the auth tokens used in O365. Is there any possibility to force checking the external IP every time a user does something on his account? How do I configure CA in a way that prevents the situations I described above? I tried the session policy settings in CA, but they do not seem to work.

If it helps, test users are assigned Azure AD Premium P2 licences.

Do you have any ideas?

Azure Active Directory - Users - Source - Azure Active Directory (self-service)


Hello everyone,

we just got a new Azure Tenant and are in the process of configuring everything the way we need it. 

After a while, we noticed that three users had been created without us doing anything. These users had the source "Azure Active Directory (self-service)". These users were not created by any of the three IT people in this project, and it would be impossible anyway, since only one of the IT staff has the password for the admin, which is the only active user currently in this tenant.

We did not have Azure AD Connect running at the time of the creation of these three accounts. However, when synchronizing from our on-prem AD (we're filtering by attributes and only gave the corresponding IT accounts the attribute to sync), the accounts were changed to "Windows Server AD", which is ok.

What we did do before setting up Azure AD Connect, was an external take-over of a custom domain, which for some reason, had been connected to a Tenant no one here knew of and which obviously did not exist anymore.

Could the three automatically created accounts have come from the (non-existent) tenant from which we took the custom domain? Where else could they have come from? Can anyone shed some light on this (I've searched for information but couldn't find a definitive answer)?

Thanks,

Fred
