Hihi,

I need to get IDP initiated SLO working without errors. I have configured my logout endpoint in azure and the on the SP, using the SLO url provided by the IDP metadata.

When I send the saml logout response I get:

Request Id: 7af0ad15-1452-4da5-8eda-fe62607d0300
Correlation Id: d341f8d7-8352-4d86-b0a3-3777154de06b
Timestamp: 2019-07-04T10:44:05Z
Message: AADSTS7500513: The message type 'Microsoft.AzureAD.Protocols.Saml2.LogoutResponse' is not a supported type of SAML request. Supported SAML requests are AuthnRequest and LogoutRequest.

I'm sending the logout response to:
https://login.microsoftonline.com/{id}/saml2

Is this correct url for the response SLO response? I grabbed it from the azure metadata for my app.

Here is copy of the SAML logout request from microsoft and my SAML response:

<samlp:LogoutRequest ID="_3b603b51-6fe6-4e51-ad00-4fe36d6037c9"
                     Version="2.0"
                     IssueInstant="2019-07-04T10:44:04.786Z"
                     Destination="https://example.com/sp/logout.php"
                     NotOnOrAfter="2019-07-04T11:44:04.786Z"
                     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/09fa5f0e-2118-4656-8529-677ed8fdbe78/</Issuer>
    <NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">f0WO8-FtB9LJX_KZQxsJS4mWGvzhPfkJCHfMXglrBBU</NameID>
    <samlp:SessionIndex>_0e40640e-c37b-4d8f-8887-b16da25d0400</samlp:SessionIndex>
</samlp:LogoutRequest>






<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="ONELOGIN_bff897c0ccaa51b32e92ea44b9061344bce9432b"
                      Version="2.0"
                      IssueInstant="2019-07-04T10:43:57Z"
                      Destination="https://login.microsoftonline.com/{{id}}/saml2"
                      InResponseTo="_3b603b51-6fe6-4e51-ad00-4fe36d6037c9"
>
    <saml:Issuer>https://example.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
</samlp:LogoutResponse>

Hi Team,

I am planning to implement Azure self service password on my environment according to General Data Protection Regulation process.

So can you please suggest me or help me how I can implement and before start is there any point which should be mark .

Please send me link also.

Thanks in advance.

Thanks & Regards,

Devendra Singh

Thanks Devendra B2-Consulate(Capgemini)

We are trying to get a Schema Extension on a User object to appear in an Access Token acquired using the Implicit Grant Flow but have been unsuccessful.

We've successfully created the schema extension and updated a user to provide a value for that schema extension.

We've created an App Registration, and configured the Implicit Grant to incldue both Access Tokens and ID Tokens.  And the Supported Account Types are "Accounts in any organization".

The App Registration's Manifest has been updated to include the configuration of two optional claims per token.  We used the "UPN" and our schema extension.
The "UPN" appears in both the ID Token and the Access Token.
However, the schema extension only appears in the ID Token and NOT in the Access Token.

We know that user's schema extension value has been successfully set based on Graph API queries and by the fact it appears in the ID Token.  But is does not appear in the Access Token.

We have seen that acquiring a token via the Resource Owner Grant Flow results in the extension property appearing in the the access token in that flow.
However, when using the Implicit Grant Flow the schema extension is not included in the access token.

Here is the documentation referenced:

Creating the Schema Extension:
Used both of these methods for creating a Schema Extension.  First one uses the Azure AD Graph API and the second uses the MS Graph API.  Both successfully provide the ability to add properties to the User object.  But it does not matter which is used because niether one ends up in the access token when using the Implicit Grant Flow.

Directory schema extensions | Graph API concepts
https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions

Add custom data to groups using schema extensions
https://docs.microsoft.com/en-us/graph/extensibility-schema-groups

Followed this for providing the optional claims...
How to: Provide optional claims to your Azure AD app
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Used this quickstart app to test login and acquisition of tokens...
Quickstart: Sign in users and acquire an access token from a JavaScript single-page application (SPA)
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript#option-1-register-and-auto-configure-your-app-and-then-download-your-code-sample

Question:

What additional configuration is necessary to successfully include a schema extension of a user object within an Access Token via the Implicit Grant Flow?

Hi, 

This document 

https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanage-apps%2Fuse-scim-to-provision-users-and-groups

step 8 states : If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional Secret Token field.

I am using Azure AD as my identity provider, so I should not have to paste anything in it, but it doesnt let me proceed because the field is required. 

I cant find any information on how to generate the required oauth token for the directory as mentioned in step 8. Here is a url encoded link to an image on onedrive. (Forum doesnt allow links or images for new accounts). 

https%3A%2F%2F1drv.ms%2Fu%2Fs%21AgjZ1yvBvXt8kHWMKinpAF9Wi0mr%3Fe%3DWv0IXC

I have been working on this for 3 days now but I can't seem to resolve it. I already followed the guides but still cannot able to access my fhir server. Though I was able to access it using postman and it works fine. But I don't want a login pop since my backend code (php) will be communicating the fhir server. So I followed the guide but after I the token was generated then tried to access the resource (https://this-is-test-blahblah.azurehealthcareapis.com/Patient).

I'm used to connecting with 3rd party api (just provided with token key), but im having trouble with azure's way of authenticating. Can you point me to the right direction?

Good morning

I have been asked to take an existing powershell script and make direct Microsoft Graph Calls.  The command(s) is Add-MsolRoleMember (also Remove-MsolRoleMember).  The pattern powershell uses 

Add-MsolRoleMember -RoleObjectId [GUID] -RoleMemberEmailAddress [EMAIL ADDRESS]

I am trying to build this using C# and the Microsoft Graph API.  I don't seem to see documentation for how to do this (or at least what to call it).  I see some directory roles examples but I didn't think that they were the same thing.  I have seen it stated that Powershell is leveraging the Microsoft Graph API but I don't see it outside of the BETA version.  Any help would be appreciated.

Update.

I keep seeing references to having to use Azure Graph instead because Microsoft Graph still has functionality in Beta and not supported.  I can pull all role assignments using Azure Graph this way

$"https://graph.windows.net/{settings.TenantID.value}/users/[ID}/appRoleAssignments?api-version=1.6";

I don't see how to add or remove from the list I get back.  They in fact look on the surface like applications to me.  I assume that these are different from directory roles so I cannot seem to find the correct call.  At this point if I could add and remove roles using Azure Graph I would be pleased because I presume that is what the powershell command is doing.  

Thank you

I get the following error when i try to sign in to Azure Portal with a newly created user.

Something went wrong. Try again in a few minutes. If this doesn't work, contact your admin and report the following error: 50000

When I look at activities for the new user, the Sign-ins show that Status: Interrupted, Sign-in error code: 50055, Failure reason: Invalid password, entered expired password.

How can this be if i just created the user and i plug in the temp password given to me by Azure?  When i try to change it the error above is what comes up.  I cant get passed this issue.  Can anyone point me in the right direction please?

I created this users because when i try to publish a web app from Visual Studio with my current credentials, it tells me that i cant use a personal account, that i need to use a work or school account.  I am terribly confused and stuck right now.

Is there a way to assign azure reader role to reserved VM instance?

I'm trying to use management.azure.com/roleassignments endpoint with no luck.

I need request uri like below

https://management.azure.com/{subSegment}/roleAssignments/{Guid.NewGuid()}?api-version=2015-07-01

to make role assignment for reserved vm.

I've been looking here

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest

But this only describes subscription but I need to do this for reservation.

I have reservationOrderId and reservationId.

Cheers,

Adam

Hi Team,

I've Query regarding Azure directory users, i've VNET1 having Azure Directory and created multiple users in it that manages the resources in same VNET1. Can the users created in Azure Directory for VNET1 will have access to VNET2 resources like VM's and storage? Or do i need to create separate Azure AD in VNET2 and sync it with the Azure AD in the VNET1.

Is Azure subscription need to be considered here for this scenarios

Note:- V-net to V-net peering over IPSec tunnel is created between VNET1 & VNET2.

Amey naik

We've moved all resources from one Azure account to another, including our Azure DevOps resource. I'm trying to disconnect our Azure DevOps organization from the old Azure Active Directory so that I can re-connect it to the new Azure Active Directory. I am following the instructions at https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/change-azure-ad-connection?view=azure-devops

I have changed the owner of the organization to a personal Microsoft account and added it to the Project Collection Administrator group. I have Global Admin in Azure AD. When I attempt to disconnect the directory inside of Azure DevOps, I get the following error:

What further can I do to get this switched over?

have an Azure AD (with AD connect syncing it to local AD).

I added a new On premise mobile management application through AAD-> Mobility(MDM and MAM)-> Add application ->On-premise MDM.

I have configured the terms of url and discovery url to my on-premise MDM server. I have checked that link is reachable and working from any location.

I have assigned Enterprise mobility license to the user.

When I try to join an existing windows 10 device to AAD the terms of use url is not rendered, instead it throws below error.

If I remove the MDM application the AAD join is successful.

I have checked license and URL access what am I doing wrong?

Hi Team,

We have one domain controller who is creating replication issue on all domain controller (from starting it is not working) .we are planning to demote this DC but getting some error during dcpromo (asking Partner DC replication server) if I use dcprpmo /forceremoval what it will do.

Is it work only this DC or it will create issue to other DCs.

Or Can I keep this server in power off state.

Thanks & Regards,

Devendra Singh

Thanks Devendra B2-Consulate(Capgemini)

Dear All, 

I am using Azure B2C for the authenticating my web application and API. 

After user logged in the web application I generating the access token using below code to establish the secure communication to my API. the question is How do I refresh the token if it is expired and is this the right way to do. 

                var authContext = new AuthenticationContext(authority,false);
                var credential = new ClientCredential(appId, appSecret);
                var authResult = await authContext.AcquireTokenAsync(resourceId, credential);
                var token = authResult.AccessToken;
                client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

as of now, I am generating the access token for each and every request to the API which I do not wanted do.

what would be the right way to implement this and how to refresh the access token only if it is got expired. 

Selvakumar Rathinam

The long title says it all. Can't upload the screenshot but, I have downloaded the configuration server OVA file, and have installed the server. The Azure Site Recovery tool starts up, and wants me to sign in with an ID to register my server with Azure. I keep getting the error: 

Configuring identity for server in Azure Active Directory 

Insufficient privileges to complete the operation. 

Have tried with many different forms of IDs. It doesn't seem to follow any set pattern. Can anyone tell me exactly WHAT role does an ID require, to be able to create this identity in AAD? I have had no luck with our orginization's ID. I don't want to ask for a global administrator account. 

Any help would be great. 

I have a requirement to use 2 separate Azure AD tenants, the a subset of users will be synced from a single AD domain to the 2 tenants we will filter on OU’s ensuring users are synced to the correct tenant, we then wish to hybrid domain join all the devices into a single tenant and create policies for them, therefore is a user logs onto a device which has the user object in one Azure AD and the device object in another will the Intune policies set against the device in the Azure AD tenant containing the device take effect if the user logs in using an account in the other Azure AD(this account will have an Intune license assigned against it but device account with policies will be in another tenant )

Hi,

I am looking for an alert rule which will trigger whener there is any role assignment in my environment for .e.g if somebody has assigned Global ADmin role i should recieve alert with the details.

JUST FYI:

I have tried to create with the monitoring alerts i am recieving email but there is no specification that what is the reason behind that email like it is not showing that somebody has assigned GA role or anything.

I was unable to find alert rule in PIM as well, if you are suggesting any answer kindly request you to share the rule what to select, as my description is simple need alert via email whenever there is any role assignment in my tenant with some description

  I have taken over for a company that has joined their domain to AAD. I did not do the join and my account in AD that is synced does not have the .onmicrosoft.com. The one person that can add systems to the AAD in Azure has this as part of his account. My account that was synced is in the AAD global admin group but does not seem to work. When I try to add a system to the Azure domain it stated my user name or password is incorrect. I have created a new user in AAD and added to global admin group but that did not work. It states account is locked and I can't find any place that shows the account is locked. Can someone shed some light on this for me?

Thanks 

I need to export to a CSV file a list of Azure AD users with display name and email address, but need to specify certain email domains.  The users are a mix of Guest and Member users.

Can anyone tell me how I would do this? 

I have the following, which obtains all users.

Get-AzureADUser -all $True| Export-Csv C:\Test\test1.csv

But I need to filter on certain email domains.

Hi,

There are lots of different ways to sync AD to AAD and enable SSO etc. but would like some advice on the best/easiest way to do this based on my scenario.

90% of our users are local and have a local AD account they use to log on to their devices.

10% are remote and log on as a local user on their devices.

All users have an O365 account they use to log in to online services.

Looking at a local AD user on the Account tab they have both the local (@acme.local) and online (@acme.com) options shown.

The local username and the O365 user name match i.e. dsmith@acme.local, dsmith@acme.com

What would you recommend as the best way to sync from local AD to AAD?

Thanks in advance!

I am trying to set up the app "Workday to Active Directory User Provisioning" in Azure AD. The purpose of this app is to enable the automatic provisioning of users from Workday into on-premises Active Directory. I already have Azure AD Connect set up and running. I am following the Microsoft public documentation (https://aka.ms/workday).

I have one on-premises Azure AD Connect Provisioning Agent running (screenshot from Azure AD,screenshot from the on-premises server).

I have also tested the connection from the "Workday to Active Directory User Provisioning" app in Azure AD to Workday's API, and that also works (screenshot).

However, the synchronization service in this app in Azure AD does not appear to start. The "Provisioning" section of this app in the Azure portal still shows "Initial cycle not run" (see screenshot). I already tried toggling the Provisioning Status from Off and then to On again (after clicking "Save"), and have already tried checking the box "Clear current state and restart synchronization."

Additionally, under Audit logs, there appear to be no attempts at synchronization (see screenshot).

So there appears to be no synchronization attempts after several hours. Under the Microsoft public documentation on "Troubleshooting user provisioning - Provisioning service does not appear to start" (link), the only guidance is "It is likely that the service is running but has not completed an initial synchronization yet." However, this lack of synchronization has been going on for several hours, and seems completely unresponsive.

How can I trigger synchronization for "Workday to Active Directory User Provisioning"?