Hi Team,

I have recently started working on Azure Active Directory and i am trying to integration custom java based web application with Azure AD.

I refer github  (https://github.com/AzureADSamples/WebApp-GraphAPI-Java) java code for the same, however after implementing the same, i am not able to perform any of the desired operations and getting below error.

followed with exception:

Server returned HTTP response code: 400 for URL: https://login.windows.net/cecvpoc.onMicrosoft.com/oauth2/token?api-version=1.0

and strange thing is whenever i try to access https://graphexplorer.cloudapp.net/<tenent-name>/user, it ask for principal ID and symetric key and after providing both when i click on login button i get below error

"Status Code" : "Unauthorized","Description" : "The remote server returned an error: (401) Unauthorized.","Response" : "{"odata.error":{"code":"Authentication_MissingOrMalformed","message":{"lang":"en","value":"Access Token missing or malformed."},"values":null}}"

however, when i log in to graph explorer using my organizational credentials, i always get the user data so i believe it something to do with the way i am registering my application though i followed the same step which present online.

My simple requirement is to have java application which  can search user, create user, modify user in azure active directory and just to add my application should be authenticated and authorized to perform above operation with client id and symmetric key so that user need not to authenticate against WAAD for the same.

Note: i also added roles to my application too: Read, Write and Admin roles too.

Kindly provide some pointers towards the solution, i know this is possible its just i am not able to click the right thing.

Thanks in advance.

Regards,

Anurag

Hello,

We are getting an error message from DirSync on a disabled SMSCliToknAcct& account that is quite annoying (MSOnline sends an email reporting the same error every 3 hours)

This is the error message. Any help is appreciated.

See Directory Synchronization errorsfor more information about the errors listed in this email message.

The Directory Synchronization batch run was completed onTuesday, 09 September 2014 15:38:47 GMT for tenant WXXX [wxxx.onmicrosoft.com]. The following errors occurred during synchronization:

Tracking ID: d8c4ff31-e4bb-4ed4-aae7-874ace8c062c

We are currently developing a user provisioning service for Azure Directory Services using the Azure Graph API. 

As part of the service, we need to be able to delete users, much the same way as you would through the web interface.

In order to delete a user, we are first attempting to retrieve them via UPN using the API, then we are calling the GraphConnection.Delete method passing in the User we have just retrieved.

The problem we are having is the GraphConnection.Delete method is throwing an AuthorizationException"Insufficient privileges to complete the operation."

The application we are developing has been added to Azure Services as a 'Web Application'.

I have checked the Application Permissions in the Azure management interface and ensured that ALL permissions have been assigned - these are as follows:

• Delegated Permissions (4): Access your organization's directory (preview), Read and write directory data, Read directory data, Enable sign-on and read user's profiles
• Application Permissions (2): Read and write directory data, Read directory data

The following is an extract of the code we are running:

var clientRequestId = Guid.NewGuid();
var graphSettings = new GraphSettings { ApiVersion = GraphApiVersion, GraphDomainName = GraphDomainName };

var authenticationContext = new AuthenticationContext(AuthString, false);
authResult = authenticationContext.AcquireToken(GraphResourceName, ClientCredential);

token = authResult.AccessToken;

var graphConnection = new GraphConnection(token, clientRequestId, graphSettings);

graphConnection.Delete(User);

No problem when resetting a non-Administrative Users password. Is this by design? I suspect it is as it only occurs when I assign the "Global Administrator" Role to the User.

Given I'll want to work around this, is there any way to determine membership of this Role?

Sincerely,
//Adam

http://social.technet.microsoft.com/wiki/contents/articles/17857.dirsync-how-to-switch-from-single-sign-on-to-password-sync.aspx

Does dirsync with password sync actually work for a true DR scenario as per article above? I have the same question that Justin Barker asked in the comments section on the article above but there is no answer.

If we lose our internet connection O365 users cannot use ADFS to log in so we would try to enable password sync by converting all users to managed instead of federated. BUT in order to do this, do you not need access to either your on-premise ADFS servers or the Dirsync server. If your on-premise internet connection is down then you cannot run the Convert-MSOLDomaintoStandard command because you cannot run the Set-MSOLADFSContext command because there is no connectivity to the ADFS servers?

Could someone please clarify if dirsync with password sync can help if the on-premise internet connection fails or if the ADFS servers are down?

Thank you

I am using the WSFederationAuthentication module for authenticationin my site which in turn is using the Azure ACS. I can successfully login and logout of the system . We have our site setup so as soon as someone hits it and if they are not authenticated it transfers to a Secure Token Service website which does the authentication. The issue comes when I select the remember me checkbox checked and logout it logs me out and then tries to transfer me to the login page but it thinks I am already logged in and automatically logs me back in. I am thinking its not clearing the authentication cookies in or the information present in the header which does not get properly clear when I logout.

Can someone please look at the code and give me some idea on how to resolve this issue.

Note: It is only happening in IE . Firefox and Chrome are working as expected.

     WSFederationAuthenticationModule authModule = FederatedAuthentication.WSFederationAuthenticationModule;
                //clear local cookie
                authModule.SignOut(true);

                //  initiate federated sign out request to the STS
                SignOutRequestMessage signOutRequestMessage = new SignOutRequestMessage(new Uri(authModule.Issuer), authModule.Realm);
                String queryString = signOutRequestMessage.WriteQueryString();
                if (!string.IsNullOrEmpty(queryString))
                {
                    return new RedirectResult(queryString);
                }
                else
                {
                    return RedirectToAction("Index", "Home");
                }

Also something very weird is that even if the isPersistent is sent to false but the remember me checkbox is checked chrome and firefox seem to store the password somehow.

Can someone please help me with this and let me know what I am doing wrong.

Thanks

Hi All,

The link - http://msdn.microsoft.com/library/azure/dn532272.aspx mentions that following features are currently in preview.

• Password reset with write-back to on-premises directories
• Azure AD Sync bi-directional synchronization
• Azure AD Application Proxy

I have a question about bi-directional synchronization.

Does this include everything like users, contacts, groups?

We have an on-premise AD and currently synchronize one way to Azure AD.

I can see the benefit in password reverse sync - to allow users self service reset without having to deploy on-premises FIM.

But could not think of reasons why we would want to manage users, groups in Azure AD and synchronize them back to on-premises AD.....especially for those who have FIM to do group management on-premises and DirSync to synchronize them to AAD.

Regards,

Ajay Suri

Hi,

I’m currently testing the Microsoft Azure and SharePoint 2013 ability.

In our office, we have an Office 365 account, and I have created a Azure 30-days trial subscription. I have connected those two, so our Office 365 users are visible in Azure AD.

We need to install a virtual server with SharePoint installed on it, with access to a SQL server in Azure as well.

Is it possible to use the Azure AD as authentication for SharePoint users?

If possible, we would like to avoid installing an On-premises AD in Azure. We simply need the authentication for our SharePoint users, so we can keep everything in the cloud, without Site to site VPN to our in house AD.

I am aware, that the virtual machine in Azure with Sharepoint on it, will run in a Workgroup, but I have a hard time figuring out, how I can access the Azure AD to lookup users. I don’t know if this is possible.

Best regards

Christian

Hi,

I am trying to manage my company credential throw WAAD but I noticed my users can use powershell with MSOnline module to retrieve information.

They cannot anymore retrieve all others users with Get-MsolUser because I found an option to disable this command : Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

Now they directly get the following error :  Get-MsolUser : Access Denied. You do not have permissions to call this cmdlet

Is there a way to do the same for Get-Group and Get-GroupMember ?

I have the following settings using Get-MsolCompanyInformation :

Thank you for your answer

I'm following documentation at http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

I'm redirecting the user to

https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https%3A%2F%2Fgraph.windows.net&client_id=fee76137-a1d9-4545-bf6d-7214e14d7017&redirect_uri=REPLY-URL-HERE

and sometimes (say 1 time in 10) the user gets stuck on https://login.windows.net/common/oauth2/authorize?... with an error message

Sign In

We received a bad request.

So, obviously the user consent is the problem.

I can fix the problem by adding "&prompt=consent" to the the redirect URL but in that case I'm losing Single Sign-On experience for 9 times out of 10 when it would work without enforced consent dialog.

I'd expect the user to be redirected to my reply URL where I could diagnose the problem and allow user to re-request the consent if needed. However, this does not happen and user is left on https://login.windows.net/common/oauth2/authorize?... without any hints about what to do next.

Is this a known problem or is there some way to request that any errors should always get redirected to my own reply URL?

Hi,

I need for my client to check user from Azure Active Directory. It's an WPF application and I haven't any service (no siteweb, no wcf services) in Azure. I just want pass login and password or open standard login windows. 

I have already add an application in Azure managment portail (Active Directory section) and try to use ADAL to log user. 

AuthenticationContext ac = new AuthenticationContext(<authority>)

AuthenticationResult ar = ac.AcquireToken(<resource>,<clientID>,<RedirectURi>)

How to do that without "resource" to pass to "AcquireToken" method ? what is this resource ?

I only have the clientID and redirect URI

Please help !

Hi,

From the Azure console, I am trying to add my existing Office365 AD but when I click on "New" -> "App services" -> "Active Directory" -> "Directory" -> "Custom create", I don't have the option"Select existing AD". Is there a reason why? I tried on all browsers and on my other Azure account and got same result all the time.

Please help!!!

Hi, I'm having some trouble setting up the ADFS 2 + ACS to authenticate, it works fine when I'm logged in the domain network but when I am outside of the network I get this error shown bellow. 

We have UAG sat in front of ADFS for external Access, could this be issue?

ACS20001: An error occurred while processing a WS-Federation sign-in response.

ACS50008: SAML token is invalid.

Trade Id: cfeff2e7-4b1f-4ec9-948b-e9fc9afa1773

I'm not sure why it's not working from outside of the domain network since the message is too generic, this is the message I got from ADFS debug

Ignoring Invalid entry 'signoutCleanup;https%3a%2f%2fxxx.accesscontrol.windows.net%2f&FSS0+-+XXX+Azure&https%3a%2f%2fxxx.accesscontrol.windows.net%2fv2%2fwsfederation&https%3a%2f%2fxxx.accesscontrol.windows.net%2fv2%2fwsfederation' in signout cookie

Constructing MSISAppliesTo from custom URI 'microsoft:identityserver:https://xxx.accesscontrol.windows.net/' if applicable

Constructing MSISAppliesTo from custom URI 'https://xxx.accesscontrol.windows.net/' if applicable

Initiating search for scope https://xxx.accesscontrol.windows.net/

Successfully retrieved scope details for scope https://xxx.accesscontrol.windows.net/

Began processing policy for target: https://xxx.accesscontrol.windows.net/
Request AppliesTo: https://xxx.accesscontrol.windows.net/
Using ActAs: false
Using OnBehalfOf: true

LDAPAttributeStoreReader: Successfully retrieved 1 attribute(s) for user sAMAccountName=k000000

Finished processing policy

Constructing MSISAppliesTo from custom URI 'https://xxx.accesscontrol.windows.net/' if applicable

Constructing MSISAppliesTo from custom URI 'https://xxx.accesscontrol.windows.net/' if applicable

Thanks,

Lucas

Hi,

We are using Azure ACS in our application, Also we have used customized ACS page as login form. now whenever we are deploying it to staging, settings available in customized ACS page works fine. but when we switch it to production then web config and login page settings are not changing. How we can change it or is there any other to implement ACS?

Thanks & Regards

Sachin Jain

Hi Guys,

  I ma trying to execute a rest method to get all the users https://graph.windows.net/mytenantdomain/users?api-version=2013-04-05  This method requires one of the header as "Authorization" . For this we need to generate access token .  So guys can I know how can I get this access token?

Thanks,

-Rakesh

Bonjour,

I ma trying to link my Office365 account AD to my Azure account. The procedure is pretty simple but the issue is that, from azure, I don't have the possibility to "Add existing AD" from the form. I only have the option to enter a new one. I am global admin on both account.

Is there a reason why I don't see the option?

I have installe the AADSync Beta 2 (1.0.0342.0715) and at the time the tool is configuring the local forest I got the error "Failed to commit the schema". I have validated that has plain network communication to all DCs in the forest.  Attached is an extract of the errors on the Windows/AADSync Log file and events on the eventviewer. I have changed the domain name for obvious reasons.

-----------------------------

LOG FILE

AzureActiveDirectoryDirectorySyncTool Information: 904 : ADDS Credentials Page: Attempting to create connectors for 1 new forests
AzureActiveDirectoryDirectorySyncTool Information: 904 : Initializing AD DS connector (DOMAINREMOVED.COM)
AzureActiveDirectoryDirectorySyncTool Information: 904 : ADDS Credentials Page: Updating credentials for connector (DOMAINREMOVED.COM)
AzureActiveDirectoryDirectorySyncTool Information: 904 : Starting: Creating or updating the DOMAINREMOVED.COM ......
AzureActiveDirectoryDirectorySyncTool Information: 904 : Finished: Creating or updating the DOMAINREMOVED.COM .... Duration: 0.633 sec.
AzureActiveDirectoryDirectorySyncTool Information: 904 : Gathering schema information (DOMAINREMOVED.COM)
AzureActiveDirectoryDirectorySyncTool Error: 906 : System.Management.Automation.CmdletInvocationException: Failed to commit the schema ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: Failed to commit the schema
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchemaFromDirectory(Connector connector, Boolean commit)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.UpdateADSyncConnectorSchemaCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.PowerShellAdapter.TypeDependencies.InvokePipeline(Pipeline pipeline)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.PowerShellAdapter.InvokePowerShellCommand(String commandName, IDictionary`2 commandParameters)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.UpdateConnectorSchema(Connector connector)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.UpdateConnectorSchema()
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.ADDSSourceDirectoryPageViewModel.SetupADDSConnectorCore(BackgroundWorker backgroundWorker)
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.Controls.Wizards.ProgressReportingTaskViewModel.ExecuteAction(Action action, Boolean isProgressIndeterminate)

-----------------------------

Log Name:      Application
Source:        ADSync
Date:          04/08/2014 12:34:19 p. m.
Event ID:      6309
Task Category: Server
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WORKSTATION
Description:
The server encountered an unexpected error while performing an operation for a management agent.
 
 "BAIL: MMS(2332): ..\parser.cpp(2053): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
BAIL: MMS(2332): ..\schema.cpp(91): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
ERR_: MMS(2332): ..\mastate.cpp(11621): Error creating MA schema object: 0x80230900
BAIL: MMS(2332): ..\mastate.cpp(11810): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
BAIL: MMS(2332): ..\mastate.cpp(5664): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
BAIL: MMS(2332): ..\ma.cpp(669): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
BAIL: MMS(2332): ..\ma.cpp(951): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
Azure AD Sync 1.0.0342.0715"
Event Xml:
<Event xmlns="http_://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ADSync" />
    <EventID Qualifiers="49152">6309</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-08-04T17:34:19.000000000Z" />
    <EventRecordID>5315</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WORKSTATION</Computer>
    <Security />
  </System>
  <EventData>
    <Data>BAIL: MMS(2332): ..\parser.cpp(2053): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
BAIL: MMS(2332): ..\schema.cpp(91): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
ERR_: MMS(2332): ..\mastate.cpp(11621): Error creating MA schema object: 0x80230900
BAIL: MMS(2332): ..\mastate.cpp(11810): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
BAIL: MMS(2332): ..\mastate.cpp(5664): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
BAIL: MMS(2332): ..\ma.cpp(669): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
BAIL: MMS(2332): ..\ma.cpp(951): 0x80230900 (E_MMS_SCHEMA_DSML_NO_SCHEMA)
Azure AD Sync 1.0.0342.0715</Data>
  </EventData>
</Event>

--------------------------------------------------------

Log Name:      Application
Source:        AzureActiveDirectoryDirectorySyncTool
Date:          04/08/2014 12:34:19 p. m.
Event ID:      906
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      WORKSTATION
Description:
System.Management.Automation.CmdletInvocationException: Failed to commit the schema ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: Failed to commit the schema
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchemaFromDirectory(Connector connector, Boolean commit)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.UpdateADSyncConnectorSchemaCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.PowerShellAdapter.TypeDependencies.InvokePipeline(Pipeline pipeline)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.PowerShellAdapter.InvokePowerShellCommand(String commandName, IDictionary`2 commandParameters)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.UpdateConnectorSchema(Connector connector)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.UpdateConnectorSchema()
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.ADDSSourceDirectoryPageViewModel.SetupADDSConnectorCore(BackgroundWorker backgroundWorker)
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.Controls.Wizards.ProgressReportingTaskViewModel.ExecuteAction(Action action, Boolean isProgressIndeterminate)
Event Xml:
<Event xmlns="http_://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AzureActiveDirectoryDirectorySyncTool" />
    <EventID Qualifiers="0">906</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-08-04T17:34:19.000000000Z" />
    <EventRecordID>5316</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WORKSTATION</Computer>
    <Security />
  </System>
  <EventData>
    <Data>System.Management.Automation.CmdletInvocationException: Failed to commit the schema ---&gt; Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: Failed to commit the schema
   at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.GetSchemaFromDirectory(Connector connector, Boolean commit)
   at Microsoft.IdentityManagement.PowerShell.Cmdlet.UpdateADSyncConnectorSchemaCmdlet.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.PowerShellAdapter.TypeDependencies.InvokePipeline(Pipeline pipeline)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.PowerShellAdapter.InvokePowerShellCommand(String commandName, IDictionary`2 commandParameters)
   at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.UpdateConnectorSchema(Connector connector)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.UpdateConnectorSchema()
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.ADDSSourceDirectoryPageViewModel.SetupADDSConnectorCore(BackgroundWorker backgroundWorker)
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.Controls.Wizards.ProgressReportingTaskViewModel.ExecuteAction(Action action, Boolean isProgressIndeterminate)</Data>
  </EventData>
</Event>

I have a MSDN Ultimate subscription, and enabled the Active Directory Premium 90-day trial feature, for the Default Directory. After waiting a bit, and signing back into the Azure Portal, I cannot seem to find the option to configure the "company branding" feature on the Configure tab. I see options to configure: Directory Name, E-mail Language Preference, Multi-factor Authentication, Device Registration, and Application Proxy, but do not see the option to customize theSign-in Page or Access Portal.

Where are these options located? According to the MSDN documentation for Azure Active Directory, the company branding options should appear under theConfigure tab.

http://msdn.microsoft.com/en-us/library/azure/dn532270.aspx

Cheers,
Trevor Sullivan
Microsoft MVP: PowerShell

If this post was helpful, please click the little "Vote as Helpful" button :)