
Access Azure B2C Sign-In logs after 90 Days


Hi All,

We are trying to overcome a situation where we need to delete users from an Azure B2C directory who have not logged in for more than 90 days. I am using the Graph API, but it returns the login history for a maximum of 30 days.

All the searches I made direct me to the audit logs of Azure AD and not B2C (I presume they are not the same). The Graph API I found for B2C was also for audit logs and not just the sign-in logs, and it is only available in the beta version of the API.

I need either help or alternatives on how this could be achieved. Thanks in advance.



Hyperledger Fabric integration with Azure AD


Hi Team,

I am looking for a blog or document on integrating Hyperledger Fabric CA with Azure AD.

Can you please help me out? Is there any way other than using Blockchain as a Service?

Thanks & Regards,

Karthick

Application Administrator AD role not providing correct privileges


I'm wondering if anyone has come across any problems with the 'Application Administrator' AD role. I'm trying to apply that role to a service principal to allow it to create other service principals. I would have assumed that having the ability to manage all aspects of app registrations etc., as explained in the docs here: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/users-groups-roles/directory-assign-admin-roles.md, would have allowed me to do this, but I still cannot create new service principals in this way.

If I apply the 'Global Administrator' role it works as expected.

Any help on a better way to automate the creation of service principals would be much appreciated
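As an added example that is not part of the post above: one way to automate service principal creation from a non-interactive identity is to grant the automation app a Microsoft Graph application permission (Application.ReadWrite.All, or the narrower Application.ReadWrite.OwnedBy once it owns the objects) instead of relying on a directory role, and to authenticate with a certificate rather than a client secret. The script below uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications); the tenant ID, automation client ID, certificate thumbprint and display name are placeholders supplied as parameters, and the permission grant with admin consent is assumed to be in place.

```powershell
# Added example, not from the original post. Creates an app registration and its
# service principal under app-only (client credentials) auth via Microsoft Graph.
# Assumed: the automation app has the Graph application permission
# Application.ReadWrite.All (or Application.ReadWrite.OwnedBy for objects it owns)
# granted with admin consent, and a certificate in the local store.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $AutomationClientId,
    [Parameter(Mandatory)] [string] $CertificateThumbprint,
    [Parameter(Mandatory)] [string] $NewAppDisplayName
)

Import-Module Microsoft.Graph.Applications

# No signed-in user: the effective rights are exactly the app roles granted to this identity.
Connect-MgGraph -TenantId $TenantId -ClientId $AutomationClientId -CertificateThumbprint $CertificateThumbprint

# Fail closed instead of silently creating a second registration with the same name.
$existing = Get-MgApplication -Filter "displayName eq '$NewAppDisplayName'"
if ($existing) {
    throw "An application named '$NewAppDisplayName' already exists (appId $($existing.AppId))."
}

# 1. The application object (the registration), limited to this tenant.
$app = New-MgApplication -DisplayName $NewAppDisplayName -SignInAudience 'AzureADMyOrg'

# 2. The service principal (enterprise app) that represents it in this tenant.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 3. Make the automation identity an owner, so a later run holding only
#    Application.ReadWrite.OwnedBy can still manage what it created.
$automationSp = Get-MgServicePrincipal -Filter "appId eq '$AutomationClientId'"
New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($automationSp.Id)"
}

[pscustomobject]@{
    AppId                    = $app.AppId
    ApplicationObjectId      = $app.Id
    ServicePrincipalObjectId = $sp.Id
}
```

Run it as a .ps1 with the four parameters. The owner assignment in step 3 is what lets the automation identity be moved from Application.ReadWrite.All down to Application.ReadWrite.OwnedBy afterwards, which is the least-privilege end state for a service principal that only needs to manage the objects it creates.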

Publishing OWA with Azure Application Proxy - Refresh/Timeout


Hello,

We are evaluating the use of Azure AD Application Proxy for use with Exchange services, including OWA/ECP. External access to the applications is working successfully, along with Azure pre-authentication, but we are experiencing the following two symptoms:

1) Refresh time to show new/updated mail is much slower than it used to be (using WAP/ADFS). Sometimes it takes a minute or two for new e-mail to appear. Not a huge deal, but wondering if anyone has seen this and knows of a fix.

2) After about an hour, e-mail stops refreshing altogether and the user must manually refresh the browser to see new mail. I think this is related to the access token expiring, as from what I've read the default is 1 hour. I followed some guides to create a new policy to extend the access token lifetime to 24 hours (testing is still in progress), but again, am wondering if anyone has come across this and knows the fix.

Thanks for your help!

Wade

Azure AD Application - Change Notification Email through PowerShell?


I have several applications added in Azure AD. These applications are all configured with SAML Single Sign-On (SSO) (screenshot here).

In the SAML SSO configuration page, there is a setting for Notification Email, which is the email address that will be notified when the SAML signing certificate is close to expiration (screenshot here).

I want to be able to programmatically change the notification email on an Azure AD app through PowerShell. I have been exploring with the cmdlet Get-AzureADApplication, but I don't seem to find the "notification email" property, and therefore I am not sure how to set it.

Here is the output of Get-AzureADApplication on a Test App. No "notification email" property:

DeletionTimestamp          : 
ObjectId                   : 24dcf6a8-2746-4ba9-af54-062ac39d5a4d
ObjectType                 : Application
AddIns                     : {}
AllowGuestsSignIn          : 
AllowPassthroughUsers      : 
AppId                      : c95bca7f-5c32-4a17-9d3f-89234124fad7
AppLogoUrl                 : 
AppRoles                   : {class AppRole {
                               AllowedMemberTypes: System.Collections.Generic.List`1[System.String]
                               Description: User
                               DisplayName: User
                               Id: 18d14569-c3bd-439b-9a66-3a2aee01d14f
                               IsEnabled: True
                               Value: 
                             }
                             , class AppRole {
                               AllowedMemberTypes: System.Collections.Generic.List`1[System.String]
                               Description: msiam_access
                               DisplayName: msiam_access
                               Id: b9632174-c057-4f7e-951b-be3adc52bfe6
                               IsEnabled: True
                               Value: 
                             }
                             }
AvailableToOtherTenants    : False
DisplayName                : TestApp
ErrorUrl                   : 
GroupMembershipClaims      : 
Homepage                   : https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=customappsso|ISV9.1|primary|z
IdentifierUris             : {test.com}
InformationalUrls          : class InformationalUrl {
                               TermsOfService: 
                               Marketing: 
                               Privacy: 
                               Support: 
                             }
IsDeviceOnlyAuthSupported  : 
IsDisabled                 : 
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  : 
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {class OAuth2Permission {
                               AdminConsentDescription: Allow the application to access TestApp on behalf of the signed-in user.
                               AdminConsentDisplayName: Access TestApp
                               Id: 4a22a7ad-f133-46e7-b5fb-915914da8894
                               IsEnabled: True
                               Type: User
                               UserConsentDescription: Allow the application to access TestApp on your behalf.
                               UserConsentDisplayName: Access TestApp
                               Value: user_impersonation
                             }
                             }
Oauth2RequirePostResponse  : False
OrgRestrictions            : {}
OptionalClaims             : 
ParentalControlSettings    : class ParentalControlSettings {
                               CountriesBlockedForMinors: System.Collections.Generic.List`1[System.String]
                               LegalAgeGroupRule: Allow
                             }
PasswordCredentials        : {}
PreAuthorizedApplications  : 
PublicClient               : False
PublisherDomain            : <redacted>
RecordConsentConditions    : 
ReplyUrls                  : {https://testc.om}
RequiredResourceAccess     : {}
SamlMetadataUrl            : 
SignInAudience             : AzureADMyOrg
WwwHomepage                : 

Any help or ideas?
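As an added example that is not part of the post above: in Microsoft Graph the SAML certificate-expiry notification address is stored on the service principal (the enterprise application) as the notificationEmailAddresses collection, not on the application object that Get-AzureADApplication returns. The script below, using the Microsoft Graph PowerShell SDK, resolves the service principal from the appId, PATCHes the property and reads it back to confirm. The appId and the mailbox list are placeholder parameters.

```powershell
# Added example, not from the original post. Sets the SAML signing-certificate
# expiry notification address on a service principal via Microsoft Graph.
# Assumed placeholders: the app's appId and the mailbox(es) to notify.
param(
    [Parameter(Mandatory)] [string]   $AppId,
    [Parameter(Mandatory)] [string[]] $NotificationEmails
)

Import-Module Microsoft.Graph.Authentication

# Updating a service principal needs Application.ReadWrite.All; a read-only scope is not enough.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Resolve the service principal from the appId shown on the registration.
$lookup = Invoke-MgGraphRequest -Method GET -Uri (
    "https://graph.microsoft.com/v1.0/servicePrincipals" +
    "?`$filter=appId eq '$AppId'&`$select=id,displayName,notificationEmailAddresses")
if ($lookup.value.Count -ne 1) {
    throw "Expected exactly one service principal for appId $AppId, found $($lookup.value.Count)."
}
$sp = $lookup.value[0]
Write-Host "Before: $($sp.displayName) -> $($sp.notificationEmailAddresses -join ', ')"

# PATCH replaces the whole collection, so pass the complete desired list.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.id)" `
    -Body @{ notificationEmailAddresses = @($NotificationEmails) }

# Read it back instead of trusting the 204; this is the check to keep in an automation run.
$after = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.id)?`$select=notificationEmailAddresses"
if (Compare-Object @($after.notificationEmailAddresses) @($NotificationEmails)) {
    throw 'notificationEmailAddresses did not update as requested.'
}
Write-Host "After:  $($after.notificationEmailAddresses -join ', ')"
```

The raw Invoke-MgGraphRequest calls are used on purpose so the property name is visible in the request; the same update can be done with Update-MgServicePrincipal once the property is known.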

No Synchronization in Workday to Active Directory User Provisioning


I am trying to set up the app "Workday to Active Directory User Provisioning" in Azure AD. The purpose of this app is to enable the automatic provisioning of users from Workday into on-premises Active Directory. I already have Azure AD Connect set up and running. I am following the Microsoft public documentation (https://aka.ms/workday).

I have one on-premises Azure AD Connect Provisioning Agent running (screenshot from Azure AD,screenshot from the on-premises server).

I have also tested the connection from the "Workday to Active Directory User Provisioning" app in Azure AD to Workday's API, and that also works (screenshot).

However, the synchronization service in this app in Azure AD does not appear to start. The "Provisioning" section of this app in the Azure portal still shows "Initial cycle not run" (see screenshot). I already tried toggling the Provisioning Status from Off and then to On again (after clicking "Save"), and have already tried checking the box "Clear current state and restart synchronization."

Additionally, under Audit logs, there appear to be no attempts at synchronization (see screenshot).

So there appear to have been no synchronization attempts after several hours. Under the Microsoft public documentation on "Troubleshooting user provisioning - Provisioning service does not appear to start" (link), the only guidance is "It is likely that the service is running but has not completed an initial synchronization yet." However, this lack of synchronization has been going on for several hours, and it seems completely unresponsive.

How can I trigger synchronization for "Workday to Active Directory User Provisioning"?

Azure AD Connector Account Permissions


Hi,

We have recently upgraded our Azure AD Connect instance and have deployed a custom AD Connector account, applying permissions using the ADSyncConfig powershell cmdlets and module as described here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account

After running the cmdlets we verified the correct permissions had been applied; however, we are encountering permission issues when exporting some changes from the metaverse back to the on-prem AD.

A couple of examples include Office 365 group writeback failing and password writeback failing for admin users.

We've identified that the Create Group Object permission appears to be missing from both the table of permissions and the cmdlets referenced in the above article. This is granted when adding the "create, delete and manage" delegation to an OU, and when we add it manually to the AD Connector account, group writeback succeeds.

Permissions on the AdminSDHolder object also appear to apply to "descendant user objects" and not "this object". If we manually update them to "this object", AD Connect is able to successfully write password changes.

Has anyone else encountered this? Are the permissions applied by the ADSyncConfig cmdlets incorrect, or am I missing something?

Thanks,

Shane.
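As an added example that is not part of the post above: the quickest way to see exactly what the ADSyncConfig cmdlets (or a manual delegation) left on AdminSDHolder is to dump the ACEs granted to the connector account and show, for each one, which attribute or extended right it covers and whether it applies to "this object" (InheritanceType None or All) or only to descendants (Descendents). The script below, using the ActiveDirectory module, resolves attribute and extended-right names from the schema and Extended-Rights containers instead of hard-coding GUIDs; the connector account's sAMAccountName is a placeholder parameter.

```powershell
# Added example, not from the original post. Lists the ACEs on AdminSDHolder that
# name the AD DS Connector account and shows their scope (this object vs descendants).
# Assumed placeholder: the connector account's sAMAccountName.
param([Parameter(Mandatory)] [string] $ConnectorAccount)

Import-Module ActiveDirectory
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Map schema attribute GUIDs and extended-right GUIDs to names, so the output is readable
# (e.g. pwdLastSet, lockoutTime, Reset Password) without hard-coded GUID tables.
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidNames[[System.Guid]::new([byte[]]$_.schemaIDGUID)] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.name }

function Resolve-GuidName([guid] $Id, [string] $Empty) {
    if ($Id -eq [guid]::Empty) { return $Empty }
    if ($guidNames.ContainsKey($Id)) { return $guidNames[$Id] }
    return $Id.ToString()
}

$account = "$($domain.NetBIOSName)\$ConnectorAccount"
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    ForEach-Object {
        [pscustomobject]@{
            Type            = $_.AccessControlType
            Rights          = $_.ActiveDirectoryRights
            Object          = Resolve-GuidName $_.ObjectType '(all)'
            # None = this object only, All = this object and descendants, Descendents = descendants only
            AppliesTo       = $_.InheritanceType
            InheritedObject = Resolve-GuidName $_.InheritedObjectType '(any)'
        }
    } | Format-Table -AutoSize
```

An ACE whose AppliesTo column reads Descendents with InheritedObject user never applies to AdminSDHolder itself, which is the distinction the post describes; since AdminSDHolder's ACL is copied onto protected (admin) accounts by SDProp, the ACE must be scoped so that it lands on those user objects once propagated.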

Misconfigured Azure directory application error


Hi,

I am implementing the Microsoft ADAL plugin in my Ionic 3 app, so for that I have created an account on Microsoft Azure and registered my app in the Azure portal. After all the necessary configuration I used the app credentials in my Ionic app, but it throws a configuration error.

Although I configured my app properly and granted all the necessary administrative permissions, and searched all the Microsoft forums, the error is still there.

The error which pops up:

AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: 

Thanks

 


Windows 10 hybrid azure ad device name appended with $


I have a number of Win10 computers joined to my on-prem domain and synced to Azure AD via AAD Connect. They are hybrid Azure AD joined via group policy. I have one computer that has a $ appended to the end of its name in the Intune/Azure AD portal.

What could be the cause for the "$" sign at the end of the name?

Thanks

Christian

Active Directory Cloud Servers


Hi

We at present have a hybrid AD where our company AD is synchronised to Azure AD.

We are thinking as a company of deploying servers in the Azure cloud that can be added to our company domain and reached from our company AD servers, or even moving our VMs to the Azure environment.

At the moment some of this is possible through my own free Azure account but I'd like to set this up company wide.

Directory extensions not being sync'd to Azure AD via Azure AD Connect - missing rules


I have just discovered that none of the directory extensions I have defined to sync in AAD Connect are being pushed into Azure AD.

The last time I can confirm this was working was on 5/31/2019, and it was not working on 6/6/2019. I had been running AADC 1.2.70.0 during this time frame. Today I upgraded to AADC 1.3.21.0, but it did not resolve the issue.

After some digging around I found there are 5 template files related to Directory Extensions in C:\Program Files\Microsoft Azure Active Directory Connect\SynchronizationRuleTemplates 

  • In from AD - User DirectoryExtension.xml
  • In from AD - InetOrgperson DirectoryExtension.xml
  • In from AD - Group DirectoryExtension.xml
  • Out to AAD - User DirectoryExtension.xml
  • Out to AAD - Group DirectoryExtension.xml

When I look in the Sync Rules Editor, only 2 of these rules actually exist:

  • In from AD - User DirectoryExtension
  • In from AD - InetOrgperson DirectoryExtension

Given that neither of the "Out to AAD" rules exist, this explains why the values are not making it to Azure AD.

What greatly concerns me is that this broke with no changes made by me, so something appears to have caused the Out to AAD rules to drop out of the rule editor. Even more concerning is that when I upgraded AAD Connect today and it re-created the rules, it didn't create 3 of them.

Is this a bug? Is there a PowerShell script I can run to get these rules re-created?
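As an added example that is not part of the post above: before re-creating anything, it helps to have a repeatable check that compares the Directory Extension rule templates shipped on disk with the rules actually loaded in the sync engine, so that a missing rule shows up explicitly rather than being noticed only when attributes fail to flow. The script below uses the ADSync module's Get-ADSyncRule; the template path is the one the post names, and the Name, Direction and Disabled properties of the rule objects are the ones Get-ADSyncRule displays.

```powershell
# Added example, not from the original post. Compares the Directory Extension
# sync-rule templates on disk with the rules present in the AAD Connect
# configuration and reports any that are missing. Run on the AAD Connect server.
Import-Module ADSync

$templateDir = 'C:\Program Files\Microsoft Azure Active Directory Connect\SynchronizationRuleTemplates'

# Template file names (minus .xml) are the rule names, e.g. "Out to AAD - User DirectoryExtension".
$expected = Get-ChildItem -Path $templateDir -Filter '*DirectoryExtension*.xml' |
    ForEach-Object { $_.BaseName }

# Rules actually loaded in the sync engine.
$present = Get-ADSyncRule | Where-Object { $_.Name -like '*DirectoryExtension*' }

$report = foreach ($name in $expected) {
    $rule = $present | Where-Object { $_.Name -eq $name }
    [pscustomobject]@{
        Rule      = $name
        Present   = [bool]$rule
        Direction = if ($rule) { $rule.Direction } else { '-' }
        Disabled  = if ($rule) { $rule.Disabled }  else { '-' }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit so the check can be scheduled and alerted on.
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning "Missing $($missing.Count) Directory Extension rule(s): $($missing.Rule -join ', ')"
    exit 1
}
```

Missing Out to AAD rules explain the symptom directly: an inbound rule only populates the metaverse, and without the matching outbound rule the extension attributes never reach the Azure AD connector space, let alone the tenant.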



Azure AD B2C custom policy include acr_values in as a parameter


Hi, we use a third-party IdP that needs to receive the acr_values property in the authentication call. Is there a way to add it?

At the moment we have to add it to the actual authorization URL like this:

<Item Key="authorization_endpoint">https://idpservice.grean.id/oauth2/authorize?acr_values=urn:grn:authn:se:bankid:another-device</Item>

I can't get it to work by just adding another key like this:

<Item Key="acr_values">urn:grn:authn:se:bankid:another-device</Item>

Is there another way?

Thanks!

Verifying Active Directory Domain Service with AWS route 53


Hi Everyone, 

We use AWS Route 53 for our domain hosting and Azure Active Directory Domain Services (ADDS) for managing Active Directory.

Both AWS and Azure ADDS have the same domain name "xxx.com" with different IP addresses.

The problem is that when I try to join my laptop to the Azure ADDS domain, because there are two different IP addresses it picks up the AWS domain IP address and results in an error. To work around it I changed the DNS configuration on my laptop to point to Azure ADDS, and then I am able to join my laptop to the ADDS domain.

Once joined, I cannot access my website which is hosted in the AWS domain, and I know the reason behind it is the custom DNS configuration on my laptop. If I remove it, I cannot interact with my ADDS domain.

I have no clue how to connect Route 53 to Azure ADDS. Is there any possible solution for this scenario?

Any suggestions could be helpful.

Thanks in Advance.

Password reset inconsistencies between O365 and Azure portal. Identifying federated domains.


Hi, I have some questions around B2B guest accounts.

1) Should we be able to reset guest passwords in our Azure AD? We have an option to do so within O365, but AAD says this is not possible. Why is this?

2) Why do guest accounts appear as _hotmail.com#EXT#@contoso.onmicrosoft.com within O365, but as @hotmail.com within Azure AD?

3) How can we identify whether a partner domain is already federated with O365?

4) Some of our partners have not completed their O365 migration, so they're in a semi-migrated state with some users in AAD and others still on-premises. This causes issues with B2B. What's the best way to deal with this?

Thanks


Skype for Business - No SSO with Azure AD Connect & Seamless SSO


Any idea what could be wrong with Skype for Business, because it won't work with SSO? It always prompts for credentials. Office, Outlook etc. work nicely with SSO, but SfB doesn't.

Additional security verification: when I entered my details, I selected Russia (+7) in the Country field. After saving the information, the page https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 reports my country as Kazakhstan (+7)


Additional security verification: when I entered my details, I selected Russia (+7) in the Country field. After saving the information, the page reports my country as Kazakhstan (+7).

Notifications are working with the wrong country now, and I cannot even save the right country via that link.

This is an issue of corporate security; I feel obliged to report the software bug and the fact that incorrect data has apparently been stored in my MFA profile.

Redirect issue with the Microsoft Applications Registration Portal into Azure


I noticed a banner at the top of my Microsoft Application Registration Portal account telling me the service will be deprecated soon and that I need to move to Azure; however, when I click on the redirect hyperlink, I get the below error:

Here's the original link: https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade

After deleting the on-prem AD server, not able to delete synced user from Azure AD


We created an on-prem AD server and, after syncing it with Azure AD (via the AD Connect tool), we deleted that on-prem server.

Now the thing is that the user synced from the on-prem AD server to Azure AD cannot be deleted.

I tried each and every way and spoke with a chat executive as well, but the issue is still not resolved.

Please help me with this; any help is appreciated.

Thanks in advance.


Is there any way to migrate infrastructure from one tenant to another seamlessly


There is a need to move from one Azure AD tenant to another new tenant. There must be several resources which are tenant dependent. How can we plan to migrate them seamlessly? Is there any best practice that Microsoft offers?