Channel: Azure Active Directory forum

Getting "User not authorized to access Microsoft Universal Print" error when trying to register for Microsoft Universal Print


Hi,

I don't know if this is the right subforum to post this question, but I think this is the closest one related to our problem. We are trying to simulate an actual printer registration to Microsoft Universal Print. Here are the steps we took:

1) Send a POST webservice request to the MCP Registration Service: "https://register.print.microsoft.com/api/v0.1/register"
    The request payload is seen below:
    {
    "name": "Test Printer 11",
    "manufacturer": "PrinterManufacturer",
    "model": "PrinterModel",
    "device_type": "printer",
    "device_id": "c4303900-c7c2-4419-8eec-5a7d9a304af9",
    "certificate_request": {
        "type": "pkcs10",
        "data": "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",
        "transport_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwo8lLBniQxoJBz6cOO1R3WyMX5VDsnSH1yH7fREIJHZBfokawjOlCHbfwaL7rmGFR6rMetGA7Myl5+I7uEwzUISa17ShazAmiw+QAT0nqRYGqNk3NM8ZPy8whfVzC6OxQs5IifrkI8hTvTpGdZrpwOWdg3ISUtel0GlJKzvU1+8Jj5jCoGqU3VITnHMdq1l7cTc2ZhmTPB8H8Rt7e+VkEVOiVuuz4ecRhjBQBS1KQxrBfHQpkb+XwSV5wc8/bS7pu5ziypkZBtcDLMxgdpyLBtm0OXaRFc5Q1TPfnjKOjtq7CDca3qx8RndtV2AtqOpPpuSb52rYUcXjYQDXCu5FgQIDAQAB"
    }
}

2) The MCP Registration Service response is seen below:
     202 Accepted
     {
        "registration_id": "019d936c-c087-478c-9458-5899aa2c479e",
        "user_code": "B9928AH5X",
        "messages": [
            {
                "message": "To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code B9928AH5X to authenticate.",
                "lang": "en-us"
            }
        ],
        "verification_url": "https://microsoft.com/devicelogin",
        "interval": 5
    }

3) Before going to the verification url, we check the registration status by doing a GET webservice request to MCP Registration service using the registration id provided: "https://register.print.microsoft.com/api/v0.1/register?registration_id=019d936c-c087-478c-9458-5899aa2c479e"

4) The MCP Registration Service response is seen below which indicates that Registration is in progress:
     202 Accepted
     {
         "interval": 5
     }

5) Authenticate and verify the registration by going to "https://microsoft.com/devicelogin" and input "B9928AH5X" as the code.

6) Microsoft asks to pick an account to sign in. We use our company email which is registered in Azure Active Directory with a role of "user".

7) A successful confirmation is displayed in the browser: "You have signed in to the Microsoft Print Enabled Printer application on your device. You may now close this window."

8) Check the registration status again (we should now receive a 200 OK for "Registered"): "https://register.print.microsoft.com/api/v0.1/register?registration_id=019d936c-c087-478c-9458-5899aa2c479e"

9) An error is now returned by the MCP Registration Service:
    403 Forbidden
    {
        "error": "invalid_request",
        "error_description": "User not authorized to access Microsoft Universal Print",
        "registration_id": "019d936c-c087-478c-9458-5899aa2c479e",
        "http_status_code": 403
    }

We are not sure what is causing this error and maybe this forum can point us in the right direction. On our end, we tried to play around with how we generated our certificate signing request. We followed the requirements stated in the UPAPI.pdf specs on how to generate the CSR (the certificate request MUST use an RSA public key algorithm with a 2048-bit key, a SHA256WithRSAEncryption signature algorithm, and a SHA256 hash algorithm).

We also tried using a different (newly created) Microsoft account during the authentication step, but we got an error stating that the said account does not exist in the tenant's Azure Active Directory.

Should we try using a Microsoft account with an "admin" role in Azure Active Directory? The account we have and are currently using is only defined as "user", and searching for "Universal Print" in "https://portal.azure.com" comes out empty.
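The CSR requirements quoted in the post (RSA, 2048-bit key, SHA256WithRSA) and the shape of the step 1 payload, as an added Go example; this is not code from the post or from Microsoft. It generates a key and PKCS#10 request with Go's crypto/x509, checks the request against those requirements before anything is sent, and assembles the register body. Assumptions: that transport_key is the base64 DER SubjectPublicKeyInfo of a second RSA key (the value in the post has that encoding, but the post does not say where it comes from), and the function names NewCSR, CheckCSR and BuildRegisterPayload, which are mine. A request that passes CheckCSR rules out a malformed CSR as the cause of the 403; it says nothing about the user's authorisation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
)

// CertificateRequest and RegisterPayload mirror the JSON body in step 1 of the post.
type CertificateRequest struct {
	Type         string `json:"type"`          // "pkcs10"
	Data         string `json:"data"`          // base64 of the DER-encoded CSR
	TransportKey string `json:"transport_key"` // base64 of a DER SubjectPublicKeyInfo (assumption)
}

type RegisterPayload struct {
	Name               string             `json:"name"`
	Manufacturer       string             `json:"manufacturer"`
	Model              string             `json:"model"`
	DeviceType         string             `json:"device_type"`
	DeviceID           string             `json:"device_id"`
	CertificateRequest CertificateRequest `json:"certificate_request"`
}

// NewCSR generates an RSA key of the given size and a PKCS#10 request for it signed with
// SHA256WithRSA. The spec quoted in the post requires bits == 2048; CheckCSR enforces that.
func NewCSR(commonName string, bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, SignatureAlgorithm: x509.SHA256WithRSA}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// CheckCSR rejects a DER CSR that does not meet the quoted requirements before it is sent:
// RSA key, 2048-bit modulus, SHA256WithRSA signature, and a self-signature that verifies.
func CheckCSR(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("not a valid PKCS#10 request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR self-signature does not verify: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("public key is %T, want RSA", csr.PublicKey)
	}
	if bits := pub.N.BitLen(); bits != 2048 {
		return fmt.Errorf("RSA key is %d bits, want 2048", bits)
	}
	if csr.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("signature algorithm is %s, want SHA256WithRSA", csr.SignatureAlgorithm)
	}
	return nil
}

// BuildRegisterPayload checks the CSR and assembles the registration body. Whether transport_key
// must belong to a second key is not stated in the post; a separate key is assumed here.
func BuildRegisterPayload(name, deviceID string, csrDER []byte, transportPub *rsa.PublicKey) ([]byte, error) {
	if err := CheckCSR(csrDER); err != nil {
		return nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(transportPub)
	if err != nil {
		return nil, err
	}
	return json.MarshalIndent(RegisterPayload{
		Name: name, Manufacturer: "PrinterManufacturer", Model: "PrinterModel", DeviceType: "printer", DeviceID: deviceID,
		CertificateRequest: CertificateRequest{
			Type:         "pkcs10",
			Data:         base64.StdEncoding.EncodeToString(csrDER),
			TransportKey: base64.StdEncoding.EncodeToString(spki),
		},
	}, "", "  ")
}

func main() {
	_, csr, err := NewCSR("Test Printer 11", 2048)
	if err != nil {
		log.Fatal(err)
	}
	transport, _, err := NewCSR("transport", 2048) // only its key pair is used here
	if err != nil {
		log.Fatal(err)
	}
	body, err := BuildRegisterPayload("Test Printer 11", "c4303900-c7c2-4419-8eec-5a7d9a304af9", csr, &transport.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(body)) // POST this to https://register.print.microsoft.com/api/v0.1/register
}
```

CheckCSR is the part worth keeping in a real registration client: it parses the DER back, so it catches a wrong signature algorithm or key size regardless of which library produced the request.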


Azure AD OAuth Client Credentials Grant flow


Trying to set up the Azure AD OAuth client credentials grant flow for my web API. I'm following the document at https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow. I have to expose my API to a 3rd party. I've created the app in Azure AD (this is for the client that is requesting my API), generated the secrets and was able to get a response from the oauth2/token endpoint. My questions are below:

  1. What is the best way to validate the token? Is it by passing the JWT (bearer token) as an HTTP header to my API and then using the SDK to validate the token (System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler)? I'm using C#.
  2. What is the significance of Azure AD -> App Registrations -> "My API App" -> under Manage, Expose an API? It has an option to "Authorize client applications". How could I use this feature to conditionally block and approve the client applications?

  3. I will have to share the secret, client id and the App Id Uri with the 3rd party for them to generate the token and I will validate the token when I receive it.
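For question 1, an added Go example (mine, not from the post, the linked document or Microsoft's SDKs) of what validating the bearer token on the API side has to cover whichever library does it: pin the algorithm, verify the RS256 signature with the key selected by kid, and only then check issuer, audience, the validity window and an allowlist of calling applications. That allowlist is the server-side counterpart of the "Authorize client applications" list in question 2: the appid claim names the 3rd party's app registration, so the API can accept or block each client by it. Sign and NewSigningKey are stand-ins for the token endpoint so the example runs offline; the Validator and Claims names, the issuer and audience strings, and the claim set (a v1.0-style single string aud plus appid) are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of v1.0 access-token claims this API checks (assumed claim set).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	AppID string `json:"appid"` // the calling application's id, i.e. the 3rd party's app registration
	Exp   int64  `json:"exp"`
	Nbf   int64  `json:"nbf"`
}

type Validator struct {
	Keys     map[string]*rsa.PublicKey // kid -> signing key, normally loaded from the tenant's jwks_uri
	Clients  map[string]bool           // appid values allowed to call this API
	Issuer   string                    // e.g. https://sts.windows.net/{tenant-id}/
	Audience string                    // the API's App ID URI
	Now      func() int64              // unix seconds; injectable for tests
}

func (v *Validator) Validate(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	key := v.Keys[hdr.Kid] // pin the algorithm: the token never gets to choose "none" or an HMAC alg
	if hdr.Alg != "RS256" || key == nil {
		return nil, fmt.Errorf("alg %q with kid %q not acceptable", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // claims are only read after the signature has been verified
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	now := v.Now()
	switch {
	case c.Iss != v.Issuer:
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != v.Audience:
		return nil, fmt.Errorf("audience %q is not this API", c.Aud)
	case now < c.Nbf || now >= c.Exp:
		return nil, fmt.Errorf("token outside its validity window")
	case !v.Clients[c.AppID]:
		return nil, fmt.Errorf("client %q is not authorised for this API", c.AppID)
	}
	return &c, nil
}

func decodeSegment(seg string, out interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// Sign mints an RS256 token; it stands in for the token endpoint and is not how Azure AD issues tokens.
func Sign(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// NewSigningKey stands in for the tenant's signing key (generated locally for the example).
func NewSigningKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func main() {
	key, now := NewSigningKey(), time.Now().Unix()
	v := &Validator{Keys: map[string]*rsa.PublicKey{"kid-1": &key.PublicKey}, Clients: map[string]bool{"client-app-id": true},
		Issuer: "https://sts.windows.net/{tenant-id}/", Audience: "api://my-api", Now: func() int64 { return now }}
	tok, _ := Sign(key, "kid-1", Claims{Iss: v.Issuer, Aud: v.Audience, AppID: "client-app-id", Exp: now + 3600})
	fmt.Println(v.Validate(tok))
}
```

In production the Keys map is filled from the tenant's OpenID discovery document and refreshed on an unknown kid, and the sequence matters: a library that reads claims before verifying the signature, or that accepts the alg the token asks for, has the same bugs whichever language it is written in.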

Change from Azure AD Registered to Joined


Hello,

We are running into an issue with some of our systems here in the office when trying to get them added to Azure AD. We found that if a user skips the initial setup of joining our organization and instead just creates a local user, it just adds the system as AD Registered and not AD Joined. Is there a way to fix this after the fact?

RBAC Azure Reserved VM instance reader role assignment via REST


Is there a way to assign the Azure Reader role to a reserved VM instance?

I'm trying to use management.azure.com/roleassignments endpoint with no luck.

I need a request URI like the one below

https://management.azure.com/{subSegment}/roleAssignments/{Guid.NewGuid()}?api-version=2015-07-01

to make a role assignment for a reserved VM.

I've been looking here

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest

But this only describes the subscription scope; I need to do this for a reservation.

I have reservationOrderId and reservationId.

Cheers,

Adam
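For the request shape asked about, an added Go example (mine, not from the post or from Microsoft's docs) that builds the PUT for a role assignment at a reservation scope and validates the ids before sending. It assumes a reservation's resource id has the form /providers/Microsoft.Capacity/reservationOrders/{reservationOrderId}/reservations/{reservationId} (tenant-level, not under a subscription, which is why the subscription examples in the linked page do not fit), that a built-in role can be referenced by the tenant-level path /providers/Microsoft.Authorization/roleDefinitions/{id}, and that the built-in Reader role id is acdd72a7-3385-48ef-bd42-f606fba81ae7. The function names and the GUIDs in main are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

const (
	armEndpoint  = "https://management.azure.com"
	apiVersion   = "2015-07-01"                           // the version used in the post
	ReaderRoleID = "acdd72a7-3385-48ef-bd42-f606fba81ae7" // built-in Reader role definition
)

var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// Reservations are tenant-level resources under Microsoft.Capacity, not children of a
// subscription, so the scope is built from the order and reservation ids alone (assumed form).
func ReservationOrderScope(orderID string) string {
	return "/providers/Microsoft.Capacity/reservationOrders/" + orderID
}

func ReservationScope(orderID, reservationID string) string {
	return ReservationOrderScope(orderID) + "/reservations/" + reservationID
}

// RoleAssignmentRequest is the PUT an ARM client has to send: method, URL and JSON body.
type RoleAssignmentRequest struct {
	Method, URL string
	Body        []byte
}

// BuildRoleAssignment builds PUT {scope}/providers/Microsoft.Authorization/roleAssignments/{name}.
// name is a fresh GUID chosen by the caller, roleDefinitionID the role's GUID, principalID the
// object id of the user, group or service principal receiving the role.
func BuildRoleAssignment(scope, name, roleDefinitionID, principalID string) (*RoleAssignmentRequest, error) {
	if !strings.HasPrefix(scope, "/providers/") && !strings.HasPrefix(scope, "/subscriptions/") {
		return nil, fmt.Errorf("scope %q is not an ARM resource id", scope)
	}
	for _, g := range []string{name, roleDefinitionID, principalID} {
		if !guidRe.MatchString(g) {
			return nil, fmt.Errorf("%q is not a GUID", g)
		}
	}
	body, err := json.Marshal(map[string]map[string]string{"properties": {
		// built-in roles referenced by their tenant-level definition path (assumption); a
		// subscription-qualified path has nothing to hang off at a reservation scope
		"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/" + roleDefinitionID,
		"principalId":      principalID,
	}})
	if err != nil {
		return nil, err
	}
	url := fmt.Sprintf("%s%s/providers/Microsoft.Authorization/roleAssignments/%s?api-version=%s", armEndpoint, scope, name, apiVersion)
	return &RoleAssignmentRequest{Method: "PUT", URL: url, Body: body}, nil
}

func main() {
	// constructed ids: use your reservationOrderId and reservationId, a new GUID for the
	// assignment name, and the object id of the principal that should get Reader
	scope := ReservationScope("11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222")
	req, err := BuildRoleAssignment(scope, "33333333-3333-3333-3333-333333333333", ReaderRoleID, "44444444-4444-4444-4444-444444444444")
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL)
	fmt.Println(string(req.Body))
}
```

The request is sent with a bearer token for https://management.azure.com/ held by an identity that has Microsoft.Authorization/roleAssignments/write on the reservation order (Owner or User Access Administrator there); a 403 on the PUT means the caller lacks that, not that the scope is wrong.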

Is it possible to have an authorization across Azure AD SSO (SAML 2.0) run a script to perform an action?

Is it possible to have someone authenticating through Azure AD SSO run a logon script or anything?  I would like to update the last logon date for a user in AD based off login to an application that uses Azure AD SSO for authentication.  Is that possible?

Errors When using Azure SDK for go to authenticate with AD using username password


Hi, 

I'm trying to use the Azure SDK for Go to authenticate with AD to access blob storage. I'm able to use the client credential to do this. But if I change to username and password, it gives me the error below.

failed to list keys: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/{SubscriptionHidden}/resourceGroups/resgrpadblob/providers/Microsoft.Storage/storageAccounts/storageaccadblob/listKeys?api-version=2017-06-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_grant","error_description":"AADSTS50034: The user account {EmailHidden} does not exist in the {TenantHidden} directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: ...\r\nCorrelation ID: ...\r\nTimestamp: 2019-07-25 00:11:57Z","error_codes":[50034],"timestamp":"2019-07-25 00:11:57Z","trace_id":"...","correlation_id":"..."}

My code:

package main

import (
	"context"
	"fmt"
	"log"
	"net/url"

	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2017-06-01/storage"
	"github.com/Azure/azure-storage-blob-go/azblob"
	"github.com/Azure/go-autorest/autorest/azure/auth"
)

// Placeholders from the original snippet; fill these in before running.
const (
	subscriptionID     = "<subscriptionID>"
	resourceGroupName  = "<resourceGroupName>"
	storageAccountName = "<storageAccountName>"
	containerName      = "<containerName>"
)

func handleErrors(err error) {
	if err != nil {
		log.Fatal(err)
	}
}

func main() {
	storageAccountsClient := storage.NewAccountsClient(subscriptionID)
	// NewAuthorizerFromEnvironment picks the credential type from environment variables:
	// AZURE_TENANT_ID plus AZURE_CLIENT_ID/AZURE_CLIENT_SECRET for client credentials, or
	// AZURE_CLIENT_ID/AZURE_USERNAME/AZURE_PASSWORD for username and password.
	authorizer, err := auth.NewAuthorizerFromEnvironment()
	if err != nil {
		log.Fatalf("failed to create authorizer: %v", err) // stop here rather than call ARM with no authorizer
	}
	storageAccountsClient.Authorizer = authorizer

	response, err := storageAccountsClient.ListKeys(context.Background(), resourceGroupName, storageAccountName)
	if err != nil {
		log.Fatalf("failed to list keys: %v", err)
	}
	key := *(((*response.Keys)[0]).Value)
	credential, err := azblob.NewSharedKeyCredential(storageAccountName, key)
	if err != nil {
		log.Fatal("Invalid credentials with error: " + err.Error())
	}
	p := azblob.NewPipeline(credential, azblob.PipelineOptions{})

	// From the Azure portal, get your storage account blob service URL endpoint.
	URL, _ := url.Parse(
		fmt.Sprintf("https://%s.blob.core.windows.net/%s", storageAccountName, containerName))

	// Create a ContainerURL object that wraps the container URL and a request
	// pipeline to make requests.
	containerURL := azblob.NewContainerURL(*URL, p)

	// Create the container
	fmt.Printf("Creating a container named %s\n", containerName)
	ctx := context.Background() // This example uses a never-expiring context
	_, err = containerURL.Create(ctx, azblob.Metadata{}, azblob.PublicAccessNone)
	handleErrors(err)
}

I have set up a service principal in the directory with the user and added API permission for Azure Storage. The authentication method I used is environment-based authentication. When I set up the variables with the client ID and secret, I'm able to access blob storage to create, delete, upload, etc. But if I set up the username and password, it won't work. Can anyone help me with this? Thank you so much!

The solutions I tried that failed are:

1. Change the username from the email address to the form smtp:email, based on AADSTS50034.

2. Add the user with Storage Blob Data Contributor role in the storage account. 

 

Besides, I read the following in the documentation. Should I add the Resource Manager deployment or the redirect URI?

Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization.

Single Sign on using Password Sync has stopped working for Chrome and Firefox clients.


Hello.

This morning we started getting tickets that SSO has stopped working and users who are on site need to enter their passwords to authenticate to Office 365 and Azure. Upon investigation, it appears that the problems are with the Chrome and Firefox browsers.

The browsers were both updated on 7/18/2019 and no issues appeared until today.

Chrome version is 75.0.37770.142

Firefox version is 68.0.1 (32-bit).

Anyone else seeing this or have reports of it? I've gone through all the settings in the browsers that I can think of to trust the site; it just seems to not be passing the password hash.

Thanks.

Windows 10 hybrid azure ad device name appended with $


I have a number of Win10 computers joined to my on-prem domain and synced to Azure AD via AAD Connect. They are hybrid Azure AD joined via group policy. I have 1 computer that has a $ appended at the end of its name in the Intune/Azure AD portal.

What could be the cause for the "$" sign at the end of the name?

Thanks

Christian


AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application.


Hi, I keep getting this error every time I access Microsoft AD from my test application:

AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application.

I have been using the following library for integration in PHP

Azure Active Directory provider for oAuth 2.0 client (Can't add the link for some reason.)

I have set the RedirectURI in the code as well as in the authentication section of the active directory. But still keep seeing this error. Can anyone help me with this? Been stuck at it for 2 days.

If anyone could help me out with this, I will really appreciate it. Thanks

How can I connect my machine to my AAD?


How can I connect my machine to my AAD instead of a workgroup?

I have installed Power BI and a SQL Server on a Hyper-V machine. When I try to connect Power BI Services (a web application) to set up a gateway connection to SSAS (where I have my tabular model) to run the report, I get an error message. MS Support told me the problem is that the Hyper-V machine is connected to a workgroup and not to a domain (issue 119072321000575 closed because it has to be solved by the Azure AD Team).

So I was forwarded to Azure Support to change this setting on the machine. I made a couple of steps, but my Hyper-V machine is still connected to a workgroup and not to a domain.

Please help





Hashicorp vault with azure service principal.


Recently I have integrated an Azure service principal with HashiCorp Vault to get a temporary client ID and client secret. After integration, I have noticed that whenever I request a token from HashiCorp Vault, it generates a new service principal in the Azure portal and assigns it a role (like Reader, Owner, etc.) which I mentioned while requesting from Vault. After getting the client ID and client secret of the service principal, I checked and the client secret key doesn't exist in the "Certificates & secrets" section of the service principal (app registrations).

So, now my question is: how is it possible to create a new SP with a client ID and client secret that doesn't show in the Azure portal?

 

Redirect issue with the Microsoft Applications Registration Portal into Azure


I noticed a banner at the top of my Microsoft Applications Registration Portal account telling me the service will be deprecated soon and that I need to move into Azure, however when I click on the redirect hyperlink, I get the below error:

Here's the original link: https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade

Azure AD Connector Account Permissions


Hi,

We have recently upgraded our Azure AD Connect instance and have deployed a custom AD Connector account, applying permissions using the ADSyncConfig powershell cmdlets and module as described here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account

After running the cmdlets we verified the correct permissions had been applied; however, we are encountering a permission issue when exporting some changes from the metaverse back to the on-prem AD.

A couple of examples include Office 365 group writeback failing and password writeback failing for admin users.

We've identified that the Create Group Object permission appears to be missing from both the table of permissions and cmdlets referenced in the above article. This is granted when adding the "create, delete and manage" delegation to an OU and when we add it manually to the AD Connector account Group writeback succeeds. 

Permissions on the adminSDHolder object also appear to apply to "descendant user objects" and not "this object". If we manually update to "this object", AD Connect is able to successfully write password changes.

Has anyone else encountered this? Are the permissions applied by the ADSyncConfig cmdlets incorrect, or am I missing something?

Thanks,

Shane.

AAD Connect - Adding Windows AD Users


Hi All

So, I'm setting up AAD Connect and want to enable single sign-on for my users. Currently we have to set up a Windows AD account and then an Office 365 account.

If I want to enable single sign-on so they don't have to keep putting in their O365 passwords, what will happen when the users' info is synced (going to use Password Hash Sync)? Currently users are listed in Azure AD with source 'Azure Active Directory'. Will the sync duplicate account details? I've tried it on my account and I show as 'Windows AD Server' (I'm using my account as a test for syncing).

Thanks

Publishing on-premise OWA with Azure Application Proxy - Refresh/Timeout


Hello,

We are evaluating the use of Azure AD Application Proxy for use with Exchange services, including OWA/ECP. External access to the applications is working successfully, along with Azure pre-authentication, but we are experiencing the following 2 symptoms:

1) Refresh time to show new/updated mail is much slower than it used to be (using WAP/ADFS). Sometimes it takes a minute or two for new e-mail to appear. Not a huge deal, but wondering if anyone  has seen this and knows of a fix.

2) After about an hour, e-mail stops refreshing altogether and the user must manually refresh the browser to see new mail. I think this is related to the access token expiring, as from what I've read the default is 1 hour. I followed some guides to create a new policy to extend the access token lifetime to 24 hours (testing is still in progress), but again, am wondering if anyone has come across this and knows the fix.

Thanks for your help!

Wade



PowerShell AzureAD: Check if connection is established (with Connect-AzureAD)

How can I check by code whether my PowerShell session has an active AzureAD connection, i.e. a connection established with the Connect-AzureAD command?

Maas360 Azure AD SSO identity certificate


We are trying to get Maas360 Azure AD SSO integration to work with our iOS security policies that push apps out to the iPhones. Maas360 support mentioned that we needed to setup the SSO section in the security policy, but did not have any additional information on how to get an identity certificate or how to setup the SSO settings for Azure AD (an example configuration would have been nice for them to provide). Does anyone know how to configure the SSO policy to work with Azure AD? We don't want to use the IBM Cloud Identity integration because we would have to change our entire setup for everyone in the organization to use Maas360. The goal is to use Maas360 for the mobile devices and we don't want users to have to enter passwords the first time they get a device. We want the device to power on and get setup automatically and push the apps to the device. The documentation that we have found says the user will have to enter their password the first time you open an app, but we don't want a user to have to enter their password 15 times if they have 15 apps on their device. I appreciate any help or advice you can give us.

https://www.ibm.com/support/knowledgecenter/en/SS8H2S/com.ibm.mc.doc/pag_source/concepts/mdm_policy_gde_ios_single_sign_on.htm

How Azure AD handles Rate Limiting (Error code 429) in SCIM


While doing the initial sync, SCIM will make hundreds or thousands of calls depending on the user base. Now if the service provider's server doesn't handle the specific load and returns a 429 error code, how does Azure AD handle the scenario? Does it try to re-sync again and throttle the requests? If yes, at what rate, and how does it decide on that? Can the service provider send anything to indicate the threshold?
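What Azure AD itself does on a 429 is not something this post settles, so the added Go example below (mine, not from the post or from Microsoft) shows the two halves a service provider controls and can test against any client: a SCIM endpoint that answers over-limit requests with 429, a Retry-After header and the RFC 7644 error body, and a client that honours Retry-After and otherwise backs off exponentially. Retry-After is the standard way for the provider to state its threshold to the caller; whether a particular client honours it is that client's behaviour. The fixed-window limiter, the FakeClock, the /Users stub and all names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync"
	"time"
)

// RateLimiter is a fixed-window counter: at most limit requests per window.
type RateLimiter struct {
	mu           sync.Mutex
	limit, count int
	window       time.Duration
	reset        time.Time
	now          func() time.Time
}

func NewRateLimiter(limit int, window time.Duration, now func() time.Time) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, now: now}
}

// Allow reports whether a request may proceed and, if not, how long until the window resets.
func (l *RateLimiter) Allow() (bool, time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	if !now.Before(l.reset) {
		l.count, l.reset = 0, now.Add(l.window)
	}
	if l.count < l.limit {
		l.count++
		return true, 0
	}
	return false, l.reset.Sub(now)
}

// SCIMHandler answers over-limit requests with 429, Retry-After in whole seconds and the RFC 7644
// error body; everything else goes to the real SCIM handler.
func SCIMHandler(l *RateLimiter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, wait := l.Allow()
		if ok {
			next.ServeHTTP(w, r)
			return
		}
		secs := int((wait + time.Second - 1) / time.Second) // round up so the client never retries early
		w.Header().Set("Retry-After", strconv.Itoa(secs))
		w.Header().Set("Content-Type", "application/scim+json")
		w.WriteHeader(http.StatusTooManyRequests)
		fmt.Fprintf(w, `{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"429","detail":"rate limit exceeded, retry in %ds"}`, secs)
	})
}

// ProvisionUser is the client side of POST /Users: on 429 it waits for Retry-After when present,
// otherwise backs off exponentially, up to maxAttempts. Returns attempts made and the final status.
func ProvisionUser(client *http.Client, usersURL, userJSON string, maxAttempts int, sleep func(time.Duration)) (int, int, error) {
	backoff := time.Second
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		resp, err := client.Post(usersURL, "application/scim+json", strings.NewReader(userJSON))
		if err != nil {
			return attempt, 0, err
		}
		resp.Body.Close()
		if resp.StatusCode != http.StatusTooManyRequests {
			return attempt, resp.StatusCode, nil
		}
		wait := backoff
		if secs, err := strconv.Atoi(resp.Header.Get("Retry-After")); err == nil && secs > 0 {
			wait = time.Duration(secs) * time.Second
		}
		sleep(wait)
		backoff *= 2
	}
	return maxAttempts, http.StatusTooManyRequests, fmt.Errorf("still throttled after %d attempts", maxAttempts)
}

// FakeClock lets the server's window and the client's sleeps share one controllable clock.
type FakeClock struct{ mu sync.Mutex; t time.Time }

func (c *FakeClock) Now() time.Time        { c.mu.Lock(); defer c.mu.Unlock(); return c.t }
func (c *FakeClock) Sleep(d time.Duration) { c.mu.Lock(); c.t = c.t.Add(d); c.mu.Unlock() }

// NewTestServer wraps a minimal /Users endpoint (constructed for the example) in the limiter.
func NewTestServer(limit int, window time.Duration) (*httptest.Server, *FakeClock) {
	clk := &FakeClock{t: time.Unix(1564000000, 0)}
	users := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) })
	return httptest.NewServer(SCIMHandler(NewRateLimiter(limit, window, clk.Now), users)), clk
}

func main() {
	srv, clk := NewTestServer(2, time.Minute)
	defer srv.Close()
	for i := 0; i < 3; i++ { // the third call is throttled once, waits Retry-After and then succeeds
		fmt.Println(ProvisionUser(srv.Client(), srv.URL+"/Users", `{"userName":"bjensen"}`, 5, clk.Sleep))
	}
}
```

Serving Retry-After as the time to the window reset, rounded up, is what makes the client's first retry land inside a fresh window; a provider that emits 429 without the header leaves every client guessing with its own backoff, which is the situation the question describes.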

Misconfigured Azure directory application error


Hi,

I am implementing the Microsoft ADAL plugin in my Ionic 3 app, so for that I have created an account on Microsoft Azure and registered my app in the Azure portal. After all necessary configuration I used the app credentials in my Ionic app, but it throws a configuration error.

Although I configured my app properly and granted all necessary administrative permissions. I searched all Microsoft forums, but the error is still there.

The error which pops up:

AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: 

Thanks

 

Error message: AADSTS700016 when want connect OneDrive Business via PhotoCloud Android App


Hi,

When I want to connect PhotoCloud Slideshow (Android app) to OneDrive for Business, an error message like the one below appears:

"AADSTS700016: Application with identifier '000000004015E800' was not found in the directory 'manlogistics.com.au'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant." 

Can anybody help me resolve this issue, so this PhotoCloud Android app can access my photos in OneDrive for Business, please?

Cheers,

Gedhe ND

