Channel: Azure Active Directory forum

Publisher Domain verification not working for an "application from personal account" despite json available in browser


I'm trying to verify the publisher domain of my application but it's not working despite the json file being available when checking the link in a browser.

I suspect it's because the app is listed under 'Applications from personal account', as the error message shown is:

"Verification of publisher domain failed. The application was not found. If the application was just created, wait a few minutes and refresh the page. [62wAT]"

It's a several years old app that's working fine "in the wild" so it's definitely not "just created".

Does anyone know if I'm right that this is the problem and if so whether the app can be moved away from being a personal app? Re-creating it (with a different id) is not currently an option as it's "live".


AzureAD user as Local Administrator on specified registered device


Hello! 

There is a problem I am stuck with: applying AzureAD users to local groups on devices registered in AzureAD.

It's not only about adding AzureAD\username to the Local Administrators group; it's also about giving the user an opportunity to connect to their PC via RDS. Applying "Everyone" to the Remote Desktop Users group is not secure at all.

I've tried an instruction (can't link it, though) to make specified users local Administrators on every computer registered in AzureAD, but it's not what I am looking for. I need to add AzureAD users to local groups via Computer Management or an equivalent solution. The only way I can do it is to disconnect the PC from AzureAD and connect it back with the login I want to be an Administrator.

If you need any information to help me with this case please text me.

Thanks.



AAD-DS


We currently use Azure Active Directory to handle logins on our Windows machines and we do not have any physical server equipment (i.e., a domain controller). However, I would like to implement GPOs to manage users & computers.

What is the best way to start using GPOs to better manage my organization?

Thanks,

-Richkixbooks

Background image darkening when branding—can this be disabled?

We have applied a custom image for our background for our sign in experience. The color of the image meets our branding requirements, but when signing in a filter is applied which darkens it and therefore it is not matching the desired color. Is it possible to disable this filter?

Refresh an id_token from aspnet core MVC application to access an API


I am working on an aspnet core MVC project which calls an API which is secured by OAuth2.0. I have to pass the id token in the header of the API request.

I was able to access the API and get the response properly with the code below,

Startup.cs

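```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Members of the Startup class.
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    // Cookie scheme holds the local session; OpenID Connect handles the challenge.
    services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = Configuration["AzureAD:Instance"] + "/" + Configuration["AzureAD:TenantId"];
            options.ClientId = Configuration["AzureAD:ClientId"];
            options.ClientSecret = Configuration["AzureAD:Secret"];
            options.CallbackPath = Configuration["AzureAD:Callback"];
            // Hybrid flow: authorization code plus id_token from the authorize endpoint.
            options.ResponseType = "code id_token";
            // Store the returned tokens in the authentication cookie.
            options.SaveTokens = true;
        });

    // Require an authenticated user on every MVC action by default.
    services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        })
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // ...
    app.UseCookiePolicy();
    app.UseAuthentication();
    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "sign-in",
            template: "signin-oidc");

        // ...
    });
}
```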


Controller.cs

I am getting the token from the HttpContext.

But the id_token expires after some time, and when I load the MVC app it returns unauthorized. Is there a way to refresh the id token before it expires?
I tried a few examples from Stack Overflow, but none worked for me.

Is there a way to get this to work without using the IdentityModel used in example below?
https://github.com/mderriey/aspnet-core-token-renewal/blob/master/src/MvcClient/Startup.cs

A few Stack Overflow posts suggest there is no way to refresh an id_token; then how would I go about doing this?

Unable to login to SQL with AD integrated mode


I can query this server/db in the Azure portal, but when I try to connect to it in SSMS, I get the error below:

TITLE: Connect to Server
------------------------------

Cannot connect to aaa.database.windows.net.

------------------------------
ADDITIONAL INFORMATION:

One or more errors occurred. (mscorlib)

------------------------------

One or more errors occurred. (mscorlib)

------------------------------

AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access 'xxx'.
Trace ID: xxx
Correlation ID: xxx
Timestamp: 2019-07-11 11:47:36Z (System.Data)



Cheers
Vaibhav
MCSA (SQL Server 2012)

Active Directory Health Report


Hi Team,

Recently we are migrating a domain controller from W2k8 R2 to WK12 R2 with the same name and IP address.

But after migrating, when I run the Active Directory health report from the newly migrated domain controller, I get the failures below on NTDSService, NetlogonsTest, ReplicationTest and ServicesTest.

https://gallery.technet.microsoft.com/scriptcenter/Active-Directory-Health-709336cd

And when I ran it on our main domain controller (the server holding the Schema Master, Domain Naming Master, PDC, RID and Infra FSMO roles)

All are green.

Can anyone help me?

Where are the issues, and why is it behaving like this?




Thanks Devendra B2-Consulate(Capgemini)

What data from AAD are "consented" in an AAD multi-tenant solution

What data (name, first name, mail address, ...) are precisely "consented" when an administrator or user gives his consent in a multi-tenant AAD solution?

Granting Read Only Permissions to Users flagged for Risk


Hello,

We are having an issue with Users Flagged for Risk, as we are currently set to high. When trying to troubleshoot users who have been flagged, our service team is unable to check whether this may be a cause, as they have no read access to this area, so constant escalations are having to come through in cases where this may be a problem, just for someone to check whether the user has been flagged.

I am wondering if it is possible to grant read only access to this area?

,

Robert 

Joining Azure VMs to Azure DC?


I have VMs all on the same virtual network & subnet. Promoted one to Domain Controller with a Static IP. For some reason, I can't add the VMs to the Domain. I keep getting "DNS name does not exist".

Any tips?

Azure AD users with On-Prem App


Hi all,

Question related to Azure AD and any on-prem applications

Is it possible to authenticate users using Azure AD and authorize users based on access levels for folders/sites using on-prem users/AD which is not synchronized or trusted or connected or without storing user information anywhere else?

We have two different domains: domain A is connected/synced to Azure AD and another domain, B, is not connected to Azure AD. Now we want to run the application on domain B and use Azure AD for authentication and domain B accounts for authorization. Is that possible?



Azure AD B2C Multiple Clients

I am very new to AD B2C. We have multiple clients that have multiple users. We are interested in using B2C. But it is not like signing up for a single website. It is more like, say, Zendesk. You have a Client with multiple users. Is there anywhere I can get an example of what to do? So I have Company A, B, and C. Each company has its own users. I do not see how to set this up. It is not like we let anyone sign up. You are asked when you are added in as a user. But we would like to allow them to use their social media accounts to log in.

Error exporting user in Azure Tenant


Hi,

When I try to export a few users from on-prem to the Azure tenant, I get the error below. Upon checking, I found that the ObjectIdInConflict is issued to another user. So is it possible to remove the object conflict from Azure? What will happen if I remove the object conflict ID from Azure? Will that cause any issue?

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [SipProxyAddress yuki.ara@yen.com;].  Correct or remove the duplicate values in your local directory.  Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: f802534e-f216-416d-8a1e-dd9d2d9eg703
ExtraErrorDetails:
[{"Key":"ObjectId","Value":["b8g53c59-a693-454e-b98b-df8481d05884"]},{"Key":"ObjectIdInConflict","Value":["bed75406-69b7-4e02-ba0c-bf10c168b7d4"]},{"Key":"AttributeConflictName","Value":["SipProxyAddress"]},{"Key":"AttributeConflictValues","Value":["yuki.ara@yen.com"]}]

Yammer sign up issues


Not sure if anyone can help me. My daughter needs a Yammer account because she works at KFC and has to access rosters.

When we try to sign up, the screen says a verification code has been sent, but it never arrives. We have tried 3 different email accounts to sign up, but nothing. We have checked the spam folder, but no emails. I am told it has to be a corporate account. How do kids get a corporate email??? I signed in to Yammer on my corporate email but can't even access external groups. All we want is the verification code to be sent by phone message so that we can sign her up. How do we get around this issue, please? I have tried the Microsoft help desk, but they aren't returning calls and keep saying there is an error and to try later.

Azure custom RBAC


Hello,

I want to implement custom RBAC rules for a set of users. I want to achieve something like the below; is this possible?

I have the following resources deployed, and any user added should have only the required services as specified below.

Recovery service Vault - Contributor
VPN - Reader
VMs - Contributor
NSG - Contributor

Please help me: how can I achieve this?


The reply url specified in the request does not match the reply urls configured for the application


I created a script for JWT authentication with Zendesk; just putting this out there for those that read this.

The problem is I keep getting this error after publishing the ASP.NET application: "The reply url specified in the request does not match the reply urls configured for the application"

It will return this same error even if I start a brand new project like so:

Open Visual Studio

Create new project

Select ASP.NET Core web application, select next

Name project

Select create

Select web application (model-view-controller)

Select change under authentication on the right side

Select work or school accounts

Domain name fills in automatically

Select read directory data then select ok

Then select create

After it is created, if I go to Debug > Start with/without debugging,

the website loads and asks for credentials; I sign in, it works and takes me to the default ASP.NET page.

Everything hunky dory. If I then go to the overview page, select publish, then fill in the information like the name and group and then select publish, it will then open the web address it created and ask for my credentials. As soon as I put them in, I get the exact error in the title:

"The reply url specified in the request does not match the reply urls configured for the application"

This is on an unmodified application. I put in no additional code; I literally left it barebones the way Visual Studio 2019 created it.

I then figured I would log into the Azure portal and modify the reply url to match the site url that Visual Studio created after publishing. It still returns the same error when trying to go to the published site:

"The reply url specified in the request does not match the reply urls configured for the application"

If I create a brand new application with no authentication turned on and publish this site, the published Azure url suddenly works without me having to modify the reply url... I'm so confused... Why can't it work the same way when turning authentication on during the creation of a new project and then publishing?

How to Filter List For Resource Group get non-inherited Role assignments by using management REST API


Hi,
In this link:
https://docs.microsoft.com/en-us/rest/api/authorization/roleassignments/listforresourcegroup

For role assignments I want to filter the results to show only the non-inherited ones, because the current behavior will include those inherited from the subscription and those manually added at the resource group level.
I know from the docs that I have to use the $filter query param, but I don't know exactly the filter name that I have to use. I tried to search for it but I didn't find any related results.

How to give feedback on https://feedback.azure.com/


I want to give some feedback on the Microsoft Authenticator app.

The link in Google Play leads me to: https://feedback.azure.com/forums/169401-azure-active-directory

But when I tried to sign in, I got this problem:

```

AADSTS50020: User account 'long.nguyenxuan@outlook.com' from identity provider 'live.com' does not exist in tenant 'UserVoice, Inc.' and cannot access the application '91a42e81-999b-4cf1-aa36-bb33f25ff53b'(windowsazure.uservoice.com) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

```

How could I sign in to that and give my feedback?


  

Angola not in the list of country/region for creation of an Azure Active Directory/Tenant. Effects?


Hello all,

While trying to create my Azure AD/Tenant, I have noticed that my location (Angola) is not available in the list of countries or regions. It is clear that I cannot choose a random country/region now because I won't be able to alter it later; therefore, could you please clarify the following points?

Why is Angola not available in the list?

If I have to choose a country/region that is in the list, which one should it be?

If I choose another country/region, will it affect the subscriptions that we intend to buy via reseller (O365, Power BI), considering that the users and my current domain are based in Angola?

Thanks

WSUS for Azure AD DS in Windows 10 machines


Hello all,

I would like to know if I can implement WSUS on a virtual machine in Azure in order to patch around 20 Windows laptops with Windows 10 Pro. These machines are going to be in the Azure AD DS domain. Is this the best practice to patch security updates? In this case there are no local servers; everything will be in the cloud Azure AD.

I also want to know if BitLocker can be implemented in this scenario.

Thanks!

Alejandro
