ADConnect - SQL
ADConnect - Automate deployment end to end
Azure AD Domain Services recent issue: AADDS500: Synchronization has not completed in a while
Starting Friday Evening July 29th, we are getting:
AADDS500: Synchronization has not completed in a while
Alert message:
The managed domain was last synchronized with Azure AD on [date]. Users may be unable to sign-in on the managed domain or group memberships may not be in sync with Azure AD.
No changes have been made and this has been functional since last year. The Azure AD connect from on premise is happily syncing to Azure Active Directory and there is no special network security setup. So what gives here? I literally have no way to go about resolving this for the Azure AD tenant. Am I dead in the water? Please help!!!
Error message: AADSTS700016 when want connect OneDrive Business via PhotoCloud Android App
Hi,
When I want to connect PhotoCloud Slideshow (Android App) to OneDrive Business, an error message like the one below appears:
"AADSTS700016: Application with identifier '000000004015E800' was not found in the directory 'manlogistics.com.au'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."
Can anybody help me with how to resolve this issue, so this PhotoCloud Android app can access my photos in OneDrive Business, please?
Cheers,
Gedhe ND
Find out the User Sign in method in Azure Active Directory using API
I have added a few domains in my Azure Active Directory tenant. All of them are synced from on-premises Active Directory. I have enabled Password Hash Synchronization for a few domains and I have enabled Pass-through Authentication for the others. I assume that in Pass-through Authentication, the authentication is managed by the on-premises Active Directory and not the cloud. So, why doesn't the Authentication Type change to Federated for those domains? I would also like to know the user sign-in method used for every domain using an API. If there is no API, I would like to know if there is any cmdlet to achieve this.
AAD B2C: Pass redirect_uri as parameter to REST API (Dynamic Custom UI using Custom Policies)
I have created a custom policy using the Identity Framework in AAD B2C. I am serving a custom UI via a REST-based API. Now, when calling the REST service I need to change certain UI elements depending on some parameters (in my case: client-id and redirect-uri).
I was successful in mapping the client-id parameter using the following definition in my SignUpOrSignin.xml:
<UserJourneyBehaviors><ContentDefinitionParameters><Parameter Name="clientId">{OIDC:ClientId}</Parameter></ContentDefinitionParameters></UserJourneyBehaviors>
However, I cannot find a similar mapping for the redirect-uri.
Using {OIDC:RedirectUri} (or different variants of it) results in a schema-validation error.
How can I pass the redirect-uri to my REST-API?
Kind regards
Andreas
Azure ad Claims mapping policy for mobile and country claim
I have added the claims below, but only the department and telephoneNumber claims are coming through correctly. In the country claim we are getting the value of usageLocation, there is no usageLocation value in the JWT token, and there is no mobile value in the token; not sure why, though it is added below in the policy with a value.
Is it by design that we cannot send the mobile or country value in the JWT token using an Azure AD policy?
I am checking using the https://openidconnect.net/ site. Can you please suggest if there is anything I am missing?
$var = @('{"ClaimsMappingPolicy": {
"Version": 1,
"IncludeBasicClaimSet":"true",
"ClaimsSchema":
[{
"Source": "user",
"ID": "country",
"JwtClaimType": "country"
},
{
"Source": "user",
"ID": "department",
"JwtClaimType": "department"
},
{
"Source": "user",
"ID": "mobile",
"JwtClaimType": "mobile"
},
{
"Source": "user",
"ID": "usageLocation ",
"JwtClaimType": "usageLocation "
},
{
"Source": "user",
"ID": "telephoneNumber",
"JwtClaimType": "telephoneNumber"
}]
}
}')
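An added check for this post (my own Python, not the poster's PowerShell): the policy definition above, rebuilt without the trailing spaces the post has in its "usageLocation " entries (assumed unintended), a linter that catches exactly that class of defect, and a payload decoder that reports which expected claims a token does and does not carry, run on a constructed sample token shaped like the one the post describes.

```python
import base64
import json

# Claims mapping policy with the IDs from the post; the trailing spaces the post
# has in its "usageLocation " entries are stripped here (assumed unintended).
POLICY = {
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {"Source": "user", "ID": attr, "JwtClaimType": attr}
            for attr in ("country", "department", "mobile",
                         "usageLocation", "telephoneNumber")
        ],
    }
}

def lint_claims_schema(policy: dict) -> list:
    """Flag schema entries that cannot match a user attribute: surrounding
    whitespace in ID/JwtClaimType (as in the original post) or a missing field."""
    problems = []
    for entry in policy["ClaimsMappingPolicy"]["ClaimsSchema"]:
        for key in ("ID", "JwtClaimType"):
            value = entry.get(key)
            if value is None:
                problems.append(f"missing {key} in {entry}")
            elif value != value.strip():
                problems.append(f"{key} has surrounding whitespace: {value!r}")
    return problems

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def claims_report(jwt: str, expected) -> dict:
    """Decode a JWT payload (inspection only, no signature verification) and
    split the expected claim names into present (with value) and missing."""
    header, payload, _signature = jwt.split(".")   # raises if not 3 segments
    claims = json.loads(_unb64url(payload))
    return {"present": {c: claims[c] for c in expected if c in claims},
            "missing": [c for c in expected if c not in claims]}

# Constructed sample token: department/telephoneNumber present, country
# carrying a usage-location style value, mobile/usageLocation absent.
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(b'{"aud":"api://example","country":"US","department":"IT","telephoneNumber":"+1 555 0100"}'),
    "dummysignature"])
```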
Azure B2C - Not able to get the access_code & refresh_token through postman
Dear All,
I am trying to get the access_token and refresh_token through the request below, but I am getting the error below in Postman:
{
"error": "invalid_grant",
"error_description": "AADB2C90090: The provided JWE is not a valid 5 segment token.\r\nCorrelation ID: f4b8be04-9dce-4e07-a72f-7aacdd0e9cc8\r\nTimestamp: 2019-07-11 16:13:56Z\r\n"
}
I have double-checked the parameters entered in Postman and the code I captured after logging in.
Selvakumar Rathinam
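An added diagnostic for this kind of token-endpoint rejection (my own Python, not part of the post): the error complains that the value sent is not a 5-segment JWE, so before looking anywhere else it is worth checking the pasted value itself. The function classifies a compact-serialised token by segment count (JWS = 3, JWE = 5) and lists the paste and encoding mistakes that commonly produce a malformed value; the sample inputs in the test are constructed.

```python
import string
from urllib.parse import unquote

# Characters allowed in an unpadded base64url segment.
B64URL = set(string.ascii_letters + string.digits + "-_")

def inspect_token(value: str) -> dict:
    """Return the token kind by segment count (JWS = 3, JWE = 5) plus a list
    of paste/encoding problems that make a token endpoint reject the value."""
    findings = []
    if value != value.strip():
        findings.append("leading/trailing whitespace or newline")
    token = value.strip()
    if "&" in token:  # more than one query parameter was copied from the URL
        findings.append("contains '&': value carries extra query parameters")
        token = token.split("&", 1)[0]
    if unquote(token) != token:  # still URL-encoded from the redirect URL
        findings.append("contains %xx escapes: value is still URL-encoded")
        token = unquote(token)
    segments = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(segments), "unknown")
    if kind == "unknown":
        findings.append(f"{len(segments)} segment(s): not a compact JWS/JWE")
    for i, seg in enumerate(segments):
        if not seg:
            findings.append(f"segment {i} is empty")
        elif set(seg) - B64URL:
            findings.append(f"segment {i} has characters outside base64url")
    return {"kind": kind, "segments": len(segments), "findings": findings}
```

A value that comes back as a 5-segment JWE with no findings was pasted correctly, so the cause lies elsewhere (for example the code having already been used).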
Create a new role assignment for an enterprise application using Graph beta version
Hello Team,
I am trying to create role assignments for an enterprise application using the Graph API beta version.
I am following the Microsoft document to do the same.
Error
This is the error I am getting while checking: Write requests are only supported on contained entities
I tried the same using Azure AD Graph also (graph.windows.net) and I am able to achieve the following.
{"error": {"code": "BadRequest","message": "Write requests are only supported on contained entities","innerError": {"request-id": "f8b80735-c516-4a65-9f42-2b3088f2951a","date": "2019-07-30T09:23:13" } } }
But I want to achieve this using the Graph API beta version. Please let me know if this is possible using the beta version and how to do it.
Are the breaking changes of the Facebook Graph API handled by Azure AD B2C?
WoutervV
Azure AD Direct Federation - Okta domain name restriction
Hi All,
I am trying Direct Federation between AAD and Okta, where the document suggests the accepted domains are okta.com, but my domain is dev-133.oktapreview.com. Will this cause any authentication issues? I am facing an error/issue.
My Direct Federation is established successfully and is able to redirect to Okta, and Okta is pushing it back to AAD, but in AAD I am getting an exception in Authentication.
Getting "403 Forbidden" from Azure AD Graph API trying to reset a user's password
We're trying to reset user password using Azure AD Graph API but receiving a "403 Forbidden" when we try to do the reset operation. The call fails in both the scenario where the user is signed-in with the Web API and when they are signed-out. The call is made from our Web API application which has what we think are the correct permissions:
- "Read and write directory data" - Directory.ReadWrite.All
- "Sign in and read user profile" - User.Read
- "Access the directory as the signed-in user" - Directory.AccessAsUser.All
Here are the details of the password reset operation we are doing: https://docs.microsoft.com/en-gb/previous-versions/azure/ad/graph/api/users-operations#reset-a-users-password--
Any suggestions as to why this isn't working?
I am not entirely sure how to interpret this section of the documentation:
"Either delegated scope User.ReadWrite.All or Directory.AccessAsUser.All is required to reset a user's password. In addition to the correct scope, the signed-in user would need sufficient privileges to reset another user's password."
Does our application only have these delegated scopes when a user is signed-in? When it refers to "the signed-in user" could this mean our application? Or do we need a special admin user to complete this operation?
Any help at all appreciated :).
Azure B2C with custom attributes to render the radio button/Checkbox & Dropdown List
Dear All,
I want to render a dropdown list (with data), checkbox and radio buttons in the Azure B2C sign-up page through custom attributes or through a custom signinandsignup policy.
Custom attributes with the Boolean data type are rendered as a textbox and the user has to enter the value as true/false; not sure how this can be given to the end user.
Please advise how to achieve this.
Selvakumar Rathinam
Service Connection Point
Hi
I have successfully tested Hybrid join with a few workarounds to get authentication running through a firewall.
I am in the final stages of the project and have manually Hybrid joined 20-30 machines to Azure.
I have not enabled the SCP. If I enable this on site, will this affect machines without specific policies set in place to Hybrid Join to the cloud? We are working fine without the SCP, but it seems that I have made it to the end of the project without the need for enabling the SCP? Especially if I only select specific machines to Hybrid join in AD Connect, the Hybrid join is not going to work for other machines I might not want to hybrid join.
Regards,
Darren
darren hitchen
Azure AD Application - Change Notification Email through PowerShell?
I have several applications added in Azure AD. These applications are all configured with SAML Single Sign-On (SSO) (screenshot here).
In the SAML SSO configuration page, there is a setting for Notification Email, which is the email address that will be notified when the SAML signing certificate is close to expiration (screenshot here).
I want to be able to programmatically change the notification email on an Azure AD app through PowerShell. I have been exploring with the cmdlet Get-AzureADApplication, but I don't seem to find the "notification email" property, and therefore I am not sure how to set it.
Here is the output of Get-AzureADApplication on a Test App. No "notification email" property:
DeletionTimestamp :
ObjectId : 24dcf6a8-2746-4ba9-af54-062ac39d5a4d
ObjectType : Application
AddIns : {}
AllowGuestsSignIn :
AllowPassthroughUsers :
AppId : c95bca7f-5c32-4a17-9d3f-89234124fad7
AppLogoUrl :
AppRoles : {class AppRole { AllowedMemberTypes: System.Collections.Generic.List`1[System.String] Description: User DisplayName: User Id: 18d14569-c3bd-439b-9a66-3a2aee01d14f IsEnabled: True Value: } , class AppRole { AllowedMemberTypes: System.Collections.Generic.List`1[System.String] Description: msiam_access DisplayName: msiam_access Id: b9632174-c057-4f7e-951b-be3adc52bfe6 IsEnabled: True Value: } }
AvailableToOtherTenants : False
DisplayName : TestApp
ErrorUrl :
GroupMembershipClaims :
Homepage : https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=customappsso|ISV9.1|primary|z
IdentifierUris : {test.com}
InformationalUrls : class InformationalUrl { TermsOfService: Marketing: Privacy: Support: }
IsDeviceOnlyAuthSupported :
IsDisabled :
KeyCredentials : {}
KnownClientApplications : {}
LogoutUrl :
Oauth2AllowImplicitFlow : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions : {class OAuth2Permission { AdminConsentDescription: Allow the application to access TestApp on behalf of the signed-in user. AdminConsentDisplayName: Access TestApp Id: 4a22a7ad-f133-46e7-b5fb-915914da8894 IsEnabled: True Type: User UserConsentDescription: Allow the application to access TestApp on your behalf. UserConsentDisplayName: Access TestApp Value: user_impersonation } }
Oauth2RequirePostResponse : False
OrgRestrictions : {}
OptionalClaims :
ParentalControlSettings : class ParentalControlSettings { CountriesBlockedForMinors: System.Collections.Generic.List`1[System.String] LegalAgeGroupRule: Allow }
PasswordCredentials : {}
PreAuthorizedApplications :
PublicClient : False
PublisherDomain : <redacted>
RecordConsentConditions :
ReplyUrls : {https://testc.om}
RequiredResourceAccess : {}
SamlMetadataUrl :
SignInAudience : AzureADMyOrg
WwwHomepage :
Any help or ideas?
Inbound Filtering and ADDS connector
You can't get there from here
No matter what site I log on to, I get this error below. I had just renewed my Action Pack, and converted my partner account from an @outlook.com account to my domain email for the new partner portal. I did have pass thru auth setup on AADSync on my on-prem DC, and it had been working fine previously. I did have SCCM/Intune in Hybrid mode, and went through the workflow to separate them so I could do Co-management. Pass thru & AADsync are no longer setup (tried to update client, and it got stuck in limbo because it wouldn't let me auth during update.. so I had to uninstall it). SCCM is no longer hybrid. Co-management oddly enough, allowed the setup. I can log into the old Intune portal page, and made sure all rules/policies are out. I cannot fathom what rules are in place that would do this. I setup a mobile device and tried to get in through it, and it failed. I had a Windows 10 machine that had been Azure AD joined, and it failed too.
Can anyone point me in the right direction, or at least let me know if I can call support to turn off rules?
You can't get there from here
- Company domain joined devices. Access from personal devices is not allowed.
Additional security verification: when I entered my details, I selected Russia (+7) in the Country field. After saving the information, the page https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 reports my country as Kazakhstan (+7)
Additional security verification: when I entered my details, I selected Russia (+7) in the Country field. After saving the information, the page reports my country as Kazakhstan (+7).
Notifications are working with the wrong country now, but I cannot even save the right country via that link.
This is an issue of corporate security; I feel obliged to report the software bug and the fact that incorrect data has apparently been stored in my MFA profile.
Windows Hello for Business Provisioning Will Not be Launched
Hello,
I am trying to configure Windows Hello for Business and I have run into an issue. I am seeing event 362 in the User Device Registration log (Event Viewer -> Applications and Services -> Windows -> User Device Registration). The event is indicating that "Enterprise user logon certificate enrollment endpoint is ready: No ". I cannot seem to find any information on this message and could use some assistance. Any thoughts on where I might look to track down the issue?
A few points to keep in mind:
- I have an enterprise certificate service running and it is distributing various certificates to users and computers.
- I have ADFS and ADFS proxies configured and working as expected.
- I have AD Connect configured and working as expected.
- I have been through the various Windows Hello for Business articles and I think I have everything completed.
Yet obviously I am missing some component.
Thank you for any help you can provide,
Matt
Event 362, User Device Registration
Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Enterprise user logon certificate enrollment endpoint is ready: No
Enterprise user logon certificate template is : Not Tested
User has successfully authenticated to the enterprise STS: Yes
Certificate enrollment method: enrollment authority
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
What is the scope to use OAuth2.0 on ExchangeActiveSync protocol for personal Microsoft accounts?
Hi,
I am trying to authenticate a personal Microsoft account (Outlook.com account) using ExchangeActiveSync with OAuth. The application is registered in Azure AD. In order to use the OAuth v2.0 protocol for personal Microsoft accounts, the manifest config is set to:
"accessTokenAcceptedVersion": 2,"signInAudience": "AzureADandPersonalMicrosoftAccount",
ExchangeActiveSync permission is also added.
I tried to fetch authorization code with the scope parameter set to
offline_access https://outlook.office365.com/EAS.AccessAsUser.All
But I got an invalid_scope response:
example://example.oauth2redirect?error=invalid_scope&error_description=The provided value for the input parameter 'scope' is not valid. The scope 'offline_access https://outlook.office365.com/EAS.AccessAsUser.All' does not exist.
Is ExchangeActiveSync supported by the AD OAuth v2 protocol? If it is, what is the correct scope to use it?
Thanks,