
Office 365 group naming policy: Compliance across workloads


We have enabled the group naming policy for testing purposes, using the string 'Grp' as the prefix and the user attribute [department] as the suffix. However, when we compared it with the article (//docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-naming-policy) on compliance across workloads, we found the things below. I had provided feedback on this article but I was asked to post here on MSDN.

1.

Exchange Admin Center: Getting the error below:
"A prefix or suffix required by your organization is missing from one or more of the following group name, alias, email address. The suggested group name is 'Grp_Test_IT'. Please add the missing information and try again."
Do we need to add the prefix and suffix manually to the group name? They are not populated automatically.
2.
Microsoft 365 Admin Center:
Users don't have access to the Microsoft 365 Admin Center. I could not create a group with the 'SharePoint, Exchange, Application, Privileged role administrator' permissions. The Global admin can create a group from the Admin Center, but he is exempted from the policy.
Which other roles can be used to create an O365 group from the Microsoft 365 Admin Center?
3.
Azure Active Directory portal:
Users are not allowed to create groups from the Azure Active Directory portal. This needs permissions like SharePoint Admin.
4.
Planner:
- Before O365 group naming policy enabled
  - When the owner edits the group name, changing the group name is not allowed for groups created before the naming policy was enabled
- After O365 group naming policy enabled
  - New Plan/O365 Group:
    - Policy is reflected for the new Plan/Group created
    - However, when the owner tries to edit the group name again, the change in group name is not reflected
  - Existing Plan/O365 Group:
    - Neither is the policy reflected for the existing plan/group name on editing, nor is the change in group name allowed and reflected
5.
Yammer and Teams:
In Yammer and Teams, while editing the group name, it accepts the same name for the group as the previous name (no change in name is required). But in other workloads (OWA, Stream, SharePoint), the group name needs to be changed by at least one letter (removed or added).
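Added example, not part of the post above: the naming policy itself is a single string on the tenant's Group.Unified directory setting, set with the AzureADPreview module, and the error quoted from the Exchange Admin Center is the policy being enforced rather than applied. The function at the end mirrors the substitution that the workloads perform, so a provisioning script can compute the compliant name before it calls Exchange. Assumptions: the AzureADPreview module is installed, the caller is a Global Administrator, and the department value and blocked words are made up for the example.

```powershell
# Added example (not from the original post). Reads/sets the Microsoft 365 group naming
# policy with AzureADPreview, then shows how a workload derives the compliant name.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# Group.Unified holds the tenant-wide settings for Microsoft 365 groups. Create it from
# its template if the tenant has never touched these settings before.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
    $new      = $template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $new | Out-Null
    $setting  = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# Prefix 'Grp_', the requested name, then the creator's department as the suffix
# (same shape as the policy described in the post).
$setting['PrefixSuffixNamingRequirement'] = 'Grp_[GroupName]_[Department]'
$setting['CustomBlockedWordsList']        = 'CEO,Payroll,HR'     # hypothetical list
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Show what is now stored.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -in 'PrefixSuffixNamingRequirement', 'CustomBlockedWordsList' }

# What a workload does with the policy: substitute [GroupName] and the creator's
# attribute tokens. Hypothetical helper for scripts that create groups themselves.
function Get-ExpectedGroupName {
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][string]$RequestedName,
        [hashtable]$CreatorAttributes = @{}       # e.g. @{ Department = 'IT' }
    )
    $name = $Policy -replace '\[GroupName\]', $RequestedName
    foreach ($attr in $CreatorAttributes.Keys) {
        $name = $name -replace "\[$attr\]", $CreatorAttributes[$attr]
    }
    return $name
}

# For a user in department 'IT' asking for 'Test' this yields 'Grp_Test_IT', the same
# name the Exchange Admin Center suggested in the error message above.
Get-ExpectedGroupName -Policy 'Grp_[GroupName]_[Department]' -RequestedName 'Test' `
    -CreatorAttributes @{ Department = 'IT' }
```

Attribute tokens that the creating user has no value for are substituted with an empty string, so a script should check the user's attribute before trusting the computed name.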



How Can I include client IP address in ADB2C accessToken claims


Hi,

How can I include the client IP address in the AD B2C access token claims? We want to include the client IP address in the access token.

Thanks

Vinay
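Added example, not part of the post above: in an Azure AD B2C custom policy the claim resolver `{Context:IPAddress}` exposes the IP address of the connection that B2C sees. Declaring a claim for it and emitting it from the relying party technical profile's OutputClaims puts it into the issued tokens. The two fragments below are config for a custom policy (not a user flow); the claim name `ipAddress` is a made-up choice and the surrounding policy files are assumed to be the standard starter pack.

```xml
<!-- Added example, not from the original post. Fragment 1: declare the claim in
     BuildingBlocks/ClaimsSchema of the base (TrustFrameworkBase/Extensions) file. -->
<ClaimType Id="ipAddress">
  <DisplayName>Client IP address</DisplayName>
  <DataType>string</DataType>
</ClaimType>

<!-- Fragment 2: emit it from the RelyingParty technical profile in the RP file.
     {Context:IPAddress} is a B2C claim resolver; AlwaysUseDefaultValue="true" makes the
     resolver value win over anything collected earlier in the journey. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="ipAddress" DefaultValue="{Context:IPAddress}" AlwaysUseDefaultValue="true" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

Two caveats for the API that consumes the token: the value is the address B2C saw (a proxy, VPN or NAT address when the client sits behind one), and it is readable by the client that holds the token, so it is useful for audit trails but must not be treated as proof of where a later API call comes from.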

Get Token Request failing with AADSTS7000218


Hi,

I am using the sample provided at https://github.com/microsoft/PowerBI-Node and use the correct application ID along with the config below defined in the JSON config file.

{
    "authorityUrl" : "https://login.microsoftonline.com/common/",
    "resourceUrl" : "https://analysis.windows.net/powerbi/api",
    "apiUrl" : "https://api.powerbi.com/",
    "appId" : "",
    "workspaceId" : "",
    "reportId" : "",
    "username" : "",
    "password" : ""
}

But when this method is called 


    // use user credentials and appId to get an aad token
    let promise = () => { return new Promise(
        (resolve, reject) => {
            context.acquireTokenWithUsernamePassword(config.resourceUrl, config.username, config.password, config.appId , function(err, tokenResponse) {
                // return after reject so resolve() is not also called on the error path
                if (err) return reject(err);
                resolve(tokenResponse);
            })
        });
    };

then it throws this error.

Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: 6560c4b9-fe40-4120-ab2a-921956300000\r\nCorrelation ID: fd7fb0dd-e345-4206-b426-d121000f7393\r\nTimestamp: 2019-08-02 19:14:41Z","error_codes":[7000218],"timestamp":"2019-08-02 19:14:41Z","trace_id":"6560c4b9-fe40-4120-ab2a-921956300000","correlation_id":"fd7fb0dd-e345-4206-b426-d121000f7393"}

I do not understand why it is asking for a client secret, because there is no option provided in this to specify a client secret. Not sure where I need to specify that. Not sure how we can make this sample work.

I have used the Azure Portal to register the app and assign permissions to Power BI, but that also did not work and threw the same error.

Any help would be really appreciated.

Regards
Rajaniesh
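Added example, not part of the post above: AADSTS7000218 is the token endpoint saying it treats the app registration as a confidential client, so it expects `client_secret` or `client_assertion`. `acquireTokenWithUsernamePassword` is the resource owner password (ROPC) grant, which only works without a secret when the registration is marked as a public client. The script flips that flag with the AzureAD module and then replays the same token request outside Node to confirm the fix. The application id, and the Power BI master-user credential it prompts for, are assumed; nothing here is from the PowerBI-Node sample itself.

```powershell
# Added example (not from the original post). Marks the app as a public client so the
# ROPC grant used by the PowerBI-Node sample works without a secret, then tests it.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$appId = '00000000-0000-0000-0000-000000000000'   # hypothetical: the appId from config.json
$app   = Get-AzureADApplication -Filter "appId eq '$appId'"

# The flag the error is about: False (or empty) means confidential client.
"PublicClient before: $($app.PublicClient)"

# Same as "Default client type -> Treat application as a public client: Yes" in the portal.
Set-AzureADApplication -ObjectId $app.ObjectId -PublicClient $true
"PublicClient after:  $((Get-AzureADApplication -ObjectId $app.ObjectId).PublicClient)"

# Replay the request ADAL sends: v1 token endpoint, grant_type=password, no secret.
$cred = Get-Credential -Message 'Power BI master user (never hard-code this password)'
$body = @{
    grant_type = 'password'
    resource   = 'https://analysis.windows.net/powerbi/api'
    client_id  = $appId
    username   = $cred.UserName
    password   = $cred.GetNetworkCredential().Password
}
try {
    $token = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
        -Uri 'https://login.microsoftonline.com/common/oauth2/token' -Body $body
    "Token acquired for $($token.resource), expires in $($token.expires_in) s"
} catch {
    # The JSON body carries the AADSTS code; surface it instead of the bare HTTP 401.
    $msg = $_.ErrorDetails.Message
    if ($msg) { Write-Warning (($msg | ConvertFrom-Json).error_description) } else { Write-Warning $_.Exception.Message }
}
```

If you would rather keep the registration confidential, the alternative is to stop using a master user altogether: add a secret (or certificate) and use the client credentials grant with a service principal that is a member of a Power BI workspace. ROPC hands the user's password to the app and cannot satisfy MFA, so the public-client route should be limited to the one account created for this purpose.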


Find amount of objects synchronized with AAD


We're currently running Azure AD Domain Services on a Pay-as-you-go subscription model and we are looking at moving over to a static monthly subscription. The tiers are set by number of directory objects, and for less than 25,000 it's about $109.50/month, from 25,001 to 100,000 it's about $292/month, and so forth.

I want to find out the number of objects we're currently synchronizing but haven't been able to locate this piece of information in any of the portals so far. Is it available anywhere, or will I need to calculate it manually somehow?
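Added example, not part of the post above: the portals do not show a single "synced object" figure, but each object type carries a `DirSyncEnabled` flag, so a short AzureAD-module script can produce the count per type and in total. Which of these types a pricing tier actually counts is defined by the Azure AD DS pricing page, not by the script. Assumes the AzureAD module and an account with directory read access.

```powershell
# Added example (not from the original post). Counts directory objects per type and how
# many of them are mastered on-premises (synced through Azure AD Connect).
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Tenant-level sync status first: is sync on at all, and when did it last run?
Get-AzureADTenantDetail | Select-Object DisplayName, DirSyncEnabled, CompanyLastDirSyncTime

$objects = @(
    @{ Type = 'Users';    Items = Get-AzureADUser    -All $true }
    @{ Type = 'Groups';   Items = Get-AzureADGroup   -All $true }
    @{ Type = 'Contacts'; Items = Get-AzureADContact -All $true }
    @{ Type = 'Devices';  Items = Get-AzureADDevice  -All $true }
)

$report = foreach ($o in $objects) {
    # DirSyncEnabled is $true only for synced objects; cloud-only objects leave it unset,
    # so compare explicitly instead of relying on truthiness.
    $total  = @($o.Items).Count
    $synced = @($o.Items | Where-Object { $_.DirSyncEnabled -eq $true }).Count
    [pscustomobject]@{
        Type      = $o.Type
        Total     = $total
        Synced    = $synced
        CloudOnly = $total - $synced
    }
}
$report | Format-Table -AutoSize

"Total directory objects: $(($report | Measure-Object -Property Total -Sum).Sum)"
"Synced from on-premises: $(($report | Measure-Object -Property Synced -Sum).Sum)"
```

`-All $true` matters: without it the cmdlets return only the first page (100 objects), which would make a large tenant look like it fits the smallest tier.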

Azure AD Application - Change Notification Email through PowerShell?


I have several applications added in Azure AD. These applications are all configured with SAML Single Sign-On (SSO) (screenshot here).

In the SAML SSO configuration page, there is a setting for Notification Email, which is the email address that will be notified when the SAML signing certificate is close to expiration (screenshot here).

I want to be able to programmatically change the notification email on an Azure AD app through PowerShell. I have been exploring with the cmdlet Get-AzureADApplication, but I don't seem to find the "notification email" property, and therefore I'm not sure how to set it.

Here is the output of Get-AzureADApplication on a Test App. No "notification email" property:

DeletionTimestamp          : 
ObjectId                   : 24dcf6a8-2746-4ba9-af54-062ac39d5a4d
ObjectType                 : Application
AddIns                     : {}
AllowGuestsSignIn          : 
AllowPassthroughUsers      : 
AppId                      : c95bca7f-5c32-4a17-9d3f-89234124fad7
AppLogoUrl                 : 
AppRoles                   : {class AppRole {
                               AllowedMemberTypes: System.Collections.Generic.List`1[System.String]
                               Description: User
                               DisplayName: User
                               Id: 18d14569-c3bd-439b-9a66-3a2aee01d14f
                               IsEnabled: True
                               Value: 
                             }
                             , class AppRole {
                               AllowedMemberTypes: System.Collections.Generic.List`1[System.String]
                               Description: msiam_access
                               DisplayName: msiam_access
                               Id: b9632174-c057-4f7e-951b-be3adc52bfe6
                               IsEnabled: True
                               Value: 
                             }
                             }
AvailableToOtherTenants    : False
DisplayName                : TestApp
ErrorUrl                   : 
GroupMembershipClaims      : 
Homepage                   : https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=customappsso|ISV9.1|primary|z
IdentifierUris             : {test.com}
InformationalUrls          : class InformationalUrl {
                               TermsOfService: 
                               Marketing: 
                               Privacy: 
                               Support: 
                             }
IsDeviceOnlyAuthSupported  : 
IsDisabled                 : 
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  : 
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {class OAuth2Permission {
                               AdminConsentDescription: Allow the application to access TestApp on behalf of the signed-in user.
                               AdminConsentDisplayName: Access TestApp
                               Id: 4a22a7ad-f133-46e7-b5fb-915914da8894
                               IsEnabled: True
                               Type: User
                               UserConsentDescription: Allow the application to access TestApp on your behalf.
                               UserConsentDisplayName: Access TestApp
                               Value: user_impersonation
                             }
                             }
Oauth2RequirePostResponse  : False
OrgRestrictions            : {}
OptionalClaims             : 
ParentalControlSettings    : class ParentalControlSettings {
                               CountriesBlockedForMinors: System.Collections.Generic.List`1[System.String]
                               LegalAgeGroupRule: Allow
                             }
PasswordCredentials        : {}
PreAuthorizedApplications  : 
PublicClient               : False
PublisherDomain            : <redacted>
RecordConsentConditions    : 
ReplyUrls                  : {https://testc.om}
RequiredResourceAccess     : {}
SamlMetadataUrl            : 
SignInAudience             : AzureADMyOrg
WwwHomepage                : 

Any help or ideas?
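Added example, not part of the post above: the SAML signing-certificate "Notification Email" is stored on the enterprise application, that is the service principal, not on the application object that `Get-AzureADApplication` returns, which is why it never appears in the output above. In Microsoft Graph the property is `servicePrincipal.notificationEmailAddresses`, and it can be read and written with the Microsoft Graph PowerShell module. The AppId and mailbox below are hypothetical; the function name is mine.

```powershell
# Added example (not from the original post). Reads and replaces the SAML certificate
# expiry notification addresses on an enterprise application via Microsoft Graph.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null

function Set-SamlNotificationEmail {
    param(
        [Parameter(Mandatory)][string]$AppId,            # the AppId shown by Get-AzureADApplication
        [Parameter(Mandatory)][string[]]$EmailAddresses  # full new list; this replaces the old one
    )
    $base = 'https://graph.microsoft.com/v1.0'

    # Locate the service principal that belongs to the application (same AppId, different object).
    $uri = "$base/servicePrincipals?`$filter=appId eq '$AppId'&`$select=id,displayName,notificationEmailAddresses"
    $sp  = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    if (@($sp).Count -ne 1) { throw "Expected one service principal for appId $AppId, found $(@($sp).Count)" }
    $sp = @($sp)[0]

    "$($sp.displayName) before: $($sp.notificationEmailAddresses -join ', ')"

    Invoke-MgGraphRequest -Method PATCH -Uri "$base/servicePrincipals/$($sp.id)" `
        -Body @{ notificationEmailAddresses = @($EmailAddresses) } | Out-Null

    # Read back rather than trusting the PATCH response.
    $after = Invoke-MgGraphRequest -Method GET -Uri "$base/servicePrincipals/$($sp.id)?`$select=notificationEmailAddresses"
    "$($sp.displayName) after:  $($after.notificationEmailAddresses -join ', ')"
}

# Hypothetical values; point the alerts at a shared mailbox, not an individual.
Set-SamlNotificationEmail -AppId 'c95bca7f-5c32-4a17-9d3f-89234124fad7' -EmailAddresses @('idp-alerts@contoso.com')
```

Because the property is a list, the script overwrites it; read it first if several addresses must be kept. A shared mailbox that someone actually watches is the point of the setting: an expired SAML signing certificate takes the whole application's sign-in down.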

AIP Scanner - error acquiring token


Hello,

Has anyone solved the issue where you get:

"Set-AIPAuthentication : Unable to authenticate and setup Microsoft Azure Information Protection At line:1 char:1 ..."

when trying to get the security token using the parameters -webAppId -webAppKey -nativeAppId for AIPScanner?

I am using a demo tenant (m365xxx.onmicrosoft.com) and a test domain (testdomain.local).

The two apps have been created in AAD following the documentation.

My local AIP service account is synced via ADConnect and has local logon rights to my AIPScanner server.

I am running the Set-AIPAuthentication with powershell running as my service account.

If I run *just* the Set-AIPAuthentication cmdlet, I am asked to provide credentials (service account), and I get a token.

If I run with *any ONE parameter* it seems to work.

If I run with *any TWO parameters* it seems to work.

If I run with *all THREE* parameters, I get the error.

I noticed someone else has a similar posting, with no resolution.  Has anyone found the explanation for this error?

Thanks!

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException when attempting to acquire token using Active Directory Integrated Authentication


I have an on-premises application that makes use of the Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL) library to connect to Azure AD.  I am using the latest version, 5.1.0.

Azure AD is synced with on-premises AD using Azure AD Connect.

            var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
            var userCredential = new UserCredential();
            var result = await context.AcquireTokenAsync(resource, _clientId, userCredential);

When I execute the command line application as the logged-on user, an AD account that is synced with Azure AD (searchable, findable, etc. in Azure AD), even overriding the UserCredential() to ensure the UPN (user principal name) matches the user id in Azure AD, I always get the same message:


Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: 'Integrated Windows Auth is not supported for managed users. See https://aka.ms/adal-iwa for details.'

If I back out to an older version of ADAL (3.19.8), I get the error "Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: 'password_required_for_managed_user: Password is required for managed user'".

What are the prerequisites for Active Directory Integrated Authentication to Azure AD? Maybe some of the user sign-in options, e.g. Federation, Seamless single sign-on, Pass-through authentication, need to be enabled?

Way to add users authenticated from AD using LDAP to sudoers file without using Azure AADLoginForLinux extension?


I have a number of VMs linked to Azure AD Domain Services with LDAP and can authenticate and log in correctly; however, those users cannot access sudo. I tried to add a user account to the sudoers file in the format used to log in, <firstname>.<lastname>@domainname.com, however it didn't work.

I found a Microsoft article about AD authentication on Linux and it recommended a series of steps including installing the Azure extension named AADLoginForLinux. After installing the extension, the account which was able to log in previously was no longer able to log in. I had followed the steps to add the RBAC role Virtual Machine Administrator Login for that account.

Any guidance or suggestions would be welcome.


Michael Wangerin
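Added example, not part of the post above: a sudoers drop-in for a VM joined to Azure AD Domain Services with realmd/SSSD, using the fully qualified login names the post describes. The group entry is the form the Azure AD DS Linux join documentation uses for the built-in admins group; the per-user line is the equivalent for one synced account. `domainname.com` and the user name are placeholders.

```text
# Added example, not from the original post. Save as /etc/sudoers.d/aadds with mode 0440 and
# check it with `visudo -cf /etc/sudoers.d/aadds` before relying on it. Assumes sssd.conf has
# use_fully_qualified_names = True, so `id firstname.lastname@domainname.com` resolves.

# Whole group: entry starts with '%', spaces in the group name are backslash-escaped.
%AAD\ DC\ Administrators@domainname.com ALL=(ALL) NOPASSWD:ALL

# One synced user. Prefer a group over per-user lines, and keep the password prompt
# (no NOPASSWD) unless the account is protected by MFA somewhere else.
firstname.lastname@domainname.com ALL=(ALL) ALL
```

Check the result as the user with `sudo -l`; if `id` only resolves the short name, `use_fully_qualified_names` is off and the sudoers entry must use the short form instead. The AADLoginForLinux extension is a different mechanism: it installs its own PAM/NSS configuration so that Azure AD (not Azure AD DS) accounts authenticate with the Virtual Machine Administrator Login and Virtual Machine User Login RBAC roles deciding sudo, which is consistent with the LDAP-based login breaking once it was installed. Pick one model per VM; for the LDAP/AAD DS setup in the post the sudoers file above is the right place.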


Databricks signin using Azure Active Directory SSO fails


I have a Pay-As-You-Go account. Created a Databricks workspace in the Azure Portal and am trying to launch it, but I am stuck at the Databricks login screen. It fails after a while with the message 'We've encountered an error creating your workspace. Please wait a few minutes and try again'. Tried a different browser but same problem. Please help.

Device Enrollment Advice - Windows 10


Hi All,

We use Intune to enroll our iPad devices; however, for our Windows 10 machines we simply log into the device with an account and it auto-enrolls. I haven't done a lot on this side, so I am looking for advice.

Up until now I have generally reset the machine (delete all) and then logged in with my account, which then makes me the admin. I then install all the software we generally roll out to our employees before sending it to them. When they get it they log in (via TeamViewer) on their account and we just have to move a few desktop icons etc. for them. They are mostly remote employees.

However, as you could imagine, this is not ideal. All the machines are registered as me in Azure\Devices and I think I may have just hit a limit, as I went to do it and it says I don't have authority to add a device. This may not be a limit and may be unrelated, but either way this can't be the ideal way of doing this.

We are not a large company, and after talking to DELL about auto-enrollment it puts our cost per machine up by about $200-$300, so auto-enrollment isn't really viable. I haven't had a lot of luck installing non-Microsoft apps on machines via Azure either.

Any ideas or a link to some good advice on how we should now be setting these up?

Thank you for any advice given or links supplied that are helpful, and have a good weekend.

PS. I know Azure AD isn't really the right subforum, but I couldn't find something that had a better match.


AzureAD Security Key


Trying to set up the preview to use the FIDO2 security keys in Azure AD but not getting any enrollment pages when logging in. I've set all users to have the FIDO2 Security Key enabled from the Authentication Method Policy (Preview) blade, and then in the User Feature Previews blade I've toggled all so that they can use the enhanced enrollment page.

Authenticator passwordless sign-in works, however.

Help and guidance would be greatly appreciated!
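Added example, not part of the post above: security keys are registered by the user from the My Security Info page (https://aka.ms/mysecurityinfo), so "no enrollment page at sign-in" is expected; what can be checked is whether the FIDO2 method is actually enabled for the user and whether a key has been registered yet. This script reads both through Microsoft Graph with the Microsoft Graph PowerShell module. The user principal name is hypothetical.

```powershell
# Added example (not from the original post). Shows the tenant's FIDO2 authentication
# method policy and a user's registered security keys.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All' | Out-Null
$base = 'https://graph.microsoft.com/v1.0'

# 1. Tenant-wide FIDO2 configuration (the "Authentication methods" blade).
$fido = Invoke-MgGraphRequest -Method GET -Uri "$base/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2"
"FIDO2 state: $($fido.state)"
"  self-service registration: $($fido.isSelfServiceRegistrationEnabled)  attestation enforced: $($fido.isAttestationEnforced)"
foreach ($t in $fido.includeTargets) {
    # targetType is 'group' (id = group object id) or 'user'; id 'all_users' means everyone.
    "  in scope: $($t.targetType) $($t.id)  registration required: $($t.isRegistrationRequired)"
}
if ($fido.keyRestrictions -and $fido.keyRestrictions.isEnforced) {
    # An allow-list of AAGUIDs silently rejects every other key model at registration time.
    "  key restriction: $($fido.keyRestrictions.enforcementType) [$($fido.keyRestrictions.aaGuids -join ', ')]"
}

# 2. Per-user view: which security keys, if any, are already registered.
$upn  = 'alice@contoso.com'   # hypothetical
$keys = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$upn/authentication/fido2Methods").value
if (@($keys).Count -eq 0) {
    "$upn has no FIDO2 key registered yet; register one at https://aka.ms/mysecurityinfo under 'Add method'."
} else {
    foreach ($k in $keys) {
        "  $($k.displayName)  model: $($k.model)  AAGUID: $($k.aaGuid)  registered: $($k.createdDateTime)"
    }
}
```

If `state` is `enabled` and the user is in an included target but the option is missing from My Security Info, the remaining thing to check is the browser and platform support for WebAuthn on the device the user is registering from.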

How to send JWT token as input to AD B2C Policy


We have to send a JWT token as input to an AD B2C policy; the JWT has certain claims that the policy needs. We are trying to implement the JWT creation in Java. Any sample/example implementation?


Getting Error While connecting to MSOL Service


Hi All,

I have the script below:

$user = "XXXX@XXX.com"
$sspw = ConvertTo-SecureString 'XXXXXXX' -AsPlainText -Force

$PlainCred = New-Object System.Management.Automation.PSCredential $user, $sspw

Connect-MsolService -Credential $PlainCred

Getting the error below, not sure why. Any advice?

connect-Msolservice : An error occurred while sending the request.
At line:1 char:1
+ connect-Msolservice -credential $PlainCred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], HttpRequestException
    + FullyQualifiedErrorId : System.Net.Http.HttpRequestException,Microsoft.Online.Administration.Automation.ConnectM
   solService
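Added example, not part of the post above: "An error occurred while sending the request" is the generic `HttpRequestException` that surfaces when the HTTPS call behind `Connect-MsolService` fails before any sign-in happens. Two common causes in Windows PowerShell 5.1 are .NET negotiating an old TLS version (the Azure AD endpoints require TLS 1.2) and an authenticating proxy in the path. The script below forces TLS 1.2, probes the endpoint so the failure is visible on its own, and takes the credential from a prompt instead of a plaintext password in the script; the cached-credential file at the end is an assumed layout.

```powershell
# Added example (not from the original post). Pre-flight for Connect-MsolService.
# 1. Make this session speak TLS 1.2 (Windows PowerShell 5.1 defaults to older versions).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 2. If the machine sits behind a proxy that needs authentication, let .NET use the
#    logged-on user's credentials for it (uncomment when that is the case).
# [Net.WebRequest]::DefaultWebProxy.Credentials = [Net.CredentialCache]::DefaultCredentials

# 3. Probe the sign-in endpoint the same way the module does; this fails with the same
#    "error occurred while sending the request" text when TLS or the proxy is the problem.
try {
    Invoke-WebRequest -Uri 'https://login.microsoftonline.com/common/.well-known/openid-configuration' -UseBasicParsing | Out-Null
    'HTTPS to login.microsoftonline.com OK'
} catch {
    Write-Warning "HTTPS probe failed: $($_.Exception.Message)"
    Write-Warning "Inner: $($_.Exception.InnerException.Message)"
}

# 4. Connect with a prompted credential rather than a password literal in the script.
$cred = Get-Credential -Message 'Azure AD admin account'
Connect-MsolService -Credential $cred

# For unattended runs, store the password once, DPAPI-protected to this user and machine:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content .\msol.cred
# and rebuild the credential at run time (a proper secret vault is better still):
#   $sec  = Get-Content .\msol.cred | ConvertTo-SecureString
#   $cred = New-Object System.Management.Automation.PSCredential('admin@contoso.com', $sec)
```

Note that `ConvertTo-SecureString -AsPlainText -Force` in the script above gives no protection at all: the password is already in the file in clear text, and any SecureString built that way can be read back with `GetNetworkCredential()`.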

Azure PTA & PHS


Hi Team,

Currently we have a Pass-Through Authentication enabled environment; however, we want a few users to authenticate via PHS. Can we enable both (Pass-Through and Password Hash Synchronization) authentication methods in a single environment? Please let us know if there is any process for using both authentication systems. Thanks
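Added example, not part of the post above: password hash synchronization can be switched on as an optional feature while pass-through authentication remains the tenant's sign-in method, so the hashes are synchronized for every in-scope user; which method validates a sign-in is still a tenant-wide choice in Azure AD Connect, not something that can be set for a handful of users. The cmdlets below come with the ADSync module on the Azure AD Connect server; the connector names are placeholders.

```powershell
# Added example (not from the original post). Run on the Azure AD Connect server.
Import-Module ADSync

$onPrem = 'contoso.local'                  # hypothetical on-premises AD connector name
$cloud  = 'contoso.onmicrosoft.com - AAD'  # hypothetical Azure AD connector name

# Connector names as they exist in this installation, if the two above are guesses.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# Current PHS state for the on-premises connector.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $onPrem

# Enable PHS alongside PTA. Same effect as ticking "Password hash synchronization" under
# Optional features in the Azure AD Connect wizard; PTA stays the sign-in method.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $onPrem -TargetConnector $cloud -Enable $true

# Confirm, and make sure the scheduler is running so the initial full password sync happens.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $onPrem
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
```

With both configured, PHS is the fallback for a PTA outage: switching the tenant to it is a manual change of the sign-in method in the wizard. It also enables the leaked-credential detection in Identity Protection, which needs the hashes in the cloud.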

The reply url specified in the request does not match the reply urls configured for the application: '. On the desktop it works perfectly, but in the progressive web application the error appears, and it is the same code

Hi, thank you very much for responding. I still have a problem when following the steps you indicated: I do not see the option to configure the application. What I could read is that it is now in the authentication section, and one enters the reply URL there. The problem I still have is that everything works perfectly for me on desktop, but as I am also using progressive web app applications, there is the problem: I get the error "The reply url specified in the request does not match the reply urls configured for the application: '<application id>'".
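Added example, not part of the post above: Azure AD compares the `redirect_uri` in the request with the registered reply URLs as exact, case-sensitive strings, so the installed PWA must be sending a value (origin, path, trailing slash or query string) that differs from what the desktop browser sends. The script reads the registered list with the AzureAD module, points out a near-miss on the same host, and appends the missing URL without clobbering the existing entries. The application id and URL are placeholders; copy the real `redirect_uri` out of the failing request (browser developer tools, Network tab, the `authorize` call).

```powershell
# Added example (not from the original post). Diagnose and fix a reply URL mismatch.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$appId       = '00000000-0000-0000-0000-000000000000'   # the id shown in the error text
$pwaReplyUrl = 'https://app.contoso.com/pwa/'           # verbatim redirect_uri from the failing request

$app = Get-AzureADApplication -Filter "appId eq '$appId'"
'Configured reply URLs:'
$app.ReplyUrls | ForEach-Object { "  $_" }

# A registered URL on the same host but not byte-for-byte equal is the usual culprit
# (different case, path, or a trailing slash present on one side only).
$near = $app.ReplyUrls | Where-Object { ([uri]$_).Host -eq ([uri]$pwaReplyUrl).Host -and $_ -cne $pwaReplyUrl }
if ($near) { "Same host, different string: $($near -join ', ')" }

if ($app.ReplyUrls -ccontains $pwaReplyUrl) {
    'Already registered exactly; the PWA must be sending a different redirect_uri than expected.'
} else {
    # Set-AzureADApplication replaces the whole list, so copy the old entries first.
    $urls = [System.Collections.Generic.List[string]]::new()
    $app.ReplyUrls | ForEach-Object { $urls.Add($_) }
    $urls.Add($pwaReplyUrl)
    Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $urls
    "Added $pwaReplyUrl"
    (Get-AzureADApplication -ObjectId $app.ObjectId).ReplyUrls | ForEach-Object { "  $_" }
}
```

Register only the exact URLs the app really redirects to; every extra reply URL is another place an authorization code or token can be sent, so do not "fix" this by adding broad or unused entries.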

Client secret character length changed?


I've noticed that a client secret that I created last year had 44 characters.

When I am creating a new one, it only has 32 characters.

Is there a reason for this change? I couldn't see it documented anywhere.
Should the old key be recreated for security reasons?
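Added example, not part of the post above: whatever length the portal generates today, the safe way to answer "should I recreate the old key" is a rotation with an overlap window: add a new secret, move the workload to it, then remove the old one by its KeyId. The AzureAD-module cmdlets below do exactly that; the application id and the label are placeholders.

```powershell
# Added example (not from the original post). Rotate an app registration's client secret.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$app = Get-AzureADApplication -Filter "appId eq '00000000-0000-0000-0000-000000000000'"   # hypothetical

# Inventory: existing secrets and their expiry (values are never readable after creation).
'Secrets before rotation:'
Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId |
    Select-Object KeyId, StartDate, EndDate | Format-Table -AutoSize

# 1. Add the replacement with a bounded lifetime. The value is returned only here, so hand
#    it straight to the secret store the workload reads from.
$new = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier 'rotated-2019-08' -StartDate (Get-Date) -EndDate (Get-Date).AddMonths(6)
"New secret KeyId $($new.KeyId), expires $($new.EndDate); value length $($new.Value.Length)"

# 2. Deploy $new.Value to the workload and confirm it authenticates before running step 3.

# 3. Remove every other secret so the old value stops working everywhere it may have leaked.
Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId |
    Where-Object { $_.KeyId -ne $new.KeyId } |
    ForEach-Object {
        Remove-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -KeyId $_.KeyId
        "Removed old secret $($_.KeyId)"
    }
```

The length difference is not by itself a reason to rotate; an expiry date that is years away, a value that has been pasted into tickets or source control, or no record of where it is used are. A certificate credential avoids the shared-secret problem altogether for confidential clients that can hold one.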

Adding another Forest to AD Connect and when to create a Trust Relationship


I'm starting work on a project to add an additional forest to sync to Azure.  The users in this forest have accounts in both their forest and the forest syncing to Azure.

I figure, since we want to grant access to resources in the existing domain syncing to Azure, we would need a trust relationship, because we can't add an Azure AD account back to a synced group for permissions and assign Azure accounts to internal resources.

I just want to make sure I'm not missing anything.


David Jenkins



Error message - Your organization has deleted this device. To fix this, contact your system administrator and provide error code 700003.


Hi,

I think I'm the administrator, however I have no idea what this means. I did have to recently apply an update to Office 365 apps on the desktops and laptops our small business has.

It seems that through that process I managed to delete my work desktop from being recognised as an 'official' work computer by our organisation.

It seems that I need to somehow go into Azure Active Directory and get the device re-added. However, it seems that the options that should be selected are selected.

Thank you for any assistance.

Russell

Reporting a suspicious sign-in activity


Hi All,

Thanks in advance for helping me on this.

I have an event where a user's account was hacked and signed in from an unknown IP address into Azure using MFA. We have configured Conditional Access to block sign-in outside named locations. But I want to know whether there is a way we can manually report the IP to Azure in order for them to block it for all tenants?


Niranjan
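Added example, not part of the post above: there is no tenant-level control that reports an IP address to Microsoft for a global block. The feedback channel that exists is Identity Protection (Azure AD Premium P2), where confirming a user as compromised feeds Microsoft's risk detection; what protects this tenant right now is revoking the account's sessions and keeping the named-location policy. The script does that triage for one address through Microsoft Graph with the Microsoft Graph PowerShell module. The IP address is a documentation-range placeholder.

```powershell
# Added example (not from the original post). Triage every sign-in from one IP address,
# revoke sessions for the accounts it reached, and confirm them compromised.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.ReadWrite.All', 'IdentityRiskyUser.ReadWrite.All' | Out-Null
$base  = 'https://graph.microsoft.com/v1.0'
$badIp = '203.0.113.45'   # hypothetical (TEST-NET-3)

# 1. Interactive sign-ins from that address: who, when, which app, and what Conditional
#    Access did. (v1.0 signIns covers interactive sign-ins only.)
$uri     = "$base/auditLogs/signIns?`$filter=ipAddress eq '$badIp'&`$orderby=createdDateTime desc"
$signIns = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
foreach ($s in $signIns) {
    $ca = ($s.appliedConditionalAccessPolicies | Where-Object { $_.result -ne 'notApplied' } |
           ForEach-Object { "$($_.displayName)=$($_.result)" }) -join '; '
    "$($s.createdDateTime)  $($s.userPrincipalName)  app=$($s.appDisplayName)  error=$($s.status.errorCode)  CA=$($s.conditionalAccessStatus) [$ca]"
}

# 2. Accounts that actually got in (errorCode 0), de-duplicated.
$userIds = $signIns | Where-Object { $_.status.errorCode -eq 0 } | ForEach-Object { $_.userId } | Sort-Object -Unique

foreach ($id in $userIds) {
    # Invalidates refresh tokens and session cookies so a stolen session stops working;
    # reset the password and re-register MFA separately.
    Invoke-MgGraphRequest -Method POST -Uri "$base/users/$id/revokeSignInSessions" | Out-Null
    "Revoked sessions for $id"
}

if ($userIds) {
    # Identity Protection feedback: marks the users high risk and tells Microsoft this was real.
    Invoke-MgGraphRequest -Method POST -Uri "$base/identityProtection/riskyUsers/confirmCompromised" `
        -Body @{ userIds = @($userIds) } | Out-Null
    "Confirmed $(@($userIds).Count) user(s) as compromised"
}
```

Since the attacker passed MFA, the second thing to check is which authentication method satisfied it (the `authenticationDetails` of the sign-in in the portal) and whether a new phone number or app was registered on the account shortly before; removing that method matters as much as the session revoke. The named-location policy is the right per-tenant block; keep the list of named locations tight rather than adding individual attacker addresses.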

Authenticate PostgreSQL Database using Azure Active Directory?

Is there any way to authenticate PostgreSQL Database using Azure Active Directory?
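Added example, not part of the post above: Azure Database for PostgreSQL (Single Server) supports Azure AD authentication. An Azure AD admin is designated on the server, that admin creates roles for Azure AD users or groups, and clients then log in with an Azure AD access token as the password. The steps below use the Azure CLI and psql from PowerShell; the server, resource group, group object id and user are placeholders.

```powershell
# Added example (not from the original post). Azure AD sign-in to Azure Database for
# PostgreSQL Single Server. Requires the Azure CLI and psql on the path.
$server = 'pg-contoso'   # hypothetical
$rg     = 'rg-data'      # hypothetical

# 1. Once, as a subscription owner: designate the Azure AD admin for the server
#    (a group is better than a person; its object id is hypothetical here).
az postgres server ad-admin create --resource-group $rg --server-name $server `
    --display-name 'pg-admins' --object-id '00000000-0000-0000-0000-000000000000'

# 2. Once, connected as that admin, create a role per Azure AD user (or group) in psql:
#      CREATE ROLE "alice@contoso.com" WITH LOGIN IN ROLE azure_ad_user;
#    and grant it only the database privileges it needs.

# 3. Every connection: request a token for the PostgreSQL resource and use it as the
#    password. The user name is <Azure AD UPN>@<server name> on Single Server.
az login | Out-Null
$token = az account get-access-token --resource https://ossrdbms-aad.database.windows.net `
    --query accessToken -o tsv
$env:PGPASSWORD = $token          # short-lived (about an hour); fetch a fresh one per session
$user = "alice@contoso.com@$server"
psql "host=$server.postgres.database.azure.com port=5432 dbname=postgres user=$user sslmode=require"
Remove-Item Env:PGPASSWORD        # do not leave the token in the environment
```

Because the database trusts the token rather than a stored password, disabling the user in Azure AD or applying Conditional Access to the account takes effect on the next connection, which is the main reason to prefer this over native PostgreSQL passwords for people; for applications, a managed identity can obtain the same token without any stored credential.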