Channel: Azure Active Directory forum

How to turn off and disable UAC in Active Directory strategy

After a Windows 10 client joins AD, it needs administrator authorization to change files on the C: drive, change desktop shortcuts and open some software on the client. How can I turn this off?

Azure Multi-Factor Authentication for remote access to local domain.


Hi there

I'm not sure if I'm on the right forum for this, let me know if not. I have a client who uses RDS services on a local Active Directory domain. Currently we use the gateway of the Server Essentials role deployed on the DC to access the session host remotely, which works fine. However, they would like to deploy Multi-Factor Authentication to log into the domain externally. We have a 365 tenant already deployed and use Azure for remote backup. Can this be achieved using Azure services?

Thanks in advance


MIS5000

Authenticate requests from aws cognito user pools


Hi All,

I have an API hosted in Azure and want to protect it with Azure AD. However, I have a 3rd-party client accessing my API whose users are in an AWS Cognito user pool. I have to authenticate both AWS Cognito user pool users and AAD users. Can someone please help here? I have limited access to information about the 3rd-party client app, like the user pool ARN and client ID.

AZURE AD SESSION TIMEOUT


Hi,

What is the default session timeout for a SAML-based application?

Can we control the session timeout for a SAML-based application? How do we check the current timeout setting for SAML applications?

Regards,

Rahul

How to Integrate Service Now with AAD Connect- Pass through Authentication for SSO


Hi,

I have implemented AAD Connect with Pass-through Authentication and it is working fine for O365 services like Outlook.

Now I want to integrate ServiceNow with the same SSO functionality.

Please let me know if ServiceNow supports AAD Connect Pass-through Authentication for SSO, and the integration plan?

Regards

AM

Get Token Request failing with AADSTS7000218


Hi,

I am using the sample provided at https://github.com/microsoft/PowerBI-Node and use the correct application ID along with the config below, defined in the JSON config file.

{
    "authorityUrl" : "https://login.microsoftonline.com/common/",
    "resourceUrl" : "https://analysis.windows.net/powerbi/api",
    "apiUrl" : "https://api.powerbi.com/",
    "appId" : "",
    "workspaceId" : "",
    "reportId" : "",
    "username" : "",
    "password" : ""
}

But when this method is called 


    // Requires and context added so the fragment runs stand-alone; adal-node is the
    // library the PowerBI-Node sample uses, and config.json is the file shown above
    // (filename assumed).
    const { AuthenticationContext } = require('adal-node');
    const config = require('./config.json');
    const context = new AuthenticationContext(config.authorityUrl);

    // use user credentials and appId to get an aad token (ROPC flow)
    let promise = () => {
        return new Promise((resolve, reject) => {
            context.acquireTokenWithUsernamePassword(config.resourceUrl, config.username, config.password, config.appId, function (err, tokenResponse) {
                if (err) return reject(err); // return, so resolve() is not also called on failure
                resolve(tokenResponse);
            });
        });
    };

then it throws this error:

Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: 6560c4b9-fe40-4120-ab2a-921956300000\r\nCorrelation ID: fd7fb0dd-e345-4206-b426-d121000f7393\r\nTimestamp: 2019-08-02 19:14:41Z","error_codes":[7000218],"timestamp":"2019-08-02 19:14:41Z","trace_id":"6560c4b9-fe40-4120-ab2a-921956300000","correlation_id":"fd7fb0dd-e345-4206-b426-d121000f7393"}

I do not understand why it is asking for a client secret, because there is no option provided in this sample to specify a client secret. I am not sure where I need to specify that, or how we can make this sample work.

I have used the Azure Portal to register the app and assign permissions to Power BI, but that also did not work and throws the same error.

Any help would be really appreciated.

Regards
Rajaniesh


The reply url specified in the request does not match the reply urls configured for the application: ' in mobile but in desktop is perfect

Hi, thank you very much for responding. I still have a problem when following the steps you indicated: I do not see the option to configure the application. What I could read is that it is now in the Authentication section, and that is where one places the reply URL. The issue I still have is that everything works perfectly for me on desktop, but as I am also using progressive web app applications, that is where the problem is: I get the error "The reply url specified in the request does not match the reply urls configured for the application: '<application id>".

Unable to locate BitLocker recovery key, ID mismatch

The issues we are seeing started today. Azure AD domain-joined computer. The end user turned the computer on and was presented with the BitLocker recovery key prompt; the ID presented on the screen does not match the one I see in Azure AD within the Azure portal, Devices section. I can provide the recovery key ID and the affected email address if that helps. A technician is onsite with access to the BIOS trying to bypass BitLocker so we can resolve this. Any help would be greatly appreciated.

Client secret character length changed?


I've noticed that a client secret that I created last year had 44 characters.

When I am creating a new one, it only has 32 characters.

Is there a reason for this change? I couldn't see it documented anywhere.
Should the old key be recreated for security reasons?

Azure ad Claims mapping policy for mobile and country claim


I have added the claims below, but only the department and telephoneNumber claims are coming through correctly. In the country claim we are getting the value of usageLocation, there is no usageLocation value in the JWT token, and there is no mobile value in the token. Not sure why, though it is added below in the policy with a value.

Is it by design that we cannot send the mobile or country value in the JWT token using an Azure AD policy?

I am checking using the https://openidconnect.net/ site. Can you please suggest if I am missing anything?

# Trailing spaces inside the "usageLocation " ID and JwtClaimType values in the original
# definition have been removed; an attribute name with trailing whitespace does not match
# any user attribute and yields no claim.
$var = @('{
    "ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            { "Source": "user", "ID": "country",         "JwtClaimType": "country" },
            { "Source": "user", "ID": "department",      "JwtClaimType": "department" },
            { "Source": "user", "ID": "mobile",          "JwtClaimType": "mobile" },
            { "Source": "user", "ID": "usageLocation",   "JwtClaimType": "usageLocation" },
            { "Source": "user", "ID": "telephoneNumber", "JwtClaimType": "telephoneNumber" }
        ]
    }
}')

# Create the policy from the definition above (AzureADPreview module); it still has to be
# assigned to the application's service principal with Add-AzureADServicePrincipalPolicy.
New-AzureADPolicy -Definition $var -DisplayName "ExtraUserClaims" -Type "ClaimsMappingPolicy" -IsOrganizationDefault $false

Way to add users authenticated from AD using LDAP to sudoers file without using Azure AADLoginForLinux extension?


I have a number of VMs linked to Azure AD Domain Services with LDAP and can authenticate and log in correctly; however, those users cannot access sudo. I tried to add a user account to the sudoers file in the format used to log in, <firstname>.<lastname>@domainname.com, but it didn't work.

I found a Microsoft article about AD authentication on Linux, and it recommended a series of steps including installing the Azure extension named AADLoginForLinux. After installing the extension, the account which was able to log in previously was no longer able to log in. I had followed the steps to add the RBAC role Virtual Machine Administrator Login for that account.

Any guidance or suggestions would be welcome.


Michael Wangerin

AIP Scanner - error acquiring token


Hello,

Has anyone solved the issue where you get:

"Set-AIPAuthentication : Unable to authenticate and setup Microsoft Azure Information Protection At line:1 char:1 ..."

when trying to get the security token using the parameters -webAppId, -webAppKey and -nativeAppId for the AIP scanner?

I am using a demo tenant (m365xxx.onmicrosoft.com) and a test domain (testdomain.local).

The two apps have been created in AAD following the documentation.

My local AIP service account is synced via AD Connect and has local logon rights to my AIP scanner server.

I am running Set-AIPAuthentication with PowerShell running as my service account.

If I run *just* the Set-AIPAuthentication cmdlet, I am asked to provide credentials (service account), and I get a token.

If I run with *any ONE parameter*, it seems to work.

If I run with *any TWO parameters*, it seems to work.

If I run with *all THREE* parameters, I get the error.

I noticed someone else has a similar posting, with no resolution.  Has anyone found the explanation for this error?

Thanks!

How Can I include client IP address in ADB2C accessToken claims


Hi,

How can I include the client IP address in the AD B2C access token claims? We want to include the client IP address in the access token.

Thanks

Vinay

Questions about first-time AD Connect, existing Azure AD users, Azure AD primary domain


I need to set up Azure AD Connect between our on-premise AD and our existing Azure AD and have some questions.

Our Azure AD primary domain (xyzcorp.com) matches our company's email address SMTP domain, which does not match our on-premise AD domain that we will sync (child.root.xyzcompany.com). In prep for AD Connect we have added and verified our on-premise AD domain (child.root.xyzcompany.com) and its parents (root.xyzcompany.com and xyzcompany.com) in Azure AD. Fortunately, only a subset of employees are currently in Azure AD, for O365 Office ProPlus use. All platforms including email are on-premise. We are not syncing the entire domain; we are only syncing specific OUs that only hold employees. Sync will only be one-way from on-premise to Azure; no writebacks.

I want to go with the MSFT recommendation to use on-premise AD UPN as the sync attribute. We want to end up with Azure AD UPN matching the on-premise AD UPN but not have the Azure AD email address change because it already matches the on-premise email address. In my research for AD Connect, I came across https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant, which talks about attribute matching between existing Azure AD users and on-premise AD. Some questions (assuming I am understanding the process correctly, which I am not sure I do):

  • Should I switch the Azure AD primary domain to the one we added to match the on-premise domain before we use AD Connect? So that the Azure AD UPN suffix matches the on-premise AD UPN suffix.
  • Assuming I switch the Azure AD primary domain before using AD Connect to sync, what happens to the existing Azure AD users? Does their current Azure AD UPN suffix switch automatically to the new primary domain UPN suffix? What about their email address, does that stay as is? There will most definitely be a time lag (a few weeks) between the switch and using AD Connect to sync.
  • After syncing - according to the article all Azure AD attributes for matching users are overwritten with the on-premise AD attributes - will Office ProPlus recognize the user as the same user?
  • Specifically with regard to the existing Azure AD accounts that are used to log into MSFT Business Center - will MSFT Business Center recognize and accept the new login?

Thanks,

Joan

Device Registration failed


I have installed AD Connect and created a GPO to enable automatic registration of Windows 10 machines,

but automatic registration always fails with the errors below.

Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0x801c0002. Server error: empty. Debug Output:
joinMode: Join
drsInstance: azure
registrationType: sync
tenantType: managed
tenantId: fd95fe1a-1798-4386-b8b9-882505eccaff
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog: undefined
adalLog: undefined
adalResponseCode: 0x0
.

Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0x801c0002. Server error: . Debug Output:
Managed.

The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c0002. 
Activity Id: fa3539e1-e195-4cf5-b1e2-5f36ec2d13dc 
The server returned HTTP status: 400 
Server response was: {"ErrorType":"AuthenticationError","Message":"The provided client identity data is not valid: (S-1-5-21-1023253932-726605409-1206319596-1107.2017-03-10 18:15:22Z).","TraceId":"fa3539e1-e195-4cf5-b1e2-5f36ec2d13dc","Time":"03-10-2017 14:29:05Z"}

and when I try to join the machine manually I get the error below.

This Device is joined to Azure AD, however, the user did not sign-in with an Azure AD account. Microsoft Passport provisioning will not be enabled. User: 


Getting Error While connecting to MSOL Service


Hi All,

I have the script below:

# Connect to Azure AD with the MSOnline module using a credential built from a plaintext
# password. Placeholders kept as posted; the curly quotes around the password have been
# replaced with straight quotes, which PowerShell parses reliably.
$user = "XXXX@XXX.com"
$sspw = ConvertTo-SecureString 'XXXXXXX' -AsPlainText -Force

$PlainCred = New-Object System.Management.Automation.PSCredential $user, $sspw

Connect-MsolService -Credential $PlainCred

I am getting the error below; not sure why. Any advice?

connect-Msolservice : An error occurred while sending the request.
At line:1 char:1
+ connect-Msolservice -credential $PlainCred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Connect-MsolService], HttpRequestException
    + FullyQualifiedErrorId : System.Net.Http.HttpRequestException,Microsoft.Online.Administration.Automation.ConnectMsolService

b2clogin.com issue - Hitting my azurewebsites endpoint results in incorrect login URL which never resolves


I have an App Service which I have secured via Active Directory authentication.

I have a client application registered and am using the MSAL library and the b2clogin.com domain.

From my Xamarin app, the login flow works perfectly and returns a token I can use for the API.

I now wish to add a web front end to my azurewebsites.net domain.

However, whenever I try to access mydomain.azurewebsites.net, at the point it should log in, it simply loops, never resolving.

I have gone into the Run User Flow section of my B2C directory and confirmed they all work when run.

However, when comparing the URLs side by side - that is, the URL in Run User Flow vs the one it resolves to when you hit the azurewebsites.net endpoint - I notice the URL redirect which is triggered when you hit the azurewebsites.net endpoint is not the same.

I suspect it might have something to do with the Issuer URL, but otherwise am completely stuck - can anyone help please?

Required bandwidth


I'm planning to move my AD to Azure and I'd like to know the required bandwidth for 80 workstations and 10 servers.

thanks

claudio

How to send JWT token as input to AD B2C Policy


We have to send a JWT token as input to an AD B2C policy; the JWT has certain claims that the policy needs. We are trying to implement the JWT creation in Java. Any sample/example implementation?
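The two JWT questions on this page, the API above that must accept tokens from both an AWS Cognito user pool and Azure AD, and this one about building a signed token to hand to a B2C policy, need the same minimal JWT machinery. The block below is an added example, not code from any of the posts or from Microsoft or AWS samples. It uses only the Python standard library and HS256 so it runs offline; the issuer URLs, tenant and pool identifiers, audiences and keys are placeholders constructed for the example. Real Cognito and Azure AD tokens are RS256-signed with keys published at a JWKS endpoint, and the B2C policy's technical profile that consumes the hint must be configured with the same issuer, audience and key (assumed names here); swapping the HMAC check for an RSA check does not change the routing logic shown.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


# Keys, tenant/pool identifiers and audiences are placeholders constructed for this example.
COGNITO_KEY = b"cognito-user-pool-demo-key"
AAD_KEY = b"azure-ad-tenant-demo-key"
B2C_HINT_KEY = b"b2c-id-token-hint-demo-key"
COGNITO_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
AAD_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
TRUSTED_ISSUERS = {
    # Cognito user pool issuer has the form https://cognito-idp.<region>.amazonaws.com/<pool id>
    COGNITO_ISSUER: {"key": COGNITO_KEY, "aud": "cognito-app-client-id"},
    # Azure AD v2.0 issuer for one tenant; the API's own identifier URI is the audience
    AAD_ISSUER: {"key": AAD_KEY, "aud": "api://my-api"},
}


class TokenError(Exception):
    pass


def verify_jwt(token: str, trusted: dict = TRUSTED_ISSUERS, now=None) -> dict:
    """Verify a token from any allowlisted issuer and return its claims."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:
        raise TokenError("malformed token")
    # The unverified iss claim only selects among allowlisted issuers. An issuer outside
    # the allowlist is rejected before any key is consulted, so the token's author cannot
    # steer verification to a key of their choosing.
    issuer = trusted.get(payload.get("iss"))
    if issuer is None:
        raise TokenError("untrusted issuer")
    # Pin the algorithm on the verifier side; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(issuer["key"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    now = int(time.time()) if now is None else now
    if int(payload.get("exp", 0)) <= now:
        raise TokenError("expired")
    # Cognito access tokens name the app client in client_id rather than aud; Cognito id
    # tokens and Azure AD tokens carry aud. Accept whichever is present, per issuer.
    aud = payload.get("aud", payload.get("client_id"))
    audiences = aud if isinstance(aud, list) else [aud]
    if issuer["aud"] not in audiences:
        raise TokenError("wrong audience")
    return payload


def token_status(token: str, now=None) -> str:
    """'ok' or the rejection reason, for callers that only need a verdict."""
    try:
        verify_jwt(token, now=now)
        return "ok"
    except TokenError as err:
        return str(err)


def build_id_token_hint(claims: dict, now: int, ttl: int = 300) -> str:
    """Token a relying party would send to a B2C policy as id_token_hint: the policy is
    assumed to be configured to expect this issuer, audience and symmetric key."""
    full = dict(claims, iss="https://rp.example.com", aud="b2c-policy-audience",
                iat=now, exp=now + ttl)
    return mint_jwt(full, B2C_HINT_KEY)
```

In production the `key` entry per issuer becomes a JWKS cache keyed by `kid`: Cognito publishes its keys at `https://cognito-idp.<region>.amazonaws.com/<pool id>/.well-known/jwks.json` and Azure AD at `https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys`. The part that does not change is the order of checks: allowlist the issuer first, pick the key from that issuer's set, verify the signature, then check `exp` and the audience that this API expects from that issuer.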


Azure AD Domain Services assigning invalid user logon names


Hi,

We've been using Azure AD DS for the past 6 months without any issues. Today I had to create a new set of test accounts for use on our VMs that are using Domain Services, and upon inspection the User logon name (pre-Windows 2000) is coming through as:

Domain\test (CEDD46B9)

This is causing issues with our applications that are using Windows Authentication, as they can't validate the user logon name correctly.

Just wondering if there is something that I am suddenly doing wrong, or if there was a change recently?

Steps to create the account:

  1. Open Azure Active Directory
  2. Add New User
  3. Assign Name and Username (testaccount@mycompany.com)
  4. No Profile, Default Properties, No Group and Directory Role User
  5. Click Create
  6. Wait for the new account to replicate over to Azure AD Domain Services
  7. Open the account in Active Directory Users and Computers
  8. See that the username is partially cut off, Domain\test (CEDD46B9), with random text added at the end.

Thank you.


