Channel: Azure Active Directory forum

Azure AD Graph API Endpoint URL?

Folks,

We recently implemented Cisco ISE Integration with Intune a few months back. Today, we're facing a problem with ISE logs reporting "External MDM Server Connection Failure" errors, having trouble with what appears like making API calls out to Intune to check device compliance, classification, etc.

Going down this rabbit hole with Premier Support (still ongoing now, this is a parallel discussion to attempt to gain further insight on this issue from the overall community), we discovered several areas of concern that need to be verified.

One such main area was the Autodiscovery URL implemented into ISE, being referenced from Azure. We currently have our format in ISE as: https://graph.windows.net/(tenantID)

  • Is this the up-to-date, correct URL to be referenced for the autodiscovery URL in ISE? If I look in the Azure Mgmt Portal -> App Registrations -> Cisco ISE (we set this up) -> Endpoints (within the Overview window), it shows the Microsoft Graph API URL (and not an AAD Graph API URL) as: https://graph.microsoft.com
  • Another question from a different angle; where would I go about finding the exact AAD Graph API URL, is this just from following the generic format of https://hostname/tenantID?
  • Is the MS Graph API Endpoint URL able to be used instead of the AAD Graph API Endpoint URL?

I'm also confused on the OAuth 2.0 Endpoint URL to be used for ISE, referencing from Azure. Microsoft documentation conflicts, showing a picture to use the Token Endpoint URL and a text caption showing to use the Auth Endpoint URL. Cisco ISE documentation tells us to use the Token endpoint URL. Should we ultimately be using Cisco doc recommendation?

Finally, would anyone know if using an app proxy connector for Cisco ISE app proxy allows for ISE to make the necessary API calls outbound to Intune MDM server(s)? We only have 1 connector existing in the Azure mgmt portal, which looks to point toward NDES for the SCEP app proxy registration. We've been advised by Premier that each app proxy requires its own unique connector; if this is true, we would have to set up a separate connector for ISE, aside from the one for SCEP, would this assumption be correct?

Thanks for your help (if possible) in-advance!

Jayson


Is there a time limitation on autopilot and autopilot with whiteglove regarding azure devices?

I am currently presenting the idea of autopiloting devices ahead of time to my IT department.

But I am unsure if adding a device lets say 1-2 months ahead of time would result in devices becoming tombstones or other issues that might interfere with the project.

So my question is: Is there a time limit on how early you can autopilot a device before active use, or other things that might cause issues doing so?

Adding another Forest to AD Connect and when to create a Trust Relationship

I'm starting work on a project to add an additional forest to sync to Azure.  The users in this forest have accounts in both their forest and the forest syncing to Azure.

I figure since we want to grant access to resources in the existing domain, syncing to Azure, we would need a trust relationship because we can't add an AzureAD account back to a synced group for permissions and assign azure accounts to internal resources.

I just want to make sure I'm not missing anything.


David Jenkins



Accessing Multiple resources in a single authorization request

Currently, on SPA Application (Angular 8), we are authorizing users using "OAuth 2.0 Implicit Grant Type" from Microsoft using ADAL services.

When the application is loaded, Adal service is initialized with a single environment configuration. So while acquiring token it uses that loaded configuration.

Scenario: Now we have two resources endpoint:

  1. API resources
  2. Power BI resources

Workaround: What we can do is we can first get access token for API resources using Graph API configurations then we will load Power BI configurations to get access token for Power BI resources.

But here we have one major problem: If again user access API resources, it has to load again the API configuration and again user will be prompted for sign-in.

Approach 1: We can register both Microsoft graph API resources and Power BI resources under the same AD (Active Directory), so that resources from both ends can be accessed using the same access token (I am not sure whether we can access multiple resources using same access token).

Please suggest how we can deal with this.

Waiting for your valuable approaches in response.

B2C Rest API for user registration

Hello,

I have an application with a Rest API using Azure B2C to authenticate the users. A user gets a token using a B2C ROPC policy through the Rest API by sending a request to:

https://<myTenant>.b2clogin.com/<myTenant>.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_ropc

To register a new user, for now, I'm using a B2C Sign In and Sign Up policy. So, the registration goes through a web interface asking for the user's data. I would like to register a new user using the Rest API, something like:

https://<myTenant>.b2clogin.com/<myTenant>.onmicrosoft.com/oauth2/v2.0/user?p=b2c_1_ropc

Is it possible? I cannot find the reference documentation for the B2C Rest API... I guess I missed something :-)



Accessing token for current session / user

I have secured an azurewebsites domain with AAD authentication

I've navigated to the home page, logged in to the B2C account, and can access the contents of the Azure website - API, Views

What I'm puzzled about is every time I've done this before, it's been from an MSAL or ADAL library inside a Xamarin app. I've then known how to retrieve and use the token

Since I've just logged into the site and am browsing it, if I want to write some code to interact with the back end using tokens, how do I start to write code to access the current token? Is it saved somewhere when I log into the app?

I decided to see what would happen by calling AcquireTokenSilentAsync and it responds with "no token was found in the cache." 

I don't want the user to have to log in again after signing in, so how can I get a token I can use from that initial sign in please?

Azure AD Domain creation fails with gateway Timeout

Tried multiple times to create a new Domain service, but it fails with:

"statusCode": "GatewayTimeout", "statusMessage": { "error": { "code": "GatewayTimeout", "message": "The gateway did not receive a response from 'Microsoft.AAD' within the specified time period.

Publisher Domain verification fails because "Verification of publisher domain failed. Error getting JSON file from https://{publisher_domain}/.well-known/microsoft-identity-association. The server returned an unexpected content type header value. [f566g]"

I'm trying to verify the publisher domain of my application but it's not working despite the json file being available when checking the link in a browser: https://{publisher_domain}/.well-known/microsoft-identity-association.

The instructions ask for the json file being hosted at https://{publisher_domain}/.well-known/microsoft-identity-association.json. I get the following error message:
Verification of publisher domain failed. Error getting JSON file from https://app.swydo.com/.well-known/microsoft-identity-association. The server returned an unexpected content type header value. [vquV0]

Does anyone know what can be the problem? 
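The error in the post is about the response headers, not the file contents: the verifier fetches the well-known path and rejects it when the Content-Type is not JSON, which is exactly what happens when a web app answers that path with its HTML handler. The following added check (not part of the original post or of Microsoft's tooling) reproduces that validation offline on constructed responses; the application id values and the two sample responses are placeholders, and the expected file shape (an `associatedApplications` array of objects with an `applicationId`) is the published format of the identity-association file.

```python
import json
from typing import Dict, List

# Constructed sample responses for https://{publisher_domain}/.well-known/microsoft-identity-association.json
# (not captured from a real server; the applicationId is a placeholder GUID).
GOOD_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "application/json"},
    "body": '{"associatedApplications":[{"applicationId":"00000000-0000-0000-0000-000000000000"}]}',
}
# The failure mode from the post: the body is fine but the web server labels it as HTML,
# so the verifier reports "unexpected content type header value".
BAD_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "text/html; charset=utf-8"},
    "body": '{"associatedApplications":[{"applicationId":"00000000-0000-0000-0000-000000000000"}]}',
}


def check_identity_association(response: Dict) -> List[str]:
    """Return the problems found in a fetched identity-association response (empty list = looks acceptable)."""
    problems: List[str] = []
    if response["status"] != 200:
        problems.append(f"unexpected HTTP status {response['status']}")
    # Compare only the media type; charset parameters are allowed.
    ctype = response["headers"].get("Content-Type", "")
    media_type = ctype.split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"unexpected content type header value: {ctype!r}")
    try:
        doc = json.loads(response["body"])
    except json.JSONDecodeError as exc:
        problems.append(f"body is not valid JSON: {exc}")
        return problems
    apps = doc.get("associatedApplications") if isinstance(doc, dict) else None
    if not isinstance(apps, list) or not apps:
        problems.append("missing or empty 'associatedApplications' array")
        return problems
    for app in apps:
        if not isinstance(app, dict) or not app.get("applicationId"):
            problems.append("entry without an 'applicationId'")
    return problems
```

In practice the same check is run against the live URL with any HTTP client; the fix on the serving side is a static-file or explicit route for the `.well-known` path that sets `Content-Type: application/json`.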


Databricks signin using Azure Active Directory SSO fails

I have a Pay-As-You-Go account. Created Databricks workspace in Azure Portal and trying to launch it but stuck at the Databricks login screen. It fails after a while with message - ''We've encountered an error creating your workspace. Please wait a few minutes and try again'. Tried different browser but same problem. Please help.

Find amount of objects synchronized with AAD

We're currently running Azure AD Domain Services on a Pay-as-you-go Subscription model and we are looking at moving over to a static monthly subscription. The tiers are set by number of Directory Objects and for less than 25,000 it's about $109.50/month, from 25,001 to 100,000 it's about $292/month and so forth.

I want to find out the amount of objects we're currently synchronizing but haven't been able to locate this piece of information in any of the portals so far. Is it available anywhere or will I need to calculate it manually somehow?

AAD connect - move to another server

Hello,

Short Description:

I need to migrate current installation of AAD Connect (1.0.9131.0 - Released: December 2015) from Domain Controller (Windows Server 2008 R2).

To a new dedicated Windows Server 2016. This was installed by customer technicians in the past, and it was not documented what was done, therefore it's hard to say if the installation is customized and how far they went with it.

I've tried to go through this suggested way via the Documenter tool:

However, the HTML file with the comparison is too long with many red/blue/green lines, so the configuration of the new server is almost impossible; nevertheless, I have no idea where and how to adjust some of the settings. An example is at the end.

I am not sure if some of the findings are related to the differences between versions and probably some new/deprecated features, so they can be ignored with no harm to production, or if it's really a misconfiguration and important to set.

I've also thought about an in-place upgrade, but there are also some warnings related to loss of configuration, etc.

Is there any easier way to perform the migration with all settings and configuration? Import/export?

I've spent 2 days reading and googling about this and possible scenarios with no success, so any idea or advice is more than welcome!

Thank you in advance,


How do I specify the password of a new user created by the API of the blockchain workbench?

Hi, I have deployed an Azure workbench here https://votemaadi-4bm4ew.azurewebsites.net/.

So using the API (POST /api/v1/users ) I have been able to create a new user by specifying first name, last name and a new email id.

But, if I need to now log in as this new user, how do I get the password? Also, the new user is not reflected in the users section of the Azure Active Directory.

I would be happy to get any clarification about it.

Azure AD Connect Sync failure - sync-generic-failure

Running into some issues with one user account syncing from on Prem to Azure AD. 

This account was a cloud account and a new Server 2016 environment was deployed. All other user accounts successfully linked. But not this one.

Azure synchronization tool reports sync-generic-failure
Weird part is that this is the only user that has three connectors listed for the metaverse object properties. Two for the onmicrosoft and one for on prem connector.

Attempted to run IDFix, it finds the user and reports 
Attribute = mailnickname Error = blank
Attribute = targetaddress Error = blank
Attempt the edit action and it fails. 
Log reports error = The requested attribute does not exist.

Not sure if the issue is a ghost object in metaverse, missing attributes in Azure, or missing attributes in local AD.

Thank you.

How to add file permissions (or anything else) for AzureAD users on AzureAD-joined Win10 machine?

I'm on a Win10 workstation that's joined to AzureAD like this. How can I grant file permissions to an AzureAD user?

When I try to use the File Properties > Security > Edit > Add dialog I can't find/select any users on the AzureAD domain, including the currently logged in user. Entering `AzureAD\FirstLast` and clicking Check Names gives this (where AzureAD\JohnSmith happens to be the currently logged-in user):


There's no option to use AzureAD as the location for the Search either. 

In general this sort of thing seems to be a problem with AzureAD-joined accounts: Windows appears to not know about them, e.g. when adding them to SQL Server. Or perhaps I just don't know the right way to refer to these users?

thanks for any help!

Rory

Also posted on SuperUser

get-azresourcegroup : The term 'get-azresourcegroup' is not recognized as the name of a cmdlet, function, script file

I get this message: get-azresourcegroup : The term 'get-azresourcegroup' is not recognized as the name of a cmdlet, function, script file....

I have installed the module AzureRM.


Switch from Pass-through to Password Hash Sync using PowerShell

I have PTA with PHS enabled simultaneously so that in the case of an outage of the agents I can manually disable PTA for a cloud only authentication. However, I do not have access to the Azure AD Connect server. Can I switch to Password-Hash Sync without Azure AD Connect?

The cmdlet

Set-MsolDomainAuthentication -DomainName <domain> -Authentication Managed
does not work since it switches from Federated to Managed, but how do I switch between the 2 types of managed authentication?

Power BI with multiple data source

I need help on creating Power BI reports having multiple data sources.

Scenario: 

There are multiple ADs which can have access to specific data source using Power BI.

A regional director has access to Power BI with the data source that belongs to his/her resource, whereas the CEO has full access to all the data sources using Power BI.

Data stored in Azure.

Thanks

Not able to get the tenant ID

Hi,

I am trying to get the tenantID. I tried following the steps provided.

When trying to open Manage -> Properties in Azure Active Directory in the Azure Portal, I am getting an error

"Unable to complete due to service connection error, please try again later."

Please provide me with a solution on how to fix this.

Thanks and regards,

Anil Simon


How Azure AD handles Rate Limiting (Error code 429) in SCIM

While doing the initial sync up, SCIM will make hundreds or thousands of calls based on the user base. Now if the service provider's server doesn't handle the specific load & returns a 429 error code, how does Azure AD handle the scenario? Does it try to re-sync again & throttle the requests? If yes, at what rate & how does it decide on that? Can the service provider send anything to indicate the threshold?

Angola not in the list of country/region for creation of an Azure Active Directory/Tenant. Effects?

Hello all,

While trying to create my Azure AD/Tenant, I have noticed that my location (Angola) is not available in the list of countries or regions. It is clear that I cannot choose a random country/region now because I won't be able to alter it later; therefore, could you please clarify the following points?

Why is Angola not available in the list?

If I have to choose a country/region that is in the list, which one has to be?

If I choose another country/region, will it affect the subscriptions that we intend to buy via reseller (O365, Power BI) considering that the users and my actual domain are based in Angola?

Thanks
