Channel: Azure Active Directory forum

Non Gallery SSO


Hello Everyone,

Hope someone can help me out here. We are a software development company which created a web app. What we want to do is have SSO sign-on to our non-gallery app. The remote users that are logging into our app are not a part of our Azure AD and not members of our organization. So I have been on the phone with support but keep getting sent to either authentication support or dev support with no definitive answer on how to set this up. We have set up the SAML config on the non-gallery app, but what I need to figure out is how do I configure this so that the remote customer can access our web app via SSO with their own AD logon which is not related to our Azure domain. Any help would be greatly appreciated. We have SAML configured, but the piece that confuses me is how to get the user on the far end outside our domain to authenticate to our app using their own AD logon.

Thanks

Rob



Azure AD created but how to add local user in AD account

Azure AD created but how to add local user in AD account? Please help on this issue.

Optional claims not included in id_token returned by /oauth2/v2.0/token


Hi,

The v1 version of the OAuth2 token endpoint (/oauth2/token) returns an id_token including given_name and family_name. These fields are not present on the new endpoint (/oauth2/v2.0/token).

According to the documentation (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-optional-claims), these claims are now optional and can be enabled by changing the manifest.

However, after including:

    "optionalClaims": {
        "idToken": [
            {
                "name":"given_name",
                "source":null,
                "essential":true,
                "additionalProperties": []
            },
            {
                "name":"family_name",
                "source":null,
                "essential":true,
                "additionalProperties": []
            },
            {
                "name":"email",
                "source":null,
                "essential":true,
                "additionalProperties": []
            }
        ],
        "accessToken": [],
        "saml2Token": []

    }

in my Manifest, the optional claims are still not present in the id_token. Am I missing something?

Regards,

Maciej

Azure Access Reviews


Testing Azure Access Reviews in Azure AD Premium P2.

I have tried creating a couple of Access Reviews for Azure AD Groups, but the creation fails. I have tried with different settings.

The error is as shown below. How do I get rid of this error and create a Review?

I am logging in as a Global Administrator.

Thanks


Azure App Registration Secret Expiry alerts


Hello Team,

Can you please let us know how to get a notification prior to app registration Client Secrets expiry?
We are registering an app and creating a secret for the application which is valid for 1 year.

We want to enable a notification for a secret which is going to expire soon. Is there any mechanism available?

Thanks in Advance  

Is it possible to revoke user permissions by removing him from the Azure AD Security Group after he signs in?


An AD Group is assigned a role (say Reader for a particular Subscription) and then a member (user) is added to the group.

Now when user logs in to Azure Portal, he gets assigned the same role as the group to which he belongs. Say after signing in to portal, I remove him from the group (by calling API or through CLI), why don't his permissions get revoked?

Azure AD Connect


Hi,

I have Azure AD Connect on Windows 2016 server in my AD environment.

I plan to configure Azure AD Connect (staging mode) on a Windows 2019 on-premises server as a secondary server.

Please let me know if there will be any impact. Does it work on Windows Server 2019?

Regards,

Anand



Refresh API of ADFS returning invalid_grant when in office network, but works fine in other networks


We are trying to use ADFS authorization for our React application. We are handling our authentication with a Node.js integration layer, where the frontend requests login or a refresh token from the Node.js integration layer. Though the /authorize and /token (to get access token and refresh token) calls work fine in the office network, /token (to get a refreshed access token) throws an "invalid_grant" error and the description says "Client authentication failed. Please verify the credential provided for client authentication is valid". But this is working totally fine in other networks.

Steps on which we get the error:

  1. React app checks for the token in localStorage. If the token is not there, it redirects to the login API (GET) exposed in the Node.js layer.
  2. The Node.js layer, on getting a request for the login API, redirects to the ADFS login page (/authorize) with response_mode as form_post, response_type as code+id_token and redirect URI as the /postToken API exposed via Node.js, which asks the user to enter the username and password.
  3. On successful authentication, ADFS calls the redirect_uri, sending the code and id_token to the Node.js layer API via POST, and the Node.js layer in turn calls the /token API of ADFS with grant_type as authorization_code, scope as openid and client credentials to get the refresh_token and access_token.
  4. Once the refresh_token and access_token are obtained, the Node.js layer redirects to the React app with access_token and refresh_token as cookies.
  5. The React app then uses the access_token for further requests for data.
  6. Every 5 minutes, the React app calls the /refresh API exposed in the Node.js layer, passing the refreshToken to get a new access_token.
  7. The Node.js layer, on getting the request for the /refresh API, calls the /token API of ADFS with grant_type as refresh_token and passes the refresh_token to ADFS to get the new access_token.
  8. On a successful request to the /token API of ADFS, the refresh_token is obtained back from ADFS and the data is sent to the React app.

The above steps work fine outside the office network. In the office network, step 6 still works fine, but step 7 fails with the error below:

{ "error":"invalid_grant", "error_description":"MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid." }

We need this to be resolved. Can anyone here help us with how to resolve this?
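The refresh_token grant that step 7 sends to the ADFS token endpoint, as an added example that is not part of the original post or the poster's Node.js layer: it builds the form body with the client credentials and separates a successful reply from the MSIS9622 client-authentication failure quoted above. The endpoint host, client id, secret and token values are constructed placeholders.

```javascript
// Added example, not the original poster's code. Endpoint, client id/secret
// and token values are constructed placeholders.
const TOKEN_ENDPOINT = 'https://adfs.example.test/adfs/oauth2/token'; // assumed host

// Build the application/x-www-form-urlencoded body for a confidential client
// refreshing its access token. ADFS authenticates the client itself with
// client_id/client_secret; the refresh_token proves the prior user grant.
function buildRefreshRequest({ clientId, clientSecret, refreshToken }) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  });
  return {
    url: TOKEN_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Interpret the JSON the token endpoint returns. A 2xx carries access_token
// (and usually a rotated refresh_token); any other status carries
// error/error_description. MSIS9622 in the description means ADFS rejected
// the client credential, not the refresh token, which narrows the search
// to whatever differs in the client_id/client_secret pair on that network path.
function parseTokenResponse(status, json) {
  if (status >= 200 && status < 300 && json.access_token) {
    return {
      ok: true,
      accessToken: json.access_token,
      refreshToken: json.refresh_token || null,
      expiresIn: json.expires_in,
    };
  }
  const description = json.error_description || '';
  return {
    ok: false,
    error: json.error || 'unknown',
    description,
    clientAuthFailed: /MSIS9622/.test(description),
  };
}

// Constructed sample of the failure reply quoted in the post.
const SAMPLE_FAILURE = {
  error: 'invalid_grant',
  error_description: 'MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid.',
};
```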


IronWiFi App Registration - Wireless Authentication Timeout Configuration


Hello,

We are currently evaluating a SaaS Cloud-RADIUS provider (IronWiFi) to authenticate our wireless users via their Office 365 credentials.

The issue we are having is that the connection attempts from the client systems time out when trying to authenticate to Azure AD via the IronWiFi setup (which involves creating and registering an IronWiFi-specific app in Azure and configuring some Cloud RADIUS servers within IronWiFi).

After conferring with IronWiFi support, they indicated that the issue resides within Azure. This was confirmed when we tried authenticating straight to the IronWiFi Cloud Service: it worked every time in that scenario, but times out again when switching back to Azure AD authentication.

Does anyone know whether authentication time limits or similar are stored within Azure, which could be affecting requests coming from 3rd-party services like IronWiFi?

Cannot Delete Directory

When I attempt to delete my Directory I have 1 required action on the "Enterprise applications" row that says "Delete all enterprise applications".  However, when I click through on the required action I see no enterprise applications.  How can I proceed?

AIP Scanner - error acquiring token


Hello,

Has anyone solved the issue where you get:

"Set-AIPAuthentication : Unable to authenticate and setup Microsoft Azure Information Protection At line:1 char:1 ..."

when trying to get the security token using the parameters -webAppId -webAppKey -nativeAppId for AIPScanner?

I am using a demo tenant (m365xxx.onmicrosoft.com) and a test domain (testdomain.local).

The two apps have been created in AAD following the documentation.

My local AIP service account is synced via ADConnect and has local logon rights to my AIPScanner server.

I am running the Set-AIPAuthentication with powershell running as my service account.

If I run *just* the Set-AIPAuthentication cmdlet, I am asked to provide credentials (service account), and I get a token.

If I run with *any ONE parameter* it seems to work.

If I run with *any TWO parameters* it seems to work.

If I run with *all THREE* parameters, I get the error.

I noticed someone else has a similar posting, with no resolution.  Has anyone found the explanation for this error?

Thanks!

Moving to a new domain


Hello

I hope this is the correct place to ask.

I am setting up a new environment for my little new startup. My plan is to put all of my desktop PCs, laptops and mobile phones (both Android and iOS) into a new AD. I also want to migrate my personal data into new work accounts.

So far I have bought my own domain name and an Exchange 2019 subscription. In my personal Microsoft account I have an Office 365 subscription and lots of Windows 10 licenses.

Is it possible to migrate everything into Azure Active Directory, then put policies and security settings in place? For example, I want to use my Windows & Office licenses, but they should work in my new work account. If they work in the new work accounts, then I can delete the personal accounts.

There are also security concerns. For example, I don't want any local accounts anymore, and everything will be centrally controlled. I want to use a YubiKey and possibly Microsoft Mobile Authenticator. Is that possible?

Can I use my own custom domain with Microsoft Azure AD Cloud? Do I need to create a work account with my own domain, or is there a migration path from personal to work?


Can't delete Azure Active Directory - The managed domain is in a failed state


I have two active directories I can't delete.  

When trying to delete the resource group with PowerShell:

PS C:\Users\chris> Remove-AzResourceGroup -name "test-rg" -Force
Remove-AzResourceGroup : Long running operation failed with status 'Conflict'.
At line:1 char:1
+ Remove-AzResourceGroup -name "test-rg" -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Remove-AzResourceGroup], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.RemoveAzureResourceGroupCmdlet

In the portal, viewing the directory displays the error banner: The managed domain is in a failed state. Contact support with your Azure AD tenant ID and the domain name of the managed domain.

How do I go about deleting these directories?

How do you add a guest Microsoft account when the email address is the same as an Azure AD user?

I'm trying to add my personal Microsoft account as a guest user in Azure AD but get the error "User name already exists in this directory", which it does as an organizational user. This is all so I can attach our Devops, which uses Microsoft accounts, to our Azure AD and use organizational accounts instead. Is there a way?

Publisher Domain verification not working for an "application from personal account" despite json available in browser


I'm trying to verify the publisher domain of my application but it's not working despite the json file being available when checking the link in a browser.

I suspect it's because the app is listed under 'Applications from personal account', as the error message shown is:

"Verification of publisher domain failed. The application was not found. If the application was just created, wait a few minutes and refresh the page. [62wAT]"

It's a several-years-old app that's working fine "in the wild", so it's definitely not "just created".

Does anyone know if I'm right that this is the problem and if so whether the app can be moved away from being a personal app? Re-creating it (with a different id) is not currently an option as it's "live".


How to delegate RBAC role to 'Consent'?


Hi,

I need to delegate the right to consent via the Azure Portal: Azure Active Directory / App Registrations / API Permissions / Grant Access. How can I do that?


GH

Multiple AD Forests with same routable UPN Suffix

Hello folks,
I have two AD Forests, Forest A and Forest B, with a two-way trust between the forests, and in Forest A an ADFS server and Azure AD Connect.
In Forest A I've added the routable UPN suffix domainxyz.com; this domain is already configured as "Federated" in Azure AD.
My question is: can I use the same routable UPN suffix domainxyz.com in Forest B?
I couldn't find any clarification that it's not supported.

P.S. I think not, because it could cause an issue during authentication on ADFS, as ADFS will not know which DC in which forest would be the authentication target, correct?

Is it possible to convert a SAML token (assertion) to OAuth 2 JWT access token?


We are exposing some APIs which are protected by checking for OAuth2 access tokens.

Some clients should access these APIs but apparently their easiest authentication with Azure-AD is using some module based on SAML (the apps are built on Mendix platform). 


Is there a way for them to obtain a JWT access token for a user which has been authenticated using SAML?



Does Windows Azure support OAuth 2.0 SAML Bearer Assertion Flow?

Does Windows Azure support the OAuth 2.0 SAML Bearer Assertion Flow, in which a SAML assertion can be used to request an OAuth access token when a client wishes to utilize a previous authorization?

Alert on Client Secret Key Expiry for App registration

Is there a way to enable an alert on client secret key expiry for an app registered with OpenIDC/OAuth2.0?
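For this question and the earlier "Azure App Registration Secret Expiry alerts" post, an added example that is not from either post: a check that flags app registration secrets expiring within a chosen window, run over the shape Microsoft Graph returns for GET /v1.0/applications with passwordCredentials selected (reading it requires the Application.Read.All permission). The application list below is constructed sample data; a real run would fetch GRAPH_QUERY and feed the `value` array to the same function.

```javascript
// Added example, not code from the posts. Works over the Graph /applications
// response shape: passwordCredentials[].endDateTime is an ISO 8601 timestamp.
const GRAPH_QUERY =
  'https://graph.microsoft.com/v1.0/applications?$select=id,displayName,passwordCredentials';

const MS_PER_DAY = 86400000;

// Return one entry per secret that expires within `warnDays` of `now`
// (already-expired secrets included), sorted soonest first.
function findExpiringSecrets(applications, now, warnDays) {
  const nowMs = now.getTime();
  const horizon = nowMs + warnDays * MS_PER_DAY;
  const hits = [];
  for (const app of applications) {
    for (const cred of app.passwordCredentials || []) {
      const end = Date.parse(cred.endDateTime);
      if (Number.isNaN(end)) continue; // malformed timestamp: skip rather than crash
      if (end <= horizon) {
        hits.push({
          appId: app.id,
          displayName: app.displayName,
          keyId: cred.keyId,
          endDateTime: cred.endDateTime,
          daysLeft: Math.floor((end - nowMs) / MS_PER_DAY),
          expired: end <= nowMs,
        });
      }
    }
  }
  return hits.sort((a, b) => a.daysLeft - b.daysLeft);
}

// Constructed sample in the Graph response shape (three apps, four secrets).
const SAMPLE_APPS = [
  { id: 'app-1', displayName: 'Billing API', passwordCredentials: [
      { keyId: 'k1', endDateTime: '2024-03-10T00:00:00Z' },    // 9 days left
      { keyId: 'k2', endDateTime: '2025-01-01T00:00:00Z' } ] }, // well outside the window
  { id: 'app-2', displayName: 'Legacy Sync', passwordCredentials: [
      { keyId: 'k3', endDateTime: '2024-02-01T00:00:00Z' } ] }, // already expired
  { id: 'app-3', displayName: 'No Secrets', passwordCredentials: [] },
];
const NOW = new Date('2024-03-01T00:00:00Z'); // constructed "current" time

// Pipe this into whatever alerting you use (mail, ticket, monitor); a scheduled
// run with a 30-day window catches a one-year secret a month before it dies.
function secretExpiryReport(applications, now, warnDays) {
  return findExpiringSecrets(applications, now, warnDays).map((h) =>
    `${h.expired ? 'EXPIRED' : `${h.daysLeft}d left`}: ${h.displayName} (${h.appId}) key ${h.keyId} ends ${h.endDateTime}`);
}
```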