Channel: Azure Active Directory forum

Azure OpenID Redirect post_logout_redirect_uri not working for most browsers


Our company is trying to move its business applications over to Azure. I am making use of OpenID Connect on Azure AD. I am doing this from a web application. Login works fine, but logout only works on some browsers. As documented, I am sending the following:

  1. id_token_hint = the full raw id token
  2. post_logout_redirect_uri = the url to redirect to after logout which is one of the redirect uris in the App Registration Platform Configuration
  3. state = only meaningful to my application

The redirect works in the Brave browser, but does not in Chrome and Edge. I am more than happy to supply additional information in helping to debug.

Kind regards,

Dirk
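The three parameters listed above, as an added example that is not part of the original post: it builds the Azure AD v2.0 end-session request and checks post_logout_redirect_uri against the registered redirect URIs the way the identity provider does (exact string match), naming the closest registered URI and the component that differs when the check fails. The tenant id, the registered URI list and the token value are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant id
LOGOUT_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout"

# Constructed stand-in for the redirect URIs in the App Registration's platform
# configuration; the identity provider only honours an exact match against these.
REGISTERED_REDIRECT_URIS = [
    "https://app.example.com/signout-callback-oidc",
]


def check_redirect_uri(uri, registered=REGISTERED_REDIRECT_URIS):
    """Exact-match check as the IdP performs it; on failure, name the closest
    registered URI and the component that differs, to speed up debugging."""
    if uri in registered:
        return True, "registered"
    if not registered:
        return False, "not registered; no redirect URIs configured"
    want, best = urlparse(uri), None
    for reg in registered:
        have = urlparse(reg)
        if want.scheme != have.scheme:
            rank, diff = 4, "scheme"
        elif want.netloc.lower() != have.netloc.lower():
            rank, diff = 3, "host/port"
        elif want.path != have.path and want.path.rstrip("/") == have.path.rstrip("/"):
            rank, diff = 0, "trailing slash"
        elif want.path != have.path:
            rank, diff = 2, "path"
        else:
            rank, diff = 1, "query/fragment"
        if best is None or rank < best[0]:
            best = (rank, diff, reg)
    return False, f"not registered; closest is {best[2]} (differs in {best[1]})"


def build_logout_url(id_token, post_logout_redirect_uri, state):
    """Build the end-session request with the three parameters from the post."""
    ok, why = check_redirect_uri(post_logout_redirect_uri)
    if not ok:
        raise ValueError(f"{post_logout_redirect_uri}: {why}")
    params = {
        "id_token_hint": id_token,                  # the full raw id token
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,                             # opaque to the IdP, returned unchanged
    }
    return f"{LOGOUT_ENDPOINT}?{urlencode(params)}"
```

Comparing the URL the browser actually sent (from its developer tools) against check_redirect_uri's verdict is a quick way to rule out a near-miss URI before looking at browser-specific behaviour.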


Azure AD for small office


Hello!!

Perhaps this is a dumb question, but I have been looking for an answer for it and I have not found any.

In our office, we have a Samba server which is our current Domain Controller. We are going to move from this Samba server to a new AD on Windows Server. We are 6 people and we own 7 computers. It is a small office.

I was thinking of having a virtual Windows Server in the cloud, in Azure. Which is the correct way?

1 – Create a VM in Azure, running Windows Server, and enable AD DS and DNS. Then set the DNS server on the Windows clients to point to the VM and join the domain created.

2 – Do not create a VM and use Azure Active Directory.

3 – Use the Azure AD for Office 365 that we already have for our Office 365 subscription.

In the 2nd and 3rd options, where should I run my DNS server? We are not going to have any physical server on premises.

I appreciate any help or guide to look at.

Many thanks.

VPN Point-to-Site --- Azure AD

I have an AAD domain connected to an Azure virtual machine with Windows Server 2016 through Azure AD Domain Services. On a local virtual machine with Windows 10, I set up a Point-to-Site VPN connection with Azure. The local connection to Azure virtual machines works, but I can't connect my computer to the domain created in Azure AD. Is there such a possibility? If so, do any additional ports or protocols need to be unlocked or additional interfaces created? How do I do it? Is it even possible to connect a host to an Azure AD domain via VPN Point-to-Site?

SAML support - Deeplinking (Bookmark URL) access by user


Hi,

I want to understand how deep linking is supported with Azure AD SSO, i.e. the case when a user clicks on a deep link (from bookmarks). Any help is greatly appreciated.

Thanks,

Surya Ch

How to check whether a domain has been registered for any Azure AD tenant?


How can I programmatically verify whether a given (custom) domain has already been registered for an Azure AD tenant?

The solution must also work for tenants not federated with on-premises AD using ADFS, and I'd rather not resort to web scraping.

A potential use case is to probe whether a partner organization is using Azure AD in the first place.


Unable to connect to Azure AAD/AD DS enabled file share from Windows 10 on premises


I followed the guidance at the Azure Storage article and, whilst I am able to connect a VM in Azure to my shares over SMB with AAD authentication, I am unable to connect a PC from my premises without the storage access key. We would like to use Azure Files in a 100% cloud environment with authentication handled by Azure AD/AD DS. We don't have any on-premises servers and so Azure File Sync isn't an option.

Steps I followed:

  1. Set up Azure AD Domain Services. This has now been online around 48 hours.
  2. Set up a completely new storage account for my users in Australia - abaustralia.
  3. Set up a security group - 'SEC-AU-AllStaff' - in Azure AD. Waited for those to synchronise to AD DS.
  4. I added myself as a member of SEC-AU-AllStaff.
  5. I went to Storage Accounts\abaustralia\Access Control (IAM) and added myself to the 'Storage File Data SMB Share Elevated Contributor' role.
  6. I spun up a Windows Server 2016 VM in Azure on the same VNet as AD DS. I then domain joined it, connected to the file share using the storage access key and used icacls to grant read permission to SEC-AU-AllUsers at the root level of the file share: icacls Z: /grant "DOMAINNAME\SEC-AU-AllStaff:(R)". This succeeded.
  7. I used cmdkey /delete to remove the stored access key for the storage account and rebooted.
  8. Upon restarting the VM I was able to connect with net use on the domain-joined Windows Server 2016 VM.

That is all good and works as per the guidance. However, three separate Azure AD-joined VMs running Windows 10, signed into my account or a test account which is also a member of DOMAINNAME\SEC-AU-AllStaff, are unable to access the file share. Running net use asks for a password; when the correct one is provided, System error 86 is returned:

net use z: \\abaustralia.file.core.windows.net\australia

Enter the username for 'abaustralia.file.core.windows.net': aus.test@aqualisbraemar.com

Enter the password for abaustralia.file.core.windows.net:
System error 86 has occurred. The specified network password is not correct.

I tried providing credentials in both DOMAINNAME\user and domain.com\user formats. Nothing works.

The documentation does not stipulate that on-premises machines cannot use Azure Files with AAD authentication over SMB. I did find it mentioned in a few other places, e.g. here where it says "Azure AD authentication over SMB is not supported for on-prem machines accessing Azure Files using either AD or AAD credentials." This however isn't listed in the current Microsoft Docs documentation, so presumably that restriction has gone away. In which case, what am I doing wrong?


Error When Trying To Get Credentials in adal


Here's my code:

import adal
import requests

# Authority URL for the tenant, and the client id of the app registration
a_url = "https://login.microsoftonline.com/d318c6fb-0376-4dbf-9022-282c3888380f/"
client_id = "d70d6f47-9d28-496e-b7dc-cbf8d03e68d7"

context = adal.AuthenticationContext(a_url, api_version=None)

# Username/password (ROPC) flow; the resource requested here is the app's own client id
token = context.acquire_token_with_username_password(
    resource=client_id,
    username="codefundo19@outlook.com",
    password="pass",
    client_id=client_id,
)

The error is:

AdalError: Unsupported wstrust endpoint version. Current support version is wstrust2005 or wstrust13.


Query license assignments from Azure using API?


Can AD users be created and updated from a Namely account?

I would like to have Namely be the initial site of user creation/deletion for the Azure AD. Similar to the Workday integration, I am trying to set up automatic user provisioning from Namely. Is this possible through AD Provisioning Service or possibly another service? 

Azure Access Reviews


Testing Azure Access Reviews in Azure AD Premium P2.

I have tried creating a couple of Access Reviews for Azure AD Groups but the creation fails. I have tried with different settings.

The error is as shown below. How do I get rid of this error and create a Review?

I am logging in as a Global Administrator.

Thanks


This domain has been previously configured on an existing Azure AD or Office 365


I am trying to verify my company's domain in the Azure portal. This domain was previously used in the classic portal, but it is no longer showing in either. Since the update to the new portal, I can no longer see it listed in any Azure AD settings.

I do have an Office 365 account using an email address for that domain, but when I access that, I have no admin rights to edit (or see) what domains are set up. Therefore I cannot "release" the domain, if that's where it resides.

Can somebody please help me regain control of this domain? I should add that my email address is registered as a Personal Account (for now, until I get this sorted...).

I'm happy to share any account details in a private message.


Azure AD & On-Prem Printer/Scanner


Hello Team

I have 25 on-prem Windows machines (laptops/desktops) with Windows 10 Professional and they are all Azure AD joined.

I have an on-prem scanner and printer and also licensing for OneDrive for Business and SharePoint. There is no on-prem AD.

1. Is it possible to configure the scanner with Azure AD credentials in the scanning profile?

2. Is it possible for the scanner to scan to a folder on the Azure-connected laptops/desktops?

Users should be able to work on the documents and then upload to the SMB share created on OneDrive for Business?


How do you add a guest Microsoft account when the email address is the same as an Azure AD user?

I'm trying to add my personal Microsoft account as a guest user in Azure AD but get the error "User name already exists in this directory", which it does as an organizational user. This is all so I can attach our Devops, which uses Microsoft accounts, to our Azure AD and use organizational accounts instead. Is there a way?

Azure App Registration Secret Expiry alerts


Hello Team,

Can you please let us know how to get a notification prior to app registration client secret expiry?
We are registering an app and creating a secret for the application which is valid for 1 year.

We want to enable a notification for a secret which is going to expire soon. Is there any mechanism available?

Thanks in advance
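One way to build such a notification yourself, as an added example that is not part of the original post: list every app registration's password credentials and flag those that have expired or expire within a warning window. The input below is a constructed sample in the shape Microsoft Graph returns for GET /applications?$select=displayName,appId,passwordCredentials (each credential carries keyId, displayName and endDateTime); fetching the real data with an authenticated Graph call is left to the caller, and the app names, ids and dates are invented.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape Microsoft Graph returns for
# GET /applications?$select=displayName,appId,passwordCredentials
SAMPLE_APPS_JSON = """
{"value": [
  {"displayName": "Payroll API", "appId": "11111111-1111-1111-1111-111111111111",
   "passwordCredentials": [
     {"keyId": "aaaa", "displayName": "prod-2019", "endDateTime": "2020-01-10T00:00:00Z"},
     {"keyId": "bbbb", "displayName": "prod-2020", "endDateTime": "2021-01-10T00:00:00Z"}]},
  {"displayName": "Reporting", "appId": "22222222-2222-2222-2222-222222222222",
   "passwordCredentials": [
     {"keyId": "cccc", "displayName": null, "endDateTime": "2019-12-01T00:00:00Z"}]},
  {"displayName": "No secrets", "appId": "33333333-3333-3333-3333-333333333333",
   "passwordCredentials": []}
]}
"""


def parse_end(ts):
    """Graph emits ISO 8601 UTC timestamps ending in Z, sometimes with fractional
    seconds; drop the fraction so this also works on older Python versions."""
    base = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def expiring_secrets(apps_json, now, warn_days=30):
    """Return one record per secret that is already expired or expires within
    warn_days of `now`, soonest first; expired ones have a negative days_left."""
    window = now + timedelta(days=warn_days)
    hits = []
    for app in json.loads(apps_json)["value"]:
        for cred in app.get("passwordCredentials", []):
            end = parse_end(cred["endDateTime"])
            if end <= window:
                hits.append({
                    "app": app["displayName"], "appId": app["appId"],
                    "keyId": cred["keyId"], "secret": cred.get("displayName") or "(unnamed)",
                    "days_left": (end - now).days,
                })
    return sorted(hits, key=lambda h: h["days_left"])


def report(hits):
    """Plain-text alert lines, e.g. for an e-mail or chat notification."""
    lines = []
    for h in hits:
        when = (f"expired {-h['days_left']} days ago" if h["days_left"] < 0
                else f"expires in {h['days_left']} days")
        lines.append(f"{h['app']} ({h['appId']}): secret {h['secret']} [{h['keyId']}] {when}")
    return lines
```

Running expiring_secrets on a schedule (for example from an Azure Automation runbook or a cron job) and sending report() output when it is non-empty gives the advance warning the post asks for.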

PIM Privileged Identity Management - 2 policies for same role?


Is it possible to have 2 policies for Global Admin role? (or any role)

Example

User1 will have to request access to 'Global Admin' through PIM and will be automatically granted the role

User2 will have to request access to 'Global Admin' through PIM and request needs to be 'Approved' by any 'Global Admin'


Forgot Password link not working for the Azure B2C AD


Dear All,

I would like to know how the change password link is working. I have configured both an ASP.NET Core application with Azure B2C as well as Moodle (LMS), which is open source, with Azure B2C.

 1. ASP.NET Core web application: it works fine, and the password reset and profile edit policies are mentioned in the config file.

 2. Moodle LMS: we have modified the custom code and now the sign in and sign up work as expected, but the forgot password link is not working.

Below is the URL captured when trying to log in to the Moodle LMS system:

https://b2ctest.b2clogin.com/b2cTest.onmicrosoft.com/B2C_1_signinupmoodle/api/CombinedSigninAndSignup/forgotPassword?csrf_token=SgsdgsgsdfmdfgdfgdfWDfgfdgfdgfdycXkvZUR5sdfsA4LTE0VDEwOjA0OjE2LjA4MzQxNFo7S2pOaUtlVk95WFdkY0FRclZpOWpmdz09O3siT3JjaGVzdHJhdGlvblN0ZXAiOjF9&tx=StateProperties=eyJUSUQiOiI2ZTUxZmY0My1lN2I5LTQ5N2EtYTFkMi00YzgxNTFiZDBjNGUifQ&p=B2C_1_signinupmoodle

When trying to log in to both applications, the forgot password link is appropriate to that application's policies.

But I am not sure how it works for the ASP.NET Core application and not for the PHP application. Requesting an expert to answer this question.


Selvakumar Rathinam

Locking down a domain-joined device during employee termination


Does disabling a domain-joined device in Azure AD prevent login to that device?

The O365 support team confirmed that 'resetting password/signing out now' prevents a user from logging into a domain-joined device using their Office email and password.

However, neither they nor Windows support could confirm if this also blocks the user from logging into the device using other credentials, i.e. Office email and PIN/fingerprint.

This query relates to Windows 10 and Office 365 Business Premium subscription.

Does anyone have any insights they could share, or best practices for locking down a device locally on employee termination?

Error message AADSTS700016 when trying to connect OneDrive Business via the PhotoCloud Android app


Hi,

When I try to connect PhotoCloud Slideshow (Android app) to OneDrive Business, an error message like the one below appears:

"AADSTS700016: Application with identifier '000000004015E800' was not found in the directory 'manlogistics.com.au'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant."

Can anybody help me resolve this issue, so this PhotoCloud Android app can access my photos in OneDrive Business, please?

Cheers,

Gedhe ND


What is the scope to use OAuth2.0 on ExchangeActiveSync protocol for personal Microsoft accounts?


Hi,

I am trying to authenticate a personal Microsoft account (Outlook.com account) using ExchangeActiveSync with OAuth. The application is registered in Azure AD. In order to use the OAuth v2.0 protocol for personal Microsoft accounts, the manifest config is set to:

"accessTokenAcceptedVersion": 2,
"signInAudience": "AzureADandPersonalMicrosoftAccount",

The ExchangeActiveSync permission is also added.

I tried to fetch an authorization code with the scope parameter set to

offline_access https://outlook.office365.com/EAS.AccessAsUser.All

But I got an invalid_scope response:

example://example.oauth2redirect?error=invalid_scope&error_description=The provided value for the input parameter 'scope' is not valid. The scope 'offline_access https://outlook.office365.com/EAS.AccessAsUser.All' does not exist.

Is ExchangeActiveSync supported by the AD OAuth v2 protocol? If it is, what is the correct scope to use it?

Thanks,

Is it possible to connect Azure AD accounts to a LDAP server?


Hi,

I use Access Control (IAM) to add people to our Azure portal. If I create an LDAP server, can I connect it to the same AD?

I want to create a website that uses authentication against the Azure AD.
