User getting Sync-Generic-Failure for Azure AD sync
How to force a sync with Azure Active Directory.
We have a 100% cloud based AD system. ONLY running Azure AD.
If I create a new user in the Azure AD portal, that user is invisible in Active Directory Users and Computers and cannot be used to sign in to PCs on the domain for about 30 minutes. After 25-30 minutes AD Users and Computers shows the account and that account can be used to sign in to domain PCs.
Is there any way to force this sync?
To clarify, we do NOT have a local DC, so AD Connect can't be used as far as I know to force a sync. Any help with this would be greatly appreciated.
Granting admin consent from portal fails with "Exception: Correlation failed." message.
I am trying to grant admin consent to my application through:
enterprise applications/<My app>/Permissions/Grant Admin Consent for <...> (Default Directory)
It prompts me for login, when I login with admin account I get prompted for consent, but when I click the Accept button it fails with the error message.
I have tried the link separately as well but no luck.
Azure AD and original (manual) AD DS questions. We are not using managed Azure AD DS.
We want to create an Azure AD and bring the original on-premises AD DS into the cloud.
Can I assume that if we are extending the original (on-premises) AD DS domain to the cloud, we would create DCs as they would normally be created on premises? By "normally" created DCs I am referring to DCs which are not AAD DCs. The reason for keeping the original AD DS is that the original AD structure with the GPOs needs to be available.
If we have created original-domain DCs in the cloud with the original FSMO roles, how do we integrate this with AAD? We will eventually decommission the on-premises DCs.
What steps need to be done when decommissioning the on-premises DCs for the Azure synchronization?
Also, when creating the 1st AAD DC, why do we add the Feature (AD DS and AD LDS Tools) instead of the AD Role? Does adding only the Feature (AD DS and AD LDS Tools) allow for the creation of Azure AD only (not the managed Azure AD DS)? NOTE: We do not want to add managed (Azure AD DS) services but will be using the original manual AD DS in the cloud.
I always thought the AD Role (AD Domain Services) had to be added to create a DC, as well as the Feature (AD DS and AD LDS Tools).
Don't both the Role (AD Domain Services) and the Feature (AD DS and AD LDS Tools) need to be added when creating the 1st AAD DC?
For any subsequent AAD DCs, do we need to create the AAD DCs using the same steps as the 1st AAD DC?
Also, I noticed that when we created the Azure AD it provided us with two IPs for DNS servers. I assume we are supposed to use the two DNS IPs for the two AAD DCs? Would we need to create more AAD DCs, or can we just create the original-domain DCs? Can the FSMO roles from the on-premises DCs be transferred to the original-domain DCs only?
What is the best practice for Azure AD DCs and original-domain DCs (in the cloud)?
dsk
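An added example (not from the post above, and not Microsoft's own scripts) showing the role-versus-feature point and the FSMO move in PowerShell: a writable domain controller needs the AD DS role, while "AD DS and AD LDS Tools" is only the RSAT console feature. Placeholders assumed here: the domain corp.example.com, the new Azure-hosted DC AZ-DC01 and the account CORP\Administrator.

```powershell
# Added example, not from the post above: promote a Windows Server VM in Azure as
# an additional DC of the existing (on-premises) domain, then move the FSMO roles
# to it. Placeholders assumed: corp.example.com, AZ-DC01, CORP\Administrator.

# 1. A writable domain controller requires the AD DS *role*. The RSAT feature
#    "AD DS and AD LDS Tools" only installs consoles (ADUC, ADSI Edit, dcdiag);
#    -IncludeManagementTools adds them next to the role in one step.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Join the existing domain as an extra DC (not a new forest/domain), with DNS.
#    The SafeMode password is the DSRM password; read it, do not hard-code it.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -Credential (Get-Credential 'CORP\Administrator') `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots; continue on the new DC afterwards.

# 3. Do not move FSMO roles until replication to the new DC is clean.
repadmin /replsummary
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles

# 4. Transfer all five roles. Without -Force this is a graceful transfer that
#    needs the current holders online; -Force seizes and is for dead DCs only.
Move-ADDirectoryServerOperationMasterRole -Identity 'AZ-DC01' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 5. Confirm the new holders.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 6. Before demoting the on-prem DCs: point the Azure VMs' DNS at the new DCs,
#    and if Azure AD Connect is installed, make sure its AD connector is not
#    pinned to a DC you are about to remove (Synchronization Service >
#    Connectors > Configure Directory Partitions > Only use preferred DCs).
```

Each further Azure-hosted DC is built with the same first two steps; the FSMO transfer is done once. Azure AD itself has no domain controllers, so nothing in this script touches the Azure AD tenant.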
Failed to delete custom control
I have been experimenting with implementing Duo for MFA via Conditional Access. I have since decided to not use Duo and am trying to remove the custom controls from Azure AD. When I try to delete RequireDuoMfa, I'm met with a:
"Failed to delete custom control
Deleting custom control 'RequireDuoMfa' failed. Please try again later."
I have waited until later; 1, 4, 8, even 72 hours later but I'm still getting the same message. I've already deleted the policy it was associated with, so I'm not sure what else I could do.
Sync on premises to AAD problem - Users on AAD are the same as on premises - It creates a second user on AAD - Local users can't log on!!! HELP!
Hello -
I have gone round and round with this. No resolution so for.
I have configured AD Connect for password sync with write back.
I have an on-premises Server 2012 R2 with a dozen users. It has a non-routable domain suffix, so I added the public domain suffix to the local trusted domains. It is now available as a drop-down in the user accounts.
When the system syncs, there are duplicate UPNs, of course. So if I change the user logon to the public domain name, no one can log on locally at all. Evidently the passwords are syncing, but that is pretty useless if no one can log on.
Is there any way to connect the user accounts on Azure with the local user accounts, short of recreating everything? The local AD users have redirected folders and other customizations. This is making me nuts. I have to stop the sync so that everyone can use their computers on the local domain again.
Any help would be greatly appreciated.
THANKS!
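An added example (not from the post above) of the usual way to stop the duplicates: give the on-premises users the public UPN suffix and hard-match each one to the existing cloud user by stamping the cloud user's ImmutableId with the on-premises objectGUID before the next sync. Placeholders assumed: corp.local as the non-routable suffix, example.com as the verified Azure AD domain, and the OU path. The MSOnline cmdlets are Microsoft's; the loop around them is the added code.

```powershell
# Added example, not from the post above. Requires the ActiveDirectory and
# MSOnline modules; run as a domain admin who is also an Azure AD Global Admin.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$oldSuffix = 'corp.local'    # assumed non-routable on-prem suffix
$newSuffix = 'example.com'   # assumed verified custom domain in Azure AD

foreach ($u in Get-ADUser -Filter "UserPrincipalName -like '*@$oldSuffix'" -SearchBase 'OU=Staff,DC=corp,DC=local') {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $newSuffix

    # Source anchor: base64 of the on-prem objectGUID. This is the value Azure AD
    # Connect writes as ImmutableId (the default anchor mS-DS-ConsistencyGuid is
    # seeded from objectGUID, so it is the same bytes).
    $immutableId = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())

    $cloud = Get-MsolUser -UserPrincipalName $newUpn -ErrorAction SilentlyContinue
    if ($null -eq $cloud) {
        Write-Warning "$newUpn has no cloud account; sync will create it"
    } elseif ($cloud.ImmutableId -and $cloud.ImmutableId -ne $immutableId) {
        Write-Warning "$newUpn is already anchored to a different object; skipping"
        continue
    } else {
        # Hard match: a cloud user whose ImmutableId equals the on-prem anchor is
        # joined to that on-prem object on the next sync instead of duplicated.
        Set-MsolUser -UserPrincipalName $newUpn -ImmutableId $immutableId
    }

    # Only the UPN changes; sAMAccountName (DOMAIN\user logon) is untouched.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn
    Write-Host ('{0}: {1} -> {2}' -f $u.SamAccountName, $u.UserPrincipalName, $newUpn)
}

# Then, on the Azure AD Connect server, run a delta sync.
Start-ADSyncSyncCycle -PolicyType Delta
```

Set-MsolUser -ImmutableId only succeeds on a user that is not already marked as synced, which is why the script checks the existing value first; if the duplicate accounts are the synced copies rather than the original cloud users, delete the duplicates (and purge them from the recycle bin) before running this.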
Configuring Azure AD, not Azure AD DS.
We want to create Azure AD only (not Azure AD DS). Azure AD will sync with on-premises AD.
Questions below:
1) Do I need to create a separate vnet and then a specific subnet for Azure AD (not for the IaaS, PaaS, ...)? I am thinking Azure AD is ready to be used and no special vnet and subnet needs to be created. This would be required for Azure AD DS only?
2) I would add a custom domain and add the name of the on-premises domain? Is a custom domain required for Azure AD?
3) When adding this custom domain, would I have to register a TXT or MX record on my on-premises domain controller?
4) Azure AD Connect will need to be run in order for Azure AD to populate with the on-premises AD DS?
5) Azure AD Connect needs to be run on a server which is a member of the (on-premises) domain?
6) On the Azure IaaS VMs which are in the domain, will we need to add the AD DS tools to RDP in and monitor Azure AD?
Are these tools necessary for administering Azure AD DS or Azure AD, to monitor the directory in Azure?
7) Are there any other differences in configuring Azure AD versus Azure AD DS?
dsk
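An added example (not from the post above) that checks the pieces questions 2, 3 and 5 turn on. Azure AD is a multitenant service with no vnet or subnet of its own (that is Azure AD DS), a custom domain is proven with a record in public DNS rather than on a DC, and the on-premises UPN suffix has to match that domain or synced users end up with an onmicrosoft.com UPN. Placeholders assumed: example.com as the custom domain; the public resolver address is an assumption too.

```powershell
# Added example, not from the post above. Needs the MSOnline, DnsClient and
# ActiveDirectory modules; Connect-MsolService prompts for a Global Admin.
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService

$domain = 'example.com'   # assumed custom domain

# 2/3) Ask Azure AD which TXT record it expects, then look for it in *public*
#      DNS (a public resolver, not the internal DC, to avoid split-brain views).
$expected = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
$expected | Select-Object Label, Text, Ttl
$txt = Resolve-DnsName -Name $domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue
if ($txt.Strings -contains $expected.Text) {
    Confirm-MsolDomain -DomainName $domain
} else {
    Write-Warning "Verification TXT for $domain not visible yet. Current TXT values: $($txt.Strings -join ', ')"
}
Get-MsolDomain | Select-Object Name, Status, Authentication

# The forest must carry the same suffix so users can be given routable UPNs.
if ((Get-ADForest).UPNSuffixes -notcontains $domain) {
    Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{Add = $domain}
}
Get-ADUser -Filter * -Properties UserPrincipalName |
    Group-Object { $_.UserPrincipalName -replace '^.*@' } -NoElement |
    Select-Object Name, Count   # how many users still sit on a non-routable suffix

# 5) The Azure AD Connect host must be a member of the on-prem domain.
$cs = Get-CimInstance Win32_ComputerSystem
[pscustomobject]@{
    ComputerName = $cs.Name
    DomainJoined = $cs.PartOfDomain
    Domain       = $cs.Domain
    IsDC         = ($cs.DomainRole -ge 4)   # 4/5 = domain controller
}
```

Question 6 is the same role-versus-tools distinction as in the earlier thread: the AD DS tools administer the domain controllers you run in Azure VMs, while Azure AD itself is administered through the portal, Microsoft Graph, or the MSOnline/AzureAD modules, with no tools installed on a VM.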
How do I delete AD Connect from my tenant?
How do I delete AD Connect from my tenant? I no longer want the AD server to connect or dictate my password policies and want to only have them in the Cloud.
I'd ask Azure support, but there's no such thing.
Thanks
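An added example (not from the post above) of the tenant-side switch that removes Azure AD Connect's control: turning off directory synchronization makes the synced users cloud-managed, so password policy and passwords are then set in Azure AD only. The cmdlets are Microsoft's MSOnline module; the polling loop and the checks around them are the added code.

```powershell
# Added example, not from the post above. Run as a Global Administrator.
Import-Module MSOnline
Connect-MsolService

# Before: is sync on, and when did the last cycle run?
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, DirectorySynchronizationStatus, LastDirSyncTime

# Turn it off for the whole tenant. Azure AD may take up to 72 hours to finish
# this, and it cannot be re-enabled until it has; it is not a quick toggle.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# Wait for the tenant to report the change (status goes through PendingDisabled).
do {
    Start-Sleep -Seconds 300
    $info = Get-MsolCompanyInformation
    "$(Get-Date -Format s) status=$($info.DirectorySynchronizationStatus)"
} while ($info.DirectorySynchronizationStatus -ne 'Disabled')

# Users are now cloud-managed; they keep their ImmutableId, which matters only
# if sync is ever re-enabled (it would hard-match them again).
Get-MsolUser -All | Where-Object { $_.LastDirSyncTime } |
    Select-Object UserPrincipalName, LastDirSyncTime, ImmutableId

# On the on-prem Azure AD Connect server: stop the scheduler, then uninstall
# Azure AD Connect from Programs and Features so nothing keeps trying to export.
# Set-ADSyncScheduler -SyncCycleEnabled $false
```

Disabling sync does not delete anything in the tenant; it only removes the "synced from on-premises" flag, after which the portal allows editing the users directly.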
Azure AD Connect - Synchronization Service Installation fails
Hello everyone,
We have a problem installing Azure AD Connect on a Windows Server 2019. When installing the synchronization service an error occurs. This is a first-time installation on a brand new server (only AD DS, DNS and DHCP have been installed).
In the Azure AD Connect installation wizard we use the express settings. The AD DS Enterprise Admin credentials and Azure AD Global Admin credentials are correct. A service user account is successfully auto-generated during the installation.
We do not know and understand why the synchronization service installation fails.
Parts of the logs (translated from German) follow:
[14:06:53.576] [ 21] [INFO ] Starting Sync Engine installation
[14:06:57.425] [ 21] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service. Exception Data (Raw): System.Exception: Unable to install the Synchronization Service. Object reference not set to an instance of an object. Please see the event log for additional details. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.RemoveMembersFromLocalGroup(SecurityIdentifier groupSid, DirectoryEntry[] members)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.<>c__DisplayClass54_0.<RemoveFromLocalAdministratorsGroup>b__0()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)

AzureActiveDirectorySyncEngine Error: 906 : SynchronizationServiceSetupTask:InstallCore - Caught unexpected exception. Details System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
   at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
   at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.GetPrincipal(Boolean isDomainController, AccountManagementAdapter localAccountManagementAdapter, AccountManagementAdapter& domainAccountManagementAdapter)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.ResolveSid(Boolean isDomainController)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
AzureActiveDirectorySyncEngine Error: 906 : SyncServiceAccount:RemoveAccountRights - no SidString available
AzureActiveDirectorySyncEngine Information: 904 : SyncServiceAccount:RemoveFromLocalAdministratorsGroup:
AzureActiveDirectorySyncEngine Information: 904 : Starting: Removing the Sync Service account from the local Administrators group...
AzureActiveDirectorySyncEngine Error: 906 : Object reference not set to an instance of an object....
Please help.
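The trace above reads in order: PrincipalContext(ContextType, name) could not open an LDAP connection to the domain ("The LDAP server is unavailable"), so ResolveSid never produced a SID ("no SidString available"), and the cleanup that tries to remove the not-yet-resolved service account from the local Administrators group dereferences null. An added example (not from the post, and not Microsoft's tooling) of the checks to run on the install host before re-running the wizard; the domain name is a placeholder.

```powershell
# Added example, not from the post above. Run on the machine where the Azure AD
# Connect wizard is being executed (here a freshly built DC). Placeholder domain.
Import-Module ActiveDirectory
$domain = 'corp.example.com'

# Directory, DNS and Kerberos services must be up on the DC being contacted.
Get-Service NTDS, DNS, Netlogon, Kdc -ErrorAction SilentlyContinue |
    Select-Object Name, Status

# DC locator depends on the SRV records; if these do not resolve, nothing else will.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object QueryType -eq 'SRV' | Select-Object NameTarget, Port

# Locate a DC the way the wizard does and probe the ports it needs.
$dc = (Get-ADDomainController -Discover -DomainName $domain).HostName | Select-Object -First 1
foreach ($port in 88, 389, 636, 3268) {
    $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    '{0,-40} {1,5} {2}' -f $dc, $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'CLOSED' })
}

# Same .NET type and constructor as in the trace: this is the call that threw.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
try {
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
    "PrincipalContext connected to: $($ctx.ConnectedServer)"
} catch {
    Write-Warning "PrincipalContext failed: $($_.Exception.Message)"
}

# Secure channel of the install host (not applicable when the host is itself a DC).
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.DomainRole -lt 4) { Test-ComputerSecureChannel -Verbose }

# What the failed cleanup step was about to touch.
Get-LocalGroupMember -Group Administrators |
    Select-Object Name, ObjectClass, PrincipalSource
```

If the PrincipalContext call fails here too, the problem is the DC or DNS, not the wizard: on a DC that was promoted minutes earlier, let it finish its first replication and reboot, confirm that the server's own DNS client points at a working DNS server for the domain, and run dcdiag before starting Azure AD Connect again.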
Azure Active Directory Enterprise Application IdP SAML2 Single Sign Out
Hi, I'm using Azure AD as a third party Identity Provider for a SAML SSO enabled enterprise application. I have configured the application in AD as a non-gallery application and configured the SAML2 SSO properties. SSO login is working as expected, but SSO logout is not working correctly. Azure AD correctly logs out when requested and returns a SAML logout success response:
<samlp:LogoutResponse ID="123XXX" Version="2.0" IssueInstant="2019-09-02T10:09:51.778Z" Destination="xxx/saml2/logout" InResponseTo="123YYY" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/abcdef/</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
</samlp:LogoutResponse>
This logout SAML response is made as a GET request, but my service provider requires a POST request. There seems to be no option in the Azure AD admin interface to specify that the Logout URL is a POST, and when I upload the service provider metadata to configure the application's SSO SAML2 properties, although the metadata specifies the logout endpoint should be POST, Azure AD ignores this and still uses a GET request.
The SP metadata xml includes the following (specifying logout endpoint should be HTTP-POST):
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2020-05-31T15:00:00Z" cacheDuration="PT604800S" entityID="abcdef">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<snip/>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="xxx/saml2/logout" />
<snip/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
The Azure documentation doesn't specify if the LogoutResponse is sent as GET or POST, or indeed how to configure this:
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol#logoutresponse
Can the LogoutResponse be configured to use a POST request instead of a GET request?
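An added example (not from the post above, and not Azure AD's or the SP's code) of the SP side of the exchange described here. On HTTP-Redirect the SAMLResponse query parameter carries the message DEFLATE-compressed and Base64-encoded; on HTTP-POST the form field carries plain Base64. The example decodes either, parses with DTDs disabled, and applies the checks an SP must make on a LogoutResponse (Issuer, Destination, InResponseTo, StatusCode) using the values from the post. It does not verify the signature: on HTTP-Redirect that is a signature over the query string (SAMLResponse, RelayState, SigAlg), on HTTP-POST an XML signature, and it must be checked per binding before anything else.

```powershell
# Added example, not from the post above. Placeholders are those in the post
# (xxx/saml2/logout, https://sts.windows.net/abcdef/, IDs 123XXX/123YYY).

function ConvertTo-SamlRedirectParam {
    # Encode a message the way the HTTP-Redirect binding does (DEFLATE + Base64).
    # Used here only to build a sample; the IdP does this on its side.
    param([Parameter(Mandatory)][string]$Xml)
    $raw = [Text.Encoding]::UTF8.GetBytes($Xml)
    $ms  = New-Object IO.MemoryStream
    $ds  = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Compress, $true)
    $ds.Write($raw, 0, $raw.Length)
    $ds.Dispose()
    [Convert]::ToBase64String($ms.ToArray())
}

function ConvertFrom-SamlMessage {
    # Turn a SAMLResponse parameter from either binding into an XmlDocument.
    param(
        [Parameter(Mandatory)][string]$Encoded,
        [Parameter(Mandatory)][ValidateSet('HTTP-Redirect', 'HTTP-POST')][string]$Binding
    )
    $bytes = [Convert]::FromBase64String([Uri]::UnescapeDataString($Encoded))
    if ($Binding -eq 'HTTP-Redirect') {
        $in  = New-Object IO.MemoryStream(,$bytes)
        $ds  = New-Object IO.Compression.DeflateStream($in, [IO.Compression.CompressionMode]::Decompress)
        $sr  = New-Object IO.StreamReader($ds, [Text.Encoding]::UTF8)
        $xml = $sr.ReadToEnd()
        $sr.Dispose()
    } else {
        $xml = [Text.Encoding]::UTF8.GetString($bytes)
    }
    # No DTDs and no external resolver: attacker-supplied XML must not expand entities.
    $settings = New-Object Xml.XmlReaderSettings
    $settings.DtdProcessing = [Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver   = $null
    $reader = [Xml.XmlReader]::Create((New-Object IO.StringReader($xml)), $settings)
    $doc = New-Object Xml.XmlDocument
    $doc.Load($reader)
    $reader.Dispose()
    $doc
}

function Test-SamlLogoutResponse {
    # The checks an SP must make before treating the logout as completed.
    param(
        [Parameter(Mandatory)][xml]$Doc,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [Parameter(Mandatory)][string]$ExpectedDestination,
        [Parameter(Mandatory)][string]$ExpectedInResponseTo
    )
    $ns = New-Object Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $resp = $Doc.SelectSingleNode('/samlp:LogoutResponse', $ns)
    if (-not $resp) { throw 'Message is not a samlp:LogoutResponse' }

    $problems = @()
    $issuerNode = $resp.SelectSingleNode('saml:Issuer', $ns)
    $issuer = if ($issuerNode) { $issuerNode.InnerText } else { '' }
    if ($issuer -ne $ExpectedIssuer)                               { $problems += "Issuer '$issuer' is not the configured IdP" }
    if ($resp.GetAttribute('Destination')  -ne $ExpectedDestination)  { $problems += 'Destination is not our logout endpoint' }
    if ($resp.GetAttribute('InResponseTo') -ne $ExpectedInResponseTo) { $problems += 'InResponseTo matches no outstanding LogoutRequest' }
    $status = $resp.SelectSingleNode('samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value')
    if ($status -ne 'urn:oasis:names:tc:SAML:2.0:status:Success')   { $problems += "IdP returned status $status" }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems; Issuer = $issuer; Status = $status }
}

# Sample: the LogoutResponse from the post, delivered on each binding in turn.
$logoutResponseXml = @'
<samlp:LogoutResponse ID="123XXX" Version="2.0" IssueInstant="2019-09-02T10:09:51.778Z" Destination="xxx/saml2/logout" InResponseTo="123YYY" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/abcdef/</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
</samlp:LogoutResponse>
'@
$redirectParam = ConvertTo-SamlRedirectParam -Xml $logoutResponseXml                               # ?SAMLResponse=...
$postParam     = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($logoutResponseXml))   # form field SAMLResponse

foreach ($pair in @(@('HTTP-Redirect', $redirectParam), @('HTTP-POST', $postParam))) {
    $doc    = ConvertFrom-SamlMessage -Encoded $pair[1] -Binding $pair[0]
    $result = Test-SamlLogoutResponse -Doc $doc -ExpectedIssuer 'https://sts.windows.net/abcdef/' `
                  -ExpectedDestination 'xxx/saml2/logout' -ExpectedInResponseTo '123YYY'
    '{0,-13} valid={1} status={2}' -f $pair[0], $result.Valid, $result.Status
}
```

Accepting both bindings at the SP's SingleLogoutService endpoint is the pragmatic fix when the IdP's binding cannot be configured; what must not change between the two paths is the set of checks above, and in particular that InResponseTo is matched against a LogoutRequest the SP actually issued, otherwise an unsolicited GET can terminate or confuse a session.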
Trying to associate Office 365 Azure Active Directory with existing Azure account.
I'm trying to associate our Office 365 Azure Active Directory with our existing Azure account and all the documentation (https://docs.microsoft.com/en-us/graph/associate-account) I see online says that you have to select the Active Directory node, then select the Directory tab and, at the bottom of the screen, select New. But I can't find those options. First I don't see an "Active Directory" node, so I have been working with "Azure Active Directory" instead. Second, I can't find a Directory tab or a New button under "Azure Active Directory" menu. As I continue through the steps, I can find options that are similar, (ex: "Create a directory" instead of "Custom Create") but none get me to where the instructions say I should end up.
Box.com - BoxEdit - Conditional Access Azure AD Issue
A user signs in, loads their box drive and can see their files, open them in the browser etc., and all is good there. There is a button at the top where they can select "Open in Desktop" which opens a window to install "BoxEdit," to allow files to be opened in Office desktop applications. We install it, refresh, but it keeps prompting to install.
After lengthy support sessions with Box, it was determined that when the "Open in Desktop" link is clicked the address should resolve to "http://127.0.0.1:17223/status"
What is happening is it is resolving to "http://127.0.0.1.us3.cas.ms:17223/status?XHR1337MAGICvalueXHR=8ed3335cc2&McasUserAuth=casBFnByb2Q1LW5pcHR1Y2stMjAxODA3MDgF-joZ5IqXQHwJi4xCLQpiUYCKwgykyoPgNcHw1vuE6ndD7N5mk3lYzNlr2JvnGkgdMH5DaIhhUaOzqeHYwWJtesVjoWJsrMziUspSyTnqKwVNNHqE1qs0wAsc-NuyQgC-14PExot6mtqkc808-5PGKAAJdD5XFKEDdEtGe3j0wSq-4mUm-3kSAI76oTYxoxMtppUQFcayURAs0MMRtsSYNHUbsc613gymFcNiEzH4qBzqHduCpV4srwqMfrUjGZp9QMY2n-zI-CtcJfuKDP3icvORx4QWLAs886UmAS2D685TPz6M6kjdDej4R9WGq4o"
and BoxEdit sees an invalid link and prompts to install the software again. It is adding "us3.cas.ms", which looks like something Microsoft is adding to the address. Does anyone have any ideas as to why this is happening or how to fix it?
Facing an error configuring Azure Site recovery - VMware to Azure - Insufficient privileges to configure server identity in Active Directory
The long title says it all. I can't upload the screenshot, but I have downloaded the configuration server OVA file and have installed the server. The Azure Site Recovery tool starts up and wants me to sign in with an ID to register my server with Azure. I keep getting the error:
Configuring identity for server in Azure Active Directory
Insufficient privileges to complete the operation.
I have tried with many different forms of IDs. It doesn't seem to follow any set pattern. Can anyone tell me exactly WHAT role an ID requires to be able to create this identity in AAD? I have had no luck with our organization's ID. I don't want to ask for a global administrator account.
Any help would be great.
MFA for SharePoint Server 2019 in Azure VMs
Hello,
We have AAD sync to O365 (Azure) and MFA turned on in Azure AD. We would like to stand up a SharePoint 2019 server in an Azure VM; can we leverage the MFA with this setup? What are the steps?
Dheepa
Locking down a domain-joined device during employee termination
Does disabling a domain-joined device in Azure AD prevent login to that device?
The O365 support team confirmed that 'resetting password/signing out now' prevents a user from logging into a domain-joined device using their Office email and password.
However, neither they nor Windows support could confirm whether this also blocks the user from logging into the device using other credentials, i.e. Office email and PIN/fingerprint.
This query relates to Windows 10 and Office 365 Business Premium subscription.
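An added example (not from the post above) of the identity-side steps of an offboarding for a hybrid-joined device: block the user, revoke refresh tokens so existing sessions cannot renew, disable the devices registered to or owned by the user, and disable and re-key the on-premises account. The cmdlets are Microsoft's AzureAD and ActiveDirectory modules; the script around them is the added code, and the UPN is a placeholder. The caveat a practitioner wants here: none of these calls reaches into the device itself, so a logon that Windows can satisfy locally (a cached domain credential, or a Windows Hello PIN/fingerprint unlocking the device-bound key) still works while the device is offline; the next online sign-in is what fails.

```powershell
# Added example, not from the post above. Placeholder UPN; run as an Azure AD
# admin with device and user rights, and as a domain admin for the AD part.
Import-Module AzureAD
Import-Module ActiveDirectory
Connect-AzureAD

$upn  = 'leaver@example.com'
$user = Get-AzureADUser -ObjectId $upn

# 1. Block sign-in and invalidate refresh tokens (access tokens already issued
#    live until they expire; Conditional Access sign-in frequency bounds that).
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 2. Disable every device tied to the user so it cannot obtain new device or
#    PRT tokens; the set is de-duplicated because a device is often both.
$devices = @(Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true) +
           @(Get-AzureADUserOwnedDevice      -ObjectId $user.ObjectId -All $true) |
           Sort-Object ObjectId -Unique
foreach ($d in $devices) {
    Set-AzureADDevice -ObjectId $d.ObjectId -AccountEnabled $false
    '{0,-25} {1,-10} trust={2,-12} disabled' -f $d.DisplayName, $d.DeviceOSType, $d.DeviceTrustType
}

# 3. A hybrid-joined device authenticates against on-prem AD as well: disable
#    the account there and reset the password to a random value. A device that
#    is online fails its next logon; one kept offline can still use the cached
#    verifier for the old password until it next reaches a DC.
$ad = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
if ($ad) {
    Disable-ADAccount -Identity $ad
    $random = ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force
    Set-ADAccountPassword -Identity $ad -Reset -NewPassword $random
}

# 4. Report what was done, for the ticket.
[pscustomobject]@{
    User            = $upn
    CloudDisabled   = -not (Get-AzureADUser -ObjectId $user.ObjectId).AccountEnabled
    DevicesDisabled = @($devices).Count
    OnPremDisabled  = if ($ad) { -not (Get-ADUser -Identity $ad).Enabled } else { 'n/a' }
}
```

If the requirement is to lock the device itself rather than the identity, that is a device-management action (an MDM remote lock or wipe from Intune for an enrolled device), which is outside what Azure AD user and device objects can do.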