Channel: Azure Active Directory forum

Problems with enterprise state roaming.


Running an on-site domain, using AD Connect to sync devices to Azure. I have been following the guide https://docs.microsoft.com/en-au/azure/active-directory/devices/enterprise-state-roaming-enable and I've enabled device sync. I can see the device in question in my Azure AD devices as Hybrid Azure AD joined.



I have enabled my test user to allow sync.

However when I check sync settings on that machine with that user, I get an error about sync not being available on this account.

I have verified that the same account is listed under Email & App Accounts.

I have also assigned a license in Azure AD "Enterprise Mobility + Security E3"

Not sure what else to check?  Any suggestions?



Azure AD Provisioning Group sync does not send objectId as GET/objectId or PATCH/objectId in request


Hello everyone,

I am using Azure AD to provision Users/Groups with my SCIM-enabled application using a non-gallery app. I am able to configure the application properly and am receiving the required requests which Azure AD sends for Users and Groups.

But the problem is with Group requests. For Group requests, Azure AD always sends GET/<displayName> (same case for PATCH). However, I need GET/PATCH/DELETE requests with <objectId> instead of <displayName>. Consider the example below:

For example, if I have the following group info in my Azure AD account:

Group name : Group1
Object Id : abc-123-def-456

Current GET request for groups is : GET/Group1
Required request : GET/abc-123-def-456
(same case for PATCH/DELETE)

I am new to Azure AD so I might be missing something. Can anyone suggest what configuration changes are required to achieve the above scenario?

Thanks & Regards

Mohit Shah



Sync failure about AD contact list - I couldn't find updated contact info


Hello,

I have tried to import a global address list (contact lists) to our on-premises AD, then sync them to O365 Azure AD.
Here is my scenario:

  1. We have already created some OU-group for AD contact objects and synced them to O365.
  2. Some members of the contact list are updated, so we need to update the data.
    Of course we have new members to be added, resigning members to be deleted, and members that don't need to be changed.
  3. Import the contact list (which includes name, email address, company, department info).
  4. It seems some contact objects successfully synced because they are brand-new contacts.
  5. However, other contact objects didn't sync (maybe the same aliases already exist).
    There is no sync error message in Azure AD Connect Health.

If you have some idea to solve this, please share it with me.

Thank you.


Dynamically populate Azure/Office 365 Groups from existing Distribution Groups - NO conversion


So I have a dilemma here. I need to create about 862 Office 365 groups, but I do not want to convert the existing distribution groups. Dynamic Groups are only achievable inside Azure Active Directory or PowerShell. I would like to replicate all groups as Office 365 for the purpose of Teams. The trick here is I do not want to have to edit two sets of groups.

So is there a way to query a Distribution Group list of members into an Office 365 Group? 



Log in to custom domain with having to create a new user profile.


Hola, everyone.

Currently, using default "onmicrosoft.com" domain in our Azure AD. Recently, we created a new custom domain. My question is:

- Do I need to disconnect each laptop connected to "onmicrosoft.com" and join them to the new custom domain? 

- If no need to disconnect, will it be possible to log in to the custom domain without having to create a new user profile?

It's more of just the custom domain not detecting a new log in and just using the cache of "onmicrosoft.com" or just creating an alias? Is this doable? 

thumbnailPhoto is too big


Hello,

I'm using Azure AD Sync to keep my on-premises AD in sync with Azure. I keep getting the following error:

Unable to update this object in Azure Active Directory, because the attribute
[extension_ebad079fee3145b286669fc781788c1b_thumbnailPhoto], in the local Directory
exceeds the maximum allowed length. If you want to update, reduce the length in the
local directory services, and then try again

I tried to clear the attribute locally via ADSI (I assume it is the thumbnailPhoto attribute in the user's AD profile), and also to replace it with another image, but I keep getting the same error. Do you have any idea, please?

Thanks,
Luca

Newly created Azure AD - AADDC Computer container missing all devices

I have recently created a new Azure VM and added in the Azure AD services, the AADDC Users container has populated but the AADDC Computer container only has the DC VM in it.  Where are all of my joined machines - I can see them in Intune.

Via a service management system, automatic user creation in the Azure AD via an interface.


Hello, everybody,

I am in charge of a Service Management System (SMS). Now I want to automatically manage users in the Azure AD via the SMS (create user, authorization, etc.).

What does the API look like? 
How can I generate the API Key?
Do you have any other tips or links for me?

Thank you very much


Active directory integrate with Azure AD


Hi there, 

I read through the article on "docs.microsoft.com" (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad). The article explains the process in detail, and my question is whether step 4 is a "MUST HAVE" or not:

...

Azure AD Connect sync server. An on-premises computer that runs the Azure AD Connect sync service. This service synchronizes information held in the on-premises Active Directory to Azure AD. For example, if you provision or deprovision groups and users on-premises, these changes propagate to Azure AD.

...

WILL


Hi there, if you found my comment very helpful then please | Propose as answer | . Thanks and Regards.

Degreed Integration with Azure b2c


Dear All, 

We are trying to integrate the Degreed application with Azure B2C tenant users. The link below explains how to integrate Degreed with Azure AD (as an enterprise application): https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/degreed-tutorial

However, we want all our Azure B2C tenant users to be able to seamlessly access the Degreed application through single sign-on.

If anybody has implemented the same or has expertise, please let us know how we can do this.

Thanks,

Selva

 

 


Passwordless log in problem with Yubikey (wrong length of UserHandle)


Hi, 

 

I tried to use Yubikey to log in following this documentation (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key#user-registration-and-management-of-fido2-security-keys)

The link to enable the security key doesn't work. https://myprofile.microsoft.com

I got these errors: 

If the user is not logged in:

"User account does not exist in tenant 'Microsoft Services' and cannot access the application '8c59ead7-d703-4a27-9e55-c96a0054c8d2'(My Profile) in that tenant. "

If the user is already logged in:

"Oops, seems  like the organization you tried signing into hasn't activated the new profile experience at this time. Please contact your admin for more information."

Then I figured to register Yubikey with this link https://account.live.com/proofs/Manage/additional

But I can successfully log in with the Yubikey if I put in the username, while it fails to log in when no username is given. When no username is given and the Yubikey is plugged in, the browser pops up to ask me to choose a user. Then I get the following error: "Length of userhandle not correct. "

So, my questions are: 

1. What is the New Profile? How should I activate it?

2. Why does the login work with the username put in but not without the username, even though we can choose the user?

I noticed the documentation is being updated constantly these days. Can someone help me to answer this? Thank you so much.

Best wishes,

Zoe

Azure Windows 10 Account Notification


Hi All,

I am trying to enroll Windows 10 devices using the Co-Management feature from SCCM. I added them to the SCCM collection and everything seems fine, but during enrollment I get the below notification, which is delaying the enrollment into the Intune console.

Only after fixing the error on the user's PC does it get enrolled. Out of 10 users, at least 5 users are affected by the below notification. Please advise if this is something related to Azure/ADFS authentication or if there is anything I can do, please.


Regards, Pratap



App registrations - Azure AD x Azure AD B2C

Is it possible to grant permissions on an Azure AD B2C Web Api to a Web App on normal Azure AD?

WHFB for Azure joined PC and access to on-premises fileshares


Hello,

I have WHFB configured and it works perfectly with AD joined PCs, but on Azure joined PCs, I cannot open fileshares with Hello (with password it works fine). The error -

"the system cannot contact a domain controller to service the authentication request"

The domain and domain controller are pingable.

Any ideas?

Thanks, Dan



unable to create sql registry resource


I keep getting an error that the name is in use when trying to create a SQL registry resource.  It doesn't matter what I put for the name.

Sam


SB

Azure SCIM Sync - why does Group Membership sync perform PATCH calls per member instead of one PATCH call for multiple members?


Azure SCIM 2.0 Sync question.

- why does Group Membership sync perform PATCH calls per member instead of one PATCH call for multiple members?

Description:

- we deployed the Azure SCIM app.
- we added a Group in AD and then associated, say, 50 members with the group.
- then we go to the SCIM app, and then trigger a sync.
- we found that our SCIM 2.0 implementation received 50 individual PATCH calls that each add one member to the same group.

Issue:

- this behaviour is very under-performing as it's hammering services, especially if we were to sync an even larger group

Is there something that can be done to sync optimally from Azure AD (via SCIM)?

MSAL 3x : AcquireTokenByUsernamePassword not working as documented : Microsoft.Identity.Client.MsalServiceException


Hi 

WPF, VS2017, MSAL 3x version.

I am trying a sample to test the function AcquireTokenByUsernamePassword(). Following is the code example. I am getting the error:

Error Acquiring Token:
Microsoft.Identity.Client.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

        private async void MSALUsingScopeUserNamePasswordVersion3_Click(object sender, RoutedEventArgs e)
        {
            string[] scopes = new string[] { "<ResourceID XXXXXX>/user_impersonation" };
            string targetAPIUrl = string.Format("https://xxxxxxxxx.azurewebsites.net/api/TestFunction1");

            string ClientId = "3c278a32-0202-111c-8b03-xxxxxxxxxx";   
            string Tenant = "xxxxxx-7665-xxxx-8ce2-xxxxxxxxxxxx";


            IPublicClientApplication _clientApp;
            AuthenticationResult authResult = null;

            _clientApp = PublicClientApplicationBuilder.Create(ClientId)
               .WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
               .Build();

            try
            {
                var securePassword = new SecureString();
                foreach (char c in "RealPassword123")        // you should fetch the password
                    securePassword.AppendChar(c);  // keystroke by keystroke

                authResult = await _clientApp.AcquireTokenByUsernamePassword(scopes, "ADUser@CompanyName.com", securePassword)
                    .ExecuteAsync();

                outputBox.Text = await GetHttpContentWithToken(targetAPIUrl, authResult.AccessToken);
            }
            catch (MsalException msalex)
            {
                outputBox.Text = $"Error Acquiring Token:{System.Environment.NewLine}{msalex}";
            }
        }

Please advise.

Regards

More Granular Controls when creating custom roles in AD - Azure Portal


Hey All,

So we are looking to extend Azure Portal access. However, when looking at the custom roles and the permissions available to create a rule, it looks like for the most part everything is bundled together. Is it possible to add custom permissions? For example, if we wanted someone to have the ability to restart an app/site, restart a VM, view the status of an app/site, and/or update SSL certificates, can the console be used to script the role, and if so, what would they be?

If it's not possible to set this level of permissions, I believe this would be a massively beneficial addition to the service.

Thanks in advance - Cal

AAD - AuthenticationContext AcquireTokenAsync


Hi there,

When I attempt to log in to AAD by using the API "AuthenticationContext AcquireTokenAsync", I always run into the following problem:

"

An unexpected error occurred.
Message: One or more errors occurred.
Inner Exception : AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
Trace ID: 513c12d4-ed0d-490b-acd1-6a44db091100
Correlation ID: af41a573-65a5-40b7-b556-059279bd3d87
Timestamp: 2019-09-18 03:38:27Z

"

I use the following API and method to get back a result.

"authenticationResult = authContext.AcquireTokenAsync(resourceHostUri, clientId, uc).Result;" [uc is UserCredential]

My question is where the "resourceHostUri" is and where the information comes from?

Thanks

WILL


Hi there, if you found my comment very helpful then please | Propose as answer | . Thanks and Regards.

