Channel: Azure Active Directory forum

Organization issue in our Tenant Azure

Hello ,

I need your recommendations and advice.

I manage our Azure and only administrators have rights to the portal. I recently got a request from a user to create an Azure account for him in the portal so he can create new resources and VMs. Is it recommended to give users rights in our portal, even read rights?

Regards


Error code 700003 Your organization has deleted this device Office 365

Hi!

I have a really annoying problem. When trying to sign in to my university account in Word or Excel (Office 365) I get the error code 700003 stating that "Your organization has deleted this device". Everything works online, but when opening Word or Excel on the desktop, I can't sign in. Everything looks OK from the university's side and the IT support couldn't help me. I've tried everything (I think). Does anyone know how to solve this? I didn't use my computer during June-July and everything was working before that. In August when I returned I had this problem.

Azure B2C - SAML Implementation

Hi All,

We have applications using the SAML 2.0 open standard for authentication.

We want to integrate those applications with Azure AD B2C.

Can you please help me with how to do the implementation?

Selvakumar Rathinam

Need help in generating alerts whenever there is role assignment

Hi,

I am looking for an alert rule which will trigger whenever there is any role assignment in my environment, e.g. if somebody assigns the Global Admin role, I should receive an alert with the details.

JUST FYI:

I have tried to create one with the monitoring alerts. I am receiving email, but there is no indication of the reason behind that email, e.g. it does not show that somebody has assigned the GA role or anything.

I was unable to find an alert rule in PIM as well. If you are suggesting any answer, I kindly request you to share which rule to select, as my requirement is simple: I need an alert via email whenever there is any role assignment in my tenant, with some description.
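Added example (not from the post or from Microsoft): a Log Analytics query over the Azure AD AuditLogs table that returns each directory role assignment with the actor, the assigned account and the role name, so it can be used as the condition of an Azure Monitor log alert rule and the email then carries those details. It assumes Azure AD diagnostic settings already stream AuditLogs to a Log Analytics workspace; the column and property names are the standard AuditLogs schema.

```kusto
// Directory role assignments (including the PIM variants) from the Azure AD audit log.
// Assumes AuditLogs is streamed to this workspace via Azure AD diagnostic settings.
AuditLogs
| where Category == "RoleManagement"
| where OperationName has "member to role"       // "Add member to role", "Add eligible member to role", ...
| where Result == "success"
// Who performed the assignment: an interactive user, or an app/service principal.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
// TargetResources holds the account that received the role; its modifiedProperties
// carry the role name under displayName == "Role.DisplayName".
| mv-expand Target = TargetResources
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend Role = trim('"', tostring(Prop.newValue))   // newValue is a JSON-quoted string
| project TimeGenerated, OperationName, Actor,
          AssignedTo = tostring(Target.userPrincipalName), Role, CorrelationId
// To alert only on highly privileged roles, append e.g.:
// | where Role in ("Global Administrator", "Privileged Role Administrator")
```

Saved as a custom log search alert with a threshold of greater than 0 results, the projected columns appear in the alert's search results link and email payload.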


AZURE AD APP PROXY + AZURE DOMAIN SERVICES (Kerberos Based application)

Hello,

We have an application which is doing Kerberos authentication. After going through Azure Domain Services I learned that Kerberos-based authentication is supported via AD DS with Azure AD.

Does Azure App Proxy support Kerberos-based authentication with Azure Domain Services, or can it be integrated with any on-premises application as well?

Few queries here:

Q1. For Kerberos-based application support, do we need to use all 3 services, i.e. Azure Domain Services + Azure App Proxy [Kerberos constrained delegation (KCD)]?

Q2. Is Kerberos-based authentication supported with Azure App Proxy (KCD) alone, without the need to deploy Azure Domain Services?

Q3. Will Kerberos-based authentication in Azure Domain Services work inside Azure VMs that are domain-joined to AD DS, or can it work over the internet with the help of Azure App Proxy?

We need to make this application accessible for External and partner users.

Not Getting Custom Field in SCIM Post Request

We have created one custom field called "tags" in the SCIM mapping. But when we create a user, the POST request doesn't contain the "tags" field. The same field gets updated when the next PATCH call happens during an update. Here is the mapping for the "tags" field:

Expression: Join(":", [jobTitle], [department])
Target attribute: tags
Apply this mapping: Always

Also pasting the request body for reference. Please check and let us know why the "tags" field is not coming as part of the POST request. "tags" is part of the schema "urn:ietf:params:scim:schemas:core:2.0:User".

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "externalId": "new.scim.user5",
    "userName": "new.scim.user5",
    "active": true,
    "displayName": "new.scim.user5 DN",
    "emails": [{
        "primary": true,
        "type": "work",
        "value": "new.scim.user5@BlueJeansNetwork.onmicrosoft.com"
    }],
    "meta": {
        "resourceType": "User"
    },
    "name": {
        "formatted": "new.scim.user5 FN new.scim.user5 LN",
        "familyName": "new.scim.user5 LN",
        "givenName": "new.scim.user5 FN"
    },
    "roles": [],
    "title": "QA Lead",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "Q&A Engineering"
    }
}

Azure AD Provisioning Group sync does not send objectId as GET/objectId or PATCH/objectId in request

Hello everyone,

I am using Azure AD to provision users/groups to my SCIM-enabled application using a non-gallery app. I am able to configure the application properly and I am receiving the required requests which Azure AD sends for users and groups.

But the problem is with group requests. For group requests, Azure AD always sends GET/<displayName> (same for PATCH). However, I need GET/PATCH/DELETE requests with <objectId> instead of <displayName>. Consider the example below:

For example, if I am having following group info in my Azure AD account:

Group name : Group1
Object Id : abc-123-def-456

Current GET request for groups is : GET/Group1
Required request : GET/abc-123-def-456
(same case for PATCH/DELETE)

I am new to Azure AD, so I might be missing something. Can anyone suggest what configuration changes are required to achieve the above scenario?

Thanks & Regards

Mohit Shah



Azure active directory unable to verify domain

Hello,

I followed the steps exactly as specified in the Azure documentation to add a new custom domain, gas-ad.com. Even though I added the @ TXT entry in DNS (managed at Amazon DNS/Route 53) and waited for many hours, the domain is not verifying.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

I am able to verify the @ TXT record for gas-ad.com with third-party DNS lookup tools online, and it seems to be fine.

https://dnslookup.online/txt.html


Thanks in advance for your help!

Biju


Azure AD Connect in forest with restricted child domains

Hi,

I am working on an Azure AD Connect implementation for my customer.

The AD forest contains three child domains and I would like to add only one of them to AADC. The other two domains are in a special restricted area and are not reachable from the AADC servers.

The problem is that the installation wizard of AADC would like to go through all child domains in the forest and would like to configure the forest service account in all domains. The two restricted domains are not available, and instead of simply ignoring these domains, the installation fails and I cannot add the domain which is available and which I want to use.

Is there any solution for ignoring the unavailable child domains? I don't think it is a good option to open the firewall, even if it were only required during installation. This is forbidden.

I don't understand why it is not possible to set up only one single domain (not the forest) in the AADC installation. It would make the whole setup much easier.

Thanks for any response!

Have a nice day!

Gabor


Associate Office 365 Active Directory on Azure trial instance

Hello Team

Problem

I have a Dynamics 365 setup with an Office 365 subscription (trial) on abc@mytrialinstance.onmicrosoft.com

I also have an Azure trial setup on arafat@myotherdomain.com

In order to utilize the Data Export Service (which brings data to the Azure SQL Database), I need to establish a trust / association between Office 365 Active Directory and Azure Active Directory (in short, I should use Active Directory of Office 365 as per the official docs) 

Issue

I am not able to find out any way to associate my Office 365 Active Directory in Azure because there's already one Active Directory available. If I click on Switch or Change, it just gives me a message that you don't have any other active directory available. 

Please note that I also tried to add my abc@mytrialinstance.onmicrosoft.com account to my Azure subscription as Co-Administrator but it doesn't do any good (like it does not show anything even if I switch directory from my office 365 account). 

Question

Can I achieve what I am trying to do with the current setup? Am I doing something wrong or am I missing something? Please enlighten me with your expert opinion.

Thanks!

Unable to create NS (Name Server) record within DNS for Azure AD DS PaaS service

Hi,

Within DNS Manager connected to our Azure AD DS PaaS DCs it seems I am unable to create NS records.

NS records for the 2 Microsoft-managed Domain Controllers appear as expected, but I am unable to add new ones to a new DNS subdomain of the parent. The new name server records are required to solve the problem of locking down external access for AKS via our 3rd-party firewall (CheckPoint CloudGuard). Is this inability to add NS records a bug or by design?

Thanks

Zulf

Cookies not clearing on sign out

Hi,

I'm using this code to sign out of my ASP.NET website.

using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

// SignOut action on the AccountController (usings added for completeness).
public void SignOut()
{
    string callbackUrl = Url.Action("SignOutCallback", "Account", routeValues: null, protocol: Request.Url.Scheme);
    HttpContext.GetOwinContext().Authentication.SignOut(
        new AuthenticationProperties { RedirectUri = callbackUrl },
        OpenIdConnectAuthenticationDefaults.AuthenticationType,
        CookieAuthenticationDefaults.AuthenticationType);
}

It is running in an Azure App Service/App Registration using the AD from my Azure domain to authenticate the user.

The entire project is based on the template provided in Visual Studio 2019 when you select New Project/ASP.NET Web Application, select Work or School Accounts and Cloud - Single Organisation for authentication, and select my domain from my Azure account.

The problem is that when you select Sign Out on my web page, this code runs and you see the Microsoft page logging the user out, but when I browse back to my website I am still logged in. It doesn't seem to clear the cookie from the browser.

Thanks in advance for the help. 

How to migrate a registered app from personal account to subscribed directory

I needed to start an Azure subscription so that I could get technical support, which resulted in an unexpected outcome: the application I had registered prior to subscribing is now listed under "Applications from personal account" and there appears to be no way to move it into the directory created by subscribing to Azure. How do I transfer the registered app from the "personal" account into this directory?

Adding VM domain controllers to Azure Domain

I would like to create the following setup and would like some guidance.

Azure AD

VM in Azure that is a DC

On Premise Server that is also a DC

All working together with Azure being the primary source.

Do I need to have two separate forests and use the Azure Connect tool even on the VM in Azure?

Or can I join the servers to the Azure Domain and then promote them to Domain Controllers?
When I try to do that I get a message saying that the credentials (for the global admin) don't let me.

Direct federation and Okta

Passwordless log in problem with Yubikey (wrong length of UserHandle)

Hi,

I tried to use Yubikey to log in following this documentation (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key#user-registration-and-management-of-fido2-security-keys)

The link to enable the security key doesn't work. https://myprofile.microsoft.com

I got these errors: 

If the user is not logged in:

"User account does not exist in tenant 'Microsoft Services' and cannot access the application '8c59ead7-d703-4a27-9e55-c96a0054c8d2'(My Profile) in that tenant. "

If user already logged in:

"Oops, seems  like the organization you tried signing into hasn't activated the new profile experience at this time. Please contact your admin for more information."

Then I figured to register Yubikey with this link https://account.live.com/proofs/Manage/additional

But I can successfully log in with the Yubikey if I put in the username, while I fail to log in when no username is given. Although when no username is given and the Yubikey is plugged in, the browser pops up to ask me to choose a user. Then I got the following error: "Length of userhandle not correct."

So, my questions are: 

1. What is the New Profile? How should I activate it?

2. Why does the login work with the username put in, but not without the username, even though we can choose the user?

I noticed the documentation is being updated constantly these days. Can someone help me to answer this? Thank you so much.

Best wishes,

Zoe

Problems with enterprise state roaming.

Running an on-site domain, using AD Connect to sync devices to Azure. I have been following the guide https://docs.microsoft.com/en-au/azure/active-directory/devices/enterprise-state-roaming-enable and I've enabled device sync; I can see the device in question in my Azure AD devices as Hybrid Azure AD joined.

I have enabled my test user to allow sync.

However when I check sync settings on that machine with that user, I get an error about sync not being available on this account.

I have verified that the same account is listed under Email & App Accounts.

I have also assigned a license in Azure AD, "Enterprise Mobility + Security E3".

Not sure what else to check?  Any suggestions?


Issues running Azure Active Directory Password Protection. Register-AzureADPasswordProtectionProxy: CertUtilCreateCertificateSigningRequest failed with hr=2147942405

10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy: Validating Azure auth token
10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy:   Token tid claim matches discovery data tenantid
10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy:   Token upn claim matches accountUpn
10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy: Finished validating Azure auth token
10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy: Creating a new proxy certificate CSR
10:11:03.010 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy: Restoring original trace id
10:11:03.010 - INFO - 00000000-0000-0000-0000-000000000000 - RegisterProxy: RegisterProxy.ExecuteInternal ending
10:11:03.010 - ERR  - 00000000-0000-0000-0000-000000000000 - RegisterProxy: ExecuteInternal threw an exception:
10:11:03.010 - ERR  - 00000000-0000-0000-0000-000000000000 - RegisterProxy: System.Exception: CertUtilCreateCertificateSigningRequest() failed with hr=2147942405
   at ServiceCommon.Utility.ServiceCommonHelperInterop.CreateCertificateSigningRequest(CERTUTIL_CERTREQUEST_ARGS& selfSignedCertArgs, IntPtr& pCSR, UInt32& cbCSR, IntPtr& pCSRHandle)
   at ServiceCommon.Utility.ProxyCertificate.CreateProxyCertificateCSR(IntPtr& pCSRHandle)
   at Microsoft.AzureADPasswordProtection.Powershell.Commands.RegisterProxy.ExecuteInternal()
   at Microsoft.AzureADPasswordProtection.Powershell.CmdletBase.ExecuteActualBusinessLogic()
10:11:03.025 - INFO - 00000000-0000-0000-0000-000000000000 - RegisterProxy: Uninitializing logging
