Channel: Azure Active Directory forum
Viewing all 16000 articles
Browse latest View live

Log in to custom domain without having to create a new user profile.

Hello, everyone.

Currently, we are using the default "onmicrosoft.com" domain in our Azure AD. Recently, we created a new custom domain. My question is:

- Do I need to disconnect each laptop connected to "onmicrosoft.com" and join them to the new custom domain? 

- If there is no need to disconnect, will it be possible to log in to the custom domain without having to create a new user profile? 

It's more a matter of the custom domain not detecting a new login and just using the cache of "onmicrosoft.com", or just creating an alias? Is this doable? 


Azure (hybrid) join - networking center shows network as public

We have devices that are Azure joined and hybrid joined. Both types show the local network as "Public".

The on-prem joined devices show as domain joined (as expected).
We also have Windows Hello for Business hybrid, and some ports are only open for domain. So that gives problems with specific services.

We can't override this setting except in the registry, for example, but after a reboot that setting is gone. And that's not really a good way either.

Any ideas how we can solve this?

Thanks.

Can't connect to Azure SQL with MF using Microsoft Access and OLEDB and/or ODBC

Our client has asked us to develop a Microsoft Access solution with Azure SQL that has MF and Azure Directory integration. We can log in just fine using SSMS, but when we try to connect with Microsoft Access using OLE DB driver 18.2.2 and ODBC for SQL Server 17.4 it will not work.

Do the latest OLE DB or ODBC drivers support Azure active directory with Multi Factor Authentication? If they do that would point us towards a solution, otherwise we would need to figure out another way of doing it.


Founder AccessExperts.net Blog: AccessExperts.net/blog

Issues running Azure Active Directory Password Protection. Register-AzureADPasswordProtectionProxy CertUtilCreateCertificateSigningRequest failed with hr=2147942405

10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy: Validating Azure auth token
10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy:   Token tid claim matches discovery data tenantid
10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy:   Token upn claim matches accountUpn
10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy: Finished validating Azure auth token
10:11:01.650 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy: Creating a new proxy certificate CSR
10:11:03.010 - INFO - 15b82440-69d2-48cf-be5d-d71f33a3fe76 - RegisterProxy: Restoring original trace id
10:11:03.010 - INFO - 00000000-0000-0000-0000-000000000000 - RegisterProxy: RegisterProxy.ExecuteInternal ending
10:11:03.010 - ERR  - 00000000-0000-0000-0000-000000000000 - RegisterProxy: ExecuteInternal threw an exception:
10:11:03.010 - ERR  - 00000000-0000-0000-0000-000000000000 - RegisterProxy: System.Exception: CertUtilCreateCertificateSigningRequest() failed with hr=2147942405
   at ServiceCommon.Utility.ServiceCommonHelperInterop.CreateCertificateSigningRequest(CERTUTIL_CERTREQUEST_ARGS& selfSignedCertArgs, IntPtr& pCSR, UInt32& cbCSR, IntPtr& pCSRHandle)
   at ServiceCommon.Utility.ProxyCertificate.CreateProxyCertificateCSR(IntPtr& pCSRHandle)
   at Microsoft.AzureADPasswordProtection.Powershell.Commands.RegisterProxy.ExecuteInternal()
   at Microsoft.AzureADPasswordProtection.Powershell.CmdletBase.ExecuteActualBusinessLogic()
10:11:03.025 - INFO - 00000000-0000-0000-0000-000000000000 - RegisterProxy: Uninitializing logging

Azure AD Single Sign-on: Passing parameters from client to Azure for lookup or transformation within a claim / response

Background: 

I'm assessing functionality between PingFederate and Azure AD. We currently use PingFederate. As a need, some of our clients use a 'Reference ID Adapter' (https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html) as a means to provide PingFederate with information that it can then use to customize claims. The customization could be as simple as a transformation, or a lookup against Active Directory for additional information.

Example: imagine an application that's used to grant users access to file containers. How this is determined is based on a claim that's returned within a SAML response. A user is a member of a group in AD which corresponds to this location (a very easy lookup). Let's say this user is a member of many groups, which in turn correspond to many containers on the site. You can easily filter the groups and submit a claim for each, but the user only wants to be granted access to a single one of the containers of their choosing. Without the user being able to pre-select what gets sent in the claim, there's no way to limit this access to a single container. How we accomplished this was to perform a first mile / last mile approach. The user would be authenticated, and a claim sent to a 3rd party, trusted site, that displayed all the user's pertinent groups (or possible containers). The user would then select a single container, which initiates another SSO, but also sends this group name to PingFederate to include within a claim. The result is that the final claim to the application will only contain 1 group, instead of all that meet the filter criteria. For those familiar with AWS, how would you authenticate to a single app?

Question:

Does Azure AD provide similar functionality where a client can send parameters during the SSO process that can then be acted on for claim creation?  This can be either within the initiation URL, or behind the scenes with a possible Graph call.  Links to documentation detailing this would be much appreciated (I'm not having luck on my own).

Thanks!

Multi-Tenant Azure AD B2C

I'm looking at the preview of Azure B2C, wondering if it could be used for a single application being designed for multiple tenants.

Each tenant (restaurant in our case), would want their own consumers to register and log in.

From what I see so far in the examples, B2C is only designed for an application that supports a single tenant, with consumers for that single tenant.

Can you clarify whether or not B2C can be used for multi-tenant applications, or are there any plans to support that?

Simple API help

Is it possible for someone to walk me through getting Microsoft Azure API to work?

I want a complete beginner's walkthrough. I am not a programmer. Two days ago I did not know what an API really even was, and it took me 5 minutes to set up the Google API and get it working from a web browser and an app. Microsoft Graph seems impossible to get to work outside Graph Explorer, and even then it won't actually work for the query I want.

All I want to do is get a OneDrive personal file embed link through an API call. That's it.

1. Is that possible to do with an Office365 Personal subscription and a free Azure Trial account?

2. How?

Process Escrow Failure when trying to Provision user to Salesforce App

Hello,

I am trying to set up provisioning with the gallery application Salesforce.

I receive a failure with the accounts I am trying to provision. The failure is Process Escrow. Details below:

Status Reason:
We are retrying an operation that previously failed. Identifier: username@comany.com Object type: User Directory: Azure Active Directory; Error: An error occured while evaluating this function: 'Replace.'. This operation was retried 1 times. It will be retried again after this date: 2019-09-21T01:08:14.2481484Z UTC

Details:

EscrowType: Default; EntryType: User; EntryIdentifier: 5a389607-30bc-4c94-9fff-8b74b9bba21d; Matching value: username@comany.com; Modification: Add; Creation time: 2019-09-20T19:08:14.2481484Z; Count processed: 1; Origin: Source; Fault: ErrorCode: MappingEvaluationFailed, ErrorSource: None, ExceptionMessage: An error occured while evaluating this function: 'Replace.', Exception: , Scope: Entry, TenantActionable: True, Transient: False;
ErrorCode: MappingEvaluationFailed
EventName: EntryEscrowRetry
JoiningProperty: username@comany.com


Azure B2C Blazor and how to handle different events in the custom application after signup with Azure B2C

Hello,

I need some guidance on how to go about having Azure B2C redirect to a custom URL in my Blazor application so I can do additional processing, i.e. creating a newly signed-up user in my custom repository.

Thanks

AIP Scanner - error acquiring token

Hello,

Has anyone solved the issue where you get:

"Set-AIPAuthentication : Unable to authenticate and setup Microsoft Azure Information Protection At line:1 char:1 ..."

when trying to get the security token using the parameters -webAppId -webAppKey -nativeAppId for AIPScanner?

I am using a demo tenant (m365xxx.onmicrosoft.com) and a test domain (testdomain.local).

The two apps have been created in AAD following the documentation.

My local AIP service account is synced via ADConnect and has local logon rights to my AIPScanner server.

I am running Set-AIPAuthentication with PowerShell running as my service account.

If I run *just* the Set-AIPAuthentication cmdlet, I am asked to provide credentials (service account), and I get a token.

If I run with *any ONE parameter* it seems to work.

If I run with *any TWO parameters* it seems to work.

If I run with *all THREE* parameters, I get the error.

I noticed someone else has a similar posting, with no resolution. Has anyone found the explanation for this error?

Thanks!

Insufficient privileges to complete the operation - using azure image builder

I am following the steps listed in the following link:

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/image-builder-gallery

I have already registered the Azure Image Builder provider for my subscription:

az provider show -n Microsoft.VirtualMachineImages | grep registrationState

  "registrationState": "Registered",

 az provider show -n Microsoft.Storage | grep registrationState

  "registrationState": "Registered",

Now when I try the step where I give Azure Image Builder permission to create resources in the resource group, I get:

Insufficient privileges to complete the operation.

Trying to download our customer data from azure servers.

Hello everyone,

I am trying to download our customer data from our Azure servers. I am a non-technical person, so it's a little confusing to figure out the right way to do it. Any advice would be really helpful. Thanks in advance.

How to ldap host of Active Directory

I have created an Active Directory server. How can I get the host/public IP with which I can access LDAP? I need something like ldap://ip_of_AD_server:389. I am not finding how to get ip_of_AD_server.

Cannot use IDN as callback URI for OAuth2

I'm trying out Azure AD, to allow users to authenticate with their Microsoft account on my website. OAuth2 works fine when the redirect URI is http://localhost:8080/callback, but it fails when I try to enter the "real" IDN URI (https://södermalmsskolan.com/callback) in the portal, saying that the URI is invalid. I have also tried entering the punycode version (https://xn--sdermalmsskolan-8sb.com) but without any success. Am I doing something wrong?

Azure AD syncing with O365

Hello AD Gurus.

Looking for some help here.

I am extremely new to Azure and its Domain environment but I'm trying to learn.

We have a fully functional Azure Active Directory setup. PCs are joined to the domain, and logging in with AD creds works as expected.

The issue I've noticed today is that our Office 365 account is not syncing with our Azure AD. We have to reset passwords in O365 to get users to log in. 

We do NOT have an on-prem DC, purely a cloud setup, and all walkthroughs I am finding seem to be based on Azure AD Connect and a local domain to sync to. I can't seem to find any documentation on a pure cloud setup. 

So my question is...

#1 Is it possible to sync Azure AD and O365 with a purely cloud setup?

#2 If so, can you point me to documentation showing how one would set up the sync?


Joining a co-located server with AAD DS

Reading through all the different documentation and various forums, I am getting confusing/conflicting answers as to whether or not I can have a VM running in an external datacenter (i.e. HostWay), and have my VMs in that data center join Azure Active Directory Domain Services without installing an AD controller within the datacenter.

To be more specific:

I have put physical hardware in an off-site location.

I have 3 VMs on that physical server that I want to join to our AAD DS (using Windows 2019 or 2016).

Can I do this without creating a 4th VM that serves as an on-prem Active Directory DC?

I just want users to be able to log into the VMs and use the services using their Azure credentials, and if I can avoid creating a DC, that would be ideal.

If it is possible, can someone point me to a step by step process for configuring Azure and the VMs to make this happen?

Azure AD Connect not synchronising Security Groups

The first synchronisation added the existing security groups; however, subsequently added new groups are not being added to Azure AD.

Anyone have any clues how to resolve this?

Azure Migrate Assessment - error when starting discovery

I receive an error when trying the final step on the Azure Migrate Assessment virtual appliance, the "Save and start discovery" button:

"Could not initiate discovery. Discovery and performance data collection could not be started successfully due to the following error.

Details: Azure Active Directory (AAD) operation failed with status 'Forbidden'. The error occurred while creating/updating AAD Application 'App...' in tenant 2e5...

Recommendation: The currently logged in Azure user account does not have access to the AAD application specified in the error message. Please check whether you are the owner of the AAD Application. Learn more about AAD application permissions."


When I look at the Application, I appear to be the owner. For my Azure account, I was a guest invited to this tenant and assigned Global Administrator rights. I also have permission to create apps from this account. The account used to connect to the HyperV hosts from the appliance is a domain administrator. I have tried completely removing the project and appliance and starting from scratch, and each step in the appliance completes successfully until the final step of starting discovery.

Confirmed I am assigned the "Owner" role for both the Resource Group and Key Vault associated with this project.

Please advise on resolutions or log file locations for this error.

Thanks,

S


Unable to bind user using ldp.exe

I have followed this link to set up Active Directory DS. I am not able to bind a user in the ldp.exe tool.

Below is my connection output:

ld = ldap_sslinit("ldaps.ad.pumahub.com", 636, 1);
Error 49 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to ldaps.ad.pumahub.com.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=ad,DC=pumahub,DC=com;
currentTime: 9/23/2019 10:17:06 PM India Standard Time;
defaultNamingContext: DC=ad,DC=pumahub,DC=com;
dnsHostName: V8XIHHEM-YEF2AP.ad.pumahub.com;
domainControllerFunctionality: 6 = ( WIN2012R2 );
domainFunctionality: 6 = ( WIN2012R2 );
dsServiceName: CN=NTDS Settings,CN=V8XIHHEM-YEF2AP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumahub,DC=com;
forestFunctionality: 6 = ( WIN2012R2 );
highestCommittedUSN: 34195;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: ad.pumahub.com:v8xihhem-yef2ap$@AD.PUMAHUB.COM;
namingContexts (5): DC=ad,DC=pumahub,DC=com; CN=Configuration,DC=ad,DC=pumahub,DC=com; CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com; DC=DomainDnsZones,DC=ad,DC=pumahub,DC=com; DC=ForestDnsZones,DC=ad,DC=pumahub,DC=com;
rootDomainNamingContext: DC=ad,DC=pumahub,DC=com;
schemaNamingContext: CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com;
serverName: CN=V8XIHHEM-YEF2AP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumahub,DC=com;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

And I am getting the following while binding the user:

53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='ldaptest@pradippatelc2gmailcom.onmicrosoft.com'; Pwd=<unavailable>; domain = 'ad.pumahub.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580
Error 0x80090346 Client's supplied SSPI channel bindings were incorrect.

While binding the user I am selecting the bind type "Bind with credentials".

The user with which I am binding is a cloud AD user and is also present in the Administrator group. I have also reset the password of this user so AD DS can store password hashes, but nothing worked.

I am unable to sign in to Authenticator as it is asking for a URL and a code which I don't know

Hello.

I reset my phone and now I am not able to access Company Portal. It sends a request to the Microsoft Authenticator app and the app does not get it.

When I open the app, it asks me to add an account by a QR code or by URL and a code.

I am not sure of either of these.

My Email - v-ajswam@microsoft.com
