Channel: Azure Active Directory forum

Business units in AAD

Hi all, 

Does anyone know if it's possible to have different business units in Azure AD? For example, I have location A with 30 users and location B with 50 users. I'd like to have an admin only for that location, so he can manage those users and nothing else. Only the global admins can see everything.

We're running everything in the cloud, with on-prem as backup. We're also using Office 365. Thanks :)

Does Azure support dynamic RelayState?

The docs for Azure cover RelayState (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-portal) as a fixed parameter. In the SAML world, it is used for Service Provider (SP) initiated SSO flows to allow the redirect to happen for different URLs.

The RelayState parameter in ADFS is generated according to these docs (https://social.technet.microsoft.com/wiki/contents/articles/13172.ad-fs-2-0-relaystate-generator.aspx). Does Azure AD have similar encoding for it? I'm unable to find any mention of whether RelayState works the same way as it does in the ADFS setting.

Azure AD and federation

Evening all...

Attempted to set up Azure AD today for my corporate environment.

Gone through the installation of Azure AD Connect and synchronisation appears to be working.

We selected to use AD FS though, which doesn't appear to be working. On the portal, federation shows as "disabled".

We used an existing working ADFS server, which we specified during the configuration, and everything seemed to go through without any errors.

I'm hoping that someone with a far greater understanding of this can shed some light on where to begin troubleshooting it. It's my first interaction with Azure AD and AD FS too.

Thank you

Workday Log Out with Azure AD not working: An error occurred when we tried to process a WS-Federation message. The message was invalid.

I configured Workday to use Azure AD for single sign-on. Logging in works fine. However, when logging out, I receive the following error message (screenshot here):

AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.

As per the Microsoft documentation on Workday integration with Azure AD (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/workday-tutorial), in Workday, the Logout Redirect URL is set to https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0, and the Logout Response URL is also set to https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0.

The SAML configuration of Workday from the Azure side also follows Microsoft documentation. Screenshot here.

Some research has led to the following MSDN post from December 2017 about using a specific URL for sign-out, instead of the aforementioned "generic" URLs. I don't know what the "specific" URL would be, and do not know where this is documented outside of this MSDN post. Link here:

https://social.msdn.microsoft.com/Forums/en-US/fcf2b448-b431-4bc2-8fce-91c6d90900a5/azure-workday-sso-logout?forum=WindowsAzureAD

Any ideas on what is going on?

Trying to add users to an Enterprise application

Whenever we add someone, either via the GUI or in PowerShell, we get the same response. Removing and adding them back doesn't fix it. Has anyone seen this?

User details: Skip reason = NotEffectivelyEntitled, Active = True, Assigned = True, Passed scope filter: True

Block Inheritance Permission on resource groups

Hi,

Trying to figure out how I can block permission inheritance: when I create a new resource group on Azure, all the inherited permissions also start flowing in.

regards

Sathya

Sathya Paul

AD Connect Duplicate proxy and upn

Hi,

I have one user that will not sync to Office 365 through AD Connect. A duplicate UPN and proxy address is detected. I've checked everything, but there is no duplicate proxy address or UPN anymore. The user that it is conflicting with synced successfully.

I also tried to hard match the on-prem user with the Office 365 account. The immutable IDs are now the same, but it will not sync.

Any other ideas?

Best regards,

Robin
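
The hard match Robin describes depends on the cloud ImmutableId being exactly the value Azure AD Connect derives from the on-premises objectGUID. As an added illustration (not from the post or from Microsoft's tooling), this Python computes that value the way the default source anchor does, Base64 of the GUID's 16 bytes in Windows byte order, decodes it back, and classifies an on-prem/cloud pair; the GUID and ImmutableId values are constructed.

```python
import base64
import uuid
from typing import Optional

# Azure AD Connect's default source anchor is the on-premises objectGUID. In the
# cloud it appears as ImmutableId: Base64 of the GUID's 16 raw bytes in Windows
# layout (first three fields little-endian), not of the GUID's display string.


def immutable_id_from_guid(object_guid: str) -> str:
    """ImmutableId that a hard match must set on the cloud user for this objectGUID."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def naive_immutable_id(object_guid: str) -> str:
    """Common mistake: encoding the big-endian bytes; the result never matches Connect's anchor."""
    return base64.b64encode(uuid.UUID(object_guid).bytes).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Decode a cloud ImmutableId back to the on-premises objectGUID it was derived from."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId %r does not decode to 16 bytes" % immutable_id)
    return str(uuid.UUID(bytes_le=raw))


def classify_match(object_guid: str, cloud_immutable_id: Optional[str]) -> str:
    """How sync will treat the pair: hard match, soft match (no anchor yet), or mismatch."""
    if not cloud_immutable_id:
        # No anchor on the cloud object: Connect falls back to soft matching on
        # UPN / primary SMTP proxy address, and a failed soft match creates a
        # new cloud object instead of taking over the existing one.
        return "soft-match"
    if cloud_immutable_id == immutable_id_from_guid(object_guid):
        return "hard-match"
    # Anchor present but derived from a different object: this cloud account
    # will not be taken over by the on-prem user.
    return "mismatch"


if __name__ == "__main__":
    # Constructed values, not from any real directory.
    onprem_guid = "7a6c2f1e-3b4d-4e5f-8a9b-0c1d2e3f4a5b"
    expected = immutable_id_from_guid(onprem_guid)
    print("ImmutableId to set for hard match:", expected)
    print("Round trip:", guid_from_immutable_id(expected))
    print("Classification:", classify_match(onprem_guid, expected))
```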

Legalities of Azure Active Directory Licensing per User

Hello everyone,

I've discovered (I'm sure many have) that I can get full functionality out of a single Azure Active Directory Premium P1 license ($6/user) for all of my users (12 at this time, but will grow to 50 very shortly). Functionality does not change whether or not every user is licensed with AAD Premium P1.

My question is: is only paying for a single license for (let's say) 50 users legal? Is there anything explicitly stating each AAD user must be licensed with AAD Premium P1 if that user intends on receiving related services?

Problem with Single Sign-On on SharePoint

OK, I'm following this guide: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial

But I can't make it work; it displays this error: Sorry, but we're having trouble signing you in. AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding. sharepoint

1. I think I'm configuring something wrong in the $realm variable, so can you tell me what I need to put in it?

2. Is there something I'm missing?

3. My site is local, so I think I cannot test it via the web.

This post is re-opened (https://social.msdn.microsoft.com/Forums/en-US/e7b9bde5-ec86-4b8d-ba61-abea2b0bf83f/problem-with-single-signon-on-sharepoint?forum=WindowsAzureAD).

I need help to demonstrate that it's possible to connect a SharePoint on-premises with Azure AD services.

Yordy Corrales

Getting an error when trying to setup new company laptop. Advice on deleting devices from Active Directory. DeviceCapReached

I am the operations manager of a small company that uses Office 365 with Azure Active Directory. In trying to set up a new laptop for a new employee, I am getting the following error in the Windows setup process after logging in with my Microsoft work account.

Server error code: 801c0003

Server message: User 'xxxxxxxxxxxx' is not eligible to enroll a device of type 'Windows'. Reason 'DeviceCapReached'

I have determined that I have met the quota for the maximum number of devices per user, which was set to 50, so the error is no longer a mystery, but my question is how to go about removing devices without any negative side effects.

The reason all of these devices are assigned to me is that when new employees are hired, I set up the computer by signing in as myself, then I install all the necessary software and configure it for the employee, and then hand it off to the employee.

I need to know how to resolve the situation correctly.

  • What happens if I delete a device from the list of devices on my account?
  • All of these devices are in use by employees, so do I need to 'transfer' the devices from my user to the user they belong to?

I know that I can simply increase the quota for the number of users, but that seems more like a band-aid than a solution.

Process Escrow Failure when trying to Provision user to Salesforce App

Hello,

I am trying to set up provisioning with the gallery application Salesforce.

I receive a failure with accounts I am trying to provision. The failure is Process Escrow. Details below:

Status Reason:
We are retrying an operation that previously failed. Identifier: username@comany.com Object type: User Directory: Azure Active Directory; Error: An error occured while evaluating this function: 'Replace.'. This operation was retried 1 times. It will be retried again after this date: 2019-09-21T01:08:14.2481484Z UTC

Details:

EscrowType: Default; EntryType: User; EntryIdentifier: 5a389607-30bc-4c94-9fff-8b74b9bba21d; Matching value: username@comany.com; Modification: Add; Creation time: 2019-09-20T19:08:14.2481484Z; Count processed: 1; Origin: Source; Fault: ErrorCode: MappingEvaluationFailed, ErrorSource: None, ExceptionMessage: An error occured while evaluating this function: 'Replace.', Exception: , Scope: Entry, TenantActionable: True, Transient: False;
ErrorCode: MappingEvaluationFailed
EventName: EntryEscrowRetry
JoiningProperty: username@comany.com

Found a few user principal id without detail records in AAD

Hi 

I was trying to audit RBAC assignments and found a few principalIds without a detail record.

Here is what I have tried:

1. Find the RBAC assignment list:


az role assignment list --all --subscription [my subscription id here]

2. From the output, if principalType is User, I took the principalId to show more details.

For example:


az ad user show --id a7f016cf-59bc-402c-8a25-2588e5516711

Resource 'a7f016cf-59bc-402c-8a25-2588e5516711' does not exist or one of its queried reference-property objects are not present.

I have another 5 principalIds showing the same error message. Many other users' principalIds do return the detail values as expected.

I wonder whether those principalIds might have been deleted or disabled in AAD but somehow RBAC still keeps the records.

Best Regards,

Ping Wu
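
The two-step audit above (list the assignments, then look up each User principalId) can be turned into a check for assignments whose principal no longer resolves. This added Python example is not from the post or from the Azure CLI; it works on a constructed sample of `az role assignment list --all` JSON and a constructed set of resolvable user IDs standing in for the `az ad user show` lookups.

```python
import json
from typing import Iterable, List, Set

# Constructed sample of `az role assignment list --all` output (not real tenant data).
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/aaaa1111-0000-0000-0000-000000000001",
   "principalId": "11111111-1111-1111-1111-111111111111", "principalType": "User",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/aaaa1111-0000-0000-0000-000000000002",
   "principalId": "22222222-2222-2222-2222-222222222222", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/aaaa1111-0000-0000-0000-000000000003",
   "principalId": "33333333-3333-3333-3333-333333333333", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]
""")

# Constructed stand-in for `az ad user show --id <principalId>`: the user object IDs
# that still resolve in the directory. In a real audit, collect these by running
# the command per id and recording which ones return a record.
EXISTING_USER_IDS: Set[str] = {"11111111-1111-1111-1111-111111111111"}


def find_orphaned_user_assignments(assignments: Iterable[dict], existing_users: Set[str]) -> List[dict]:
    """Return User-type role assignments whose principalId no longer resolves in AAD."""
    orphaned = []
    for a in assignments:
        if a.get("principalType") != "User":
            continue  # the post's step 2 only looks up User principals
        if a["principalId"] not in existing_users:
            orphaned.append({
                "assignmentId": a["id"],
                "principalId": a["principalId"],
                "role": a.get("roleDefinitionName"),
                "scope": a.get("scope"),
            })
    # Most privileged roles first, so a reviewer sees the worst stale grants at the top.
    rank = {"Owner": 0, "User Access Administrator": 1, "Contributor": 2}
    orphaned.sort(key=lambda o: rank.get(o["role"], 99))
    return orphaned


def cleanup_commands(orphaned: List[dict]) -> List[str]:
    """Build the az CLI commands an admin would review before removing the stale assignments."""
    return ["az role assignment delete --ids %s" % o["assignmentId"] for o in orphaned]


if __name__ == "__main__":
    stale = find_orphaned_user_assignments(SAMPLE_ASSIGNMENTS, EXISTING_USER_IDS)
    for entry in stale:
        print(entry)
    print("\n".join(cleanup_commands(stale)))
```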

"Unable to update the specified properties for on-premises mastered dictionary sync objects or objects currently undergoing migration "

When adding a user to a group using the Graph API, I get an error message.

The code part which is used to call the API:

User userToAdd = await graphClient.Users[strID].Request().GetAsync();

await graphClient.Groups[groupList[i].Id].Members.References.Request().AddAsync(userToAdd);

Error Message:

Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.

Inner error

Spurious Azure Active Directory Connect accounts; incorrect Proxy Address despite UPN being unique

I have a local AD account set up for myname.org. I created ONE user, with a UPN of me@myname.org.

I used the Azure Active Directory Connect tool, with default / express configuration.

This went so-so. Despite making SURE that my AD SPN/UPN was set up correctly, i.e. me@myname.org, as well as MYNAME\me, in Active Directory, the AD Sync has created not one but FOUR accounts in Azure Active Directory that all seem to be 'me'.

I have a Member user type with the user name of me@myname.org  ... this seems to be associated with my O365 account.

I have a Member user type with the user name of me.MI@myname.onmicrosoft.com ... no idea where this came from

I have a Member user type with the user name of me4200@myname.onmicrosoft.com ... no idea where this came from, nor the number 4200. It's not significant for anything. The source of this one says it's Windows Server AD; I think it incorrectly created this user instead of synchronizing with me@myname.org as it should have.

If this happens with my client, we will have a right disaster. 

I have a Member user type with the user name of randomResourceMailbox@myname.org ... no idea where this came from. The "RandomResourceMailbox" was associated in O365 as "CTO@myconsultancy.com" and is a small resource mailbox with no user license, and no login. The name "CTO@myname.org" was created out of whole cloth. 

The last two accounts were NEVER in Active Directory. One of them was in Office365 as randomresourcemailbox@anotherTLD.com as an additional resource mailbox only with no user license.

I NEVER had any duplicated accounts in AD nor in O365. 

I elected not to use the alternative ID method as the point was to make this migration simple. Any ideas why me@myname.org and me@myname.org failed?

I found a synchronization error. It says my O365 account UPN is me@myname.org, and my AD Account is me4200@myname.org which is absolutely incorrect.

It then says my Proxy Address is wrong; the AD account is SMTP:me@myname.org but my Existing object (the O365 account) is an amalgamation of:

smtp:nickname@myname.org
smtp:me@myname.onmicrosoft.com;SMTP:me@myname.org

So, the UPN got modified by the AD sync tool incorrectly, and the O365 SMTP address is incorrectly parsed, as well as becoming a multiple value field for a proxy address (which is incorrect).

What's worse is that, despite the fact that my UPNs were set up correctly, the tool decided to use a non-editable field called "Proxy Address" for the match, and made this a multiple-value field, which means I'd have to update my email addresses (part of Exchange administration) in my AD and keep them synced. That seems wrong.

How does this get fixed?

== John ==


Problems with enterprise state roaming.

Running an on-site domain, using AD Connect to sync devices to Azure. I have been following the guide https://docs.microsoft.com/en-au/azure/active-directory/devices/enterprise-state-roaming-enable and I've enabled device sync. I can see the device in question in my Azure AD devices as Hybrid Azure AD joined.

I have enabled my test user to allow sync.

However when I check sync settings on that machine with that user, I get an error about sync not being available on this account.

I have verified that the same account is listed under Email & App Accounts.

I have also assigned a license in Azure AD, "Enterprise Mobility + Security E3".

Not sure what else to check. Any suggestions?

Users in Azure Devops without AAD

Hi,

Is it possible to invite users from an external organisation which does not have AAD?

Thanks,

Yuji

App Registration in Azure Directory

Hello,
I have a system service that periodically accesses a mailbox to check for emails.
Is it possible to create an app-registration (OAuth2) for this service that only permits "Mail.Read" for a specific mail account?

Thanks.

AAD DNS resolution issue

Hi Team,

As per our discussion, kindly provide remote assistance from your end to resolve the DNS issue.

Unable to enroll Device into Azure AD using 3rd Party On-Premise MDM

We are in the process of integrating a third-party MDM (on-premise) with Autopilot in the AAD portal to enable Windows 10 OOBE. We want to achieve this by leveraging an on-premise Core Enterprise Application server in Azure. We have configured the following so far, which is not working as expected. Also, I can't find any relevant event logs within "User Device Registration" or "DeviceManagement-Enterprise-Diagnostics-Provider":

  1. The Autopilot Device Profile was created by importing the ID into Autopilot.
  2. Security Group with authorised users, incl. MFA-enabled authentication.
  3. Redirect URIs were also configured in the MDM App used by Azure AD to join the Web App via the corresponding client_id, which maps to one of the Azure DRS.
  4. Terms of Usage URLs plus secret keys were also created. MDM DISCOVERY URL & MDM TERMS OF USE URL are correctly set, but I haven't checked if they are accessible over the Internet.

NB: All of the above and a host of other requirements were double-checked and tested several times. The device is able to enrol when Intune is used as the MDM server (by adding the Intune application to my Azure AD).

A Test Device out of the box was used to run the following test scenarios in Azure with an E5 incl. mdm + security subscription.

During our tests we got the following error:

"we are not able to enroll Azure AD due to: Redirect UI [https://login.microsoftonline.com/WebApp/CloudDomainJoin/10] is not formed correctly"

After some Googling, I read this could be caused by DNS issues, outbound proxy issues, or a variety of other reasons.

I also read this can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. We might have sent the authentication request to the wrong tenant, but I checked this with a colleague today and granted all necessary permissions as required. Didn't do the trick.

I also read this could simply be due to a general authentication failure, which still looks very generic to me.

Does anyone have any clues on how to troubleshoot these kinds of problems based on the error reported? Tips will be very much appreciated.
