Channel: Azure Active Directory forum

Azure AD - MFA Unblock Fraud Alert Users without Global Admin role


Hi Team,

Is there any specific directory role for accessing the MFA authentication page in Azure AD other than the Global Admin role?

How do I unblock a user from an MFA fraud alert without the Global Admin role?

MFA setup is cloud only; this is not an on-premises environment.


Should the federation server(s) be placed on premise or in azure?


Should the federation server(s) be placed on premise or in the cloud?

This environment will have both the original AD domain (AD DS) and Azure Active Directory (no Azure AD DS).

We will be moving the on-premise systems to the cloud with very few exceptions. We will also have a DR site.

O365 will be used, and we will be keeping part of Exchange on premise physically for the VIP group until they are comfortable with moving to the cloud.

Physical network equipment and the F5 will be placed at a co-located site for administering the WAN between the primary site and the DR site.

The DMZ will also be hosted from this co-located site (equinox) for both the primary site and the DR site.

Please provide recommendations and/or best practices for this type of design.



dsk


Azure AD - SSO - Client Creds Grant Flow - Application Permission is Disabled

Unable to activate single sign on from the ADconnect

Please, on my Active Directory I deployed single sign-on for all users but discovered it was not really working, so I decided to reconfigure it. While deploying there is a section where I was asked to input domain administrator credentials, which I did, but I got an error that "an error occurred while locating the computer account", meanwhile the username and password are correct. Kindly assist to rectify it. Thanks.

Password writeback


Hi,

We are setting up an environment with local AD and Azure AD, and have a question regarding password sync. We are using a third-party tool, Fastpass, so that users themselves can change their password. My question is: is there latency when changing a password? There are several sites with DCs.


/Regards Andreas

Not Getting Custom Field in SCIM Post Request


We have created one custom field called "tags" in the SCIM mapping. But when we create a user, the POST request doesn't contain the "tags" field. The same field gets updated when the next PATCH call happens during an update. Here is the mapping for the "tags" field:

Join(":", [jobTitle], [department])    tags

Apply this mapping: Always

Also pasting the request body for reference. Please check and let us know why the "tags" field is not coming as part of the POST request. "tags" is part of the schema "urn:ietf:params:scim:schemas:core:2.0:User".

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "externalId": "new.scim.user5",
    "userName": "new.scim.user5",
    "active": true,
    "displayName": "new.scim.user5 DN",
    "emails": [{
        "primary": true,
        "type": "work",
        "value": "new.scim.user5@BlueJeansNetwork.onmicrosoft.com"
    }],
    "meta": {
        "resourceType": "User"
    },
    "name": {
        "formatted": "new.scim.user5 FN new.scim.user5 LN",
        "familyName": "new.scim.user5 LN",
        "givenName": "new.scim.user5 FN"
    },
    "roles": [],
    "title": "QA Lead",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "Q&A Engineering"
    }
}
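As an added example (not part of the post above and not Azure AD's own provisioning code), the following Python check evaluates the quoted mapping Join(":", [jobTitle], [department]) against the posted request body, reports whether the mapped target attribute is present in the body, and flags any top-level attribute that is not defined in the RFC 7643 core User schema. The evaluator, the source-to-SCIM attribute table and the way a missing Join argument is treated (no value) are assumptions of this example, not a description of how the Azure AD provisioning service resolves expressions.

```python
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Request body copied from the post above (used here as constructed sample input).
SCIM_POST_BODY = {
    "schemas": [CORE, ENTERPRISE],
    "externalId": "new.scim.user5",
    "userName": "new.scim.user5",
    "active": True,
    "displayName": "new.scim.user5 DN",
    "emails": [{"primary": True, "type": "work",
                "value": "new.scim.user5@BlueJeansNetwork.onmicrosoft.com"}],
    "meta": {"resourceType": "User"},
    "name": {"formatted": "new.scim.user5 FN new.scim.user5 LN",
             "familyName": "new.scim.user5 LN", "givenName": "new.scim.user5 FN"},
    "roles": [],
    "title": "QA Lead",
    ENTERPRISE: {"department": "Q&A Engineering"},
}

# Top-level attributes RFC 7643 defines for a User (section 4.1) plus the
# common attributes every resource carries (section 3.1).
CORE_USER_ATTRIBUTES = {
    "id", "externalId", "meta", "schemas",
    "userName", "name", "displayName", "nickName", "profileUrl", "title",
    "userType", "preferredLanguage", "locale", "timezone", "active", "password",
    "emails", "phoneNumbers", "ims", "photos", "addresses", "groups",
    "entitlements", "roles", "x509Certificates",
}

# Where the Azure AD source attributes named in the mapping land in a SCIM
# user. Assumption of this example: jobTitle maps to core "title",
# department lives in the enterprise extension (as in the posted body).
SOURCE_TO_SCIM = {
    "jobTitle": (None, "title"),
    "department": (ENTERPRISE, "department"),
}


def get_source(body, source_attr):
    """Read one mapped source attribute out of a SCIM user body."""
    schema, key = SOURCE_TO_SCIM[source_attr]
    container = body if schema is None else body.get(schema, {})
    return container.get(key)


def join_expression(body, separator, *source_attrs):
    """Evaluate Join(separator, [a], [b], ...) as the post's mapping reads.

    If any part is missing or empty the expression yields no value
    (assumption of this example).
    """
    parts = [get_source(body, a) for a in source_attrs]
    if any(p is None or p == "" for p in parts):
        return None
    return separator.join(parts)


def check_mapping(body, target, separator, *source_attrs):
    """Compare what the mapping should produce with what the request carries."""
    return {
        "target": target,
        "expected": join_expression(body, separator, *source_attrs),
        "present_in_request": target in body,
        "actual": body.get(target),
    }


def unknown_core_attributes(body):
    """Top-level keys that are neither core User attributes nor extension URNs.

    A custom attribute such as "tags" is not part of the core schema; RFC 7643
    expects it under a schema extension URN instead.
    """
    return sorted(k for k in body if k not in CORE_USER_ATTRIBUTES
                  and not k.startswith("urn:"))


if __name__ == "__main__":
    print(check_mapping(SCIM_POST_BODY, "tags", ":", "jobTitle", "department"))
    print(unknown_core_attributes(SCIM_POST_BODY))
    print(unknown_core_attributes({**SCIM_POST_BODY, "tags": "x"}))
```

Run against the posted body, check_mapping shows the expected value "QA Lead:Q&A Engineering" with present_in_request False, which is the gap the post describes; unknown_core_attributes is empty for the posted body and returns ["tags"] as soon as the custom attribute is added at top level under the core schema.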

Passing Device ID to Azure AD


Hi,

We have a Xamarin-based native app developed.

The sign-in for company employees (internal organization) is not working, whereas any external user sign-in works fine. The error messages we are getting are 'You can't get there from here. You cannot access the resource from this browser on your device. You need to use Safari, Intune Managed Browser or Edge' for iOS, and for Android we get 'Help us keep your device secure. Your sign-in was successful, but your admin requires your device to be managed by XXX to access the resource'.

While investigating further we found that the users signing in are part of some conditional access group and that's why they can't sign in on this app. But they do have Company Portal on their device and Outlook also gets used. So then, from the sign-in activity logs in Azure AD, we found that device details are not getting passed (Device ID is empty) and that's why Azure AD rejects the sign-in requests coming from internal users.

As a solution to this, we are thinking of passing the Device ID to Azure AD. But the question here is whether it is advisable to pass the device ID to Azure AD. Passing device info from any user to Microsoft may be categorized as a security issue. Referring to this article https://techcrunch.com/2012/03/24/apple-udids/?guccounter=1, it looks like Apple may reject our app on the App Store.

Please advise if it is OK to pass device details to Azure AD from a security perspective. Also, from a GDPR compliance perspective, do we need to take care of this or worry at all?

Regards

Sanjay Nipane


Business units in AAD


Hi all, 

Does anyone know if it's possible to have different business units in Azure AD? For example, I have location A with 30 users and location B with 50 users. I'd like to have an admin only for that location, so he can manage those users and nothing else. Only the global admins can see everything.

We're running everything in the cloud, with on-prem as backup. We are also using Office 365. Thanks :)


Azure AD and federation


Evening all...

I attempted to set up Azure AD today for my corporate environment.

I have gone through the installation of Azure AD Connect and synchronisation appears to be working.

We selected to use AD FS though, which doesn't appear to be working; on the portal, federation shows as "disabled".

We used an existing working AD FS server, which we specified during the configuration, and everything seemed to go through without any errors.

I'm hoping that someone with a far greater understanding of this can shed some light on where to begin troubleshooting it. It's my first interaction with Azure AD and AD FS too.

Thank you

Login to computer not recognized as Azure AD login - Windows Enterprise upgrade problem


Hi,

A computer (end-user workstation) in a hybrid environment (Azure + on-prem) is not recognizing user logons as Azure logons.

Judging from what I see in Azure and on the computer, the computer seems to be correctly joined to Azure AD. The user account also seems to be fine in Azure AD.
I tried with 2 user accounts and a test account, which I know to be free of this problem - but on this particular machine, the problem still occurs (so I don't think the problem is related to user's account).
This is causing Windows to refuse to upgrade to Enterprise edition based on the user's license.
In Event Viewer I am getting event 360 and it contains this line: "User has logged on with AAD credentials: No"
I wanted to paste screenshots of dsregcmd /status but I am unable to. The interesting bit seems to be:

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
               NgcSet : NO
      WorkplaceJoined : NO
        WamDefaultSet : ERROR
           AzureAdPrt : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
        IsUserAzureAD : NO
        PolicyEnabled : NO
       DeviceEligible : YES
   SessionIsNotRemote : YES
       CertEnrollment : none
         PreReqResult : WillNotProvision

Would anyone be able to share some wisdom with me on this?
I've read everything I could find on the internet and still failed to solve this.

Thanks!
Michał
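As an added example (not part of the post above and not a Microsoft tool), the following Python script parses the dsregcmd /status excerpt quoted in the post into sections and lists the values in it that account for a logon not being recognised as an Azure AD logon: no Azure AD PRT, IsUserAzureAD = NO, WamDefaultSet = ERROR and PreReqResult = WillNotProvision. The healthy comparison sample and the wording of each finding are constructed for this example; the parser only reads the text layout dsregcmd prints.

```python
import re

# dsregcmd /status excerpt copied from the post above; a real run prints
# more sections, which this constructed sample omits.
DSREGCMD_OUTPUT = """\
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
               NgcSet : NO
      WorkplaceJoined : NO
        WamDefaultSet : ERROR
           AzureAdPrt : NO
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
        IsUserAzureAD : NO
        PolicyEnabled : NO
       DeviceEligible : YES
   SessionIsNotRemote : YES
       CertEnrollment : none
         PreReqResult : WillNotProvision
"""

# Constructed sample of what a session with a PRT looks like, for comparison.
HEALTHY_SAMPLE = """\
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
               NgcSet : NO
      WorkplaceJoined : NO
        WamDefaultSet : YES
           AzureAdPrt : YES
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
        IsUserAzureAD : YES
        PolicyEnabled : NO
       DeviceEligible : YES
   SessionIsNotRemote : YES
       CertEnrollment : none
         PreReqResult : WillNotProvision
"""

SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|$")      # "| User State |"
KV_RE = re.compile(r"^\s*(\S+)\s*:\s*(.*?)\s*$")   # "   AzureAdPrt : NO"


def parse_dsregcmd(text):
    """Turn dsregcmd /status text into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("+--"):       # blank or box border
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def has_azure_ad_prt(sections):
    """True when the user session holds an Azure AD Primary Refresh Token."""
    return sections.get("User State", {}).get("AzureAdPrt") == "YES"


def prt_findings(sections):
    """Values that explain why Windows does not treat the logon as an Azure AD logon."""
    user = sections.get("User State", {})
    ngc = sections.get("Ngc Prerequisite Check", {})
    findings = []
    if user.get("AzureAdPrt") != "YES":
        findings.append("AzureAdPrt is not YES: no Azure AD PRT was issued for this logon")
    if ngc.get("IsUserAzureAD") != "YES":
        findings.append("IsUserAzureAD is not YES: the logged-on user is not an Azure AD user")
    if user.get("WamDefaultSet") == "ERROR":
        findings.append("WamDefaultSet is ERROR: the WAM default account could not be set")
    if ngc.get("PreReqResult") == "WillNotProvision" and not has_azure_ad_prt(sections):
        findings.append("PreReqResult is WillNotProvision: Windows Hello prerequisites are not met")
    return findings


if __name__ == "__main__":
    for finding in prt_findings(parse_dsregcmd(DSREGCMD_OUTPUT)):
        print("-", finding)
```

Paste the full output of dsregcmd /status into DSREGCMD_OUTPUT to triage a real machine; the Device State section is parsed the same way, so the same parser can be used to confirm AzureAdJoined before looking at the user session.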

Unable to bind user using ldp.exe


I have followed this link to set up Active Directory DS. I am not able to bind a user in the ldp.exe tool.

Below is my connection output:

ld = ldap_sslinit("ldaps.ad.pumahub.com", 636, 1);
Error 49 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to ldaps.ad.pumahub.com.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=ad,DC=pumahub,DC=com;
currentTime: 9/23/2019 10:17:06 PM India Standard Time;
defaultNamingContext: DC=ad,DC=pumahub,DC=com;
dnsHostName: V8XIHHEM-YEF2AP.ad.pumahub.com;
domainControllerFunctionality: 6 = ( WIN2012R2 );
domainFunctionality: 6 = ( WIN2012R2 );
dsServiceName: CN=NTDS Settings,CN=V8XIHHEM-YEF2AP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumahub,DC=com;
forestFunctionality: 6 = ( WIN2012R2 );
highestCommittedUSN: 34195;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: ad.pumahub.com:v8xihhem-yef2ap$@AD.PUMAHUB.COM;
namingContexts (5): DC=ad,DC=pumahub,DC=com; CN=Configuration,DC=ad,DC=pumahub,DC=com; CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com; DC=DomainDnsZones,DC=ad,DC=pumahub,DC=com; DC=ForestDnsZones,DC=ad,DC=pumahub,DC=com;
rootDomainNamingContext: DC=ad,DC=pumahub,DC=com;
schemaNamingContext: CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com;
serverName: CN=V8XIHHEM-YEF2AP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=pumahub,DC=com;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ad,DC=pumahub,DC=com;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

And I am getting the below while binding the user:

53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='ldaptest@pradippatelc2gmailcom.onmicrosoft.com'; Pwd=<unavailable>; domain = 'ad.pumahub.com'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 80090346: LdapErr: DSID-0C09056D, comment: AcceptSecurityContext error, data 80090346, v2580
Error 0x80090346 Client's supplied SSPI channel bindings were incorrect.

While binding the user I am selecting bind type "Bind with credentials".

The user with which I am binding is a cloud AD user and is also present in the Administrators group. I have also reset the password of this user so AD DS can store password hashes, but nothing worked.

Getting an error when trying to setup new company laptop. Advice on deleting devices from Active Directory. DeviceCapReached


I am the operations manager of a small company that uses Office 365 with Azure Active Directory. In trying to set up a new laptop for a new employee, I am getting the following error in the Windows setup process after logging in with my Microsoft work account.

Server error code: 801c0003

Server message: User 'xxxxxxxxxxxx' is not eligible to enroll a device of type 'Windows'. Reason 'DeviceCapReached'

I have determined that I have met the quota for the maximum number of devices per user, which was set to 50, so the error is no longer a mystery, but my question is how to go about removing devices without any negative side effects.

The reason all of these devices are assigned to me is that when new employees are hired, I set up the computer by signing in as myself, then I install all the necessary software and configure it for the employee, and then hand it off to the employee.

I need to know how to resolve the situation correctly.

  • What happens if I delete a device from the list of devices on my account?
  • All of these devices are in use by employees, so do I need to 'transfer' the devices from my user to the user they belong to?

I know that I can simply increase the quota for the number of users, but that seems more like a band-aid than a solution.

OAuth2 error when passing BusinessCentral scopes to token URL


I'm trying to pass the https://dynamics.microsoft.com/business-central/overview/app_access scope to the OAuth2 authorize URL and keep getting this error:

 The resource principal named https://dynamics.microsoft.com/business-central/overview was not found in the tenant named {tenantid}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

What does this mean? 


Azure Active Directory - trying to register custom domain name - Force Domain Takeover


Hello,

We are getting ready to migrate our Exchange over to Office 365. I'm getting AD sync prepped, but to do that I need to register our public domain name.

When I go to the Azure portal, Azure AD, Custom Domains, it gives me the TXT record I need in our public DNS for it to register. I created it a few hours ago and I can check it using nslookup. However, in the Azure portal verification I get this message when I click on verify. I've switched our domain name below with publicdomainname for privacy reasons.

This domain has been configured on (publicdomainname).onmicrosoft.com using Office 365. If you are the IT admin for your organization, you will need to remove or takeover the domain from the existing tenant before verifying it here.

This can be resolved using the internal or force domain takeover option.

Force domain takeover: If you are the IT admin of your organization and want to manage a single Azure AD with all users from Power BI or RMS to be migrated into this tenant, proceed with the force domain takeover option.

Internal takeover: If you wish to manage both directories in Azure AD and Office 365 to view users and their assigned Power BI and RMS subscriptions, proceed with the internal takeover option.

I honestly don't understand the difference between force domain takeover and internal takeover, or if there is a way to find out why it thinks I need a takeover.



Enforce MFA with Azure AD Seamless SSO - Not Working?


I have enabled Azure AD Seamless SSO in my Azure AD Connect instance (which is also configured with Password Hash Sync). I have also rolled out the Seamless SSO feature to computers that are Azure AD registered devices. I have Azure AD Conditional Access set up to require MFA for all Azure AD logins to all cloud applications (not using Azure MFA, but instead using a 3rd party service called Duo).

Microsoft documentation states the following about Seamless SSO:

9. After evaluation, Azure AD either returns a token back to the application or asks the user to perform additional proofs, such as Multi-Factor Authentication.

However, it appears that users on Azure AD registered devices that have Seamless SSO rolled out are able to access applications protected by Azure AD without logging in and without performing any multi-factor authentication.

My understanding was that Seamless SSO would save users the effort of entering their passwords, but all other controls, such as MFA enforced through Conditional Access, would still be enforced. Is this not the case?




Azure AD Registered devices and Seamless SSO - Not Working?


I have enabled Azure AD Seamless SSO in my Azure AD Connect instance (which is also configured with Password Hash Sync). I have not rolled out the Seamless SSO feature to computers that are Azure AD registered devices. I have Azure AD Conditional Access set up to require MFA for all Azure AD logins to all cloud applications (not using Azure MFA, but instead using a 3rd party service called Duo).

Microsoft documentation states the following about Seamless SSO:

9. After evaluation, Azure AD either returns a token back to the application or asks the user to perform additional proofs, such as Multi-Factor Authentication.

However, it appears that users on Azure AD registered devices, even though Seamless SSO has not been rolled out, are able to access applications protected by Azure AD without logging in and without performing any multi-factor authentication.

My understanding was that Seamless SSO would save users the effort of entering their passwords, but all other controls, such as MFA enforced through Conditional Access, would still be enforced. Additionally, if this feature is not rolled out, I would not have expected Azure AD registered devices to be able to seamlessly log in. Is this not the case?








Azure Managed Identities


Hi,

I am trying to implement Azure managed identities to authenticate with Blob Storage and Azure Functions.

We are trying to follow the article below:

https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi

I am trying to call from an on-prem ASP.NET site to access Azure Blob Storage and Azure Functions. We would like to use user-assigned managed identities for authentication. I created a user-assigned managed identity in my tenant and am trying to authenticate programmatically using managed identities following the above article, but I am getting "Status: 500 Internal Server Error".

Any help on this is highly appreciated

Thanks,

Vijay


Spurious Azure Active Directory Connect accounts; incorrect Proxy Address despite UPN being unique


I have a local AD account set up for myname.org. I created ONE user, with a UPN of me@myname.org.

I used the Azure Active Directory Connect tool, with the default/express configuration.

This went so-so. Despite making SURE that my AD SPN/UPN was set up correctly, i.e. me@myname.org as well as MYNAME\me, in Active Directory, AD Sync has created not one but FOUR accounts in Azure Active Directory that all seem to be 'me'.

I have a Member user type with the user name of me@myname.org ... this seems to be associated with my O365 account.

I have a Member user type with the user name of me.MI@myname.onmicrosoft.com ... no idea where this came from

I have a Member user type with the user name of me4200@myname.onmicrosoft.com ... no idea where this came from, nor the number 4200. It's not significant for anything. The source of this one says it's Windows Server AD; I think it incorrectly created this user instead of synchronizing with me@myname.org as it should have.

If this happens with my client, we will have a right disaster. 

I have a Member user type with the user name of randomResourceMailbox@myname.org ... no idea where this came from. The "RandomResourceMailbox" was associated in O365 as "CTO@myconsultancy.com" and is a small resource mailbox with no user license, and no login. The name "CTO@myname.org" was created out of whole cloth. 

The last two accounts were NEVER in Active Directory. One of them was in Office 365 as randomresourcemailbox@anotherTLD.com, as an additional resource mailbox only with no user license.

I NEVER had any duplicated accounts in AD nor in O365. 

I elected not to use the alternate ID method, as the point was to make this migration simple. Any ideas why me@myname.org and me@myname.org failed?

I found a synchronization error. It says my O365 account UPN is me@myname.org, and my AD Account is me4200@myname.org which is absolutely incorrect.

It then says my proxy address is wrong; the AD account is SMTP:me@myname.org but my existing object (the O365 account) is an amalgamation of:

smtp:nickname@myname.org
smtp:me@myname.onmicrosoft.com;SMTP:me@myname.org


So, the UPN got modified by the AD sync tool incorrectly, and the O365 SMTP address is incorrectly parsed, as well as becoming a multi-value field for a proxy address (which is incorrect).

What's worse is that despite the fact that my UPNs were set up correctly, the tool decided to use a non-editable field called "Proxy Address" for the match, and made this a multi-value field, which means I'd have to update my email addresses (part of Exchange administration) in my AD and keep them synced. That seems wrong.

How does this get fixed?

        == John ==


Accessing Onprem Sharepoint 2019 using iPhone Word\Excel App through Azure Application Proxy

We can open a document from the on-prem SharePoint 2019 server in Office Online Server web view from an iPhone, but when we go to edit the document in the Microsoft Office app, it hangs trying to open it. Has anyone gotten this to work?

Trying to add users to an Enterprise application


Whenever we add someone, either via the GUI or in PowerShell, we get the same response. Removing and adding them back doesn't fix it. Has anyone seen this?

User details: Skip reason = NotEffectivelyEntitled, Active = True, Assigned = True, Passed scope filter: True
