Channel: Azure Active Directory forum

Conditional access & Sign-in frequency for outlook.office.com


According to Microsoft you won't be able to use the Configurable Token Lifetime policy after 1 November 2019. AD Conditional Access would replace this option.

So I made a CA that would apply to "Office 365 Exchange Online" and with the condition that it would only apply when accessed through a browser. I changed the Sign-in frequency to 1 hour as a test.

An hour after being signed-in I can still access outlook.office.com without having to sign in again. Anyone know what I am doing wrong?

We still use ADFS 2016.


Azure AD - SSO - Client Creds Grant Flow - Application Permission is Disabled

AIP Scanner - error acquiring token


Hello,

Has anyone solved the issue where you get:

"Set-AIPAuthentication : Unable to authenticate and setup Microsoft Azure Information Protection At line:1 char:1 ..."

when trying to get the security token using the parameters -webAppId -webAppKey -nativeAppId for AIPScanner?

I am using a demo tenant (m365xxx.onmicrosoft.com) and a test domain (testdomain.local).

The two apps have been created in AAD following the documentation.

My local AIP service account is synced via ADConnect and has local logon rights to my AIPScanner server.

I am running the Set-AIPAuthentication with powershell running as my service account.

If I run *just* the Set-AIPAuthentication cmdlet, I am asked to provide credentials (service account), and I get a token.

If I run with *any ONE parameter* it seems to work.

If I run with *any TWO parameters* it seems to work.

If I run with *all THREE* parameters, I get the error.

I noticed someone else has a similar posting, with no resolution.  Has anyone found the explanation for this error?

Thanks!


Subscription directory issue


Hi,

One of my subscriptions is in a strange state. I'm the one who created the subscription and I'm the account admin as well. However, when I go to the Azure Active Directory -> Properties page I don't see that I have any role (pic. 1) on the directory, the directory properties also look strange (pic. 2), and many menu items are disabled for me (also I don't have access to the User Settings). What I also see is that there are no users at all (pic. 3).

Is there anyone who has had this issue before? Is it possible that I lost control over my subscription?

Your Role is empty

Thanks,

Pal


Pal Wagner

Conditional Access policy to enforce external MFA (PingiD) causing issues with iOS Mail sync


We are trying to get MFA rolled out (Ping ID); however, as soon as users are added to the security group for the CA policy, we are seeing some weird behaviour with their mail syncing.

At first, I put this down to their client using a Basic auth profile and therefore getting blocked for trying to use legacy authentication. So we have been getting folks to recreate their mail profile using the "Sign In" option and use Modern Authentication. However, I've become aware of at least one other example where they've done this, it's started to work and then they've received a message from Exchange stating their access has been blocked:

You are receiving this message because your IT department has blocked your email access. This could be due to temporary conditions, like your network location.

Potential red herring: I've also noticed users' devices going into a Quarantine state in the Exchange Mobile Devices portal. Again, we have been manually approving them and it may or may not relate to the above, but any guidance would be great.

Below are the CA policy conditions. Any help is greatly appreciated!

Client Apps:

Browser, Mobile Apps and Desktop Clients, Modern Auth Clients, Exchange ActiveSync Clients, Other Clients (ticked)

Apply policy only to supported platforms (unticked)

Azure Admin Account blocked by MFA


Hi,

So I have a business Azure tenant. I am the only user and have MFA enabled on the user account. Unfortunately, I only set up one verification method, which is the MS Authenticator app. I recently bought a new iPhone and somewhere in my migration process I lost MFA code access. This means I am unable to log in.

I have contacted MS Support (Mindtree Ltd) and they have informed me I need a tenant ID to provide any support. The problem is, I can't actually login to see my tenant ID. Any help would be greatly appreciated.

Thanks,

Dan

mongodb on azure


Hello,
I need to ask how I can generate MongoDB on Azure cloud and remove data information for asset to this database.
Thank you

Add ADFS Server to farm


Hello,

I have set up an ADFS 3.0 single-server (2012 R2) farm and 3 Azure AD Connect installations (2 for staging) with the latest version.

Now I want to add a second ADFS Server (Windows 2019) to the farm and upgrade the ADFS-Farm to 5.0 or 4.0.

What is the best method to do this? Add the server to the farm manually (or can it be done by AADConnect) and then in-place upgrade the primary ADFS server to 2019?

Currently AADConnect is configured with the server hostname of the ADFS server. How should this be done when I have 2 nodes in the farm?

Thank you 

Regards Butters

How we can get the guest user from azure active directory


Hi Team,

We need to get the guest accounts from "Microsoft Azure Active Directory" using the Microsoft Graph API or any other method.

When I was trying to get the guest accounts I got the issue shown in the image below.

Can you please suggest a step-by-step guide on how we can get the guest users from Azure Active Directory?

Thank you in advance!!

Thanks & Regards

Deepak Chauhan


SharePoint 2010 & 2013 and Office-365 Branding and Front End Customization, UI Design

Graph API route for determining if a user has enrolled for MFA, and by what methods


We have users with Azure AD Premium (P1) licenses, and the MFA status on the account will remain Disabled (not Enabled or Enforced); rather, we will use Conditional Access policies in specific applications to require MFA to sign in.

We would like a route via the Microsoft Graph API (preferably, or through its predecessor, the Azure AD Graph API, in the meantime) that we can put into our intranet and other in-house apps of choice. Our primary use case is during a new campaign to pre-enroll many users of a particular SSO app, so our intranet could see if a user is a member of a group, then make an API call to check if the user has enrolled in MFA. If they haven't enrolled in MFA, provide a specific alert/banner that reminds them of the upcoming deadline for the app requiring MFA and a "click here" to enroll and set up MFA for their account.

Again, this is not about whether the account is enabled for MFA, but rather whether the user has gone through the enrollment process and set up their account.

As admins, we'd also like to be able to pull this data via API and perhaps show in Power BI what percentage of our users have enrolled, and by what means they have set up their primary method (text, phone call, Microsoft Authenticator app).

Thanks in advance, hoping this is possible or will be very soon. Would be great to get some better messaging internally from Microsoft Graph API on this. We also would like this for Self-Service Password Reset (SSPR) but that's a post for another day. :)

Chris

Azure SSO and Cisco call manager (CUCM)


We are testing Azure AD SSO as IdP for CUCM. CUCM is configured for a multi-server certificate (SAN) and it's currently working with Okta as IdP. The CUCM metadata contains an entityID and several URLs for the Assertion Consumer Service; these ACSs contain an index for each node in the CUCM cluster.

For authentication requests, CUCM sends the authentication request with the same entity ID but a different ACS index (depending on the node that is making the authentication request). Okta "knows" where to send the authentication token since the request contains the "reply URL" with its corresponding index. Since the Azure SSO configuration doesn't have this "index" configuration option, it always replies to the default reply URL, so authentication only works for one server. I have seen that the index option is also available in ADFS.

I don't see any option in the Azure SSO configuration to configure something like this. Do I have an option to make this work?

How to migrate a registered app from personal account to subscribed directory

I needed to start an Azure subscription so that I could get technical support, which resulted in an unexpected outcome: the application I had registered prior to subscribing is now listed under "Applications from personal account" and there appears to be no way to move it into the directory created by subscribing to Azure. How do I transfer the registered app from the "personal" account into this directory?

AzureAD Directory Sync - what happens to security groups etc.. when you disable the sync


We have a hybrid Exchange and Azure AD Connect setup and want to move fully to the cloud, removing the last on-premises Exchange server and the Azure AD Connect.

My concern is what happens to mail-enabled security groups that are currently AD-synced, and what happens to the users. Is there anything that we need to do, as we want to keep them in the cloud?

This is especially important as we have used mail-enabled security groups to secure areas of SharePoint Online.

Many thanks for any help.

Alan


Alan Hughes

Publisher Domain verification: non-standard content-type header is a problem for Node Express and other modern servers


I had previously posted about having trouble getting my domain verified for my app (to allow for OAuth without the "Unverified" stamp). Since then, the docs have been updated to explain that the content-type for the `microsoft-identity-association.json` file must *exactly* match "application/json" and that it cannot match "application/json; charset=utf-8". 

However, modern servers (like those built on Node Express) often don't even allow the use of the application/json header without the appended charset, because browsers have begun to require it for security purposes and the frameworks don't want to give programmers the option of bypassing a security feature.

So that means that I, and presumably many others, *cannot* satisfy the non-standard exact-match requirement without rather extensive workarounds, despite that requirement not making any sense by today's security standards.

Now I'm off to find a workaround, but I hope that Microsoft fixes this for future devs.


Azure AD Connect - Synchronization Service Installation fails


Hello everyone,
We have a problem installing Azure AD Connect on a Windows Server 2019. When installing the synchronization service an error occurs. This is a first-time installation on a brand new server (only AD DS, DNS and DHCP have been installed).
In the Azure AD Connect installation wizard we use the express settings. The AD DS Enterprise Admin credentials and Azure AD Global Admin credentials are correct. A service user account is successfully auto-generated during the installation.
We do not know or understand why the synchronization service installation fails.
Parts of the logs (in German) are attached...

[14:06:53.576] [ 21] [INFO ] Starting Sync Engine installation
[14:06:57.425] [ 21] [ERROR] PerformConfigurationPageViewModel: Caught exception while installing synchronization service.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.  Please see the event log for additional details. ---> System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.RemoveMembersFromLocalGroup(SecurityIdentifier groupSid, DirectoryEntry[] members)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.<>c__DisplayClass54_0.<RemoveFromLocalAdministratorsGroup>b__0()
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   bei Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   bei Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   bei Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.PerformConfigurationPageViewModel.ExecuteSyncEngineInstallCore(AADConnectResult& result)

AzureActiveDirectorySyncEngine Error: 906 : SynchronizationServiceSetupTask:InstallCore - Caught unexpected exception. Details System.DirectoryServices.AccountManagement.PrincipalServerDownException: Mit dem Server konnte keine Verbindung hergestellt werden. ---> System.DirectoryServices.Protocols.LdapException: Der LDAP-Server ist nicht verfügbar.
   bei System.DirectoryServices.Protocols.LdapConnection.Connect()
   bei System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
   bei System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   bei System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
   bei System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
   bei System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
   bei System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.GetPrincipal(Boolean isDomainController, AccountManagementAdapter localAccountManagementAdapter, AccountManagementAdapter& domainAccountManagementAdapter)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.ResolveSid(Boolean isDomainController)
   bei Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
AzureActiveDirectorySyncEngine Error: 906 : SyncServiceAccount:RemoveAccountRights - no SidString available
AzureActiveDirectorySyncEngine Information: 904 : SyncServiceAccount:RemoveFromLocalAdministratorsGroup:
AzureActiveDirectorySyncEngine Information: 904 : Starting: Removing the Sync Service account from the local Administrators group...
AzureActiveDirectorySyncEngine Error: 906 : Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
...Please help.

Azure AD B2C usage metrics


Hi. How can I see Azure AD B2C usage metrics to see how many authentication requests were made? I couldn't find it in the Azure portal.

Azure Active Directory, extension attributes and schema extension questions


Hi,

I have a task to write some custom attributes to user objects in Azure Active Directory.

As far as I know I have the "application" option, where the attribute looks like "extension_e5e29b8a85d941eab8d12162bd004528_wWWHomePage".

Details are here

https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

At the same time I can see outputs where attributes like CompanyName or something like that can be present.

And I heard that the Azure AD schema can be extended for all users, but I can't find that information on the Internet.

So I would like to hear whether it is possible to add a custom attribute to the Azure AD schema, how it can be done, and the pros and cons.

Thanks.



Process Escrow Failure when trying to Provision user to Salesforce App


Hello,

I am trying to set up provisioning with the gallery application Salesforce.

I receive a failure with the accounts I am trying to provision. The failure is Process Escrow. Details below:

Status Reason:
We are retrying an operation that previously failed. Identifier: username@comany.com Object type: User Directory: Azure Active Directory; Error: An error occured while evaluating this function: 'Replace.'. This operation was retried 1 times. It will be retried again after this date: 2019-09-21T01:08:14.2481484Z UTC

Details:

EscrowType: Default; EntryType: User; EntryIdentifier: 5a389607-30bc-4c94-9fff-8b74b9bba21d; Matching value: username@comany.com; Modification: Add; Creation time: 2019-09-20T19:08:14.2481484Z; Count processed: 1; Origin: Source; Fault: ErrorCode: MappingEvaluationFailed, ErrorSource: None, ExceptionMessage: An error occured while evaluating this function: 'Replace.', Exception: , Scope: Entry, TenantActionable: True, Transient: False;
ErrorCode: MappingEvaluationFailed
EventName: EntryEscrowRetry
JoiningProperty: username@comany.com

Azure AD Single Sign-on: Passing parameters from client to Azure for lookup or transformation within a claim / response


Background: 

I'm assessing functionality between PingFederate and Azure AD. We currently use PingFederate. Some of our clients need a 'Reference ID Adapter' (https://www.pingidentity.com/developer/en/resources/agentless-integration-kit-developers-guide.html) as a means to provide PingFederate with information that it can then use to customize claims. The customization could be as simple as a transformation, or a lookup against Active Directory for additional information.

Example: imagine an application that's used to grant users access to file containers. How this is determined is based on a claim that's returned within a SAML response. A user is a member of a group in AD which will correspond to this location (a very easy lookup). Let's say this user is a member of many groups, which in turn correspond to many containers on the site. You can easily filter the groups and submit a claim for each, but the user only wants to be granted access to a single one of the containers of their choosing. Without the user being able to pre-select what gets sent in the claim, there's no way to limit this access to a single container. How we accomplished this was to perform a first-mile/last-mile approach. The user would be authenticated, and a claim sent to a trusted third-party site that displayed all the user's pertinent groups (or possible containers). The user would then select a single container, which initiates another SSO, but also sends this group name to PingFederate to include within a claim. The result is that the final claim to the application will only contain 1 group, instead of all that meet the filter criteria. For those familiar with AWS, how would you authenticate to a single app?

Question:

Does Azure AD provide similar functionality, where a client can send parameters during the SSO process that can then be acted on for claim creation? This could be either within the initiation URL, or behind the scenes with a possible Graph call. Links to documentation detailing this would be much appreciated (I'm not having luck on my own).

Thanks!
