Channel: Azure Active Directory forum

Using B2C for Gov applications in Canada?


Hi,

Based on the B2C docs, it looks like B2C data is hosted in the US, Europe and China. Does this mean that if I want to use B2C, say in Canada, my data will be hosted in one of those 3 locations only? Are you aware of any near-term plans to make B2C storage available in other countries?

Thanks


Joining Windows to Azure AD through PowerShell


There's a surprising lack of examples or articles on this. Any articles I do find are about authenticating against Azure AD. I'm getting the feeling it isn't possible, but I want to confirm. I want to join PCs to an Azure AD domain via PowerShell/C#. Is this possible?

I am aware of joining via the Windows Configuration Designer. While this is nice, it's not nearly as flexible as it needs to be (plus it requires a physical flash drive and a not fully unattended setup).


Azure Active Directory, extension attributes and schema extension questions


Hi,

I have a task to write some custom attributes to user objects in Azure Active Directory.

As far as I know, I have the "application" option, where the attribute looks like "extension_e5e29b8a85d941eab8d12162bd004528_wWWHomePage".

Details are here

https://docs.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0

At the same time, I can see outputs where attributes like CompanyName or something like that can be present.

And I heard that the Azure AD schema can be extended for all users, but I can't find that information on the Internet.

So I would like to hear whether it is possible to add a custom attribute to the Azure AD schema, how it can be done, and the pros and cons.

Thanks.
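The two Graph mechanisms behind the question, as an added example that is not part of the original post: a directory (application) extension property, which is what produces names of the form extension_<appId without dashes>_<attribute> like the one quoted above, and a schema extension, which defines a named group of typed properties. The code builds the Microsoft Graph requests and derives the attribute name from the owning application's appId; the appId, user id and attribute values are constructed sample data, and the send() helper needs a real bearer token (Directory.ReadWrite.All, plus Application.ReadWrite.All for the application endpoint) and is not exercised offline. Two caveats a practitioner wants: a directory extension lives and dies with its owning application, so deleting that app registration deletes the values on every user, and extension values are readable by any app with user read permission, so they are not a place for secrets.

```python
"""Custom attributes on Azure AD users via Microsoft Graph: the two extension mechanisms."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def directory_extension_name(app_id: str, attribute: str) -> str:
    """Name Azure AD assigns to a directory (application) extension property:
    extension_<appId without dashes>_<attribute>. app_id is the application's appId (client ID)."""
    return f"extension_{app_id.replace('-', '')}_{attribute}"


def create_directory_extension_request(app_object_id: str, attribute: str,
                                       data_type: str = "String",
                                       target_objects=("User",)) -> tuple:
    """POST /applications/{objectId}/extensionProperties registers the attribute on the owning
    application. If that application is deleted, the attribute and all its values go with it."""
    body = {"name": attribute, "dataType": data_type, "targetObjects": list(target_objects)}
    return "POST", f"{GRAPH}/applications/{app_object_id}/extensionProperties", body


def set_directory_extension_request(user_id: str, app_id: str, attribute: str, value) -> tuple:
    """PATCH /users/{id} writes the value; Graph only accepts the fully qualified extension name."""
    body = {directory_extension_name(app_id, attribute): value}
    return "PATCH", f"{GRAPH}/users/{user_id}", body


def create_schema_extension_request(ext_id: str, description: str, properties: dict,
                                    target_types=("User",)) -> tuple:
    """POST /schemaExtensions defines a named, typed group of properties usable on several resource
    types. Without a verified-domain prefix, Graph returns the id as ext<8 random chars>_<ext_id>;
    that returned id is the property name you then write under on /users/{id}."""
    body = {
        "id": ext_id,
        "description": description,
        "targetTypes": list(target_types),
        "properties": [{"name": n, "type": t} for n, t in properties.items()],
    }
    return "POST", f"{GRAPH}/schemaExtensions", body


def read_directory_extension(user_json: dict, app_id: str, attribute: str):
    """Pull an extension value out of a user object as returned by GET /users/{id}?$select=...;
    returns None when the attribute was never set (Graph omits unset extension properties)."""
    return user_json.get(directory_extension_name(app_id, attribute))


def send(request: tuple, access_token: str) -> dict:
    """Execute one of the request tuples above with a bearer token. Not called by the offline demo."""
    method, url, body = request
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Constructed sample values; the appId matches the one embedded in the question's attribute name.
    app_id = "e5e29b8a-85d9-41ea-b8d1-2162bd004528"
    print(directory_extension_name(app_id, "wWWHomePage"))
    method, url, body = set_directory_extension_request("user-object-id", app_id, "wWWHomePage",
                                                        "https://intranet.example")
    print(method, url, json.dumps(body))
    print(create_schema_extension_request("hrProfile", "HR fields",
                                          {"costCenter": "String", "startDate": "DateTime"}))
```

Directory extensions can also be populated from on-premises AD by Azure AD Connect's directory extension feature, which is the usual answer when the value already exists in the local directory; schema extensions cannot, but they are not tied to a single application's lifetime.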



Create an Azure Active Directory programmatically


Is there any provision to create an Azure Active Directory programmatically by using an SDK or API or even PowerShell?

I had tried PowerShell, the Graph API and the management SDK, but I was unsuccessful.

Please provide some resolution for this.

Alert: MFA not enabled on accounts with owner permissions on your subscription


Hi,

I'm getting this recommendation for "MFA not enabled on accounts with owner permissions on your subscription" in Azure Security Center.

Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-identity-access#recommendations

MFA should be enabled on accounts with owner permissions on your subscription: Enable Multi-Factor Authentication (MFA) for all subscription accounts with administrator privileges to prevent a breach of accounts or resources.

However, the user is already triggered under the Azure baseline policies for Global Admin.

Q1. Is there any specific Conditional Access policy we need to enable to trigger for an Azure subscription, i.e. owner or co-administrator? Any specific action to be taken?

Q2. In a Conditional Access policy, if the user is a Global Admin, will he automatically be triggered for MFA irrespective of any application he accesses from Azure?

How can azure function generate a bearer token for running a vm run command via rest api


Hi,

I wish a VM run command to be run remotely. However, the desired scenario is that an Azure Function should trigger the API. How can I create a bearer authorization inside an Azure Function? Any help is appreciated.
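The way a practitioner would do this, as an added example that is not part of the original post: give the Function App a managed identity, ask the Functions host's local identity endpoint for a token scoped to https://management.azure.com/, and send that as the bearer token on the Compute runCommand call. No client secret is stored in app settings, and the identity only needs a role assignment on the target VM. The environment variables used are the ones the Functions host sets for managed identity (IDENTITY_ENDPOINT/IDENTITY_HEADER on current hosts, MSI_ENDPOINT/MSI_SECRET on older ones); the subscription, resource group and VM name in the demo are constructed placeholders, and the two functions that do real HTTP are not exercised offline.

```python
"""Azure Function -> VM Run Command with a managed identity (no client secret in app settings)."""
import json
import os
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"


def msi_token_request(env=None, resource: str = ARM + "/") -> tuple:
    """Build the local token request the Functions host answers for the function's managed identity.
    Newer hosts expose IDENTITY_ENDPOINT/IDENTITY_HEADER (api-version 2019-08-01); older ones
    MSI_ENDPOINT/MSI_SECRET (2017-09-01). The endpoint is only reachable from inside the sandbox."""
    env = os.environ if env is None else env
    if "IDENTITY_ENDPOINT" in env:
        url = f"{env['IDENTITY_ENDPOINT']}?api-version=2019-08-01&resource={urllib.parse.quote(resource, safe='')}"
        return url, {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    if "MSI_ENDPOINT" in env:
        url = f"{env['MSI_ENDPOINT']}?api-version=2017-09-01&resource={urllib.parse.quote(resource, safe='')}"
        return url, {"Secret": env["MSI_SECRET"]}
    raise RuntimeError("no managed identity endpoint: enable the system-assigned identity on the function app")


def get_msi_token() -> str:
    """Fetch the bearer token; the JSON reply carries access_token and expires_on (cache by expires_on)."""
    url, headers = msi_token_request()
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)["access_token"]


def run_command_request(subscription_id: str, resource_group: str, vm_name: str, token: str,
                        script_lines, command_id: str = "RunPowerShellScript",
                        api_version: str = "2019-03-01") -> tuple:
    """Build POST .../virtualMachines/{vm}/runCommand. The identity needs
    Microsoft.Compute/virtualMachines/runCommand/action (Virtual Machine Contributor includes it).
    The script runs as SYSTEM/root inside the VM, so treat that permission as VM admin and scope the
    role assignment to the VM, not the subscription."""
    q = urllib.parse.quote
    url = (f"{ARM}/subscriptions/{q(subscription_id)}/resourceGroups/{q(resource_group)}"
           f"/providers/Microsoft.Compute/virtualMachines/{q(vm_name)}/runCommand?api-version={api_version}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"commandId": command_id, "script": list(script_lines)}
    return url, headers, body


def run_command(subscription_id: str, resource_group: str, vm_name: str, script_lines) -> str:
    """Submit the command. ARM answers 202 Accepted; the output is fetched later from the
    Azure-AsyncOperation URL, which this returns for polling."""
    url, headers, body = run_command_request(subscription_id, resource_group, vm_name,
                                             get_msi_token(), script_lines)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Azure-AsyncOperation", "")


if __name__ == "__main__":
    # Constructed placeholders; a real function would read these from app settings.
    url, headers, body = run_command_request("00000000-0000-0000-0000-000000000000", "rg-demo",
                                             "vm-demo", "<token>", ["hostname", "Get-Date"])
    print(url)
    print(json.dumps(body))
```

The token request never leaves the sandbox and the token it returns is bound to the function's identity, which is the property that makes this safer than an application secret: there is nothing to rotate or leak from configuration, and access is revoked by removing the role assignment.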

Azure AD Join Error: 80192ee2


I have a few computers behaving in the same fashion and looking for some help.

When I try to join a computer via Azure AD - I get the following error:

Server error code: 80192ee2
Correlation ID: not available
Server Message: not available

I can't seem to find any information about this error. However, I learned that if I disable the geo-filtering in our company firewall it will join the domain no problem.

So the question is: how can I determine which country needs to be whitelisted to alleviate this problem?

Unable to open my app from office 365. getting Undefined Sign-On URL for application error


I'm integrating Azure AD login authentication into my web app. I have created an account in the Azure development portal and registered my app as a web app. In the app registration settings, I have provided the redirect URL like below:

redirect URL: https://mdb-dev-ext.xyzcde.com/my.dashboard/azureLogin.html?

In my Java web app, I have implemented the logic to acquire Azure's token at the above-mentioned endpoint (azureLogin.html). I have used the ADAL Java library to implement the code logic below:

import java.net.URI;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;

  private AuthenticationResult acquireTokenByAuthorizationCode(String authCode) {
    // Authority: the ADAL4J samples pass the tenant authority (https://login.microsoftonline.com/{tenant}/)
    // and let the library build the token endpoint; the default below keeps the value as originally posted.
    String authority = System.getProperty("dashboard.azure.authority.url", "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxx/oauth2/token");
    String clientId = System.getProperty("dashboard.azure.client.id", "xxxxxxxxxxxxxxxxxxxxxxxxx");
    String clientSecret = System.getProperty("dashboard.azure.client.secret", "xxxxxxxxxxxxxxxxxxxxxxxxxxxx");
    // Must match the Reply URL registered in the portal byte-for-byte (including the trailing "?").
    String redirectUrl = System.getProperty("dashboard.azure.redirect.uri", "https://mdb-dev-ext.xyzcde.com/my.dashboard/azureLogin.html?");
    AuthenticationResult result = null;
    ExecutorService service = Executors.newFixedThreadPool(1);
    try {
      AuthenticationContext context = new AuthenticationContext(authority, false, service);
      ClientCredential credential = new ClientCredential(clientId, clientSecret);
      // Confidential-client code redemption: authorization code + client secret -> tokens.
      Future<AuthenticationResult> future = context.acquireTokenByAuthorizationCode(authCode, URI.create(redirectUrl), credential, null);
      result = future.get();
    } catch (Exception e) {
      LOGGER.error("Error occurred while acquiring token from Azure {}", e.getMessage());
      // The original threw a checked Exception from a method that does not declare it (does not compile);
      // an unchecked exception keeps the intent.
      throw new IllegalStateException(String.format("Error occurred while acquiring token from Azure. %s", e.getMessage()), e);
    } finally {
      service.shutdown(); // the original never released the thread pool
    }
    return result;
  }

Note: I have not provided a value for "home page URL"; I believe this is not mandatory.

Now while doing the following steps I'm facing the error:

Login to portal.office.com

Sign in with my account credentials

After landing on the Office 365 home page, I can see my web app's icon listed

On clicking my web app's icon/button, I'm getting redirected and finally it throws the error below. There are no log updates in my web app's server log; I'm sure that this has not reached my web app.

"You cannot access this application because it has been misconfigured. Contact your IT department and include the following information:
Undefined Sign-On URL for application"

If I provide my web app's login URL for the home page URL field like below,

home page URL: https://mdb-dev-ext.xyzcde.com/my.dashboard

then while trying to open my app from Office 365, it opens my web app's login page (where it will prompt to enter the application's DB username & password). This is not what I'm looking for.

What I want to achieve is: login to Office 365 -> click my web app button -> the redirect URL mentioned in the Azure portal during my app registration should load -> which will eventually call the code logic written in my web app to acquire the Azure token and log in to my app with the Azure-returned token stored in session.

Please let me know what I'm missing here. Why am I getting this "Undefined Sign-On URL for application" error?


Password Protect DC Agent on 2012 R2 servers not working


I'm trying to roll this out in our infrastructure, which is a single forest set up using an AD hybrid config.  I've got a mix of 2012 R2/2016 DCs and have just started replacing some of the 2012s with 2019 (about 2 so far).  On the 2016 servers I install the DC agent and everything appears to go okay.  On my proxy server I run the Get-AzureADPasswordProtectionDCAgent command and I can see that the servers showing the AzureTenant are most of my 2016 servers.  However, the 2012 DCs are almost all blank in the tenant field.  Password Policy and heartbeat UTC fields are current.  They have the correct version of the software, which is the latest general release.  Checking the logs on these DCs I see:

Admin -
The forest has not been registered with Azure. Password policies cannot be downloaded from Azure unless this is corrected.
 
 Resolution steps: an administrator must run the Register-AzureADPasswordProtectionForest cmdlet which is installed as part of the Azure AD Password Protection Proxy software.

And at the same time in the Trace log:
Event ID: 30014
ForestCertificateManager: Unable to convert forest cert at CN=90A4E8C0-9775-4099-97F2-C19267EE16BA,CN=Forest Certs,CN=Azure AD Password Protection,CN=Services,CN=Configuration,DC=xxxxxx,DC=LOCAL
and
ForestCertificateManager: Exception: System.Exception: DecryptBufferNcrypt() failed with hr=2147500037
   at ServiceCommon.Utility.ServiceCommonHelperInterop.DecryptBuffer(IntPtr hDecryptionIdentityToken, IntPtr pbData, UInt32 cbData, IntPtr& pbDecryptedData, UInt32& cbDecryptedData)
   at ServiceCommon.Utility.DPAPIHelper.Decrypt(Byte[] bytesToDecrypt)
   at Microsoft.DCAgent.BL.ServiceComponents.ForestCertificateManager.QueryAllForestCerts(DCLdapConnection dcLdapConnection)

I checked the permissions in ADSI and everything appears to be correct, all the required services are running,servers are all patched and updated, I've registered the proxy and the forest and gotten no errors.  The weirdest part is a few minutes after those warnings show up in the logs I see:
The service is now enforcing the following Azure password policy.
 Event ID 30006
 Enabled: 1
 AuditOnly: 1
 Global policy date: ‎2019‎-‎02‎-‎17T00:00:00.000000000Z
 Tenant policy date: ‎2019‎-‎08‎-‎05T15:55:22.140848600Z
 Enforce tenant policy: 1

But within 15 minutes the errors come back.  And if I enable it in the Azure AD portal and see the change in the logs, I can still use a password that violates the policy we set up, so I know it's not working correctly.





Azure AD Connect Upgrade Error couldn't load Platform.dll


Hello Everybody,

I need help with the upgrade of Azure AD Connect. After putting in my credentials as a Global Administrator, I get an error that says that the assembly \Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll couldn't load because it was not found with this name. Check the name of the assembly and repeat the process.

The further information wasn't any help.

AD Connect has run perfectly since December 2018. Because of the upgrade, the AD SyncCycle SchedulerSuspended gets flagged to true, so it can't run. I can reset it and trigger sync again, but new local AD members are not getting synchronized to Azure AD.

I use a Windows Server 2012 R2 with all updates (10/03/2019) installed. Also, the latest .NET Framework 4.8.03761 is installed.

Does anyone have an idea what I can do to resolve this? Google isn't much of a help...

Thank you!

Need to add a Windows 10 Laptop to Azure AD with no local AD.


Created a new Azure account and I'm attempting to add a Windows 10 laptop to Azure AD.  I have added a custom domain and its status is verified. I have also added the laptop to Azure AD via this:

https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-join-device-on-network

I have also added the user as a local admin to the laptop.

However, when I attempt to login to the laptop using my Azure AD Account it says the password is invalid.




Manage blade for an Enterprise Application is showing three options only


Hi All,

Two of our Azure Enterprise Applications were showing the options below until yesterday night under the Manage blade:

Properties, Owners, Users and Groups, Provisioning, Application Proxy and Self-Service.

But today I am seeing only three options; the rest are missing: Properties, Owners and Provisioning.

In the absence of Users and Groups, the owner of the applications can't add users or groups to these applications.

In spite of having Global Admin access, I can't see those missing options; the owner of these two Enterprise Applications also can't see those missing options.

None of the MS articles talk about this issue; can someone please help with how to get those options back?

Thanks,

Alok Dubey



Block Inheritance Permission on resource groups


Hi,

Trying to figure out how I can block permission inheritance. When I create a new resource group on Azure, all the inherited permissions also start flowing in.


regards

Sathya


Sathya Paul

Connect to AzureAD & powershell versions


Hi,

I need to run scripts on a server that only has PowerShell 4 and, at the moment, I cannot install PowerShell 5 because the client is afraid something on the server will be impacted.

I also need to invite guests to this Azure AD using PowerShell. What alternatives do I have to the cmdlets New-AzureADMSInvitation, Connect-AzureAD and Get-AzureADUser using PowerShell 4?

Many thanks,

JD



Provide role based access for particular application


Hi Team,

Is there a way to assign a user access to a particular application so that the particular application administrator can see and configure his own application?

I don't want to assign the Application Administrator role as it will allow the user to configure other applications as well. I need to give restricted access to an end user for a particular application, e.g. the Salesforce application.

Will making the user an Application Owner give them access to see the Provisioning tab?

Regards,

Rahul


Azure AD - MFA Unblock Fraud Alert Users without Global Admin role


Hi Team,

Is there any specific directory role for accessing the MFA authentication page in Azure AD other than the Global Admin role?

How can I unblock a user from an MFA fraud alert without the Global Admin role?

The MFA setup is cloud-only; this is not an on-premises environment.

Is it ok to change the Source Anchor with uninstall and reinstall of Azure Active Directory Connect?


A previous member of staff has already set up Azure Active Directory Connect with successful synchronisation.

However, the Source Anchor chosen is the SamAccountName. And the SamAccountName can change if a user has a name change. And there may be the duplication of a SamAccountName in the event of a member of staff leaving, and a new member of staff with the same name starting soon after.

I believe that it is advisable to use the objectGUID as the Source Anchor and we are considering changing the Source Anchor.

I understand that the Source Anchor on an instance of Azure Active Directory Connect cannot be changed. But I also know that the current instance of Azure Active Directory Connect can be uninstalled, and then a new instance installed and configured.

Would there be any issues or problems that occur if we were to uninstall our current instance of Azure Active Directory Connect where the Source Anchor is the SamAccountName, then install and configure a new instance of Azure Active Directory Connect where the Source Anchor is the objectGUID, given that we already have our Azure Active Directory populated with users?

And are there any methods, steps, etc. that I need to consider if we were to create a new instance of Azure Active Directory Connect with a different Source Anchor to help ensure a good transition of the Source Anchor?
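The check a practitioner would run before reinstalling with a different anchor, as an added example that is not part of the original post: Azure AD stores the source anchor on each synced user as ImmutableId, and a new objectGUID-anchored install will compute a different value from the one the current sAMAccountName-anchored install wrote, so the existing cloud objects will not hard-match on anchor. The code shows what objectGUID becomes as an ImmutableId (base64 of the GUID's 16 bytes in Windows byte order, which is what Azure AD Connect writes for a binary anchor and what the newer ms-DS-ConsistencyGuid anchor is filled from), the inverse for reading an existing ImmutableId back into a GUID, and a comparison over two constructed user lists. It assumes, as stated here, that a string anchor such as sAMAccountName is stored as the ImmutableId unchanged; the user records are constructed sample data standing in for an on-premises export and a Get-AzureADUser export.

```python
"""Source anchor migration check: what objectGUID becomes as an ImmutableId, compared with what
Azure AD currently holds for the same users."""
import base64
import uuid


def object_guid_to_immutable_id(object_guid: str) -> str:
    """Azure AD Connect encodes a binary anchor (objectGUID / ms-DS-ConsistencyGuid) as the base64 of
    the GUID's 16 bytes in Windows (mixed-endian) order, i.e. what .NET Guid.ToByteArray() returns;
    uuid.bytes_le is exactly that order."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_object_guid(immutable_id: str) -> str:
    """Inverse: read an existing ImmutableId back into a GUID string you can search AD for."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))


def anchor_mismatches(on_prem_users, cloud_users):
    """on_prem_users: [{'upn', 'sAMAccountName', 'objectGUID'}]; cloud_users: [{'upn', 'immutableId'}].
    Returns (upn, current ImmutableId, value an objectGUID anchor would produce) for every user whose
    cloud object would not hard-match after a reinstall with objectGUID as the anchor."""
    cloud = {u["upn"].lower(): u.get("immutableId") for u in cloud_users}
    out = []
    for u in on_prem_users:
        expected = object_guid_to_immutable_id(u["objectGUID"])
        current = cloud.get(u["upn"].lower())
        if current != expected:
            out.append((u["upn"], current, expected))
    return out


# Constructed sample data: two users whose ImmutableId is the sAMAccountName (the current anchor,
# assumed here to be stored as-is) and one already carrying the objectGUID encoding.
ON_PREM = [
    {"upn": "alice@corp.example", "sAMAccountName": "alice", "objectGUID": "12345678-9abc-def0-1234-56789abcdef0"},
    {"upn": "bob@corp.example", "sAMAccountName": "bob", "objectGUID": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"},
    {"upn": "carol@corp.example", "sAMAccountName": "carol", "objectGUID": "00000000-0000-0000-0000-000000000000"},
]
CLOUD = [
    {"upn": "alice@corp.example", "immutableId": "alice"},
    {"upn": "bob@corp.example", "immutableId": "bob"},
    {"upn": "carol@corp.example", "immutableId": "AAAAAAAAAAAAAAAAAAAAAA=="},
]

if __name__ == "__main__":
    for upn, current, expected in anchor_mismatches(ON_PREM, CLOUD):
        print(f"{upn}: ImmutableId {current!r} would need to be {expected!r}")
```

Every user the comparison reports has to be reconciled before the new instance's first sync, because an existing object with a non-matching ImmutableId is not soft-matched on UPN the way an object with an empty ImmutableId is; the output is the work list for that reconciliation.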

Running into issue during provisioning stage applying network profiles


I have five problem machines here that won't correctly apply the provisioning package that I was provided with. Five different machines, five different flash drives doing the imaging/provisioning. I've successfully imaged/provisioned loads of other machines using these same flash drives, but these five won't take the network profiles. I have a theory as to where the failure is happening, and how to resolve it. After you finish cringing at how wrong my theory is going to be, hopefully someone can help me figure out this nightmare.

I'm unable to attach any pictures, because my freshly made account has to be verified still (never got any email). As such, I'll just type out the error displayed on the screen.

"Set or change network connectivity settings - Failed"

Every other step in the provisioning process applied: enrolling in Azure, setting the device name, creating the local admin, and applying policies. Just that one last step failed, which gives me more reason to suspect what I suspect, later in the post.

Now, an error from the event logs obtained after clicking the handy dandy "Get logs" button in that picture:

ProvXML category 'Connectivity' failed with '0x80070426' at CSP node 'WiFi/Profile/CSUSA-STUDENTS/WlanXml'. No connectivity.

And finally, the theory. Is the provisioning process jumping up and down in frustration, because it's trying to apply WiFi security policies to computers without WiFi capabilities? Four of the machines exhibiting this error are old ass desktops, and they most certainly do not have WiFi radios on the mainboard. They don't have expansion card radios either, or a USB radio. They rely 100% on a hardwired connection to access the network, and as a consequence, the internet. Is a possible solution to modify the provisioning package, and remove any WiFi security policies so the package doesn't try to apply them? It can't be that simple can it? Or can it?

Azure Portal Permissions


Hi,

My user in my organization has all the permissions and is in the same groups as the other ones (the original people in the company), but they can still do some things in the portal that I cannot; for example, in Azure Active Directory --> Enterprise Applications, I cannot add a new application and they can.

Are there some super-user permissions when you're the subscription creator? Is there any way to match those permissions for a new user?

Thanks,

Xurxo

Azure AD join not allowing access to AD user


Hello,

I have a very strange behaviour at my client. He has an on-premises Active Directory, synchronized with Azure, without any issues. I've set up the GPO stuff to enable auto-registration into Intune. So for now all my on-premises joined computers, when started with an account with an Intune licence, also join the MDM and everything is fine.

The problem comes from a remote site, with no link to the on-premises AD, only a small xDSL internet connection, so we tried to join the 10-ish computers on this remote site, but with the "Hybrid Azure AD join" option from Windows 10 1903.

The join is okay, despite the internet latency, but when the computer is joined, we can only use local accounts on the computer; we can't use any of the Azure accounts, even if the computer is declared as a member of the MDM and/or declared as a "professional" computer.

I'm pretty sure I'm missing something, but I can't find it.
