Channel: Azure Active Directory forum

Individual who was Global Admin left company taking the keys to the castle with him

Hello!

A former client of mine recently had their SSL certificate expire.  I was going to help them purchase and set up a new Azure App Service certificate through the portal when they dropped this bomb on me:   The only person who had credentials for their Azure portal is no longer with the company and conveniently left no information behind.  I am only a guest user in their Azure AD.  I would like to help them take back control of their Azure account if possible as their business is pretty much running from that Azure directory.

What do you guys advise?

Thanks!


Azure AD SCIM Error

Hi All,

We are building a new application which will sync users' attributes from Azure AD to an application. Here is the link for the application documentation (Building a SCIM endpoint using Microsoft CLI libraries). We have built this application on an Azure VM and opened the required port, but when we are registering the SCIM endpoint in Azure AD we get an error on the provisioning page, i.e.

1. In the Provisioning Mode menu, select Automatic.

2. In the Tenant URL field, enter the URL of the application's SCIM endpoint. Example: https://api.contoso.com/scim/

3. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional Secret Token field. If this field is left blank, Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token.

4. Select Test Connection to have Azure Active Directory attempt to connect to the SCIM endpoint.

It's failing in the Test Connection, giving the failure event code as "Invalid Credentials", but as per the documentation we are giving the tenant URL as http://<ipaddress>:9000 and leaving Secret Token blank as mentioned in step 3.

Not able to figure out whose side the error is on. Looks like Azure AD is not able to establish a connection with the application endpoint.

Let us know if someone has knowledge on this particular area. 


userinfo_endpoint content-type

Hi,

When calling the OIDC userinfo_endpoint (https://graph.microsoft.com/oidc/userinfo) with a valid access token, it returns the user info with a Content-Type = text/html, although there is a JSON document in the body. Is it the expected behaviour?

thanks

Pass-through Authentication could not be enabled due to an unexpected error.

Hi, 

I am trying to enable pass-through authentication but getting an error as -


AzureADConnect.exe Error: 0 : Passthrough authentication enable - failed. Error Your Azure AD Connect Authentication agent wasn't registered properly. Please upgrade to the latest version of Azure AD Connect or Azure AD Connect Authentication agent and retry.

--------------------------------------------------

Latest logs available at location - C:\ProgramData\Microsoft\Azure AD Connect Authentication Agent\Trace

AzureADConnectAuthenticationAgentService.exe Error: 0 : UpgradeProxyTrustSettingsLocation: Cannot start connector service since the connector is not registered.
    ThreadId=1
    DateTime=2019-09-13T07:15:14.3509966Z
AzureADConnectAuthenticationAgentService.exe Error: 0 : Unhandled exception was thrown in Main: 'System.Configuration.SettingsPropertyNotFoundException: ProxyTrustCertificateThumbprint
   at Microsoft.ApplicationProxy.Connector.Common.Runners.ServiceRunner`1.UpgradeProxyTrustSettingsLocation()
   at Microsoft.ApplicationProxy.Connector.Common.Runners.ServiceRunner`1.Run(String[] args, ITracingHelperLogger logger)'
    ThreadId=1
    DateTime=2019-09-13T07:15:14.3559969Z

------------------------------------------------

Latest logs available at location - C:\ProgramData\AADConnect\Trace

AzureADConnect.exe Information: 0 : 'IPassthroughAuthenticationService' channel recreated successfully. 
AzureADConnect.exe Error: 0 : Passthrough authentication enable - failed. Error Your Azure AD Connect Authentication agent wasn't registered properly. Please upgrade to the latest version of Azure AD Connect or Azure AD Connect Authentication agent and retry.
[12:59:39.474] [ 24] [ERROR] Unable to enable passthrough authentication. Error: Your Azure AD Connect Authentication agent wasn't registered properly. Please upgrade to the latest version of Azure AD Connect or Azure AD Connect Authentication agent and retry.
[12:59:39.474] [ 24] [ERROR] Failed to enable pass-through authentication. Error: Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Your Azure AD Connect Authentication agent wasn't registered properly. Please upgrade to the latest version of Azure AD Connect or Azure AD Connect Authentication agent and retry.
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.ConfigurePassthroughAuth`1.Execute()
[12:59:39.474] [ 24] [INFO ] Task 'Configure Passthrough Authentication' has finished execution
[12:59:39.475] [ 16] [ERROR] Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Your Azure AD Connect Authentication agent wasn't registered properly. Please upgrade to the latest version of Azure AD Connect or Azure AD Connect Authentication agent and retry. ---> Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Your Azure AD Connect Authentication agent wasn't registered properly. Please upgrade to the latest version of Azure AD Connect or Azure AD Connect Authentication agent and retry.
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.ConfigurePassthroughAuth`1.Execute()
   --- End of inner exception stack trace ---
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.ConfigurePassthroughAuth`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
Exception Data (Raw): Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskException: The task 'Configure Passthrough Authentication' has failed. ---> Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Your Azure AD Connect Authentication agent wasn't registered properly. Please upgrade to the latest version of Azure AD Connect or Azure AD Connect Authentication agent and retry. ---> Microsoft.Online.Deployment.PSModule.Utility.PassthroughAuthConfigurationException: Your Azure AD Connect Authentication agent wasn't registered properly. Please upgrade to the latest version of Azure AD Connect or Azure AD Connect Authentication agent and retry.
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.ConfigurePassthroughAuth`1.Execute()
   --- End of inner exception stack trace ---
   at Microsoft.Online.Deployment.PSModule.Tasks.PassthroughAuth.ConfigurePassthroughAuth`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
   --- End of inner exception stack trace ---
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskGroup.CheckTaskCompletion(Int32 currentTaskIndex)
[12:59:39.475] [ 16] [VERB ] Cleanup: Starting cleanup for task 'Configure Passthrough Authentication'
[12:59:39.475] [ 16] [VERB ] Task 'Configure Passthrough Authentication': No cleanup defined
[12:59:39.475] [ 16] [VERB ] Marking task 'Check Installed Components' as Skipped
[12:59:39.475] [ 16] [VERB ] Marking task 'Deploy AAD Health Agent' as Skipped
[12:59:39.475] [ 16] [VERB ] Marking task 'Deploy AAD Sync' as Skipped
[12:59:39.475] [ 16] [VERB ] Rolling back task Deploy Microsoft Azure AD Connect Authentication Agent

-------------------------------------------------------

Thanks,

Getting access token as AD B2C user in ASP .NET Core app

I have an  ASP .NET Core 2.2 web app that's using Azure AD B2C for authentication. My user flows are working correctly, users can sign up and sign on using custom flows.

My code follows this sample very closely: https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp

Issue is I keep getting unauthorized errors if I try to request an access token using the authenticated user ID and use it to make API calls.

I set up an Azure Function and it works perfectly using a web browser, redirecting to my custom sign on page for authentication and then executing correctly. But I get 401 error when trying to make an HTTP request to it using a bearer token I acquire this way: https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp/blob/6dbb7e83ddc1bdfae64e94292f0e400c88b93de7/WebApp-OpenIDConnect-DotNet/Controllers/HomeController.cs#L57

Any ideas?

401 Unauthorized Error on AAD/AAG protected App Service

I have an App Service protected with AAD Authentication blade.  There is an AAG url also for this.

Connecting using Client Credentials, I am able to get Token, but cannot access service with the token.  It is throwing 401 Unauthorized error.

However the same app service works correctly in Non-AAG environments.

How to fix this error?

How can I get detailed information on this error?

Please advise.

Failed to login AAD seeing PAM: System error

Hello,

When I tried to log in to an Azure Ubuntu (version 18) VM using my AAD login, it's failing and after a long time it prompts for a password. I logged in to the same machine without AAD and found the following error in the server auth log file.

Oct  4 04:41:22 vm-name sshd[4222]: Connection closed by authenticating user name@company.com 10.x.x.x port 58950 [preauth]

Oct  4 04:48:10 vm-name sshd[8606]: pam_aad(sshd:auth): Version: 1.0.008500001; CorrelationId: 1180824b-ddef-48ec-acec
Oct  4 04:50:20 vm-name sshd[8606]: pam_aad(sshd:auth): CURL: Failed to call https://management.azure.com/metadata/endpoints?api-version=2017-12-01 (7)
Oct  4 04:50:20 vm-name sshd[8604]: error: PAM: System error for name@company.com from 10.x.x.x
Oct  4 04:53:13 vm-name sshd[8604]: Connection closed by authenticating user name@company.com 10.1.1.4 port 33328 [preauth]

The VM shell is not showing the https://microsoft.com/devicelogin prompt.

Regards

Weird issue while syncing AD to an external application

Dear all,

We have an Azure AD with different groups and users coming from different cross domains

What is happening is when we try to sync the AD into an external application, we suddenly have a group which is added as a nested group of another group, but in fact when I browse my AD those 2 groups do not have any relation.

Has anyone met this behaviour, and how can I isolate the issue?

Thanks for help

regards

serge


How can I migrate my traditional Active Directory to Azure AD?

Hey guys,

I have a 2008R2 DC and 2016 ADC, I want to get rid of them and switch to azure active directory completely. I want to hear your experience for this issue. Where should I start and do you think I can implement it? How can I do it the shortest and easiest way?

There are about 50 users in the company,  we use Office 365 E3 and Azure VM. I can implement our ERP software to azure ad.

What do you suggest?

Thank you.

Firat

Regarding WS-Fed and SAML

Hi,

We have a customer using ADFS 3.0 (configured in a Windows server environment). For the Single Sign On we implemented the WS-Fed protocol in our .NET web application.
We have another client that wants to use SAML (in an Azure SSO environment) and not WS-Fed.

Questions:
Is WS-Fed not going to work with Azure SSO in the near future?
Is it possible to write code such that the web application can support both SAML and WS-Fed in Windows/Azure?

Thanks,
Sunil

Connect local SCCM to Microsoft Store for Education

Hello-

 I am trying to connect our local SCCM to our education store to push out apps.  I've followed the instructions to create an Azure service in SCCM, logged in and that part seems to work.  The next step of adding the app in the store as a management tool does not, the tool I created in SCCM does not appear.  I also don't know where in Azure I would look to see if the tool was created correctly.  Anyone have any insight into what I might need to do to make this work?  Thanks.

-Rich

Self Service Password Writeback Issue

If anyone has seen this before, please help.  I'm sure it's something simple I'm overlooking.

Current Config: On-premise domain (AD Users & Computers -> Azure AD Connect Server -> Azure Active Directory -> Office 365)

  • Azure AD Connect is provisioned to sync a select test OU and the optional features (Password hash sync and Password writeback) are enabled.
  • Synchronization is successful
  • Test users in sync'd OU are assigned correct Azure Premium License for password writeback
  • Azure AD portal shows the message "Your on-premises writeback client is up and running."

Here's the issue: logged into an Office 365 test user account, go to Settings -> Change password -> enter the old password and the new password twice, and I get the message "Make sure your entry is correct". I'm absolutely positive that the old password is correct and that the new password meets all password requirements. I've tried this with several test accounts, all with different profiles and passwords. They all have the same results.

Any help would be greatly appreciated!



Can't remove custom login branding after Azure AD Premium trial expires
Title. I had a Premium P2 Trial and I applied custom branding, but since then our logo has changed, so I would like the branding removed at the least or changed if I can. Thanks in advance!

Windows 10- Encountered an error enrolling your device

We see this error when a user signs into the Outlook desktop app on Windows 10 for the first time.  They still get logged in but the Work account doesn't get added to the computer and they need to sign into every office app individually.  We see the same error when we try to add the Work account through the Settings screen. 

I gave the user an Intune license and then the error went away but why?  I don't want to manage the device in Intune.  Currently our goal is to manage only company owned Android devices with Intune MDM and Personal Android devices with MAM.  We use group policy to manage Windows devices currently.

What do I need to check to make sure the user can add their work account to the computer without an Intune license?

We have modern authentication enabled as well as AD Connect Sync.

Failed-Search Ad Connect

Hello,

We are getting this error 0x55 "failed search" error from time to time on our AD Connect servers. I contacted Microsoft support and they told me it's a network issue. I am able to reach the DC. This happens at different times of the day and it will be down for hours. Has anyone encountered this? Does anyone know how to turn on verbose logging for AD Connect?

Thanks


Guest accounts and time bounded access
Guys, I'm confused around guest account access. I wish to allow 3rd parties time-bound access to our SaaS apps for support. For example, I'd like to enable a 3rd party via their email joe.bloggs@gmail.com and enable this access to a single SaaS application for 24 hrs. Is this possible natively without some complex scripting externally?

AzureAD Recycle Bin - Users and Groups

Guys, does the recycle bin apply to both users and groups (assuming it's enabled)? For example:

  1. If a group is deleted in Azure AD, does it go to the bin? I know users do.
  2. If a user/group sync from on-premise AD goes out of scope of sync, does it go to the bin?
  3. If an item is restored from the bin, does it also restore assignments like group memberships, app assignments etc.? 

AD FS Certificate Rollover - NextTokenSigningCertificate still listed under Office 365 after failed rollover

Our AD FS certificate was set to autorenew at 50 days before expiry, then roll over 10 days later

This didn't auto-rollover in Office 365 as I understand that starts checking at 30 days for a new certificate.

We set the rollover to manual, updated the certificate, forced O365 to use the new certificate, which allowed people to authenticate.

However, when I now check the certificates, there is no NextTokenSigningCertificate listed under AD FS, but there is still a NextTokenSigningCertificate listed in Office 365 - which expires before the current token signing certificate.

If I set this back to autorollover, will Office 365 try to use the NextTokenSigningCertificate it has listed? Can I remove this?

Secondly, if I change the autorenew at 50 days before expiry, then roll over 21 days later, would this then give Office 365 time to start checking for a new signing certificate (at 30 days), account for any delay by giving it the extra day before rolling over? 

And will it then renew the NextTokenSigningCertificate I see in AD FS under Office 365?
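As an added worked check (not part of the post), the timeline the poster describes, modelled in Python: the 30-day Office 365 polling start is the poster's own understanding and is taken here as an assumption, the expiry date is constructed, and the two thresholds correspond to the AD FS CertificateGenerationThreshold and CertificatePromotionThreshold properties.

```python
from datetime import date, timedelta

# Added example, not from the forum post. Under the poster's assumption that
# Office 365 only starts looking for a new token-signing certificate 30 days
# before expiry, Office 365 can only record the "next" certificate while it is
# already published in AD FS metadata but not yet promoted to primary.


def rollover_timeline(expiry, generation_days, promotion_days, check_days=30):
    """Key dates of one AD FS auto-rollover and how many days Office 365 has
    to pick up the next signing certificate before AD FS promotes it."""
    generated = expiry - timedelta(days=generation_days)   # next cert published
    promoted = generated + timedelta(days=promotion_days)  # next cert made primary
    poll_start = expiry - timedelta(days=check_days)       # O365 begins checking
    # The usable window starts when both conditions hold and ends at promotion.
    window_start = max(generated, poll_start)
    days_available = (promoted - window_start).days
    return {
        "generated": generated,
        "promoted": promoted,
        "poll_start": poll_start,
        "days_available": max(days_available, 0),
        "o365_sees_next_cert": days_available > 0,
    }


def minimum_promotion_days(generation_days, margin_days, check_days=30):
    """Smallest promotion threshold that leaves margin_days of polling window."""
    return generation_days - check_days + margin_days


if __name__ == "__main__":
    expiry = date(2020, 3, 1)  # constructed expiry date
    for gen, promo in ((50, 10), (50, 21)):
        t = rollover_timeline(expiry, gen, promo)
        print(f"generate at -{gen}d, promote {promo}d later: "
              f"O365 window {t['days_available']} day(s), "
              f"sees next cert: {t['o365_sees_next_cert']}")
    print("promotion threshold for a 1-day margin:", minimum_promotion_days(50, 1))
```

With the original 50/10 settings the next certificate is already primary ten days before Office 365 would start polling, which matches the failed rollover; 50/21 leaves exactly the one-day window the poster reasons about.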


AB2C Custom Policy
Is there any way to use a custom policy and a user flow (built-in policy) in the same AD B2C tenant?

How to join a local servers to AADDS
We've set up an AADDS and a site-to-site VPN connection. Unable to join a server to AADDS.