Azure AD / Join Restrictions
AAD authentication is not successful
Hi
I have a Power BI report which uses Analysis Services (Azure based), for which I need to authenticate to connect to the data source. When I choose OAuth2 and Organizational, the AAD popup window opens, and when I select my ID it says:
Sorry, but we’re having trouble signing you in.
AADSTS90015: Requested query string is too long.
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
Can somebody help me on this?
It's not only for this source but for most of the sources, whenever AAD auth is required.
thanks
sai
sakusuma
Wish list: Could Azure portal show the kind of account I am logged in with
When I log into Partner Centre with my work account I can see the dogtag icon on my profile.
However, when I log in to portal.azure.com with my work account I just see a user icon on my profile.
It would be great if the portal.azure.com icon displayed the dogtag, similar to the way Partner Centre works.
Upgraded 1.2.70.0 to 1.4.18.0 sets DesktopSsoEnabled to false
Hi Microsoft and/or others,
Is it known to you that when an Azure AD Connect setup on 1.2.70.0 with S3O and PTA enabled is upgraded to 1.4.18.0, the setting DesktopSsoEnabled in the Azure AD Connect configuration is reverted to false?
The actual S3O was not disabled, only the setting in the configuration export of Azure AD Connect.
I have the pre and post update configuration files if needed.
New policy button in Conditional Access is grayed out
Hi, I am trying out Azure Cloud on the administration side of it. One of the main concerns here in my company is authentication.
I set out to try this on my own, signed up for a pay-as-you-go subscription, and activated AD Premium P2 to get a glimpse of the Conditional Access settings.
I get to the Azure Active Directory blade > Conditional Access, but the New policy button is grayed out. Underneath it there is a banner that points to activating the Premium P2 trial (but I just did, and Azure wouldn't let me do it again).
Anything I should do to create a new policy and check on how CA is used? Your advice would be very much appreciated.
Azure AD compliance
Hi
Would someone be able to explain to me why, when a device is registered within Azure AD, it creates two instances of this device?
See below.
Why are 2 instances of the device required and what is the difference between each?
Name | Enabled | OS | Version | Join type | Owner | MDM | Compliant | Registered | Activity
machinename1 | Yes | Windows | ip address | Azure AD registered | dan jones | None | N/A | 3/11/2019, 12:35:56 PM | 5/9/2019, 8:29:20 AM
machinename2 | Yes | Windows 10 Enterprise | ip address | Hybrid Azure AD joined | N/A | None | N/A | 3/11/2019, 1:26:44 PM | 10/3/2019, 9:43:01 AM
On premises Windows Server and Windows 10 joined to Azure AD DS [via VPN]?
Hi,
Sometimes an on-premises Windows Server is necessary, which often requires AD DS. Having on-premises AD DS is relatively complex.
Windows Server can't join Azure AD (only via hybrid Azure AD join).
Is there a way round this?
- Set up Azure AD.
- Set up Azure AD DS.
- Set up an Azure Windows Server VM that is joined to Azure AD DS.
- Now make this Azure Windows Server VM a VPN server (RRAS | Always On | SSTP).
- Connect the on-premises Windows Server and Windows 10 machines to this VPN; from there, join them to Azure AD DS.
- Now you have the benefits of on-premises AD DS, but without needing an on-premises domain controller.
It would look like this:
Here's the same graphic, but showing the Internet and Internet router:
Is this possible? Anyone tried?
userinfo_endpoint content-type
Hi,
When calling the OIDC userinfo_endpoint (https://graph.microsoft.com/oidc/userinfo) with a valid access token, it returns the user info with Content-Type = text/html, although there is a JSON document in the body. Is this the expected behaviour?
thanks
Conditional Access - allow Word, Excel and Powerpoint but not Outlook from non-domain device
Hi, I have recently inherited our Azure / Office 365 rights management from a colleague who left the company. We have set up a Conditional Access policy that allows access with client applications only from Hybrid AD joined devices. For non-domain devices there is only Web access.
Now I'm confronted with the request in the subject. So, we would like to allow Microsoft Excel on a personal Windows computer to sign in to Office 365 and open a file from our Sharepoint Online, but we would NOT like to allow Microsoft Outlook on a personal Windows computer to sign in to Office 365 and open our corporate mailbox.
It seems to me that this is simply not possible. Is that right, or did I overlook something?
Azure AD Connect fails to synchronize groups memberships
Hi, I have installed Azure AD Connect on a Windows Server 2012 computer to synchronize with an Azure AD instance (using password hashes). I have filtered the synchronization to apply to a custom OU only. The user accounts synchronize fine, the groups synchronize as well, only they are empty in Azure as the group memberships fail to synchronize.
In the Synchronization Service Manager I can see completed-discovery-errors on the Delta Import operation: for each group to synchronize there is a Discovery Error of type reference-value-not-ldap-conformant on the member attribute.
The IdFix utility does not suggest any fix.
Any suggestion?
Azure AD PowerShell - OData filter for deviceId
Hi everyone,
I am trying to get a device by the deviceId, not by the objectId, via the AzureAD PowerShell module. The reason is simple: I don't have the objectId, I only have the deviceId. I tried it with:
Get-AzureADDevice -Filter "deviceId eq 'device-id-example-000-123456'"
But I got that error:
Get-AzureADDevice : Error occurred while executing GetDevices Code: Request_BadRequest Message: A binary operator with incompatible types was detected. Found operand types 'Edm.Guid' and 'Edm.String' for operator kind 'Equal'.
Ok, I thought I should cast the deviceId to string, but:
Get-AzureADDevice -Filter "cast(deviceId, Edm.String) eq 'device-id-example-000-123456'"
Get-AzureADDevice : Error occurred while executing GetDevices Code: Request_BadRequest Message: The child type 'Edm.String' in a cast was not an entity type. Casts can only be performed on entity types
I am not very familiar with OData queries, so is there a way to build the filter so that I can get a device with the deviceId? I want to use the OData filter unless the OData implementation simply doesn't allow it.
I am aware that a workaround would be to simply use a where clause:
Get-AzureADDevice -All $true | Where-Object { $_.DeviceId -eq "device-id-example-000-123456" }
But this way it is super slow if I have to work with a list of device IDs. Of course there is another way to handle this, getting all devices into an array and then searching through the array, but that is another workaround.
So if anyone can help me with the correct OData syntax it would be highly appreciated.
Thank you very much!
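The first error message already gives the answer: deviceId is typed Edm.Guid in Azure AD Graph (the API behind the AzureAD module), and Azure AD Graph uses OData v3 syntax, in which a GUID literal is written as guid'...' rather than as a quoted string. The PowerShell below is an added example, not code from the post, showing a server-side filter built that way, with GUID validation so that an arbitrary string is never spliced into the query, and a batch lookup for a list of device IDs. The function names and the sample GUIDs are my own constructed placeholders.

```powershell
# Added example (not from the post): look up Azure AD devices by deviceId with a
# server-side OData filter instead of pulling every device and filtering client-side.
# deviceId is Edm.Guid in Azure AD Graph, so the OData v3 literal form guid'...' is required.

function New-DeviceIdFilter {
    param([Parameter(Mandatory)][string]$DeviceId)
    # The value is embedded in a query string, so accept only a well-formed GUID.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($DeviceId, [ref]$guid)) {
        throw "Not a GUID: '$DeviceId'"
    }
    # Edm.Guid literal: guid'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    "deviceId eq guid'$($guid.ToString())'"
}

function Get-DeviceByDeviceId {
    param([Parameter(Mandatory)][string]$DeviceId)
    Get-AzureADDevice -Filter (New-DeviceIdFilter -DeviceId $DeviceId)
}

# One request per ID: still far cheaper than Get-AzureADDevice -All $true for a long list,
# because the filtering happens in the service and only matching objects come back.
function Get-DevicesByDeviceId {
    param([Parameter(Mandatory)][string[]]$DeviceIds)
    foreach ($id in $DeviceIds) {
        $device = Get-DeviceByDeviceId -DeviceId $id
        if ($null -eq $device) {
            Write-Warning "No device with deviceId $id"
        } else {
            $device
        }
    }
}

# Usage. The GUIDs below are constructed placeholders; replace them with real device IDs.
Connect-AzureAD | Out-Null
$ids = @(
    '11111111-2222-3333-4444-555555555555',
    '66666666-7777-8888-9999-aaaaaaaaaaaa'
)
Get-DevicesByDeviceId -DeviceIds $ids |
    Select-Object DisplayName, DeviceId, ObjectId, DeviceTrustType
```

If the tenant is queried through the Microsoft Graph PowerShell SDK instead, deviceId is a plain string there, so Get-MgDevice -Filter "deviceId eq '<guid>'" works without the guid'...' prefix; the input validation above is still worth keeping in that case.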
Add Existing Microsoft Account User to Azure Active Directory
How can we validate JWT signature in Angular 6
Azure B2C Custom policy Error
Working on an account linking custom policy. Added MSA as an identity provider. After logging into the local account, it fails to connect to MSA with the error:
AADB2C90289: We encountered an error connecting to the identity provider. Please try again later.
Correlation ID: 68e466ea-c62c-4d26-ad48-b9fe68ecd058
Timestamp: 2019-06-26 19:41:41Z
:server_error
In other instance while running policy from Portal receiving:
invalid_request: The provided value for the input parameter 'redirect_uri' is not valid. The expected value is a URI which matches a redirect URI registered for this client application.
How do you set up the redirect URI?
Azure AD Risky Sign-ins Leaked Credentials
Cookie based OpenId authentication
Dear All,
We have an ASP.NET 4.6 and an ASP.NET Core application integrated with Azure AD for authentication. We are using cookie-based OpenID authentication.
Our Requirement is
- Entry forms are time-consuming, so users will be entering data in the form for at least 3-4 hours before they submit it.
- Users should not be asked to log in again unless they log out manually in the application.
Please let us know how we can achieve this.
Thanks,
Selvakumar Rathinam
Change #EXT# affix for guest users
Hi!
As you know, all guest users have #EXT# in their UPN.
Now we have an application where we have to use the UPN as the username for SSO with an "enterprise application".
But this application forbids hashtags in usernames.
Is there any way to change this #EXT# or to remove it from the UPN by default? I know I can change it with Set-AzureADUser -UserPrincipalName, but I don't want to change it later; I want to create guests directly without it.
Best,
Robin
Azure AD B2c - Custom Policy claims
I've been trying to configure my Azure AD B2C to use custom policies.
I managed to make it work by following this link:
The problem I have is:
The "oid" claim returned when I authenticate with a Microsoft Account is the Object ID created for the user in my B2C directory. I need to add a claim with the object ID from the original tenant. Any help on how I could do that?
Azure Active Directory CA Policy on IMAP
Azure B2C Blazor and how to handle different events in the custom application after signup with Azure B2C
Hello,
I need some guidance on how to have Azure B2C redirect to a custom URL in my Blazor application so that I can do additional processing, i.e. creating a newly signed-up user in my custom repository.
Thanks