Channel: Azure Active Directory forum

Issue with Azure AD join for users with first/last names containing special characters


Hi,

I'm not sure why this is not an issue for more users, but it surely is a showstopper for deploying Azure AD Join:

when a Windows 10 device is joined to Azure Active Directory, the logon process creates the user's folder in this location: c:\users (as might be expected, this becomes the %USERPROFILE% path). The folder name appears to be constructed based on the user's First name and Last name, as entered in the Azure Active Directory.

However, when the user's first name or last name in the Azure Active Directory includes non-ASCII international characters (for example šđčćž), these will be included in the folder name. Although that's not a problem by itself, it generates a range of problems for a huge number of applications typically relying on %APPDATA% to store important settings. The applications having problems include Microsoft Office, Outlook, Google Drive, MS Teams, Skype and so on, and they typically fail during either installation or startup.

The workaround is to change the First and Last name fields in Azure AD (prior to first time logon) so they contain only ASCII characters, or alternatively change the %USERPROFILE% folder name in the registry, but that's only a workaround to a bug.

Wouldn't it be logical to correct this so the logon process creates the %USERPROFILE% folder names stripped of any non-ASCII characters, as the majority Windows applications clearly do not tolerate non-ASCII characters in the user profile folder name?

Have any other users noticed this behavior?

Thanks for any feedback.
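As an added example (not code from the original post), the following audits the profile folders recorded on a Windows 10 device and shows, for each one containing non-ASCII characters, what an ASCII-only folder name would look like. It reads the standard ProfileList registry key (the value the registry workaround edits) and assumes an elevated session on the affected device; the sample names are constructed. It only reports, it does not rename anything.

```powershell
# Added example, not code from the original post. Audits the local profile list for
# folder names containing non-ASCII characters and shows an ASCII-only candidate name.
# Assumes an elevated session on the affected Windows 10 device; the sample names are constructed.

function Test-AsciiOnly {
    param([Parameter(Mandatory)][string]$Text)
    # True only when every code point is within 0x00-0x7F (so šđčćž fail the test)
    return -not ($Text -match '[^\x00-\x7F]')
}

function ConvertTo-AsciiName {
    param([Parameter(Mandatory)][string]$Name)
    # Decompose accented letters (č -> c + combining caron), then keep only the ASCII base letters.
    # Letters without a decomposition (Đ, đ) have no ASCII base and are dropped.
    $decomposed = $Name.Normalize([Text.NormalizationForm]::FormD)
    $chars = $decomposed.ToCharArray() | Where-Object {
        [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne [Globalization.UnicodeCategory]::NonSpacingMark -and
        [int]$_ -lt 128
    }
    return -join $chars
}

function Get-NonAsciiProfile {
    # ProfileImagePath is where Windows records each profile's folder (the value the registry workaround edits).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($sub in Get-ChildItem -Path $key) {
        $path = (Get-ItemProperty -Path $sub.PSPath).ProfileImagePath
        if ($path -and -not (Test-AsciiOnly $path)) {
            [pscustomobject]@{
                Sid              = $sub.PSChildName
                ProfileImagePath = $path
                AsciiCandidate   = Join-Path (Split-Path $path -Parent) (ConvertTo-AsciiName (Split-Path $path -Leaf))
            }
        }
    }
}

# Constructed sample names demonstrating the checks without touching the registry
foreach ($name in 'Ivan Horvat', 'Đurđa Šarić', 'Jörg Müller') {
    '{0,-14} ascii={1,-5} candidate={2}' -f $name, (Test-AsciiOnly $name), (ConvertTo-AsciiName $name)
}

# Live audit of this machine
Get-NonAsciiProfile | Format-Table -AutoSize
```

The candidate name is only a suggestion: letters such as Đ that have no Unicode decomposition disappear entirely ("Đurđa Šarić" becomes "ura ari"), which is why fixing the First/Last name fields before first logon, as the post suggests, is the cleaner route.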


Moving domain from One.com


Hi,

I'm trying to transfer a domain from one.com to Azure.

as part of this, One.com have asked me for my:

    IPS TAG

    Name Servers 

How do I find this info?

Add azure security group to mail enabled security group


If I create an Azure security group, I can add it to a mail-enabled security group (created via the Office 365 ECP) using PowerShell.

The mail-enabled security group is displayed in the Azure portal. However, the "Add members" button is disabled.

The group chain (mail-enabled security group -> Azure security group) propagates the Send On Behalf permission for the Azure security group.

So, my question is: if the SOB permission is propagated, why is it allowed to add the Azure group as a member only via PowerShell and not in the UI (including the Exchange admin center and the Exchange Control Panel)?

Best regards,

Dmitry Alexandrov


Unable to activate single sign on from the ADconnect


On my Active Directory I deployed single sign-on for all users but discovered it was not really working, so I decided to reconfigure it. While deploying, there is a section where I was asked to input domain administrator credentials, which I did, but I got the error "an error occurred while locating the computer account", even though the username and password are correct. Kindly assist to rectify it. Thanks.

Gmail SSO


I've followed the steps here (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial) but am unable to get SSO fully working, and am unsure if the problem is on the Azure side or the Google side.

For random users (because I haven't found any reason or any settings that stand out) they are not redirected to the MS sign-on page, while some are.

I am also getting errors provisioning, but am unable to determine what they are (except the few where the existing Gmail user can't be mapped to the Azure user; I fix these by deleting the Gmail user and letting provisioning create the user). I get the e-mail "An internal error occurred. Please contact Azure Active Directory support." and my provisioning logs do not seem to get written to, except to say that the command to restart provisioning was a success.

b2c configuration custom page & javascript redirected to wrong url


I have an Azure B2C instance with one user flow making use of "Sign up v2".

When I have JavaScript turned on, a custom IdP selection page and a custom local account signup page, the sequence fails. If JavaScript is off, or I use either of the built-in pages, it works.

The failure is that the body of the local signup page is not filled in (the email, password, etc. boxes are missing).

The most interesting thing I can find out about this is that the URLs are different in the fail case, and I cannot find an explanation for that. Specifically, in the fail case the URL is in the format:

https://<customer page host name>/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange

In the success case it goes to b2clogin with the format:

https://<tenant name>.b2clogin.com/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange

thoughts?

Azure AD / Join Restrictions

Have a few hundred devices already joined by users, want to block new requests to join new devices. If I change this setting, will it in anyway impact my current user base and devices? 

AAD Authentication is not being successful


Hi 

I have a Power BI report which uses Analysis Services (Azure-based), for which I need to authenticate to connect to the data source. When I choose OAuth2 and Organizational, the AAD popup window opens, and when I select my ID it says:

Sorry, but we’re having trouble signing you in.

AADSTS90015: Requested query string is too long.

Request Id: 1d6704a0-7bf0-4341-904f-5b39c4810c00
Correlation Id: 851ae2fd-528c-486c-8c40-014b93fc1f4d
Timestamp: 2019-10-07T04:17:23Z
Message: AADSTS90015: Requested query string is too long.
Advanced diagnostics: Disable

If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

Can somebody help me on this?

It's not only for this source but for most of the sources, whenever AAD Auth is required.

thanks

sai


sakusuma


Wish list: Could Azure portal show the kind of account I am logged in with


When I log into partner centre with my work account I can see the dogtag icon on my profile.

However, when I log in to portal.azure.com with my work account I just see a user icon on my profile.

It would be great if the portal.azure.com icon displayed the dogtag similar to the way partner centre works.

On premises Windows Server and Windows 10 joined to Azure AD DS [via VPN]?


Hi,

Sometimes, on premises Windows Server is necessary, which often requires AD DS.  Having on-premises AD DS is relatively complex.  

Windows Server can't join Azure AD (only via hybrid Azure AD join).

Is there a way round this?

  1. Setup Azure AD.
  2. Setup Azure AD DS.
  3. Setup a Azure Windows Server VM that is joined to Azure AD DS.
  4. Now make this Azure Windows Server VM a VPN server, (RRAS | Always On | SSTP)
  5. Connect on premises Windows Server and Windows 10 to this VPN; from there, join to Azure AD DS.
  6. Now, you have the benefits of on premises AD DS, but without needing an on premises domain controller

It would look like this:

Here's the same graphic, but showing the Internet and Internet router:

Is this possible? Anyone tried?


Azure AD Connect *without* single sign on or same password?


Looking to update our internal network from Win 7 Pro desktops and a 2008R2 DC to Win 10 Enterprise E3 and a Server 2016 DC. I understand we need Azure AD Connect to activate Win 10 Pro Enterprise features.

We currently have Office365 subscriptions purely for email/calendar.  Most users access via Outlook on desktop or mobile - very few use web apps, and then only rarely.

Our internal AD domain schema has been rolled over and upgraded for many years from NT4 > 2003 > 2008R2, and uses a different internal domain name to our email address, and users have different user names to their email address.

As part of the upgrade I intend to set up and migrate to a fresh internal AD schema and new usernames, and logically these should match email address/domain.  Our Office365 subscription means that MS has already set up our users in Azure AD based on email addresses anyway.

My question is if we use Azure AD Connect, is it possible to have different passwords to authenticate internally against our AD domain controller versus that used to authenticate in Office365?

Thanks!

Required End points for Azure AD (for O365) are not enabled - but they are!


Received alert from Microsoft:

The following set of end points required by the Exchange Online Services, Azure AD, and Office 365 are not enabled for the federation service:

  1. /adfs/services/trust/2005/usernamemixed
  2. /adfs/ls/

We then get an alert saying above has been resolved. Then we get the same alert again! 

Checked the ADFS servers and the mentioned endpoints are enabled on both extranet and intranet. 

These alerts from Microsoft started as soon as I disabled the below endpoints (also recommended by Microsoft):

Windows Transport endpoints (/adfs/services/trust/2005/windowstransport and /adfs/services/trust/13/windowstransport)
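As an added example (not from the original post), the following reports the intranet and extranet state of the two endpoints named in the alert and of the two Windows Transport endpoints that were disabled, using the ADFS PowerShell module on a federation server. The endpoint paths are the ones quoted above; nothing else about the environment is assumed.

```powershell
# Added example, not from the original post. Reports the state of the endpoints the Azure AD alert
# names, plus the Windows Transport endpoints that were disabled. Run on an ADFS server (ADFS module).
$requiredPaths = '/adfs/ls/', '/adfs/services/trust/2005/usernamemixed'
$legacyPaths   = '/adfs/services/trust/2005/windowstransport', '/adfs/services/trust/13/windowstransport'

function Get-EndpointState {
    param(
        [Parameter(Mandatory)][string[]]$AddressPath,
        [Parameter(Mandatory)][bool]$ShouldBeEnabled
    )
    foreach ($p in $AddressPath) {
        $ep = Get-AdfsEndpoint -AddressPath $p
        [pscustomobject]@{
            AddressPath     = $ep.AddressPath
            Intranet        = $ep.Enabled   # served directly by the federation servers
            Extranet        = $ep.Proxy     # published through the Web Application Proxy
            ShouldBeEnabled = $ShouldBeEnabled
            Matches         = ($ep.Enabled -eq $ShouldBeEnabled) -and ($ep.Proxy -eq $ShouldBeEnabled)
        }
    }
}

$report = @(Get-EndpointState -AddressPath $requiredPaths -ShouldBeEnabled $true) +
          @(Get-EndpointState -AddressPath $legacyPaths   -ShouldBeEnabled $false)
$report | Format-Table -AutoSize

# If a required endpoint shows Extranet = False, publish it again and restart the service:
# Set-AdfsEndpoint -TargetAddressPath '/adfs/ls/' -Proxy $true
# Enable-AdfsEndpoint -TargetAddressPath '/adfs/ls/'
# Restart-Service adfssrv
```

The Extranet column is the one a cloud-side check can actually observe, so a mismatch between Intranet and Extranet for a required path is the first thing to rule out; endpoint changes take effect only after the AD FS service is restarted.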


My domain users cannot log in anymore


When my domain users try to log in to my 2016 server, they get an "access denied" message.

This has been so for two days. The computer rebooted as a result of an internal error some two days ago. I don't think this is the problem.

Now when I create a new 2016 server from scratch and build it up as a domain controller, my new domain users can't log in either; they also get "access denied".

Is this a CAL licence issue? I do not know how to proceed.

MFA for Guest accounts


So I have an enterprise application set up in AAD for an on-premises app. AAD authentication works great for both my users and guest users. Outwith our locations MFA is required; again, it all works as it should. However, I have been asked if it is possible for the primary MFA authentication method for guest accounts to be set to their company email. The reasoning behind this is that these guest users work for third-party organizations. I have no visibility into these, so if a guest user leaves their organization (and then starts working for a rival) I don't know. If that guest user uses the Microsoft app then they could still get access to our application. If they have to use email, there is a very good chance that they would no longer have access to their company email and therefore could not complete MFA.

My thought is that what is being asked is not actually possible, but I would like to know if anyone has a workaround or any suggestions on how to handle this.

Powershell script to output corresponding UPN values to column B by reading Display Name value from Column in Excel


Hi team,

Please help me in writing a PowerShell script to read the "Display Name" value from column A and output the corresponding UPN value to column B in the same Excel spreadsheet. If the UPN value is "Null", return "Not Found".

I need to construct logic for reading and writing back to excel for the below command

Get-AzureADUser -Filter "DisplayName eq 'King,Jorge'" | select UserPrincipalName

Expected Output in Excel

Column A          Column B
King, Jorge       Jorge.King@contaso.com
Philip, Albert    Albert.Philip@contaso.com
Jonathan, paul    Not Found

Thanks
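One way to do this, as an added example rather than the poster's own script: it assumes the sheet has been saved as a CSV with a header row whose first column is "Display Name", that Connect-AzureAD has already been run, and that the input and output paths below are placeholders. It builds the same filter as the command above, escapes single quotes so a name like O'Brien cannot break out of the OData string, and writes "Not Found" when no user matches.

```powershell
# Added example, not the poster's code. Assumes a CSV export of the sheet with header "Display Name"
# in column A and an existing Connect-AzureAD session. The paths are placeholders.
# Column B is written as a "UPN" column in the output CSV (Excel itself is not driven here).

function Get-UpnForDisplayName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # OData string literals escape a single quote by doubling it (O'Brien -> O''Brien),
    # so a display name taken from the sheet cannot alter the filter expression.
    $escaped = $DisplayName.Trim() -replace "'", "''"
    $users = @(Get-AzureADUser -Filter "DisplayName eq '$escaped'")
    switch ($users.Count) {
        0       { 'Not Found' }
        1       { $users[0].UserPrincipalName }
        default { ($users.UserPrincipalName) -join '; ' }   # ambiguous display name: report every match
    }
}

$inputCsv  = 'C:\temp\names.csv'       # placeholder path
$outputCsv = 'C:\temp\names-upn.csv'   # placeholder path

Import-Csv -Path $inputCsv | ForEach-Object {
    $upn = Get-UpnForDisplayName -DisplayName $_.'Display Name'
    $_ | Add-Member -NotePropertyName 'UPN' -NotePropertyValue $upn -PassThru
} | Export-Csv -Path $outputCsv -NoTypeInformation -Encoding UTF8
```

The filter is an exact match, so "King,Jorge" and "King, Jorge" are different values; the Trim only removes leading and trailing whitespace, and the sheet must hold the display name as stored in the directory.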



Azure ADFS Setup - Error "We cannot federate an azure AD domain while signed in to azure AD as a user in the same domain."


Hi Support,

I've verified my domain in Azure AD as divar.com.au, created two VMs and installed Azure Active Directory Connect.

Server one is named DC1 and server two is ADFS. I am running Azure AD Connect on the DC server and I am able to go forward until the section "Select the Azure AD domain to federate with your on-premises directory".

My AD domain name is divar.com.au and the cert on the ADFS server is adfs.divar.com.au.

Not sure what's causing the issue. I've tried with a different Azure AD account with Global Administrator privileges and it made no difference.

The error message which I get is:

"We cannot federate an Azure AD domain while signed in to Azure AD as a user in the same domain. Please choose a different domain to federate or restart this wizard and provide different Azure AD global administrator credentials."

Thank you,


Hitting [AADSTS165000: Invalid Request] for Modern Auth Sign-in


Hi team,

I created a custom mobile app that signs in users with Modern Auth to access Exchange resources.

I tried to sign in an account from another tenant that blocks users from approving new apps and I got the following error:

AADSTS165000: Invalid Request: The request tokens do not match the user context. Do not copy the user context values (cookies; form fields; header) between different requests or user sessions; always maintain the ALL of the supplied values across a complete single user flow. Failure Reasons:[Token values do not match;]

Status: Interrupted

Sign-in error code: 65001

Failure reason: Application X doesn't have permission to access application Y or the permission has been revoked. Or the user or administrator has not consented to use the application ID X. Send an interactive authorization request for this user and resource. Or the user or administrator has not consented to use the application ID X. Send an interactive authorization request to your tenant admin to act on behalf of the App: Y for Resource: Z.

I tried to grant admin consent via the admin consent endpoint but still had the same error.

Could you please suggest how to resolve the issue?

Thanks,

Sandy

Least privileged G Suite provisioning sync admin


Hi, I'd like to get a least-privileged G Suite admin user defined to perform the provisioning sync from Azure AD. The Azure tutorial says "Make sure to enable all Admin API Privileges so that this account can be used for provisioning", which is excessive given that the Google Admin SDK scope prompt claims Azure will only update groups/users/contacts.

Can I get the minimum viable Google Admin SDK privileges needed for the sync user role? I was able to get sync working with only the users/groups scopes but want to make sure the other privileges (Org units, user security management, data transfer, schema management, license management, billing management, domain management) are OK to skip.

Publisher Domain verification fails because "Verification of publisher domain failed. Error getting JSON file from https://{publisher_domain}/.well-known/microsoft-identity-association. The server returned an unexpected content type header value. [f566g]"


I'm trying to verify the publisher domain of my application, but it's not working despite the JSON file being available when checking the link in a browser: https://{publisher_domain}/.well-known/microsoft-identity-association.

The instructions ask for the JSON file to be hosted at https://{publisher_domain}/.well-known/microsoft-identity-association.json. I get the following error message:
Verification of publisher domain failed. Error getting JSON file from https://app.swydo.com/.well-known/microsoft-identity-association. The server returned an unexpected content type header value. [vquV0]

Does anyone know what can be the problem? 
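A browser will happily render the file whatever header it is served with, so the browser check does not prove what the error is complaining about. As an added example (not from the original post), the following fetches the file the way the validator does and reports the Content-Type header alongside whether the body parses as the expected associatedApplications document. The domain is the one quoted in the post; nothing else about the site is assumed.

```powershell
# Added example, not from the original post. Fetches the association file and checks the two things the
# validator depends on: the Content-Type header and that the body parses as the expected JSON shape.
# The domain is the one quoted in the post; nothing else about the site is assumed.
function Test-PublisherDomainFile {
    param([Parameter(Mandatory)][string]$Domain)
    $url = "https://$Domain/.well-known/microsoft-identity-association.json"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Url = $url; Error = $_.Exception.Message }
    }
    $contentType = [string]$resp.Headers['Content-Type']
    $body = $null
    try { $body = $resp.Content | ConvertFrom-Json -ErrorAction Stop } catch { }
    [pscustomobject]@{
        Url            = $url
        StatusCode     = $resp.StatusCode
        ContentType    = $contentType
        ContentTypeOk  = $contentType -match '^application/json'   # text/html or text/plain fails verification
        BodyIsJson     = $null -ne $body
        ApplicationIds = @($body.associatedApplications.applicationId) -join ', '
    }
}

Test-PublisherDomainFile -Domain 'app.swydo.com' | Format-List
```

If ContentTypeOk is false while BodyIsJson is true, the web server is serving the right bytes under the wrong media type; a typical cause is a static-file or catch-all rule that does not map the .json extension (or the extensionless path) to application/json, and the fix is in the server configuration rather than in the file.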

Individual who was Global Admin left company taking the keys to the castle with him


Hello!

A former client of mine recently had their SSL certificate expire.  I was going to help them purchase and set up a new Azure App Service certificate through the portal when they dropped this bomb on me:   The only person who had credentials for their Azure portal is no longer with the company and conveniently left no information behind.  I am only a guest user in their Azure AD.  I would like to help them take back control of their Azure account if possible as their business is pretty much running from that Azure directory.

What do you guys advise?

Thanks!
