Channel: Azure Active Directory forum

Azure AD Application Proxy started to return 302 redirect randomly


Hi,

We have been using Azure AD Application Proxy for over a year now, and in the last 2 days it has started to return 302 randomly.

We access our internal WebApi, hosted on-premises, through the App Proxy's external URL, and we use an access token for authorization.

Starting last Sunday, it started to return 302 Found randomly, with a response that looks like this:

HTTP/1.1 302 Found
Content-Length: 0
Location: https://login.microsoftonline.com/<tenantId>/oauth2/authorize?response_type=id_token&client_id=<clientId>&scope=openid&nonce=e7a73a84-926a-4666-a9b8-bae143c0ad08&response_mode=form_post&redirect_uri=https%3a%2f%2f<externalName>.msappproxy.net%2f&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3atrue%2c%22IsMsofba%22%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2f<externalName>.msappproxy.net%5c%2f<path>%22%2c%22RequestProfileId%22%3a%2269a6ba6c-268e-4ede-9dd8-bdf57c31479c%22%7d%23EndOfStateParam%23
Server: Microsoft-HTTPAPI/2.0
Set-Cookie: AzureAppProxyAnalyticCookie_<......>; path=/
Date: Tue, 05 Mar 2019 16:39:37 GMT

When hitting the url directly in the browser, we can see the redirect to login.microsoftonline.com for a second, then it redirects back to the original url and the request is processed, then we get our expected WebApi response.

There was no redirect before, this is new.

The issue is when we're making the call programmatically, we set the Authorization: Bearer <access_token> header but we also receive the 302, this is breaking all our applications.

Is anyone aware of an update with potentially breaking changes happening on the Azure side last Sunday?
Maybe something related to Set-Cookie: AzureAppProxyAnalyticCookie being required now?

Any ideas?
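Decoding the state parameter of the Location header quoted above, as an added example (not part of the post and not Microsoft code): the AppProxyState JSON carried in the redirect contains an InvalidTokenRetry flag, which a programmatic client can log instead of blindly following the redirect. The placeholders (<tenantId>, <clientId>, <externalName>, <path>) are the poster's; the classification labels are my own, and what causes the proxy to set the flag is not stated in the post.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed from the Location header quoted in the post; the angle-bracket
# placeholders are the poster's own redactions, kept verbatim.
LOCATION = (
    "https://login.microsoftonline.com/<tenantId>/oauth2/authorize"
    "?response_type=id_token&client_id=<clientId>&scope=openid"
    "&nonce=e7a73a84-926a-4666-a9b8-bae143c0ad08&response_mode=form_post"
    "&redirect_uri=https%3a%2f%2f<externalName>.msappproxy.net%2f"
    "&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3atrue%2c%22IsMsofba%22"
    "%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2f<externalName>"
    ".msappproxy.net%5c%2f<path>%22%2c%22RequestProfileId%22%3a%2269a6ba6c-268e"
    "-4ede-9dd8-bdf57c31479c%22%7d%23EndOfStateParam%23"
)

# Delimiters as they appear (URL-encoded) in the quoted header.
STATE_PREFIX = "AppProxyState:"
STATE_SUFFIX = "#EndOfStateParam#"


def parse_app_proxy_state(location: str) -> dict:
    """Return the AppProxyState JSON embedded in the state= parameter of an
    App Proxy pre-authentication redirect, or {} if the URL is not in that shape."""
    url = urlparse(location)
    if url.hostname != "login.microsoftonline.com":
        return {}
    # parse_qs percent-decodes the value, turning %7b%22...%7d into JSON text.
    state = parse_qs(url.query).get("state", [""])[0]
    if not (state.startswith(STATE_PREFIX) and state.endswith(STATE_SUFFIX)):
        return {}
    body = state[len(STATE_PREFIX):-len(STATE_SUFFIX)]
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return {}


def classify_302(status: int, headers: dict) -> str:
    """Label a response so an API client (which sends a Bearer token and expects
    JSON, not a login page) can log why it did not get the WebApi result.
    The labels are hypothetical names chosen for this example."""
    if status != 302:
        return "not-a-redirect"
    state = parse_app_proxy_state(headers.get("Location", ""))
    if not state:
        return "redirect-elsewhere"
    # The flag name is what the proxy put in the state; the post does not say
    # which condition sets it, so the label only reports what was observed.
    if state.get("InvalidTokenRetry"):
        return "appproxy-preauth-invalid-token-retry"
    return "appproxy-preauth-redirect"
```

A client that logs the decoded RequestProfileId and OriginalRawUrl alongside the label has the identifiers needed when raising a support case, rather than an opaque "unexpected 302".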


Create an Azure Active Directory programmatically


Is there any provision to create an Azure Active Directory programmatically, using an SDK, an API, or even PowerShell?

I have tried PowerShell, the Graph API and the management SDK, but I was unsuccessful.

Please provide some resolution for this

Line of Business Program Requires Mapped Sharing a local Network (P2P) Shared Drive


First of all I want to see if it is possible to set up a policy that will make a shared drive available and map it on all workstations that have the Basic O365 AD. The shared drive (file) contains a Line of Business program that must be set up as a mapped drive. From what I have seen in the documentation, Azure AD would like the creation of an online Azure file share, but I do not want to go this way, as I would have to set up and run a testing environment to check the line of business application and its performance before implementation.

All Workstations are Windows 10 with latest updates including the Shared Mapped drive currently in use. I do have 1 new workstation that will need to be added to replace one that is going to be retired within next couple days.

Any Ideas, guidance, instruction or thoughts would be greatly appreciated.


Perpetual Geek In Training

AAD Connect with existing O365 accounts

I am looking to migrate our on-premises Exchange 2010 organization to Exchange online. As an initial part of this migration I'm going to get AAD Connect up and running. We have been running an E3/E3 tenancy for about a year testing end-user adoption and issues. Users have been testing email and using other portal features, including extensive use of teams, so when we set up AAD Connect, we hope to connect the on-premises accounts with the existing O365 accounts.

Before moving forward, I’d like to ask for your advice and input to make sure I understand the issues and interactions. Once we move forward, the plan will be to either do a minimal hybrid configuration or just do a straight cut-over. We only have about 100 users and most mailboxes are under 2 GB.
 
On-premises is a single flat domain on 2012R2 DC with:
UPN = uname@contoso.com (this is a publicly routable domain)
Primary SMTP: uname@fabrikam.com (published MX records)
Secondary smtp: uname@contoso.com (no public MX records)
Exchange accepted domains: fabrikam.com, contoso.com

O365 E3/E2 tenancy with:
UPN: uname@newfabrikam.com (this is a publicly routable domain)
Primary SMTP: uname@newfabrikam.com (published MX records)
Verified Domains: newfabrikam.com (default), newfabrikam.onmicrosoft.com, contoso.com, fabrikam.com
Exchange accepted domains: same as verified domains

My understanding is that since Primary SMTP addresses do not match, a soft match would then happen on UPN. My initial question is will it be necessary for me to first change all the usernames in O365 to uname@contoso.com? Or will sync see the verified domain contoso.com in O365 and simply update the existing usernames to match the local UPN suffix?

I did change a single test account in O365 to use the contoso.com UPN suffix, and logged in and sent email using the existing default newfabrikam.com address, so I imagine once email is migrated it will be a simple matter to make the fabrikam.com address the default and update the MX records.

Have I sorted this out properly? Many thanks!

We're trying to connect via LDAP to Azure. We're getting "can't contact LDAP server"

We're trying to connect via LDAP to Azure. We're getting "can't contact LDAP server"... we are using the default ports.

Add Existing Microsoft Account User to Azure Active Directory

Is there a way to add an existing Microsoft account user to Azure Active Directory? My coworker is trying to add other developers to our Azure account so we can all manage our APIM. When we receive the invite, it forces us to create a new account. One of my coworkers created a new one, but now Azure recognizes that she has two accounts both with the same email, just different passwords. This is not very intuitive, and actually pretty confusing. This functionality used to exist in the "classic" Azure portal as we found a question about it two years ago, and as part of that answer it stated that this functionality was not yet in the new Azure portal (the one being used today). The classic portal no longer seems to work as it redirects to the new one. Has this functionality been ported over during the last two years? Based on what I can find in the online Azure documentation the answer seems to be no. If anyone has an answer to this, it would be very helpful. Thank you.

Change autogenerated UTF-8 %userprofile% path when logging into Windows 10 with Azure AD credentials


Hi all

As a developer, I'm testing out various frameworks and whatnot. Surprisingly, however, an increasing number of them break when the user profile path includes a UTF-8 character, in my case ø. Finding a workaround for each case is super unproductive, so I want to change my name or at least the path :)

When logging in on a fresh machine (Windows 10) for the first time using my Azure AD account, I'm automatically allocated my full name (without spaces) as the %userprofile% path, so c:\users\SørenOxenhave\. Naturally, I could change my display name in Azure AD and then get an ASCII compatible path, but I feel like there should be another solution like fallback to first part of my email address or likewise.

Can I do anything in the Azure AD setup, or my profile setup or on the local machine to change this?

I appreciate any help.

Thanks!

Søren

Does Azure MSI support accessing Graph API?

I have a VM created in Azure with MSI (Managed Service Identity) enabled and I also grant the contributor role of my subscription to the VM, so from this VM, I am able to call "localhost:50342" to get the access token and then use Azure Resource Manager API (endpoint: management.azure.com) to access Azure resources. Now when I tried to use the same way to access Azure Graph API (endpoint: graph.microsoft.com), I kept getting "[code] => Authorization_RequestDenied [value] => Insufficient privileges to complete the operation". So how am I able to grant permissions to the VM to access Azure Graph API when MSI is enabled? Thank you very much!

AAD Authentication is not being successful


Hi 

I have a Power BI report which uses Analysis Services (Azure based), for which I need to authenticate to connect to the data source. When I use OAuth2 and Organizational, the AAD popup window opens, and when I select my ID it says:

Sorry, but we’re having trouble signing you in.

AADSTS90015: Requested query string is too long.

Request Id: 1d6704a0-7bf0-4341-904f-5b39c4810c00
Correlation Id: 851ae2fd-528c-486c-8c40-014b93fc1f4d
Timestamp: 2019-10-07T04:17:23Z
Message: AADSTS90015: Requested query string is too long.
Advanced diagnostics: Disable

If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

Can somebody help me on this?

It's not only for this source but for most of the sources, whenever AAD Auth is required.

thanks

sai


sakusuma

Wanted: Serverless and Serverside Blazor Demos that Authenticate and Authorize using Azure


I was looking at those Blazor tutorials on Channel9.msdn.com and I want to create a serverless Blazor demo and a serverside Blazor demo where both demos would authenticate on Azure.

Apparently the serverless Blazor sites call an Azure Function for data (is this correct?). How do I use the features of Azure to most easily implement authentication and authorization?

I could create an Azure SQL database, maybe using Entity Framework. I'm hoping there is an easier way. I'm not familiar with Azure Active Directory -- can I implement authentication/authorization with Azure AD?

What about gateways like Zuul and Kong? Are they easier than Azure Active Directory for authentication/authorization?

What is the simplest way?

Thanks 

Siegfried


siegfried heintze


Access azure datalake gen2 resources by Azure Active Directory B2C users


Hi,

We have an application where we need to do the following

1. Create folders and files under Azure datalake gen2

2. Create Active Directory B2C users (Using javascript single page as explained in https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp)

3. Add the users created in step 2 to the access control lists of one or more folders created in step 1 programmatically.

4. Allow the users created in step 2 to access the folders/files created in step 1 through JavaScript REST APIs.

Are steps 3 and 4 possible?

Thanks,

Hema

MFA for Guest accounts


So I have an enterprise application set up in AAD for an on-premises app. AAD authentication works great for both my users and guest users. Outwith our locations MFA is required; again it all works as it should. However, I have been asked whether it is possible for the primary MFA authentication method for guest accounts to be set to their company email. The reasoning behind this is that these guest users work for third-party organizations. I have no visibility into these, so if a guest user leaves their organization (and then starts working for a rival) I don't know. If that guest user uses the Microsoft app, they could still get access to our application. If they have to use email, there is a very good chance that they would no longer have access to their company email and therefore could not complete MFA.

My thought is that what is being asked is not actually possible, but I would like to know if anyone has a workaround or any suggestions on how to handle this.

Azure Active Directory CA Policy on IMAP

Several of my Exchange Online accounts are subject to frequent login attempts by various means. Recently I have had a bunch of attempts using IMAP from foreign countries. IMAP is disabled for that account, but SMTP is allowed (for the time being, until I can test my third-party SMTP tonight). We have one CA policy which applies and which blocks login from foreign countries. When I test using the What If tool, these foreign logins using IMAP are indeed blocked. But yet the user account is getting locked and the logs show multiple break-in attempts. What is going on? Shouldn't the CA policy and the IMAP restriction prevent the login attempt in the first place, or will the log continue to grow with failed logins from IMAP while locking the account? I confirmed in PowerShell that IMAP is indeed disabled for this account. Every few minutes I see in the logs a sign-in error code 50053 (account locked).

Azure AD compliance


Hi 

Would someone be able to explain to me why, when a device is registered within Azure AD, it creates two instances of this device?

See below.

Why are 2 instances of the device required and what is the difference between each?

machinename1
Yes
Windows
ip address
Azure AD registered
dan jones
None
N/A
3/11/2019, 12:35:56 PM
5/9/2019, 8:29:20 AM
machinename2
Yes
Windows 10 Enterprise
ip address
Hybrid Azure AD joined
N/A
None
N/A
3/11/2019, 1:26:44 PM
10/3/2019, 9:43:01 AM

Azure AD Connect fails to synchronize groups memberships


Hi, I have installed Azure AD Connect on a Windows Server 2012 computer to synchronize with an Azure AD instance (using password hashes). I have filtered the synchronization to apply to a custom OU only. The user accounts synchronize fine, the groups synchronize as well, only they are empty in Azure as the group memberships fail to synchronize.

In the Synchronization Service Manager I can see completed-discovery-errors on the Delta Import operation: for each group to synchronize there is a Discovery Error of type reference-value-not-ldap-conformant on the member attribute.

The IdFix utility does not suggest any fix.

Any suggestion?


Cookie based OpenId authentication


Dear All,

We have an ASP.NET 4.6 and an ASP.NET Core application integrated with Azure AD for authentication. We are using cookie-based OpenID authentication.

Our requirement is:

  1. Entry forms are time-consuming, so users will be entering data in the form for at least 3-4 hours before they submit it.
  2. Users should not be asked to log in again unless they log out manually in the application.

Please let us know how we can achieve this.

Thanks,


Selvakumar Rathinam

Gmail SSO


I've followed the steps here (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial) but am unable to get SSO fully working, and am unsure if the problem is on the Azure side or the Google side.

For random users (because I haven't found any reason or any settings that stand out) they are not redirected to the MS sign-on page, while some are.

I am also getting errors provisioning, but am unable to determine what they are (except the few where the existing Gmail user can't be mapped to the Azure user; I fix these by deleting the Gmail user and letting provisioning create the user). I get the e-mail "An internal error occurred. Please contact Azure Active Directory support." and my provisioning logs do not seem to get written to, except to say that the command to restart provisioning was a success.

Azure DevOps : Issue while using app id & secret in Azure Analysis Services Deployment


I am trying to use variables while deploying Azure Analysis Services.

Here the variable library contains the variable values, which in turn use other library values.
It did work for modelname, but when I try to inherit for app id & secret, it throws the error "Invalid client secret".



This is how variable is cascaded.


Siddhesh Khavnekar

Azure ADFS Setup - Error "We cannot federate an azure AD domain while signed in to azure AD as a user in the same domain."


Hi Support,

I've verified my domain in Azure AD as divar.com.au, created two VMs and installed Azure Active Directory connect.

Server one named DC1 and server two is ADFS. I am running Azure AD connect on DC server and I am able to go forward until the section "Select the Azure AD domain to federate with your on-premises directory"

My AD domain name is divar.com.au and Cert on ADFS server is adfs.divar.com.au

Not sure what's causing the issue. I've tried with a different Azure AD account with Global Administrator privilege and it made no difference.

Error message which I get is:

"We cannot federate an azure AD domain while signed in to azure AD as a user in the same domain. Please choose a different domain to federate or restart this wizard and provide different Azure AD global administrator credentials"

Thank you,


Issues with Azure AD Connect and SSO


I have set up our on-premises directory to sync with Azure AD Connect. Azure reports everything working OK, including SSO.

When I try to open https://myapps.microsoft.com or https://myapps.microsoft.com/mydomain.com I get the following error:

There was a problem processing your request

Support Information:

Correlation ID:
EUS#de50582d-363b-4253-ba29-27a8349f4838
Error code:
0