I am trying to force trigger Azure AD Sync multiple times in parallel with the below command.
Start-ADSyncSyncCycle -PolicyType Delta
Is there any issue if I trigger it multiple times in parallel ?
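Added example, not from the original post: a wrapper that asks the Azure AD Connect scheduler whether a cycle is already in progress before requesting a delta sync, so that several callers running this in parallel do not all fire Start-ADSyncSyncCycle at once. It assumes the ADSync module on the Connect server; the function name Invoke-DeltaSyncIfIdle is mine.

```powershell
# Added example (not from the original post): only request a delta cycle when
# the sync engine is idle, and report (rather than retry blindly) when the
# engine rejects the request.
Import-Module ADSync

function Invoke-DeltaSyncIfIdle {
    $scheduler = Get-ADSyncScheduler
    if ($scheduler.SyncCycleInProgress) {
        Write-Warning "A sync cycle is already running; not starting another one."
        return $false
    }
    try {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        return $true
    } catch {
        # A second request while a cycle is running, or a suspended scheduler,
        # surfaces here; log it so parallel callers do not silently pile up.
        Write-Warning "Start-ADSyncSyncCycle failed: $($_.Exception.Message)"
        return $false
    }
}

Invoke-DeltaSyncIfIdle
```

Get-ADSyncScheduler also exposes NextSyncCycleStartTimeInUTC and SyncCycleEnabled, which is usually enough to decide whether a manual trigger is needed at all rather than scripting repeated ones.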
Hi team,
I created a custom mobile app that signs in users with Modern Auth to access Exchange resources.
I tried to sign-in an account from another tenant that blocks users from approving new apps and I got the following error:
AADSTS165000: Invalid Request: The request tokens do not mach the user context. Do not copy the user context values (cookies; form fields; header) between different requests or user sessions; always maintain the ALL of the supplies values across a complete single user flow. Failure Reasons:[Token values do not match;]
Status: Interrupted
Sign-in error code: 65001
Failure reason: Application X doesn't have permission to access application Y or the permission has been revoked. Or the user or administrator has not consented to use the application ID X. Send an interactive authorization request for this user and resource. Or the user or administrator has not consented to use the application ID X. Send an interactive authorization request to your tenant admin to act on behalf of the App: Y for Resource: Z.
I tried to grant admin consent via the admin consent endpoint but still had the same error.
Could you please suggest how to resolve the issue?
Thanks,
Sandy
I have an ASP .NET Core 2.2 web app that's using Azure AD B2C for authentication. My user flows are working correctly, users can sign up and sign on using custom flows.
My code follows this sample very closely: https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp
Issue is I keep getting unauthorized errors if I try to request an access token using the authenticated user ID and use it to make API calls.
I set up an Azure Function and it works perfectly using a web browser, redirecting to my custom sign on page for authentication and then executing correctly. But I get 401 error when trying to make an HTTP request to it using a bearer token I acquire this way: https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp/blob/6dbb7e83ddc1bdfae64e94292f0e400c88b93de7/WebApp-OpenIDConnect-DotNet/Controllers/HomeController.cs#L57
Any ideas?
Whenever we add someone - either via the GUI or in Powershell, we get the same response. Removing and adding them back doesn't fix it. Has anyone seen this?
User details: Skip reason = NotEffectivelyEntitled, Active = True, Assigned = True, Passed scope filter: True
Hi,
My user in my organization has all the permissions and is in the same groups as the other ones (the original people in the company), but they can still do some things in the portal that I cannot, for example, in Azure Active Directory --> Enterprise Applications, I cannot add a new application and they can.
Is there some super user permissions when you're the subscription creator? Is there any way to match those permissions in some new user?
Thanks,
Xurxo
Hi,
when calling the OIDC userinfo_endpoint (https://graph.microsoft.com/oidc/userinfo) with a valid access token, it returns the user info with a Content-Type = text/html, although there is a JSON document in the body. Is it the expected behaviour?
thanks
A previous member of staff has already set up Azure Active Directory Connect with successful synchronisation.
However, the Source Anchor chosen is the SamAccountName. And the SamAccountName can change if a user has a name change. And there may be the duplication of a SamAccountName in the event of a member of staff leaving, and a new member of staff with the same name starting soon after.
I believe that it is advisable to use the objectGUID as the Source Anchor, and so we are considering changing the Source Anchor.
Given that we have assigned O365 licenses to only 41 people so far (and nothing else assigned to make use of Azure AD), am I correct in thinking that this is the best way to change our Source Anchor?
a) Disable sync on Azure AD Connect.
b) Wait 72 hours, after which point the users in Azure AD will automatically have been converted to managed users.
c) Delete all Azure AD users apart from those that have a O365 license assigned.
d) For the remaining users in Azure AD, edit the ImmutableID attribute so that it matches the respective objectGUID for AD account (which I believe needs to be performed via Powershell as there is no way of doing this in a GUI).
e) Create a new instance of Azure AD Connect, where it is configured to have the Source Anchor as the objectGUID?
If there is any flaw in the above steps in the real world, then I would appreciate being made aware of it.
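Added example for step (d) above, not from the original post: it computes the ImmutableId that Azure AD Connect derives from objectGUID (the Base64 of the GUID's 16 raw bytes, not of its string form) and compares it with what Azure AD currently holds, only writing it when -Apply is given. It assumes the ActiveDirectory and MSOnline modules with an existing Connect-MsolService session, and that the target users are already cloud-managed (step (b)); the function names and the sample mapping are mine.

```powershell
# Added example (not from the original post). Derive the objectGUID-based
# ImmutableId for on-premises accounts and reconcile it in Azure AD.
Import-Module ActiveDirectory
Import-Module MSOnline   # Connect-MsolService must already have been run

function Get-ImmutableIdFromObjectGuid {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # Azure AD Connect stores the GUID's raw bytes Base64-encoded
    return [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
}

function Sync-ImmutableId {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$Apply   # without -Apply the function only reports a mismatch
    )
    $expected = Get-ImmutableIdFromObjectGuid -SamAccountName $SamAccountName
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($cloud.ImmutableId -eq $expected) {
        Write-Host "$($UserPrincipalName): already matches ($expected)"
        return
    }
    Write-Host "$($UserPrincipalName): current='$($cloud.ImmutableId)' expected='$expected'"
    if ($Apply) {
        # Only succeeds for cloud-managed users, i.e. after sync has been disabled
        Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
    }
}

# Constructed sample mapping (sAMAccountName -> UPN); replace with the licensed
# accounts kept in step (c). Run once without -Apply to review, then with it.
$mapping = @{ 'jdoe' = 'jdoe@contoso.onmicrosoft.com' }
foreach ($sam in $mapping.Keys) {
    Sync-ImmutableId -SamAccountName $sam -UserPrincipalName $mapping[$sam]
}
```

Reviewing the report before applying matters here: if an ImmutableId is set to a value that does not match the on-premises GUID, the new Connect instance in step (e) will not join the objects and will instead create duplicates.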
Hello,
Has anyone solved the issue where you get:
"Set-AIPAuthentication : Unable to authenticate and setup Microsoft Azure Information Protection At line:1 char:1 ..."
when trying to get the security token using the parameters -webAppId -webAppKey -nativeAppId for AIPScanner?
I am using a demo tenant (m365xxx.onmicrosoft.com) and a test domain (testdomain.local).
The two apps have been created in AAD following the documentation.
My local AIP service account is synced via ADConnect and has local logon rights to my AIPScanner server.
I am running the Set-AIPAuthentication with powershell running as my service account.
If I run *just* the Set-AIPAuthentication cmdlet, I am asked to provide credentials (service account), and I get a token.
If I run with *any ONE parameter* it seems to work.
If I run with *any TWO parameters* it seems to work.
If I run with *all THREE* parameters, I get the error.
I noticed someone else has a similar posting, with no resolution. Has anyone found the explanation for this error?
Thanks!
I'm trying to verify the publisher domain of my application but it's not working despite the JSON file being available when checking the link in a browser: https://{publisher_domain}/.well-known/microsoft-identity-association.
The instructions ask for the json file being hosted at https://{publisher_domain}/.well-known/microsoft-identity-association.json.
I get the following error message:
Verification of publisher domain failed. Error getting JSON file from https://app.swydo.com/.well-known/microsoft-identity-association. The server returned an unexpected content type header value.
[vquV0]
Does anyone know what can be the problem?
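Both this post and the earlier userinfo question come down to the same check: what Content-Type header a server actually sends versus whether the body is JSON. The following is an added example, not from either post, that fetches a URL (optionally with a bearer token) and reports both, plus whether a publisher-domain file has the associatedApplications key the verification expects. The function name is mine and the publisher.example host is a placeholder.

```powershell
# Added example (not from the original posts). Report the declared Content-Type
# next to whether the body parses as JSON, so a text/html header on a JSON body
# is visible rather than hidden behind a browser that renders it anyway.
function Test-JsonResponse {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [string]$BearerToken   # optional, e.g. for the OIDC userinfo endpoint
    )
    $headers = @{}
    if ($BearerToken) { $headers['Authorization'] = "Bearer $BearerToken" }
    $resp = Invoke-WebRequest -Uri $Uri -Headers $headers -UseBasicParsing
    # Cast to string: PowerShell 7 returns header values as string arrays
    $contentType = [string]$resp.Headers['Content-Type']
    $parsed = $null
    try { $parsed = $resp.Content | ConvertFrom-Json } catch { }
    [pscustomobject]@{
        Uri                       = $Uri
        StatusCode                = $resp.StatusCode
        ContentType               = $contentType
        HeaderSaysJson            = ($contentType -like 'application/json*')
        BodyIsJson                = ($null -ne $parsed)
        HasAssociatedApplications = ($null -ne $parsed -and $null -ne $parsed.associatedApplications)
    }
}

# Publisher domain file (placeholder host); the portal expects application/json here.
Test-JsonResponse -Uri 'https://publisher.example/.well-known/microsoft-identity-association.json'

# OIDC userinfo endpoint; $token is an access token you already hold for Microsoft Graph.
# Test-JsonResponse -Uri 'https://graph.microsoft.com/oidc/userinfo' -BearerToken $token
```

For the publisher-domain case, HeaderSaysJson being false while BodyIsJson is true matches the "unexpected content type header value" error exactly: the fix is on the web server's MIME mapping for the .json file (or for extensionless paths under .well-known), not in the file's content.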
Hi,
we want to delegate the management of customers to our distributors in our azure tenant.
We privileged some users to invite guests. These guests should be added to specific azure ad groups.
Planned workflow:
Manager A from distributor X invites customer K. This customer K should be added to group "distri-x-customers" automatically. In this group the manager A is owner and can remove the users invited by him.
Manager A should not get any other permissions on Azure AD. No roles. Just the "Guest invitation" role.
Now we have two problems:
1.) Is there a way to grant permission to the guest inviter so he can add new guest users to the group he is owner of?
Or is it possible to run a scheduled PowerShell script to read the "invited by" information and add users to a group based on it? Is there a way to get this information from the audit log for the guest user account?
2.) The group owner can view the group and has the menu to remove users, but the users are not removed. They stay in the group. I think this is because of missing group permissions.
Is there any way to implement the desired workflow in Azure? I tried to use Azure Security group for this. Is it possible with O365 Group? I was not able to set guest user as owner of o365 group and get just "Due to a tenant wide policy, guest users are not allowed to be owner of this type of group.". How can I disable this policy?
Best,
Robin
I am setting up Azure Information Protection Scanner and following the following support articles
Deploying the Azure Information Protection scanner to automatically classify and protect files
Admin Guide: Using Powershell with the Azure Information Protection unified client
As part of my AIPScanner set up, I first installed the Classic AIP Client, then Installed the Scanner (Install-AIPScanner), then Set up 2 applications (OnBehalfOf and AIP Client).
I am now at the part of the Admin Guide: Using Powershell with the Azure Information Protection unified client support article to set up AIP Authentication using the Set-AIPAuthentication cmdlet. However, when I run the PowerShell cmdlets specified in the support article and listed below, I get the following error...
Set-AIPAuthentication : A parameter cannot be found that matches parameter name 'WebAppId'.
It appears that the parameter WebAppId cannot be found.
The PS cmdlet I am using is as follows:
$pscreds = Get-Credential "user@Domain.com"
Set-AIPAuthentication -WebAppId "xxxxxxxx-xxxx-xxxx-xxxx-xxxx" -WebAppKey "x_xx_xxx_xxxx" -NativeAppId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" -OnBehalfOf $pscreds
Any ideas on what the issue can be?
Thank you
Pginnega69
We see this error when a user signs into the Outlook desktop app on Windows 10 for the first time. They still get logged in but the Work account doesn't get added to the computer and they need to sign into every office app individually. We see the same error when we try to add the Work account through the Settings screen.
I gave the user an Intune license and then the error went away but why? I don't want to manage the device in Intune. Currently our goal is to manage only company owned Android devices with Intune MDM and Personal Android devices with MAM. We use group policy to manage Windows devices currently.
What do I need to check to make sure the user can add their work account to the computer without an Intune license?
We have modern authentication enabled as well as AD Connect Sync.
I have an azure b2c instance with 1 user flow making use of "Sign up v2".
When I have JavaScript turned on, a custom IdP selection page and a custom local account signup page, the sequence fails. If JavaScript is off, or I use either of the built-in pages, it works.
The failure is that the body of the local signup page is not filled in (the email, password, etc. boxes are missing).
The most interesting thing I can find out about this is that the URLs are different in the fail case, and I cannot find an explanation for that. Specifically, in the fail case the URL is in the format:
https://<customer page host name>/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange
In the success case it goes to b2clogin with the format:
https://<tenant name>.b2clogin.com/<tenant name>.onmicrosoft.com/B2C_1_signup/api/ClaimsProviderSelection/selected?accountId=SignUpWithLogonEmailExchange
thoughts?
Hi, I'd like to get a least privileged GSuite admin user defined to perform the provisioning sync from Azure AD. The Azure tutorial says "Make sure to enable all Admin API Privileges so that this account can be used for provisioning", which is excessive given that the Google Admin SDK scope prompt claims Azure will only update groups/users/contacts.
Can I get a minimum viable Google Admin SDK privileges needed for the sync user role? I was able to get sync working with only users/groups scopes but want to make sure the other privileges (Org units, user security management, data transfer, schema management, license management, billing management, domain management) are ok to skip
Hi,
We have an application where we need to do the following
1. Create folders and files under Azure datalake gen2
2. Create Active Directory B2C users (Using javascript single page as explained in https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp)
3. Add users created in step 2 to the Access control lists of one or more folders created in step 1 programmatically.
4. Allow users created in step 2 to access folders/files created in step 1 through JavaScript REST APIs
Are steps 3 and 4 possible?
Thanks,
Hema
I've created a legacy app (native) and added permissions to it (AD and Graph). When I attempt to give consent for the permissions, I use a URL in the form
https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<client_id>&state=12345&scope=openid&redirect_uri=http://localhost/myapp/permissions. The browser provides a dialog with the permissions list and I accept them.
The return URL indicates success (http://localhost/myapp/permissions?admin_consent=true&tenant=<tenant id>&state=12345), yet when I look at the permissions in the portal there is no change. When I try to use the application I still get a failure that consent has not been given, and when I retry to give consent it prompts me for the entire list again.
How do I diagnose what's wrong here?
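Added example, not from the original post: one way to see what consent a tenant actually recorded for an application, independent of what the redirect URL reported. It looks up the app's service principal and lists its delegated grants (ConsentType "AllPrincipals" is tenant-wide admin consent, "Principal" is a single user's) and its application-permission role assignments. It assumes the AzureAD module with an existing Connect-AzureAD session; the function name and the sample client id are mine.

```powershell
# Added example (not from the original post). Show the consent objects Azure AD
# holds for an application, so "admin_consent=true" in a redirect can be checked
# against what was actually stored.
Import-Module AzureAD   # Connect-AzureAD must already have been run

function Get-AppConsentState {
    param([Parameter(Mandatory)][string]$ClientId)
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$ClientId'"
    if (-not $sp) {
        # No service principal means consent was never recorded in this tenant at all
        Write-Warning "No service principal for appId $ClientId in this tenant."
        return
    }
    # Delegated permissions: one grant per resource, scopes are space-separated
    $delegated = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId |
        ForEach-Object {
            $resource = Get-AzureADServicePrincipal -ObjectId $_.ResourceId
            [pscustomobject]@{
                Kind        = 'Delegated'
                Resource    = $resource.DisplayName
                ConsentType = $_.ConsentType   # AllPrincipals = admin consent for everyone
                Scope       = $_.Scope
            }
        }
    # Application permissions: app role assignments from this principal to resources
    $application = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId |
        ForEach-Object {
            [pscustomobject]@{
                Kind        = 'Application'
                Resource    = $_.ResourceDisplayName
                ConsentType = 'AppRole'
                Scope       = $_.Id   # role id; resolve against the resource's AppRoles if needed
            }
        }
    @($delegated) + @($application)
}

# Placeholder client id; substitute the app's Application (client) ID.
Get-AppConsentState -ClientId '00000000-0000-0000-0000-000000000000' | Format-Table
```

If the service principal is missing, or the grants list has no AllPrincipals entry for the resource the app needs, the consent the browser showed was never persisted in this tenant, which narrows the problem to the consent request itself (for example the tenant it was issued against) rather than to the app's manifest.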
Hi,
I'm not sure why this is not an issue for more users, but it surely is a showstopper for deploying Azure AD Join:
when a Windows 10 device is joined to Azure Active Directory, the logon process creates the user's folder in this location: c:\users (as might be expected, this becomes the %USERPROFILE% path). The folder name appears to be constructed based on the user's First name and Last name, as entered in the Azure Active Directory.
However, when the user's first name or last name in the Azure Active Directory includes non-ASCII international characters (for ex. šđčćž), these will be included in the folder name. Although that's not a problem by itself, it generates a range of problems for a huge number of applications typically relying on %APPDATA% to store important settings. The applications having problems include Microsoft Office, Outlook, Google Drive, MS Teams, Skype and so on and they typically fail during either installation or startup.
The workaround is to change the First and Last name fields in Azure AD (prior to first time logon) so they contain only ASCII characters, or alternatively change the %USERPROFILE% folder name in the registry, but that's only a workaround to a bug.
Wouldn't it be logical to correct this so the logon process creates the %USERPROFILE% folder names stripped of any non-ASCII characters, as the majority Windows applications clearly do not tolerate non-ASCII characters in the user profile folder name?
Have any other users noticed this behavior?
Thanks for any feedback.
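Added example, not from the original post: a report of Azure AD users whose GivenName or Surname contains characters outside printable ASCII, i.e. the accounts the workaround above (renaming before first logon) would apply to, together with a diacritics-stripped suggestion. It assumes the AzureAD module with an existing Connect-AzureAD session; the function names are mine.

```powershell
# Added example (not from the original post). Find accounts whose name fields
# would put non-ASCII characters into the profile folder on Azure AD Join.
Import-Module AzureAD   # Connect-AzureAD must already have been run

function Remove-Diacritics {
    param([string]$Text)
    # Decompose (FormD) so accents become separate combining marks, then drop them
    $formD = $Text.Normalize([System.Text.NormalizationForm]::FormD)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $formD.ToCharArray()) {
        $cat = [System.Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch)
        if ($cat -ne [System.Globalization.UnicodeCategory]::NonSpacingMark) {
            [void]$sb.Append($ch)
        }
    }
    # đ/Đ have no canonical decomposition, so map them explicitly
    return $sb.ToString().Normalize([System.Text.NormalizationForm]::FormC).Replace('đ', 'd').Replace('Đ', 'D')
}

function Get-UsersWithNonAsciiNames {
    Get-AzureADUser -All $true | ForEach-Object {
        $given = [string]$_.GivenName
        $sur   = [string]$_.Surname
        # anything outside U+0020..U+007E, e.g. š đ č ć ž
        if ($given -match '[^\x20-\x7E]' -or $sur -match '[^\x20-\x7E]') {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                GivenName         = $given
                Surname           = $sur
                AsciiSuggestion   = (Remove-Diacritics "$given $sur")
            }
        }
    }
}

Get-UsersWithNonAsciiNames | Format-Table
```

Running this before devices are joined turns the workaround into a routine pre-check; the suggestion column is only a starting point, since a transliteration may collide with an existing account's name.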