Channel: Azure Active Directory forum

Azure AD Connect *without* single sign on or same password?


Looking to update our internal network from Win 7 Pro desktops and 2008R2 DC to Win 10 Enterprise E3 and Server 2016 DC.  I understand we need Azure AD Connect to activate Win 10 Pro Enterprise features.

We currently have Office365 subscriptions purely for email/calendar.  Most users access via Outlook on desktop or mobile - very few use web apps, and then only rarely.

Our internal AD domain schema has been rolled over and upgraded for many years from NT4 > 2003 > 2008R2, and uses a different internal domain name to our email address, and users have different user names to their email address.

As part of the upgrade I intend to set up and migrate to a fresh internal AD schema and new usernames, and logically these should match email address/domain.  Our Office365 subscription means that MS has already set up our users in Azure AD based on email addresses anyway.

My question is if we use Azure AD Connect, is it possible to have different passwords to authenticate internally against our AD domain controller versus that used to authenticate in Office365?

Thanks!


AAD Connect with existing O365 accounts

I am looking to migrate our on-premises Exchange 2010 organization to Exchange online. As an initial part of this migration I'm going to get AAD Connect up and running. We have been running an E3/E3 tenancy for about a year testing end-user adoption and issues. Users have been testing email and using other portal features, including extensive use of teams, so when we set up AAD Connect, we hope to connect the on-premises accounts with the existing O365 accounts.

Before moving forward, I’d like to ask for your advice and input to make sure I understand the issues and interactions. Once we move forward, the plan will be to either do a minimal hybrid configuration or just do a straight cut-over. We only have about 100 users and most mailboxes are under 2 GB.
 
On-premises is a single flat domain on 2012R2 DC with:
UPN = uname@contoso.com (this is a publicly routable domain)
Primary SMTP: uname@fabrikam.com (published MX records)
Secondary smtp: uname@contoso.com (no public MX records)
Exchange accepted domains: fabrikam.com, contoso.com

O365 E3/E2 tenancy with:
UPN: uname@newfabrikam.com (this is a publicly routable domain)
Primary SMTP: uname@newfabrikam.com (published MX records)
Verified Domains: newfabrikam.com (default), newfabrikam.onmicrosoft.com, contoso.com, fabrikam.com
Exchange accepted domains: same as verified domains

My understanding is that since Primary SMTP addresses do not match, a soft match would then happen on UPN. My initial question is will it be necessary for me to first change all the usernames in O365 to uname@contoso.com? Or will sync see the verified domain contoso.com in O365 and simply update the existing usernames to match the local UPN suffix?

I did change a single test account in O365 to use the contoso.com UPN suffix, and logged in and sent email using the existing default newfabrikam.com address, so I imagine once email is migrated it will be a simple matter to make the fabrikam.com address the default and update the MX records.

Have I sorted this out properly? Many thanks!

New policy button in Conditional Access is grayed out


Hi, I am trying out Azure Cloud on the administration side of it. One of the main concern here in my company is authentication.

I set out to try this on my own, signed up for a pay-as-you-go subscription, activated AD premium P2, to get a glimpse of Conditional Access setting.

I get to the Azure Active Directory blade > Conditional Access, but the New policy button was grayed out. Underneath it there is a banner that points to activating the trial Premium P2 (but I just did, and Azure wouldn't let me do it again).

Anything I should do to create a new policy and check on how CA is used? Your advice would be very much appreciated.

Windows Virtual Desktop - Unable to join domain


I'm trying to provision a set of Windows Virtual Desktops for my company's call center. I went through the official documentation docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory and did not encounter any error.

 

However when deploying the Hostpool using the WVD offering in Azure Portal, I'm getting this error :

VM has reported a failure when processing extension 'joindomain'. Error message: "Exception(s) occured while joining Domain 'mydomain.tech'

 

I've followed the tutorial to the letter and did not encounter any errors along the way. Can someone help??

Can't remove custom login branding after Azure AD Premium trial expires

Title. I had a Premium P2 Trial and I applied custom branding, but since then our logo has changed, so I would like the branding removed at the least or changed if I can. Thanks in advance!

AAD Authentication is not being successful


Hi 

I have the Power BI report which uses the analysis services (Azure based) for which I need to do the authentication to connect to the data source. When I am doing the OAuth2 and Organizational, the AAD popup window opens and when I select my id it says:

Sorry, but we’re having trouble signing you in.

AADSTS90015: Requested query string is too long.

Request Id: 1d6704a0-7bf0-4341-904f-5b39c4810c00
Correlation Id: 851ae2fd-528c-486c-8c40-014b93fc1f4d
Timestamp: 2019-10-07T04:17:23Z
Message: AADSTS90015: Requested query string is too long.
Advanced diagnostics: Disable

If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

Can somebody help me on this?

It's not only for this source but for most of the sources and whenever AAD Auth is required.

thanks

sai


sakusuma

Created Azure Active Directory for the Windows Hardware Dev Center program, but can't sign into it


Ultimately I need to get our driver signed for Windows 10, but first must register for the Windows Hardware Dev Center program.  It seems I need to create an Azure Active Directory.  So I end up at

https://partner.microsoft.com/en-us/dashboard/Registration/Tenant/CreateTenant

to sign up.

I entered the user name: steven@pulseinstruments.onmicrosoft.com and all goes well.  Does this have to be a working email address before creating the directory?  The contact email address is, but not the user name.  When I try to sign in by clicking the "Sign in to Azure AD" button  at

https://partner.microsoft.com/en-US/dashboard/Registration/Hardware?step=AzureADAccount,

I end up back at the Get Started page:  https://partner.microsoft.com/enUS/dashboard/Registration/Hardwarestep=GetStarted

How do I create an Azure AD that I can sign in to?

Change Source Anchor and Change Immutable ID - what is the correct way?


A previous member of staff has already set up Azure Active Directory Connect with successful synchronisation.

However, the Source Anchor chosen is the SamAccountName. And the SamAccountName can change if a user has a name change. And there may be the duplication of a SamAccountName in the event of a member of staff leaving, and a new member of staff with the same name starting soon after.

I believe that it is advisable to use the objectGUID as the Source Anchor, and so we are considering changing the Source Anchor.

Given that we have assigned O365 licenses to only 41 people so far (and nothing else assigned to make use of Azure AD), am I correct in thinking that this is the best way to change our Source Anchor?

a) Disable sync on Azure AD Connect.

b) Wait 72 hours, after which point the users in Azure AD will automatically have been converted to managed users.

c) Delete all Azure AD users apart from those that have a O365 license assigned.

d) For the remaining users in Azure AD, edit the ImmutableID attribute so that it matches the respective objectGUID for the AD account (which I believe needs to be performed via PowerShell as there is no way of doing this in a GUI).

e) Create a new instance of Azure AD Connect, where it is configured to have the Source Anchor as the objectGUID?

If there is any flaw in the above steps in the real world, I would appreciate being made aware of it.
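Step d) hinges on one conversion: Azure AD Connect stores the objectGUID's 16-byte .NET representation, Base64-encoded, as the cloud user's ImmutableID. The following is an added example (not code from the post or from Microsoft) that computes that value, reverses it, and pre-checks whether an existing ImmutableID already corresponds to an AD account before anything is edited; the GUID below is constructed.

```python
import base64
import uuid

# Constructed sample objectGUID for illustration (not a real account).
SAMPLE_OBJECT_GUID = "12345678-1234-1234-1234-123456789abc"


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Compute the ImmutableID corresponding to an on-premises objectGUID.

    .NET's Guid.ToByteArray() emits the first three GUID fields little-endian,
    which is exactly the byte order uuid.UUID.bytes_le returns; Azure AD Connect
    Base64-encodes those 16 bytes.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse mapping: decode an ImmutableID back into a lowercase GUID string."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def immutable_id_matches(object_guid: str, immutable_id: str) -> bool:
    """Pre-flight check for step d): does this cloud user's ImmutableID already
    correspond to the given AD objectGUID? Malformed values count as no match."""
    try:
        return object_guid_from_immutable_id(immutable_id) == object_guid.lower()
    except (ValueError, base64.binascii.Error):
        return False


if __name__ == "__main__":
    iid = immutable_id_from_object_guid(SAMPLE_OBJECT_GUID)
    print(SAMPLE_OBJECT_GUID, "->", iid)
    print("round trip ok:", immutable_id_matches(SAMPLE_OBJECT_GUID, iid))
```

Running the check across all 41 licensed users before re-pairing tells you which accounts will hard-match on the new anchor and which would otherwise end up as duplicates.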


Regarding WS-Fed and SAML

Hi,

We have a customer using ADFS 3.0 (configured in a Windows server environment). For the Single Sign On we implemented the WS-Fed protocol in our .NET web application.
We have another client that wants to use SAML (in an Azure SSO environment) and not WS-Fed.

Questions:
Is WS-Fed not going to work with Azure SSO in the near future?
Is it possible to write code such that the web application can support both SAML and WS-Fed in Windows/Azure?

Thanks,
Sunil

Connect local SCCM to Microsoft Store for Education


Hello-

 I am trying to connect our local SCCM to our education store to push out apps.  I've followed the instructions to create an Azure service in SCCM, logged in and that part seems to work.  The next step of adding the app in the store as a management tool does not, the tool I created in SCCM does not appear.  I also don't know where in Azure I would look to see if the tool was created correctly.  Anyone have any insight into what I might need to do to make this work?  Thanks.

-Rich

AzureAD Recycle Bin - Users and Groups


Guys, does the recycle bin apply to both users and groups (assuming it's enabled)? For example:

  1. If a group is deleted in AzureAD, does it go to the bin? I know users do.
  2. If a user/group sync from on-premise AD goes out of scope of sync, does it go to the bin?
  3. If an item is restored from the bin, does it also restore assignments like group memberships, app assignments etc.? 

Azure AD SCIM Error


Hi All,

We are building a new application which will sync user attributes from Azure AD to an application. Here is the link for the application documentation (Building a SCIM endpoint using Microsoft CLI libraries). We have built this application on an Azure VM and opened the required port, but when we are registering the SCIM endpoint in Azure AD we get an error on the provisioning page, i.e.

1. In the Provisioning Mode menu, select Automatic.

2. In the Tenant URL field, enter the URL of the application's SCIM endpoint. Example: https://api.contoso.com/scim/

3. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional Secret Token field. If this field is left blank, Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token.

4. Select Test Connection to have Azure Active Directory attempt to connect to the SCIM endpoint.

It's failing in the Test connection, giving the failure event code "Invalid Credentials", but as per the documentation we are giving the tenant URL as http://<ipaddress>:9000 and leaving Secret token blank as mentioned in step 3.

Not able to figure out whose side the error is on. Looks like Azure AD is not able to establish a connection with the application endpoint.

Let us know if someone has knowledge on this particular area. 


Cannot use IDN as callback URI for OAuth2


I'm trying out Azure AD, to allow users to authenticate with their Microsoft account on my website. Oauth2 works fine when the redirect URI is http://localhost:8080/callback, but it fails when I try to enter the "real" IDN URI (https://södermalmsskolan.com/callback) in the portal, saying that the URI is invalid. I have also tried entering the punycode version (https://xn--sdermalmsskolan-8sb.com) but without any success. Am I doing something wrong?
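The Unicode and punycode spellings in the post are two forms of the same host, and OAuth redirect URIs are validated by exact match, so a client-side check should canonicalize the host with IDNA before comparing. Added example, not code from the post or from Azure AD: the registered-URI list is constructed for illustration, and the exact-match policy is an assumption about how a relying party should behave.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list for illustration; the punycode host is the post's own.
REGISTERED_REDIRECT_URIS = [
    "http://localhost:8080/callback",
    "https://xn--sdermalmsskolan-8sb.com/callback",
]


def normalize_redirect_uri(uri: str) -> str:
    """Canonicalize a redirect URI so Unicode and punycode hosts compare equal.

    Only the host is IDNA-encoded (and lower-cased by urlsplit); scheme is
    lower-cased; path, query and port are kept byte-for-byte because redirect
    URI matching must be exact-match, never prefix-match.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or hostless redirect URI: {uri!r}")
    host = parts.hostname.encode("idna").decode("ascii")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    # Fragment is dropped here; is_registered_redirect rejects it separately.
    return urlunsplit((parts.scheme.lower(), netloc, parts.path, parts.query, ""))


def is_registered_redirect(uri: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match check after normalization; URIs carrying a fragment or a
    malformed port are rejected rather than partially matched."""
    try:
        if urlsplit(uri).fragment:
            return False
        candidate = normalize_redirect_uri(uri)
        return any(candidate == normalize_redirect_uri(r) for r in registered)
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://södermalmsskolan.com/callback",
              "https://xn--sdermalmsskolan-8sb.com/callback/extra"):
        print(u, "->", normalize_redirect_uri(u), is_registered_redirect(u))
```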

Integrating MIM with ServiceNow

Hi, We are thinking of connecting ServiceNow with Microsoft Identity Manager (MIM) to provision accounts into AD.  This is because the ServiceNow Ticket is the entry point through which AD accounts are created. Is it possible to pick up accounts from ServiceNow through MIM?

Not Getting Custom Field in SCIM Post Request


We have created one custom field called "tags" in the SCIM mapping. But when we create a user, the POST request doesn't contain the "tags" field. The same field gets updated when the next PATCH call happens during an update. Here is the mapping for the "tags" field:

Join(":", [jobTitle], [department])    tags

Apply this mapping : Always

Also pasting request body for reference. Please check & let us know why "tags" field is not coming as part of POST request. "tags" is part of schema "urn:ietf:params:scim:schemas:core:2.0:User"

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "externalId": "new.scim.user5",
    "userName": "new.scim.user5",
    "active": true,
    "displayName": "new.scim.user5 DN",
    "emails": [{
        "primary": true,
        "type": "work",
        "value": "new.scim.user5@BlueJeansNetwork.onmicrosoft.com"
    }],
    "meta": {
        "resourceType": "User"
    },
    "name": {
        "formatted": "new.scim.user5 FN new.scim.user5 LN",
        "familyName": "new.scim.user5 LN",
        "givenName": "new.scim.user5 FN"
    },
    "roles": [],
    "title": "QA Lead",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "Q&A Engineering"
    }
}


Regarding OpenID Integration of Azure AD B2C

I've created a B2C application for which I have done OpenID Connect configuration, but when I'm authenticating a user in that application I'm getting a null email address from Azure for that user. I'm getting the first name and last name of that user for that Azure AD B2C application, but I want the email address of the user as well in the response for authenticating him in my application. Can anyone please look into this and help me resolve this issue ASAP.

Azure AD B2C authorize url not working.


I have followed this document https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc 

to generate authorize url but I am getting below error

404 - File or directory not found. The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

I have observed that the authorize URL works fine if we add p=B2C_1_LifrayB2c in the query params, but it is not working without it.

But ideally it should not be required to append that as per the OAuth 2.0 standard, and it is also not mentioned in the document that this needs to be appended, and my application is not appending it. I want the authorize URL to work without p=B2C_1_LifrayB2c.

Please guide me on this.


Azure Lighthouse manage Azure Active Directory Customer tenant from my tenant


Hi All,

As a Cloud Service Provider I'm a bit confused with Azure Lighthouse. I followed the onboarding document

and I can then easily switch to the directory of my customer tenant from my management tenant. But how would I manage the customer tenant's Azure Active Directory from my tenant? Is this at all possible? If not, what if I want to create users on the tenant's behalf? So now I can easily create stuff in the customer tenant (resource groups, vnets, VMs), but I can't switch directories. Is there another role I can use in the JSON file?

Hope someone can help

Kind regards,

John

Process Escrow Failure when trying to Provision user to Salesforce App


Hello,

I am trying to set up provisioning with the gallery application Salesforce.

I receive a failure with accounts I am trying to provision. The failure is Process Escrow. Details below:

Status Reason:
We are retrying an operation that previously failed. Identifier: username@comany.com Object type: User Directory: Azure Active Directory; Error: An error occured while evaluating this function: 'Replace.'. This operation was retried 1 times. It will be retried again after this date: 2019-09-21T01:08:14.2481484Z UTC

Details:

EscrowType: Default; EntryType: User; EntryIdentifier: 5a389607-30bc-4c94-9fff-8b74b9bba21d; Matching value: username@comany.com; Modification: Add; Creation time: 2019-09-20T19:08:14.2481484Z; Count processed: 1; Origin: Source; Fault: ErrorCode: MappingEvaluationFailed, ErrorSource: None, ExceptionMessage: An error occured while evaluating this function: 'Replace.', Exception: , Scope: Entry, TenantActionable: True, Transient: False;
ErrorCode: MappingEvaluationFailed
EventName: EntryEscrowRetry
JoiningProperty: username@comany.com

Access azure datalake gen2 resources by Azure Active Directory B2C users


Hi,

We have an application where we need to do the following

1. Create folders and files under Azure datalake gen2

2. Create Active Directory B2C users (Using javascript single page as explained in https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp)

3. Add users created in step 2 to the Access control lists of one or more folders created in step 1 programmatically.

4. Allow users created in step 2 to access folders/files created in step 1 through JavaScript REST APIs

Are steps 3 and 4 possible?

Thanks,

Hema
