Channel: Azure Active Directory forum

Azure AD Integration Limits for Azure App Services VNET Integration


Dear, 

Which services are supported and which aren't when we plan to do Azure App Service VNET integration? Can someone be more clear on this? 

On the docs page, it states that AD Integration is not supported, meaning we will lose almost all functionality.

Link: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

Kr. Cédric


Want to create a SAML based custom certificate for 2 enterprise app

I have created two enterprise (SAML based) apps in Azure AD. Both apps generate their own SAML Signing Certificate. I want a single custom certificate for both apps. Please help me out ASAP.

Joining a device to AAD with 3rd Party Conditional Access MFA


Hello,

I have DUO configured as our 3rd Party MFA method through AAD - Conditional Access.

This seems to work with no problem as this MFA method prompts when logging into portal.office.com (or any other Microsoft cloud app / site).

I do encounter issues when attempting to join a device to AAD: the device recognizes that the conditional access rule requires MFA, but it does not recognize that DUO MFA is the method being required. It simply assumes that Microsoft MFA needs to be set up for the user, so the MFA push is never initiated.

To work around this, I have to exclude the user from the Conditional Access Policy, join their device (using their account) to AAD and then remove the exclusion.

Has anyone run into these types of problems? Did I set something up incorrectly?

I want to connect on-premises AD with Azure AD.


Hi, I'm Mr. Chae from Korea.

I want to connect on-premises AD with Azure AD.
But the on-premises AD and Azure AD have different domains.
How can I connect them?
I don't know how to explain it.
The on-premises AD will be transferred to Azure AD.
I'm going to delete the on-premises AD.

ex) on-premises AD (abc.co.kr) -> Azure AD (def.co.kr)
The on-premises AD and Azure AD are in different domains.

help me ...




How to include phone_number claim into OpenID Access token?


I'd like to integrate an application via OAuth/OpenID Connect with Azure Active Directory. So far I've created an app registration and the application can authenticate a user and obtain an ID & Access Token (JWT).

Unfortunately, the application requires the user's phone number in the access token. I tried adding the phone number to the optional claims in the App's manifest, but without success.

"optionalClaims": {
        "idToken": [],
        "accessToken": [
            {
                "name": "phone_number",
                "source": "user",
                "essential": true,
                "additionalProperties": []
            }
        ],
        "saml2Token": []
    },

How is it possible to include the phone_number claim in the access token?


Can Windows Server 2012 Active Directory generate JWT?

I have Windows Server 2012 Active Directory on-premises. Can I generate JWTs with it? I would like to use it as an Identity Provider for some APIs.

Azure AD Scim provisioning group with user memberships


Hi,

I have a question about "Azure AD SCIM provisioning for groups". Say I create a group and assign a bunch of users to the new group. Then I either force a SCIM sync or wait for the sync to happen (assuming SCIM provisioning is already started). We have observed that Azure likes to do PATCH operations for the group with 1 user at a time. Isn't this the least efficient way of doing things? For example, when the group membership exceeds hundreds of users (like > 300), Azure would be "spamming" a SCIM server with over 300 individual PATCH requests just for a single group.

Can this be optimized by the Azure team in handling provisioning?   PATCH does allow for handling multiple operations or adding multiple memberships.

Thanks

Al
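To make the request pattern concrete, here is an added example (not code from the post or from Azure) that builds SCIM 2.0 PatchOp bodies for group membership and applies them the way a SCIM server endpoint would. It contrasts the one-member-per-PATCH pattern described above with a single PATCH carrying all members; user ids and the group resource are constructed sample data.

```python
"""SCIM 2.0 PatchOp (RFC 7644 section 3.5.2) for group membership: one PATCH per
member versus one PATCH with many members. Sample ids below are constructed."""

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def member_patch(user_ids):
    """One PatchOp body that adds every id in user_ids to the group's members."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [
            {"op": "add", "path": "members",
             "value": [{"value": uid} for uid in user_ids]}
        ],
    }


def per_member_patches(user_ids):
    """The pattern observed in the post: a separate PATCH request per member."""
    return [member_patch([uid]) for uid in user_ids]


def apply_patch(group, patch):
    """Apply a PatchOp to a group resource dict (server side).

    Only 'add' on the 'members' path is handled; anything else is rejected
    rather than silently ignored, so a malformed request cannot partially apply.
    """
    if SCIM_PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    members = {m["value"] for m in group.get("members", [])}
    for op in patch.get("Operations", []):
        if op.get("op") != "add" or op.get("path") != "members":
            raise ValueError("unsupported operation: %r" % op)
        members |= {v["value"] for v in op["value"]}   # set union: idempotent
    group["members"] = [{"value": m} for m in sorted(members)]
    return group


def request_count(user_ids, batched):
    """Number of PATCH requests needed to add user_ids to one group."""
    return 1 if batched else len(per_member_patches(user_ids))


if __name__ == "__main__":
    ids = ["user-%03d" % i for i in range(300)]        # constructed sample ids
    print(request_count(ids, batched=False), "requests one at a time")
    print(request_count(ids, batched=True), "request when batched")
```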

AD B2C Custom Policies App/Object Id externalization



Is there a way in which we can send the IEF app id, Proxy IEF app id, Graph API extensions app ids, or any user-defined variables that are constant for an environment as input parameters to the policy, or maybe in the top-level <TrustFrameworkPolicy> tag, and use them across the policy?

For example: <TrustFrameworkPolicy> has the tenant id, and the same is used in the policy with the syntax {tenant}.


Getting "failed to configure secure LDAP" in Azure AD Domain Services

Seamless SSO – Roll Over Kerberos key "Failed to remove inherited Permissions"


Hi Guys,

I tried to roll over my Kerberos key as described by Microsoft.

But when I enter the last command (Update-AzureADSSOForest -OnPremCredentials $creds) to update it, it fails with the error message:

PS C:\Program Files\Microsoft Azure Active Directory Connect> update-AzureADSSOForest -OnPremCredentials $creds
[09:02:16.671] [  8] [INFORMATIONAL] UpdateComputerAccount: Locating SSO computer account in XXXXXX...
[09:02:16.671] [  8] [INFORMATIONAL] GetDesktopSsoComputerAccount: Searching in global catalog(forest) and XXXXXXX for computer account AZUREADSSOACC
[09:02:16.703] [  8] [INFORMATIONAL] TrySearchAccountUnderGlobalCatalog: Object was found in global catalog(forest), hence skipping XXXXXX search
[09:02:16.703] [  8] [INFORMATIONAL] UpdateComputerAccount: Found SSO computer account at CN=AZUREADSSOACC,CN=Computers,DC=XXXXXXX,DC=local. Updating its properties...
[09:02:16.703] [  8] [INFORMATIONAL] UpdateComputerAccount: Granting full control to account admins and enterprise admins for computer account CN=AZUREADSSOACC,CN=Computers,DC=XXXXXXXXXX,DC=local...
[09:02:16.718] [  8] [WARNING] Failed to remove inherited permissions on Sso computer account CN=AZUREADSSOACC,CN=Computers,DC=XXXXXXXXX,DC=local. Error : Es ist eine Beschränkungsverletzung aufgetreten.

update-AzureADSSOForest : Es ist eine Beschränkungsverletzung aufgetreten.
In Zeile:1 Zeichen:1
+ update-AzureADSSOForest -OnPremCredentials $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Update-AzureADSSOForest], DirectoryServicesCOMException
    + FullyQualifiedErrorId : System.DirectoryServices.DirectoryServicesCOMException,Microsoft.KerberosAuth.Powershell
   .PowershellCommands.UpdateAzureADSSOForestCommand

Any ideas? Not sure which inherited permissions are meant.

Sorry, can't post images, maybe someone can verify my account?


Configuration between Azure Active Directory Domain and Azure AD Tenant


Hi Folks,

Currently I have AD DS to manage identity, while I have an Azure AD tenant for Office 365, and they are not connected. I am wondering if anyone knows how to set up the federation relationship between them?

Thanks

How to configure a web API to accept tokens for authentication from two different applications using different sign-in policies on B2C


Hi,

I have a B2C tenant with 3 applications - 1 web api and two web apps 

App 1 uses "b2c_1_signinAP1", App 2 uses "b2c_1_signinAp2".

Now how should I configure the web API with both policies for sign-in/sign-up so that the API authenticates tokens from both web apps without issues?

I tried adding both sign-in policies in the web API, but this gives an application error.

Need any pointers that you can give me


Rkasani.DU05

Azure AAD Connect Health - ADFS | Active WAP Server Alert is still active even after fixing the issue.


Hi All,

We have received the alert from Azure AD Connect Health - ADFS.

STATE Active
RAISED 10/27/2019, 11:42:00 AM
LAST DETECTED 10/27/2019, 11:42:00 AM
ISSUE

The trust between the federation server proxy and the Federation Service could not be established or renewed.

FIX

  1. Update the Proxy Trust Certificate on the proxy server.
  2. Re-Run the Proxy Configuration Wizard.

Even after fixing the alert, my ADFS and WAP Servers' health is OK.

PS C:\Users\hemant> Get-WebApplicationProxyHealth

Component          : AD FS Proxy
RemoteAccessServer : XXXXXXXX
HealthState        : OK
Heuristics         : {}
TimeStamp          : 10/29/2019 11:44:38 AM
Component          : Web Application Proxy Core
RemoteAccessServer : XXXXXXXXX
HealthState        : OK
Heuristics         : {}
TimeStamp          : 10/29/2019 11:44:38 AM

Issue : Alert is still active and not getting any option to mark this alert resolved manually. Please suggest.

Microsoft Azure Account related to invalid account as guest on another subscription


I have an azure account at Company 1 taniaw@company1.co.za and this account is linked to my.visualstudio.com. My email address at Company 1 used to be taniw@oldcompanyname.co.za. This was never used as a Microsoft account though.

I am doing work at Company 2 and I have been added as a guest on their Azure platform and on their Azure DevOps. Most things are working fine, except when I try to configure an Azure DevOps Git repository on the Azure Data Factory. I can add the repo fine, however when I try to access it from Azure Data Factory I receive an "Invalid GIT Configuration" error.

On further investigation I find that there is an HTTP 401 Access Denied error being returned from Azure DevOps referencing my old email address as though it is an account. How do I investigate where this old email address is being inserted into the process? I do not have access to the AAD where I am defined as a guest user.

Error message:

{"$id":"1","innerException":null,"message":"TF400813: The user '34de334b-xxxx-xxxx-xxxx-xxxxxxxxxd65\taniaw@oldcompanyname.co.za' is not authorized to access this resource.","typeName":"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server","typeKey":"UnauthorizedRequestException","errorCode":0,"eventId":3000}

Which permissions are required for ARM REST API


I am trying to create an application that can connect to ARM (https://management.azure.com) and retrieve some information from it. I already created one that uses Microsoft Graph (https://graph.microsoft.com) and works fine, however now I need to get information that is only available on ARM.

I looked up the required permissions on the internet, especially on Microsoft Docs, however all the documentation I was able to find refers only to Microsoft Graph or Windows Graph.

Do you know which permissions I should request through the portal?

// Imports for the method below; javax.naming.ServiceUnavailableException is assumed,
// the original post does not show which ServiceUnavailableException it uses.
import java.net.MalformedURLException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.naming.ServiceUnavailableException;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

public String getAccessToken() throws MalformedURLException, InterruptedException,
        ExecutionException, ServiceUnavailableException, InvalidKeyException,
        IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException,
        NoSuchPaddingException {
    AuthenticationContext objContext;
    AuthenticationResult objToken = null;
    ExecutorService objService = null;
    Future<AuthenticationResult> objFuture;
    try {
        objService = Executors.newFixedThreadPool(1);
        // getAuthorize() returns the authority URL; authority validation is disabled here
        objContext = new AuthenticationContext(this.getAuthorize(), false, objService);
        // Username/password (ROPC) token request for the ARM resource
        objFuture = objContext.acquireToken("https://management.azure.com",
                this.getApplicationID(), this.getUsername(),
                SecureText.getInstance().decode(this.getPassword()), null);
        objToken = objFuture.get();
        this.getLogger().info("Connection to Azure Resource Manager "
                .concat(this.getClass().getSimpleName().toLowerCase())
                .concat(" successfully established"));
    } finally {
        if (objService != null) {
            objService.shutdown();
        }
    }
    if (objToken == null) {
        throw new ServiceUnavailableException("Authentication Service is not available");
    }
    return objToken.getAccessToken();
}

The following error is displayed:

com.microsoft.aad.adal4j.AuthenticationException:  {"error_description":"AADSTS65001: The user or administrator has not  consented to use the application with ID  'e1b0615a-911d-4ccf-bf16-e8d0c1c2f8b5' named 'XXXXXXX'. Send an  interactive authorization request for this user and resource.\r\nTrace  ID: 9731e9b7-116d-4c5e-b219-ab96e12c4300\r\nCorrelation ID:  faa9a023-3237-4367-9c66-eec9b77e2805\r\nTimestamp: 2019-09-26  11:20:54Z","error":"invalid_grant"}

AADConnect Special Multi Forest + Linked Mailbox Question


So we have 3 AD forests that are trusted. In forest A we have the majority of users and computers and the Exchange server. In forest B we have users and computers, and the users have linked mailboxes on the Exchange server in forest A. In forest C we have users and computers, and the users have separate users with "normal" mailboxes on the Exchange server in forest A. They just use the separate login information to connect to the mailbox in Outlook and then save the credentials.

We now want to move all mailboxes to O365 via Exchange Hybrid, and we already installed AADConnect in forest A. The question is how to do the user matching in this scenario, because it is not a classic Exchange resource forest scenario.

The end goal is to merge the forests into one, but we are far away from this.

What's the best way to do the user matching here?

One other idea was to migrate the mailboxes (about 200) from forests B and C with a 3rd party tool to O365 first and convert their mailboxes in forest A to mail users with a target address that will not be synced to O365.

Require MFA based on user role or action?


Can conditional access (or something else) be used to require MFA for a user based on role assignment or a task executed within an app? The intent is to require a higher degree of auth for elevated activities within an app.

THX, Eric

Setting permissions on a file share using Azure AD for Office 365

We have 2 file shares within Azure which are mapped to our users' PCs. We would like to set permissions on the folders within these shares. Is it possible to set up permissions on the folders in these mapped drives using our Azure AD for Office 365?