Channel: Azure Active Directory forum
Viewing all 16000 articles

Azure AD Connect for Multiple Forest


Hi Team,

I have a case where we have 3 forests on-premises but currently we are syncing from only one single forest. I know that Azure AD Connect topologies support multi-forest (multiple forests, single Azure AD tenant).

The issue is that the IT team used to manually create users in one forest, which is in sync with Azure AD. (Now I have 2 identical IDs in different forests.) Since we are syncing from 1 forest, we don't have any user object conflict. Now these synced IDs have Exchange Online mailboxes associated with them; how do I preserve them if I go for a multi-forest configuration in AAD Connect? It will cause a conflict due to duplicate IDs in each forest. What happens to the O365 mailbox?

Example :

Forest-1= user1@abc.com , user2@xyz.com

Forest-2= user1@abc.com

Forest-3= user2@xyz.com

Currently Forest-1 is in sync with AzureAD. (Manually created user1 and user2 in Forest 1.)

Now, to avoid manual user creation in Forest-1, if we configure Forest 2 and Forest 3 in AAD Connect to sync to our existing Azure AD, it will cause a user object conflict. How do I preserve their Exchange Online or O365 resources?

How to achieve this task?


Questions concerning the implementation of MFA


Hi, I am writing in order to get some information about the possibility of enabling MFA.

I have an E3 license (Premium 1). Thus, I was wondering if: 

- Is it possible to enable MFA with Microsoft Teams? If so, where can I find more information about it (for instance, a guide)?

- Is it possible to integrate MFA with identity systems (for instance, CA Identity Manager or similar)? Is there a section where this is more thoroughly explained or addressed?

I already tried to find out more about it, but wasn't able to get any insights on the matter.

- Is it possible to integrate Azure MFA with Splunk or ArcSight, or, in general, with a SIEM? I read on the website that, as regards Splunk, it is actually possible to configure the Azure Monitor Add-on. Shall this be considered sufficient to integrate the two?

On the other hand, as regards to ArcSight, I was (unfortunately) unable to find more information, besides an indication to contact ArcSight itself for more details. Is this correct? Does anybody have more information about it?

Thank you in advance for your help and your support. 

C.

What happens to the guest object, when a company gets federated?


Dear Community,

Our client has a scenario, where they will have the following type of users:

  • Internal users (Members of client)
  • Guest users (Users invited for the tenant)
  • Azure B2B customers (Users that are federated into the AD)

What happens to a guest user / object in the AD, if the company (For example: Google. All users with @google.com in their emails) gets federated with their own Azure AD through Azure AD B2B? Will the user simply be able to login with their @google.com account, and all the access rights will stay the same, or will a new object be created?

// Peter

Transform email address with Azure SSO to user.onpremisessamaccountname ??


I am running into an issue with configuring Azure SSO to connect to a third-party application (Oracle). Since we log into our Azure SSO with email address, it continues to send our email through as the login. This would work fine, but we have some staff that do not use email, and instead use their SAMAccountName to log in. I have tried everything I can think of to get the user.onpremisessamaccountname to be the login, but looking at trace logs, it's still sending the email address.

 

I have tried pretty much every combination of transformation that I can think of.

 

Any ideas??

Public Preview of synchronizing temporary passwords and "Force Password on Next Logon"


Hi,

I have trialled this Preview as per https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization#public-preview-of-synchronizing-temporary-passwords-and-force-password-on-next-logon

but when the user attempts to log on, their account is blocked in Azure AD. Is this an expected result?

Login to Azure through Powershell command


I'm trying to log in to Azure from Windows through PowerShell. The command used is connect-azaccount -credential $cred. It was working fine, but all of a sudden today it started to give the following error:

connect-azaccount : accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed

I know for certain that my supplied credential was the correct one. What else could have gone wrong? Thanks a lot.



How to add Privacy policy/terms & condition in Azure AD login process


Hi, I am a mobile application developer. I am using the Azure AD sign-in process in my application. Currently the user can enter the app as soon as login is successful without accepting the privacy policy/terms & conditions. Now I want to add the privacy policy and terms and conditions to the login process.

1. How to add privacy policy/terms & conditions to the Azure AD login process?

2. Is terms of use applicable to mobile applications also?


Active users can't be found in directory when accessing SharePoint online site


Hello,

We are getting the below error while accessing a SharePoint Online site for active users (internal as well as external):

We are sorry, but user can't be found in the directory. Please try again later, while we try to automatically fix that for you.

Users have Read access on the SharePoint site and are active users.

Please suggest some solution.

Thanks,

Sonali


Enable SSO over OAuth2 for Rails app


Hi, my team's implementing SSO for a Rails application based on AD.
However, the supported library for Rails apps is outdated.
Are there any other ways to integrate AD into my Rails app?

After getting auth token for SharePoint online get HTTP 401 with it

Hello,

I am developing a native app: C++ with HTTP, so please don't suggest .NET or JavaScript libraries :) The app should access SharePoint Online. I used to use X-Forms-Auth and the "FedAuth" cookie but now need to migrate to OAuth.

1) I have registered the app in the Azure portal (got secret, marked redirect URI, added read/write permissions for SharePoint)

2) Then I perform OAuth flow by opening browser with

https://login.microsoftonline.com/common/oauth2/authorize
 ?client_id=<CODE FROM AZURE PORTAL>
 &response_type=code
 &redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
 &resource=https://testorg.sharepoint.com/

It redirects to my redirect URI and I parse out the code, as expected. Then I do

POST https://login.microsoftonline.com/b51447fd-f997-4080-bf24-833070bc14bd/oauth2/token
client_id=<CODE FROM AZURE PORTAL>
&client_secret=<SECRET FROM AZURE PORTAL>
&grant_type=authorization_code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&resource=https://testorg.sharepoint.com/
&response_mode=form_post
&code=<CODE FROM PREVIOUS STEP>

This also returns the expected JSON, from which I get "access_token".

3) Later I call any SharePoint/WebDAV API on https://testorg.sharepoint.com with the obtained token in the auth header (Authorization:Bearer <TOKEN>) but get 401. However, all works fine when I follow X-Forms-Auth.

Can anyone help me here please?

Configuration between Azure Active Directory Domain and Azure AD Tenant


Hi Folks,

Currently I have an AD DS to manage identity and an Azure AD tenant for Office 365, and they are not connected. I am wondering if anyone knows how to set up the federation relationship between them?

Thanks

Publish Exchange ActiveSync with Azure AD Application Proxy


Does anyone know how to publish Exchange ActiveSync using Azure AD Application Proxy?

I was able to publish both OWA and ECP successfully, but ActiveSync failed with an error about authentication. Below is the error I got from the remote analyzer:

The Initial Anonymous HTTPS request didn't fail, but Anonymous isn't a supported authentication method for this scenario.
HTTP Response Headers:
Content-Length: 0
Date: Wed, 30 Oct 2019 01:45:50 GMT
Location: https://login.microsoftonline.com/a6004541-9c25-4f9b-bd12-31e3b64385ea/oauth2/authorize?response_type=code&client_id=b15051b8-d1f5-4c98-80db-e54777ae14da&scope=openid&nonce=6ebd0588-4a2d-4f67-a64e-2a74d9320c8b&redirect_uri=https%3a%2f%2fasonprem-olaga.msappproxy.net%2fMicrosoft-Server-ActiveSync%2f&state=AppProxyState%3a%7b%22InvalidTokenRetry%22%3anull%2c%22IsMsofba%22%3afalse%2c%22OriginalRawUrl%22%3a%22https%3a%5c%2f%5c%2fasonprem-olaga.msappproxy.net%5c%2fMicrosoft-Server-ActiveSync%5c%2f%22%2c%22RequestProfileId%22%3anull%7d%23EndOfStateParam%23&client-request-id=e2864e86-8929-474f-83d6-d83124ab67d4
Set-Cookie: AzureAppProxyAnalyticCookie_b15051b8-d1f5-4c98-80db-e54777ae14da_1.3=3|RwOtyzkLsF4AXTukEBMNBLyi1DlkWYG0V1BdSRoroeo/0MMiwRz21yLYPTHTzLvBxIrMGqe47VG80gZv58KR9B4v3264C/EPT8EQqmF2aF9PfRsw7gnFxvNXuAtwzRNxuJ36oTpOPL97Du1InQ8M7A==; path=/
Server: Microsoft-HTTPAPI/2.0
Elapsed Time: 801 ms.


Senior Systems Analyst https://xvand.com/


Azure AD Connect stopped after upgrade to Server 2019 from Server 2016

We use a hybrid Azure Connect to sync our on-premises AD to our Office 365 online system. Everything worked great until we updated our 2016 Standard server to 2019 Standard. The sync is broken and the AD Connect program shows an error that "no changes can be made at this time" when I try to open it. I tried a reinstall (no luck). The services are running. I support Azure AD Connect. What do we need to change/load/etc. to make this work again?

azure ad connect sharepoint online


Hi,

I have SPA apps installed in Azure. Authenticate in Azure AD (apps registered and multitenant). How to connect to SharePoint Online Office 365 (document preview iframe) after authentication with login.microsoftonline.com/common/oauth2/v2.0/?

Thanks


AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid


Getting the below error while logging out.

AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid

The application is SAML-enabled in Azure AD. The app is working fine, but we are getting an error while logging out of the application.

Any help is much appreciated.

Room mailbox is syncing in Users


We have some room mailboxes in our on-prem AD and they are syncing to Azure AD via AD Connect.

The good news is.....I can add them as a room when booking a meeting.  But why are they showing up under the "users" section in the admin center and not the "Rooms & Equipment" section?

Is there a way to migrate it over?  Or is that just how it is?

Thanks in advance,

Eric

Windows Hello for Business "This Sign-in Option is only available when connected to your organization's network" error


Hey All,

Currently having an issue with a Windows Hello for Business Key Trust deployment and wanted to see if anyone had similar issues.

Current State:

I set up everything according to the Microsoft documentation and have got it to work only on one domain-joined computer (mine). We are using Azure AD Connect with password synchronization, and our devices are being sync'd and registered with AAD. I've done the GPO configuration to enable Windows Hello for Business on users.

Problem:

When trying to on-board other users to WHFB using a PIN, the options are grayed out with a message stating "This Sign-in Option is only available when connected to your organization's network". I have successfully added my account and can use either the PIN or a fingerprint to authenticate, and was not given this error, but every other user is receiving this.

I've checked all configurations and re-ran through the documentation for the deployment about 10 times now, and am still coming up short. Anyone know how to fix this issue?

Populating a drop-down list with list values


Hello,

Imagine that I have a field named Requested By. In that field, instead of entering a value, I would prefer to use a drop-down list to select the proper person.

So, is it possible to use a drop-down list inside of Azure DevOps? If so, how can we set those?

Also, how do you add a name to that drop-down list?

Regards,

Alain Le Page

Azure AD B2C, can we programmatically sign up/sign in user from app to azure ad within the application ?

I don't want the application to open "login.microsoftonline.com".
I want it to be within my application. I want to use my own URL. Is that possible?


