
‘Azure Active Directory’ forum will be migrating to a new home on Microsoft Q&A (Preview)!


We’ve listened to your feedback on how we can enhance the forum experience. Microsoft Q&A (Preview) allows us to add new functionality and enables easier access to all the technical resources most useful to you, like Microsoft Docs and Microsoft Learn.

Now until November 27, 2019:

From November 27, 2019 until December 13, 2019:

  • New posts – We invite you to post new questions in the ‘Azure Active Directory’ forum’s new home on Microsoft Q&A (Preview). The current forum will not allow any new questions.
  • Existing posts – Interact here with existing content, answer questions, provide comments, etc.

December 13 onwards:

We are excited about moving to Microsoft Q&A (Preview) and seeing you there.


I want to connect on-premises AD with Azure AD.


Hi, I'm Korean, Mr. Chae.

I want to connect on-premises AD with Azure AD.
But the on-premises AD and Azure AD have different domains.
How can I connect them?
I don't know how to explain it.
The on-premises AD will be transferred to Azure AD.
I'm going to delete the on-premises AD.

ex) on-premises AD (abc.co.kr) -> Azure AD (def.co.kr)
The on-premises and Azure AD domains are different domains.

Help me ...




Download MFA Server

I can't see the option to download the MFA server under Azure Multi-Factor Authentication > Server settings.

Account has global admin rights.

I have a credit card under Cost Management + Billing > Cost Management: Azure subscription 1 > Pay-As-You-Go > Payment methods.

Join Azure AD directly from on-prem device


Hi All,

I have searched on the internet, and it seems one approach is using Azure AD Connect to sync on-prem AD to Azure AD. But this approach requires an AD server to exist on-prem.

May I know whether it is possible for a newly deployed on-prem Windows Server VM to join Azure AD directly if I do not have any existing AD on-prem?

Getting "403 Forbidden" from Azure AD Graph API trying to reset a user's password


We're trying to reset a user's password using the Azure AD Graph API but are receiving a "403 Forbidden" when we try to do the reset operation. The call fails both in the scenario where the user is signed in with the Web API and when they are signed out. The call is made from our Web API application, which has what we think are the correct permissions:

  • "Read and write directory data" - Directory.ReadWrite.All
  • "Sign in and read user profile" - User.Read
  • "Access the directory as the signed-in user" - Directory.AccessAsUser.All

Here are the details of the password reset operation we are doing: https://docs.microsoft.com/en-gb/previous-versions/azure/ad/graph/api/users-operations#reset-a-users-password--

Any suggestions as to why this isn't working?

I am not entirely sure how to interpret this section of the documentation:

"Either delegated scope User.ReadWrite.All or Directory.AccessAsUser.All is required to reset a user's password. In addition to the correct scope, the signed-in user would need sufficient privileges to reset another user's password."

Does our application only have these delegated scopes when a user is signed-in? When it refers to "the signed-in user" could this mean our application? Or do we need a special admin user to complete this operation?

Any help at all appreciated :).
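An added diagnostic for the question above (example code, not the poster's or Microsoft's): it reads the unverified claims of the access token the Web API presents to the directory API and reports whether it is a delegated token carrying one of the two scopes the quoted documentation names, or an app-only token (a `roles` claim and no signed-in user) to which delegated scopes never apply. The tokens and claim values are constructed; the `scp`/`roles` claim names are the ones Azure AD issues in its access tokens.

```python
import base64
import json

# Delegated scopes the Azure AD Graph documentation quoted in the post lists as
# sufficient to reset another user's password.
REQUIRED_DELEGATED_SCOPES = {"User.ReadWrite.All", "Directory.AccessAsUser.All"}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Diagnostic use only: never make an authorization decision on these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_password_reset_token(token: str) -> tuple:
    """Return (likely_ok, reason) for a token used to call the password-reset operation."""
    claims = decode_jwt_payload(token)
    if "scp" in claims:  # delegated token: consented scopes, space-separated
        granted = set(claims["scp"].split())
        hit = granted & REQUIRED_DELEGATED_SCOPES
        if hit:
            return True, (f"delegated scope {sorted(hit)[0]} present; a 403 now points at the "
                          "signed-in user's own directory privileges, not the app's scopes")
        return False, (f"delegated token lacks {sorted(REQUIRED_DELEGATED_SCOPES)}; "
                       f"consented scopes are {sorted(granted)}")
    if "roles" in claims:  # app-only token (client credentials): no signed-in user
        return False, ("app-only token ('roles' claim, no signed-in user): delegated "
                       "scopes do not apply, so the reset call is refused")
    return False, "token carries neither 'scp' nor 'roles'; it is not a directory access token"


def build_unsigned_token(claims: dict) -> str:
    """Constructed test input: an unsigned JWT with the given payload (alg 'none')."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    for sample in ({"scp": "User.Read Directory.ReadWrite.All"},          # poster's delegated set
                   {"roles": ["Directory.ReadWrite.All"]},                # signed-out, app-only call
                   {"scp": "User.Read Directory.AccessAsUser.All"}):     # scope the docs require
        print(diagnose_password_reset_token(build_unsigned_token(sample)))
```

Run it against a real token captured from the Web API's outgoing request to see which of the three cases the 403 corresponds to.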

Running RBAC on AKS in integration with Azure Active Directory

Hi All, I am implementing RBAC in my AKS cluster in integration with Azure Active Directory. After creating the proper roles and rolebindings with the respective user/group object IDs, below are my observations:

1. A user with the "Azure Kubernetes Service Cluster User Role" and "Reader Role" can access the cluster according to the assigned rolebinding with the command "az aks get-credentials -g <rg> -n <name>".
2. When the above user tries using the "az aks get-credentials -g <rg> -n <name> --admin" command, they are not allowed to.
3. However, if the same user is assigned the "Azure Kubernetes Service Cluster User Role" and "Contributor Role" in Active Directory, they can easily get admin credentials with the "az aks get-credentials -g <rg> -n <name> --admin" command, which should not happen.

Is there any way to restrict a user with the "Contributor Role" from getting admin credentials? Or am I doing something wrong?


AD Connect with Azure Domain Services


Hi

We have a local AD that is synchronized with our Azure AD via AD Connect. The "Password Hash Sync" feature is enabled in Azure AD.

Now we want to create an Azure Domain Service linked to our Azure AD. We want to join Azure VMs to this Azure Domain Services so that users can log in to these VMs with their local accounts.

Password Hash Sync is already enabled, so do we need to change something in our AD Connect? If yes, how can I check whether it is already done?

Thanks

How do I subscribe to (or enable) access to a multi-tenant application in another domain?

We expose an OData feed for customers to use in Excel/PowerQuery and PowerBI, and we wish to enable 'Organizational Account' access. I've created a multi-tenant application in our Azure AD which has an application ID URI of our feed.

When PowerQuery makes the 'Bearer' request to our application, and I return an authorization URL which is the authorization URL from our domain's .well-known/openid-configuration endpoint and has parameters of the client id of the application in our domain and the redirect URL of our OData feed, users in our Azure AD are able to access the feed.

If customers in another domain try to access the OData feed, then they get an error about their user not being in our domain, which is fair enough.

If I return an authorization URL which is the authorization URL from the client's domain .well-known/openid-configuration endpoint and has parameters of the client id of the application in our domain and the redirect URL of our OData feed, the error is "AADSTS650052: The app needs access to a service ([our OData feed]) that your organisation [customer org] has not subscribed to or enabled".

How do our customers subscribe to or enable the multi-tenant application in our domain?

Using on-prem services accounts in Azure


Our setup is that we have two directories in Azure. One is linked to our on-premises AD with AD Connect. The other directory is intentionally separate and includes more of our development and web applications. We have implemented the ability for our development and IT team to log into our Azure resources using Windows Authentication by pulling them into the development directory as guests from an external Azure Active Directory.

We would like to also be able to do this with service accounts. We are looking to use our on-prem AD to control all logins. So I was able to add the service account to the Azure AD on the development directory, but the status is 'invited user'. From a security point of view, I don't want a service account to have login capabilities on Azure. I also would prefer not to assign an email licence and open an email account for every service account just so that I can accept the invitation. From testing it looks like I can still use this user in our SQL setup even if the service account hasn't accepted the invitation, but I am wondering whether there is a more seamless way of doing this for service accounts?


AzureAD Backup

Guys, how do you protect against a rogue/dumb global admin deleting app assignments etc.? Is there any way to back this stuff up other than scripting an inventory?

Adding external users to Windows Virtual Desktop

Our Windows Virtual Desktop is currently working perfectly.

I could add some Azure Active Directory users and run RemoteApp, and everything was OK.

We are trying to add external accounts to Windows Virtual Desktop. Could that be possible?

If not, can we add external users to the management web app tool? (https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/wvd-management-ux/deploy)


B2C No Client ID


Hi,

Since my applications are hosted at a certain place, is it possible to tell B2C to assume the client ID is xyz if requests are coming from these different IPs? This way I don't have to include the ClientId in the code at all. Otherwise, one way or another, users can figure out my Client Id, and I am not sure whether that poses a threat.

What should the SRV record _ldap._tcp.dc._msdcs.domainname.com point to in Azure AD?



I administer Office 365 for our company widgetsRus.com, and I am trying to join my desktop computer to the domain. I also administer the DNS server for that domain, so I can add or change records.

I can see our domain, users, and devices at portal.azure.com.

When I try to join the domain, I get an error message:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "netorgft3xxxxxxx.onmicrosoft.com":

The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.netorgft3xxxxxx.onmicrosoft.com

I gather that I need to add some more records to the zone file, starting with the SRV record mentioned. How can I find out what that should be?



Delete User Account?


Hi,

We are syncing our on-prem AD to Azure in preparation for migrating to Office 365, Intune and such. We are working with a consultant who says our migration from on-prem Exchange 2007 to hosted Exchange is being blocked by an errant account in Azure AD and Office 365 administration.

The account is mine in the form of <myaccountname>1877@<mydomain>.onmicrosoft.com.  There is another account for myself which is <myaccountname>@<mydomain.com>.

In Azure AD the delete button is grayed out.  In Office 365 Admin it tells me:

"Couldn’t delete this user because the account is synchronized with your on-premises servers. You can delete the user from your on-premises server."

How do I find this user on my on-premises server?  When I search for my account I only find the one that I use every day, I sure hope I don't have to delete that account.  Could it be that I have two Azure AD accounts being synchronized from the one on-prem account?  If so, how do I unhook the one I don't want?

Thanks in advance!

Dirsync account or Azure AAD connect account


The account under synchronized directories is a global admin and enterprise admin. It is my understanding that once DirSync has been installed and is running and sync is working, it doesn't require these rights anymore. I just wanted to make sure before I remove microsoft.com\serviceaccount from the domain's Enterprise Admins group. Also, how do auto updates work for DirSync if I reduce the rights for this user to a regular domain user?

John


Azure B2B: Way to verify whether the invitation has been redeemed or not


Hi,

How can I verify in Azure B2B whether a user has redeemed the invitation or not via the Graph API?

Via PowerShell I'm able to get the result:

Get-AzureADUser -Filter "UserState eq 'PendingAcceptance'"

How to get the same via Graph API ?




Unable to update Azure AD users email address through powershell


Hello All,

I want to update the email address for bulk Azure AD users. Is there any way to update the email address (not the alternate email) through Azure PowerShell?

I tried the Set-MsolUser command but I don't find an email address property. Please help.

Thanks in advance 


Can we generate JWT based on LDAP ?


Can we generate a JWT based on LDAP?

Because, as I understand it, we request some endpoint /auth and the service internally checks the user/pass against LDAP and generates a JWT; after that, we can send the Authorization token and we need to validate it on another endpoint, /auth/validate for example... but if we are using some gateway tool (Istio), do the calls go directly to the endpoints, or do they need to pass through Istio?

Short-lived app secret


Hello,

Is there a way to create a short-lived app secret in Azure AD? Here is my goal: I want to use a security principal with Terraform, but using a plain-text app secret is not safe, so I would like the secret to expire, let's say, after a few hours. Is there a way to expire an app secret in, let's say, 8 hours so users are forced to create a new one?
