Channel: Azure Active Directory forum

Migrate to a new clean domain after Ryuk Ransomware

I had/have AD Connect set up on my old domain, which has been fully compromised; we lost all the domain controllers and feel we can't trust our backups, so we made a new domain and are looking to try and move our emails and users to the new domain as quickly as possible. Ideally I want to make a temp domain on Azure, save the old emails and then bring users up on the new clean domain, but I am struggling with how to do this cleanly and quickly. Any help would be highly appreciated.

Getting "403 Forbidden" from Azure AD Graph API trying to reset a user's password

We're trying to reset a user's password using the Azure AD Graph API but are receiving a "403 Forbidden" when we try the reset operation. The call fails both in the scenario where the user is signed in with the Web API and when they are signed out. The call is made from our Web API application, which has what we think are the correct permissions:

  • "Read and write directory data" - Directory.ReadWrite.All
  • "Sign in and read user profile" - User.Read
  • "Access the directory as the signed-in user" - Directory.AccessAsUser.All

Here are the details of the password reset operation we are doing: https://docs.microsoft.com/en-gb/previous-versions/azure/ad/graph/api/users-operations#reset-a-users-password--

Any suggestions as to why this isn't working?

I am not entirely sure how to interpret this section of the documentation:

"Either delegated scope User.ReadWrite.All or Directory.AccessAsUser.All is required to reset a user's password. In addition to the correct scope, the signed-in user would need sufficient privileges to reset another user's password."

Does our application only have these delegated scopes when a user is signed-in? When it refers to "the signed-in user" could this mean our application? Or do we need a special admin user to complete this operation?

Any help at all appreciated :).
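The question above hinges on whether the Graph call is made in a delegated (signed-in user) context or an application-only context. As an added diagnostic example (not code from the post or from Microsoft), the inspector below reads the claims of the access token the Web API presents to the Graph: Azure AD puts delegated scopes in the space-separated `scp` claim and application permissions in the `roles` array, so the presence of `scp` tells you a user context is in play, and the scope set can be compared with the two scopes the quoted documentation names. The tokens are constructed locally with an empty signature segment; the helper never validates signatures and is meant for inspection only.

```python
import base64
import json

# Constructed example tokens only: JWT-shaped strings whose payload carries the
# claim names an Azure AD access token uses ("scp", "roles", "aud", "upn").
# The signature segment is left empty; nothing here validates signatures, so
# treat the output as diagnostic information, not as an authorisation decision.

# Delegated scopes the quoted documentation names for the reset-password call.
RESET_PASSWORD_SCOPES = {"User.ReadWrite.All", "Directory.AccessAsUser.All"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Build a header.payload. token from a claims dict (constructed input)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_context(token: str) -> dict:
    """Report whether a token is delegated or app-only and which permissions it carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    scopes = claims.get("scp", "").split()   # delegated scopes (signed-in user present)
    roles = list(claims.get("roles", []))    # application permissions (no user)
    if scopes:
        context = "delegated"
    elif roles:
        context = "application"
    else:
        context = "unknown"
    return {
        "context": context,
        "audience": claims.get("aud"),
        "user": claims.get("upn") or claims.get("oid"),
        "scopes": scopes,
        "roles": roles,
        # True only when one of the documented delegated scopes is present.
        "has_reset_password_scope": bool(RESET_PASSWORD_SCOPES & set(scopes)),
    }


if __name__ == "__main__":
    delegated = build_unsigned_token({
        "aud": "https://graph.windows.net",
        "upn": "admin@contoso.example",   # constructed
        "scp": "Directory.ReadWrite.All User.Read Directory.AccessAsUser.All",
    })
    app_only = build_unsigned_token({
        "aud": "https://graph.windows.net",
        "roles": ["Directory.ReadWrite.All"],
    })
    for name, tok in (("delegated", delegated), ("app-only", app_only)):
        print(name, json.dumps(token_context(tok), indent=2))
```

Even when the delegated scope is present, the documentation quoted in the post also requires the signed-in user to hold sufficient directory privileges for the target user, which a token inspector cannot see; the scope check only rules out the first of the two conditions.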

Fully disabling Azure AD Connect seamless SSO


Hello,

So, here's the context: I created a lab in Azure to test WVD and other functionalities and, once completed, I deleted everything. Sadly, I didn't uninstall Azure AD Connect before deleting my VMs, so the synchronization service broke.

I was able to stop the Azure AD synchronization and delete any reference to my deceased local Active Directory with the following command: Set-MsolDirSyncEnabled -EnableDirSync $false

The problem is, I enabled SSO to test it and now, my Azure AD tenant is still detecting a SSO relationship with the deceased AD domain, even though synchronization has been fully stopped. After a quick lookup, I found the Microsoft documentation to fully disable Azure AD SSO.

Problem is, the Azure AD Connect server does not exist anymore so I don't have access to the AzureADSSO PowerShell module to execute the following command: Enable-AzureADSSO -Enable $false

Is there another source for the AzureADSSO PowerShell module than a local installation of AzureAD Connect? Is there another way to disable/remove the SSO relationship between my AzureAD and the deceased Active Directory?

Graph API: Getting "Managed By" attribute for a group synced with Azure AD Connect


I need to use the Graph API to get the "Managed By" attribute for a group that is synced to Azure AD from a Windows Server instance.

I've confirmed that the attribute is configured to be synced, and tried multiple variations of the group's metadata call, for example:

https://graph.microsoft.com/v1.0/groups/?$select=managedBy

Any ideas on how to pull this information?

Thanks!


PasswordHashSync - Block all cloud access for any expired or disabled account from in onprem to AzureAD


Hi Team,

Using PasswordHashSync method.

How do I make sure any expired or disabled account synced from on-prem to Azure AD is blocked from signing in to O365 or any Azure AD application?

I know PTA and ADFS are the best methods here. But in the case of PasswordHashSync, how is it triggered? Any idea how to achieve it with the PasswordHashSync method?

ADConnect and syncing a constructed attribute to Azure AD

How does one go about syncing a constructed attribute (msds-principalname) to Azure AD? When I set up the custom attribute flow in AD Connect, the wizard shows the attribute as a source option, but the attribute data is never filled in for a user object in the metaverse. Is there something different I need to do to use constructed attributes?

AD connect version 1.4.18.0

Domain controllers server 2019

Azure provision filtering attributes

Hi,

Not sure where this one is supposed to go, so posting here.

I have synced a new extensionAttribute from AD to AAD, hoping to use it in the Slack scope filter for provisioning. I can see this attribute by checking a user via PowerShell:

get-azureaduser -objectid first.last@company.com |select-object -expandproperty extensionproperty
extension_391c602828_extensionAttribute5

But when I go to Dashboard -> Enterprise applications -> Slack -> Attribute Mapping -> Source Object Scope -> Add Scoping Filter, I do not see this attribute in filtering selection. I can see only extensionAttribute1,2,3,4... Any advice appreciated. 



MK

How do I subscribe to (or enable) access to a multi-tenant application in another domain?

We expose an OData feed for customers to use in Excel/PowerQuery and PowerBI and we wish to enable 'Organizational Account' access. I've created a multi-tenant application in our Azure AD which has an application ID URI of our feed.

When PowerQuery makes the 'Bearer' request to our application, and I return an authorization URL which is the authorization URL from our domains .well-known/openid-configuration endpoint and has parameters of the client id of the application in our domain, and the redirect URL of our OData feed, users in our Azure AD are able to access the feed.

If customers in another domain try to access the OData feed, then they get an error about their user not being in our domain, which is fair enough.

If I return an authorization URL which is the authorization URL from the clients domain .well-known/openid-configuration endpoint and has parameters of the client id of the application in our domain and the redirect URL of our OData feed, the error is "AADSTS650052: The app needs access to a service ([our OData feed]) that your organisation [customer org] has not subscribed to or enabled".

How do our customers subscribe to or enable the multi-tenant application in our domain?

Azure AD Connect stopped after upgrade to Server 2019 from Server 2016

We use a hybrid Azure AD Connect to sync our on-premises AD to our Office 365 online system. Everything worked great until we updated our 2016 Standard server to 2019 Standard. The sync is broken, and the AD Connect program shows an error that "no changes can be made at this time" when I try to open it. I tried reinstalling (no luck). The services are running. What do we need to change/load/etc. to make this work again?

Azure AD B2C, can we programmatically sign up/sign in user from app to azure ad within the application ?

I don't want the application to open "login.microsoftonline.com".
I want it to be within my application; I want to use my own URL. Is that possible?



Populating a drop-down list with list values


Hello,

Imagine that I have a field Named Requested By.  In that field, instead of entering a value, I would prefer to use a drop down list to select the proper person.

So, is it possible to use a drop-down list inside of Azure DevOps? If so, how can we set those up?

Also, how do you add a name to that drop-down list?

Regards,

Alain Le Page

How to add Privacy policy/terms & condition in Azure AD login process

Hi, I am a mobile application developer. I am using the Azure AD sign-in process in my application. Currently a user can enter the app as soon as login is successful, without accepting the privacy policy/terms & conditions. Now I want to add the privacy policy and terms and conditions to the login process.

1. How to add Privacy policy/terms & condition in Azure AD login process

2. Is terms of use applicable for Mobile application also?


DirectoryServiceException - AD Connect error


Hi,

Synchronization reports the error "DirectoryServiceException". We are trying to synchronize the account of a shared mailbox (the mailbox is not migrated; we only want to synchronize it to have a contact object in AAD). The object is not created because of this "DirectoryServiceException" error. In the report mail we have (translated from Polish):

"The reason for this error is unclear. An attempt to perform this operation again will be made during the next synchronization. If the problem persists, contact technical support"

thx for any tips.

Voytas

Azure B2c custom UI


Actually I am trying to customize the UI experience when the sign-up or sign-in policies are called. For that I have added an HTML page on Azure Blob storage and configured it in the policies, but when I call the HTML from the policy, I see that it is calling my custom HTML page but I don't see the background images or colour that are defined in the HTML page.

Below is the code snippet.

<!DOCTYPE html>
<html>
  <head>
    <title>Azure Custom Sign/SignUp Page</title>
  </head>
  <body bgcolor="#E6E6FA">
    <div id="api"></div>
  </body>
</html>

Need to rejoin deleted computer back to Microsoft Azure AD

Our company is using Microsoft Azure for all our computers. I have one user who was not able to go and connect her work account from the Accounts settings on her Windows 10 computer to be connected with MDM, but it does show she is connected to our work AD domain. When trying to connect to MDM it was giving them the error "Something went wrong. Here are some possible reasons: Your device is already connected to your organization. Your device is already being managed by an organization". So I went in and deleted the computer from the All devices menu in the Azure portal, thinking I would be able to just connect the device again. Now I don't see the computer in the All devices menu in Azure, and I still can't connect the computer to MDM. I want to know what I need to do to have the computer show up on the Azure device list again, and how I can connect the computer to MDM successfully. Will I need to remove the computer from AD and rejoin it?

Azure AD IdP initiated SSO


I want to use Azure AD for signing in to the Opsgenie application. As far as I found, there are two ways of configuring Opsgenie application on the Azure AD. One of them is from the Application Gallery and the other one is from the application registration menu. I have tried both of them but couldn't successfully sign in to the Opsgenie application from the Access Panel. I am able to successfully log in to the application from the Opsgenie side, so the configuration seems to be correct.

However, when I try to access the application from Azure, I am not able to sign in to the application. Opsgenie shows an error message like "No SAML response was provided". Then I checked the HTTP request sent from Azure to Opsgenie, and I couldn't see any SAML data in the request. I wonder why I am not able to use IdP-initiated SSO with Opsgenie and Azure.

I have a few questions about this issue.

- In the Opsgenie configuration tutorial from Azure AD, it is written that Opsgenie supports SP-initiated SSO. However, I have seen other apps whose Azure configuration docs say "Both SP and IdP initiated SSO is supported". May I ask why Azure does not support IdP-initiated SSO for Opsgenie? I ask this here because it is only written in the Azure docs. There is no information about this in the Opsgenie documentation.
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/opsgenie-tutorial

- This document says that I need a "Subscription or Azure AD Premium" to use SAML SSO. Does this mean I need an Azure AD Premium account to use IdP-initiated SSO? Might this be the reason why I am not able to sign in from the Access Panel?
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

- I saw that support for the legacy app registration menu will end this month, and the new one does not support URLs that include query parameters. Thus I have configured my application using the legacy app registration menu. My question is, will an application continue to work after the legacy support ends if it is configured with a URL including query parameters? This question is about already configured applications. I know that new applications cannot be configured using URLs with query params.

Thanks!

ERROR: Could not create a role assignment for ACR.

Have a good day everyone. May I know if anyone has any clue about the role assignment for ACR when creating an AKS cluster?

az aks create --resource-group 'P1Test1ResourceGroup' --name 'P1AKSCluster' --node-count '1' --generate-ssh-keys --attach-acr /subscriptions/xxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/P1Test1ResourceGroup/providers/Microsoft.ContainerRegistry/registries/P1ACR1
az : 
At line:1 char:1
+ az aks create --resource-group 'P1Test1ResourceGroup' --name 'P1AKSCl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Waiting for AAD role to propagate[###                                 ]  10.0000%
Waiting for AAD role to propagate[#######                             ]  20.0000%
Waiting for AAD role to propagate[##########                          ]  30.0000%
Waiting for AAD role to propagate[##############                      ]  40.0000%
Waiting for AAD role to propagate[##################                  ]  50.0000%
Waiting for AAD role to propagate[#####################               ]  60.0000%
Waiting for AAD role to propagate[#########################           ]  70.0000%
Waiting for AAD role to propagate[############################        ]  80.0000%
Waiting for AAD role to propagate[################################    ]  90.0000%
ERROR: Could not create a role assignment for ACR. Are you an Owner on this subscription?


Move AAD connect server from on-premise to Microsoft Azure.

Hi,

I have two questions in my mind:

1. What is the process for moving the server?

2. What do we need to check from the on-premises side for a smooth move?

Please help me to understand how to make the move smooth.

Do you want to be acknowledged as the next Azure AD Guru? Submit your work to Nov 2019 competition!


What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and the community as a whole. Winners will be announced in a dedicated blog post published on the Microsoft Wiki Ninjas blog, in a tweet from the Wiki Ninjas Twitter account, and in links published to the Microsoft TNWiki group on Facebook; other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery, or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in November 2019 and must be in English. However, the original blog or forum content can be from before November 2019.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share that knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is add your article to TechNet Wiki in your own specialty category.


How can you win?

  1. Please copy/write up your Microsoft technical solutions and revelations on TechNet Wiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed).
  3. (Optional but recommended) Add a link to your article in the TechNet Wiki group on Facebook. The group is very active and people love to help; you can get feedback and even direct improvements to the article before the contest starts.

Do you have any question or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about the TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Kamlesh Kumar.

Thanks,
Kamlesh Kumar


Windows Hello for Business "This Sign-in Option is only available when connected to your organization's network" error


Hey All,

Currently having an issue with a Windows Hello for Business Key Trust deployment and wanted to see if anyone had similar issues.

Current State:

I set up everything according to the Microsoft documentation and have got it to work on only one domain-joined computer (mine). We are using Azure AD Connect with password synchronization, and our devices are being synced and registered with AAD. I've done the GPO configuration to enable Windows Hello for Business for users.

Problem:

When trying to on-board other users to WHfB using a PIN, the options are greyed out with a message stating "This Sign-in Option is only available when connected to your organization's network". I have successfully added my account and can use either the PIN or a fingerprint to authenticate, and was not given this error, but every other user is receiving it.

I've checked all configurations and re-run through the deployment documentation about 10 times now, and am still coming up short. Anyone know how to fix this issue?
