Channel: Azure Active Directory forum

Azure AD identity certificate sharing with other apps on iPhone


Hello,

I have configured Cisco AnyConnect with Azure AD as a SAML IdP and I want to use the conditional access - device compliance to restrict access to the VPN.

However I have encountered a small problem: AnyConnect uses an integrated browser, and by default it can't see the system certificates and use them for device identification. Because of that, Azure AD can't see the device identifier (identity certificate) [https://i.imgur.com/87DYqO5.png]. Certificates must be imported into AnyConnect manually or by MDM, URI or SCEP. On Android it can be done easily by enabling browser access in the Company Portal [https://i.imgur.com/6RC2Uc0.jpg]; however, iPhone doesn't have such an option.

Is there a way to share (or use a different) Azure AD identity certificate with AnyConnect on iPhone, and use it for the IdP and conditional access?

Intune can deploy the VPN profile to the client devices. The VPN profile can define the certificate which can be used for authentication. But I didn't find a way to define an Azure AD-issued certificate, only a custom one.

Registration of new bots for skype


Good day. I was faced with the urgent need to create a Skype bot, but registration of new bots was terminated.

In this regard, I have several questions:

  1. Will an alternative technology for automatically sending messages to Skype (possibly through Teams) be provided?

  2. Will registration of new bots be renewed, and if so, how soon?

  3. Is it possible to register a bot as an exception? It is extremely important for the further development of our software product.

Conditional access not prompting users for MFA

Hi,

Hoping someone has seen this and can point me in the right direction.

We have a couple of conditional access policies set up in AAD, one that blocks users that aren't on a trusted site and another that allows users access from untrusted locations if MFA is applied. Users are assigned one policy or the other, not both. The block policy works fine, but the MFA policy allows the user to connect regardless of location.

The What If tool shows the users getting the policy correctly based on IP:

Windows10_Allow_Untrusted_MFA
Require multi-factor authentication

And according to the sign-in log, MFA was required and done; the result says:

  • USER: Kathryn Janeway
  • USERNAME: kat.janeway@blahblahblah.com
  • APPLICATION ID: 00000006-0000-0ff1-ce00-000000000000
  • APPLICATION: Microsoft Office 365 Portal
  • CLIENT: ;Windows 10;Edge 16.1629;
  • LOCATION: Somewhere
  • IP ADDRESS: ::Untrusted IP::
  • DATE: 5/17/2018, 8:44:37 AM
  • MFA REQUIRED: Yes
  • MFA AUTH METHOD:
  • MFA AUTH DETAIL:
  • MFA RESULT: MFA requirement satisfied by claim in the token
  • SIGN-IN STATUS: Success

I'm obviously missing something, but we need the users to be prompted for MFA every time they sign in when not on one of our sites.

sAMAccountName attribute in Azure AD



Almost all enterprise applications use the sAMAccountName attribute as the username for applications that use AD/SAML for authentication.

So, I'm wondering if there is an attribute that stores the username of the account in Azure AD?

Thanks

Gateway Timeout During AAD DS Deployment


During the "Write Domain Service" phase of DS deployment I'm receiving a "GatewayTimeout" error with message:

"The gateway did not receive a response from 'Microsoft.AAD' within the specific time period."

This has been happening for two days and I haven't been able to discern on my own what the problem might be.

I have a Virtual Interface with valid subnet configured, an attached Network Interface, and the default Network Security Group with all necessary ports and services open. I've deleted and reconfigured all of those areas twice, and also deleted and recreated the AAD directory.

I'm not sure where to continue troubleshooting from here, but is there any more data I need to provide to assist with resolving this?


After getting auth token for SharePoint online get HTTP 401 with it

Hello,

I am developing a native app: C++ with HTTP, so please don't suggest .NET or JavaScript libraries :) The app should access SharePoint Online. I used to use X-Forms-Auth and the "FedAuth" cookie but now need to migrate to OAuth.

1) I have registered the app in azure portal (got secret, marked redirect URI, added read/write permissions for SharePoint)

2) Then I perform OAuth flow by opening browser with

https://login.microsoftonline.com/common/oauth2/authorize
 ?client_id=<CODE FROM AZURE PORTAL>
 &response_type=code
 &redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
 &resource=https://testorg.sharepoint.com/

it redirects to my redirect URI and I parse out the code, as expected. Then I do

POST https://login.microsoftonline.com/b51447fd-f997-4080-bf24-833070bc14bd/oauth2/token
client_id=<CODE FROM AZURE PORTAL>
&client_secret=<SECRET FROM AZURE PORTAL>
&grant_type=authorization_code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&resource=https://testorg.sharepoint.com/
&response_mode=form_post
&code=<CODE FROM PREVIOUS STEP>

this also returns the expected JSON from where I get "access_token".

3) Later I call any SharePoint/WebDAV API on https://testorg.sharepoint.com with the obtained token in the Authorization header (Authorization: Bearer <TOKEN>) but get 401. However, all works fine when I follow X-Forms-Auth.

Can anyone help me here please?
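
Two of the posts above come down to the same first step: look inside the access token before suspecting the policy or the API. In the conditional access thread, the sign-in log reports the MFA requirement as "satisfied by claim in the token", so the methods recorded in the token's amr claim are what to read; in the SharePoint thread, a freshly issued bearer token is rejected with 401, so the token's aud claim should be compared with the identifier of the resource the request goes to. The Go program below is an added example, not code from either post or from Microsoft. It decodes a JWT payload without verifying the signature and reports aud (exact match, plus whether the only difference is a trailing slash), amr, scp, tid and exp. The token it runs on is constructed inline with a placeholder signature; the header kid, the AllSites.Read scope and the exp value are assumptions for the demonstration, not values from the posts.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// TokenReport is what to check before suspecting the API: which resource the
// token was issued for, how the user authenticated, and when it expires.
type TokenReport struct {
	Audience    string   // aud claim
	AudienceOK  bool     // aud equals the identifier of the resource being called
	SlashOnly   bool     // aud and the expected identifier differ only by a trailing slash
	AuthMethods []string // amr claim, e.g. ["pwd"] or ["pwd","mfa"]
	MFA         bool     // amr contains "mfa"
	Scopes      string   // scp claim (delegated permissions)
	Tenant      string   // tid claim
	Expiry      int64    // exp claim, Unix seconds
}

// DecodeClaims splits a compact JWT and returns the payload claims. It does not
// verify the signature (that is the resource server's job); use it only to look
// inside a token you already hold.
func DecodeClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT: want header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	claims := map[string]interface{}{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return claims, nil
}

// Inspect compares a token with the identifier of the resource it will be sent to.
func Inspect(token, expectedAud string) (TokenReport, error) {
	claims, err := DecodeClaims(token)
	if err != nil {
		return TokenReport{}, err
	}
	var r TokenReport
	r.Audience, _ = claims["aud"].(string)
	r.AudienceOK = r.Audience == expectedAud
	r.SlashOnly = !r.AudienceOK &&
		strings.TrimRight(r.Audience, "/") == strings.TrimRight(expectedAud, "/")
	if amr, ok := claims["amr"].([]interface{}); ok {
		for _, m := range amr {
			if s, ok := m.(string); ok {
				r.AuthMethods = append(r.AuthMethods, s)
				r.MFA = r.MFA || s == "mfa"
			}
		}
	}
	r.Scopes, _ = claims["scp"].(string)
	r.Tenant, _ = claims["tid"].(string)
	if exp, ok := claims["exp"].(float64); ok {
		r.Expiry = int64(exp)
	}
	return r, nil
}

// ConstructedToken builds a token with the given claims and a placeholder
// signature for offline demonstration only; real tokens are signed by Azure AD.
func ConstructedToken(claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "example-kid"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(body) + "." + enc([]byte("placeholder-signature"))
}

func main() {
	// Constructed claims mirroring the resource named in the post; not a real token.
	tok := ConstructedToken(map[string]interface{}{
		"aud": "https://testorg.sharepoint.com/",
		"tid": "b51447fd-f997-4080-bf24-833070bc14bd",
		"amr": []string{"pwd"},
		"scp": "AllSites.Read",
		"exp": 1700000000,
	})
	r, err := Inspect(tok, "https://testorg.sharepoint.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Paste a real token in place of the constructed one and the report shows immediately whether the token was issued for the resource being called and whether "mfa" appears among the authentication methods; the exact string in aud matters, which is why the trailing-slash difference is reported separately rather than normalised away.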

Delta token

What is the maximum length of a delta token, and how many results are returned by a delta query by default? Is there a way to control the result count in a delta query?
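
As an added illustration of the mechanics behind this question (not part of the original post, and not Microsoft's code), the Go program below runs one Microsoft Graph delta round against constructed responses embedded in the file: it follows @odata.nextLink until an @odata.deltaLink arrives, separates objects that Graph marks with @removed, and then starts a second round from the saved delta link. The URLs stand in for https://graph.microsoft.com/v1.0/users/delta, and the page size, skip token and delta token in them are made up. The loop treats the delta token as an opaque part of the URL and makes no assumption about its length or about how many objects arrive per page, which is the safe way to consume it whatever the service's defaults are.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// deltaPage mirrors a Microsoft Graph delta response: a page of objects plus
// exactly one of @odata.nextLink (more pages follow) or @odata.deltaLink
// (this round is complete; keep the link for the next round).
type deltaPage struct {
	Value     []map[string]interface{} `json:"value"`
	NextLink  string                   `json:"@odata.nextLink"`
	DeltaLink string                   `json:"@odata.deltaLink"`
}

// Fetcher stands in for the authenticated HTTP GET so the loop can run offline.
type Fetcher func(url string) ([]byte, error)

// DeltaResult separates live objects from the ones Graph marks with @removed.
type DeltaResult struct {
	Upserted  []map[string]interface{}
	RemovedID []string
	DeltaLink string // persist this; it is the starting URL of the next round
	Pages     int
}

// RunDelta follows @odata.nextLink until an @odata.deltaLink arrives. The page
// size is chosen by the service, so nothing here assumes a count per page, and
// the delta token inside the links is opaque: store the whole URL, never parse
// it or assume a length.
func RunDelta(start string, fetch Fetcher) (DeltaResult, error) {
	var res DeltaResult
	url := start
	for {
		body, err := fetch(url)
		if err != nil {
			return res, err
		}
		var page deltaPage
		if err := json.Unmarshal(body, &page); err != nil {
			return res, fmt.Errorf("page %d: %w", res.Pages+1, err)
		}
		res.Pages++
		for _, obj := range page.Value {
			if _, removed := obj["@removed"]; removed {
				id, _ := obj["id"].(string)
				res.RemovedID = append(res.RemovedID, id)
				continue
			}
			res.Upserted = append(res.Upserted, obj)
		}
		switch {
		case page.DeltaLink != "":
			res.DeltaLink = page.DeltaLink
			return res, nil
		case page.NextLink != "":
			url = page.NextLink
		default:
			return res, errors.New("page carries neither @odata.nextLink nor @odata.deltaLink")
		}
	}
}

// Constructed responses standing in for https://graph.microsoft.com/v1.0/users/delta;
// the tokens in the links are made up.
const (
	DeltaStart = "https://graph.microsoft.com/v1.0/users/delta"
	page2      = DeltaStart + "?$skiptoken=constructed-skip-token"
	round2     = DeltaStart + "?$deltatoken=constructed-delta-token-of-unspecified-length"
)

var canned = map[string]string{
	DeltaStart: `{"value":[{"id":"u1","displayName":"User One"},{"id":"u2","displayName":"User Two"}],"@odata.nextLink":"` + page2 + `"}`,
	page2:      `{"value":[{"id":"u3","@removed":{"reason":"deleted"}}],"@odata.deltaLink":"` + round2 + `"}`,
	round2:     `{"value":[],"@odata.deltaLink":"` + round2 + `"}`, // nothing changed since the last round
}

// CannedFetch serves the constructed responses above.
func CannedFetch(url string) ([]byte, error) {
	body, ok := canned[url]
	if !ok {
		return nil, fmt.Errorf("no canned response for %s", url)
	}
	return []byte(body), nil
}

func main() {
	first, err := RunDelta(DeltaStart, CannedFetch)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round 1: %d pages, %d upserted, removed %v\n", first.Pages, len(first.Upserted), first.RemovedID)
	second, err := RunDelta(first.DeltaLink, CannedFetch) // the next round starts from the saved link
	if err != nil {
		panic(err)
	}
	fmt.Printf("round 2: %d page(s), %d changes\n", second.Pages, len(second.Upserted)+len(second.RemovedID))
}
```

In production the Fetcher carries the bearer token and does the HTTP GET; everything else stays the same, including the rule that only the deltaLink is persisted between rounds and that a page with neither link is treated as an error rather than as the end of the data.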

Synchronizing AD to Multiple O365 Tenants


We have a number of companies that share a single on-premises AD, but each of those companies has their own Office 365 tenant. And we want to be able to synchronize passwords from our AD to O365 and from O365 to our AD. I've read the threads that suggest adding multiple copies of the sync software on different servers, but that's not a viable option given the number of companies that are sharing the environment.

We're not opposed to using a third-party package for this, if anyone has any suggestions.

Log on times don't match between Active Directory, Azure & Exchange

When I run Active Directory reports for audits, I am showing a bunch of users that have not logged on in over 45 days, which requires them to be disabled. When I check these same users against Azure and Exchange reports, they have logged into these services within the 45 days, which means that they are still active. How can I get these logins to sync between AD/Azure/Exchange without having to run three different reports and compare them?

Is there a way to get the report of Guest Accounts created using B2B Sharing for last 7 days ?


I believe there is no WhenCreated attribute and found only RefreshTokensValidFromDateTime.

Another Microsoft article says this value changes for the users every 90 days? Is there any specific setting on the tenant to keep this attribute "RefreshTokensValidFromDateTime" consistent? If yes, how to view those settings?

Experiencing authentication issues

Experiencing authentication issues
The portal is having issues getting an authentication token. The experience rendered may be degraded.
Additional information from the call to get a token:
Extension: microsoft_azure_ad
Resource: microsoft.graph
Details: AADSTS53000: Device is not in required device state: compliant.
Trace ID: 942fdded-8283-42aa-b8ff-71599bb7dc00
Correlation ID: 6fa65cda-2529-4a98-99bc-81956fc8eaf6
Timestamp: 2019-11-19 08:25:08Z


Unable to add API permissions


Hi,

I'm trying to add API permissions to my app but there doesn't seem to be a button for me to do so. I've managed to do this a few days ago but the button that I was using seems to be gone.

Here's a link showing what I'm seeing - https://ibb.co/7GF9V38

Am I missing something here? Would appreciate any help.

Thanks.


How to hook up existing application to Azure AD B2C?


Dear all, 

My current task is to "hook up" an existing application to Azure AD B2C. Before they can access the actual application, users should be able to sign up / sign in, change password, etc using Azure B2C. This is somehow a test to check if it would be possible to add AAD B2C (and custom sign up pages) to other existing projects.

I tried to use the connected services wizard provided in VS 2019 (Enterprise v. 16.3.9) to add AAD B2C. The application itself is an MVC Web application using NET 4.8.

I followed the instructions provided by the wizard. As ClientID, I used my test application's ID created in Azure under 'Azure AD B2C - Applications'. As for the domain name, I used [domainName].onmicrosoft.com. When prompted, I added the secret set for my test application created in Azure AD B2C - Applications. Upon finishing the wizard I got the following error message

Azure application reply URL: https://localhost:44347/
Adding Azure application user-delegated permission to enable sign-on and read user's profiles.
Adding Azure application user-delegated permission to read directory data.
Error: Unable to add or update Azure AD application https://[domainName]/[applicationName]: Updates to converged applications are not allowed in this version.
Error: Adding Azure AD Authentication to the project failed: Unable to add or update Azure application.


I came across this post here in the forum describing a similar issue, but given the fact that the post dates back a few years and that there was no definitive answer, I figured that things might have changed and I might give it a shot. It would be grand if somebody could

  • explain the errors and how to resolve them
  • provide a solution how to go about adding an AAD B2C login to existing projects, preferably without dismantling the existing code and/or adding classes. 

Thanks a mil in advance for your help. Please do get in touch, if you require additional information.


How to delegate 'Enterprise Applications' access to a user in Azure AD

How to delegate 'Enterprise Applications' access to a user in Azure AD

AD - IDX20803: Unable to obtain configuration from: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.

Hi All, 

I am using Azure AD claims-based authentication in my ASP.NET MVC project. The application was running fine for 6 months; suddenly it started intermittently throwing the error below.

I put logs in my application and found that when the request gets invalidated, the system calls Authentication.Challenge for redirection (code snippet below) to the external AD login page, but the login page never comes up. When I restart IIS, it starts working again; then after 3-4 hours the same error starts and it stops the application for all users.

Please provide any help on this issue


using System.Web;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;

// Build the challenge that redirects the browser to the Azure AD login page.
var properties = new AuthenticationProperties { RedirectUri = ApplicationRedirectUri };

// Carry the user identifier in the state dictionary (XsrfKey is the app's own constant).
if (!string.IsNullOrEmpty(userName?.Trim()))
{
    properties.Dictionary[XsrfKey] = userName;
}
else
{
    string uid = Common.GetUIDCookie(Constants.UserID_Cookie);
    if (!string.IsNullOrEmpty(uid))
    {
        properties.Dictionary[XsrfKey] = uid;
    }
}

// The OpenID Connect middleware fetches the discovery document during this call;
// the IDX20803/IDX20804 errors below are raised when that fetch fails.
HttpContext.GetOwinContext()
    .Authentication.Challenge(properties, OpenIdConnectAuthenticationDefaults.AuthenticationType);




Inner Exception
IDX20804: Unable to retrieve document from: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.<GetDocumentAsync>d__8.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.<GetAsync>d__3.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.<GetConfigurationAsync>d__24.MoveNext()

Message
IDX20803: Unable to obtain configuration from: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.

Stack Trace
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.<GetConfigurationAsync>d__24.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationHandler.<ApplyResponseChallengeAsync>d__c.MoveNext()
   --- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Owin.Security.Infrastructure.AuthenticationHandler.<ApplyResponseCoreAsync>d__b.MoveNext()
   --- End of stack trace from previous location where ----------....................

Is Kerberos authentication possible in Azure Active Directory without AD DS integration?


Is Kerberos authentication possible in Azure AD? According to this document, https://docs.microsoft.com/bs-latn-ba/azure/active-directory/hybrid/how-to-connect-sso, it is required to use an AD domain server, but we do not want to use AD DS.

Microsoft 365 AD Join

We are trying to setup Microsoft 365 and when trying to connect a device to Azure AD we receive the error 8018000a.   After entering the user's account information we receive a confirmation message "make sure this is your organization" it looks correct and we then click "join"  Result: "something went wrong. This device is already enrolled. Contact your admin. 8018000a"  Any insight would be appreciated.

Kevin

Azure AD Joined devices comms to on-prem services


Hi

Azure AD tenant with various domains added - companya.com, companyb.com.

On-prem forest/domain for companya.com

Azure AD joined Win10 devices.

user signs in as usera@companya.com and can access resources on-prem such as fileserver.companya.com seamlessly.

*********

On-prem domain for companyb.com resides elsewhere.

We don't wish to consolidate users from companyb into companya, nor do we have forest trusts. The end goal is that both companya and companyb relinquish their on-prem AD forests and are pure cloud / Azure AD.

We can configure Azure AD Connect in the companya on-prem forest to pull users from companyb.com (using a S2S VPN to target that DC). I understand that without forest trusts in place we could only do password hash sync and not PTA.

When userb@companyb.com signs into a Win10 Azure AD joined device on their local network and has line of sight to dc.companyb.com and fileserver.companyb.com, would they be able to access their on-prem resources seamlessly also?

Trying to understand the relationship between a user signing in to a Win10 Azure AD joined device and their on-prem resources on their logically separate on-prem domain.

Hope that's clear?

So: common Azure AD tenant, Win10 Azure AD joined devices, but logically separate on-prem domains and on-prem resources which we wish to retain as separate for the immediate future, with a view to moving user and device (we can do) to the Azure AD tenant as primary auth.

Azure AD keys


This https://login.microsoftonline.com/common/discovery/keys is accessible to anyone from the Internet. I know these are public keys, but I am being asked to protect these keys. Is it possible? If so, please send documents.

Thanks
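
The keys document is meant to be public: it carries only the verifying half of each signing key, and every relying party that accepts Azure AD tokens needs it, including the OWIN OpenID Connect middleware in the IDX20803 thread above, which fetches the discovery document and then these keys before it can validate anything. Possession of the published modulus and exponent lets a party verify signatures, not produce them, so restricting the endpoint would add no protection and would break token validation for everyone who relies on it. As an added example that is not from the post or from Microsoft, the Go program below reproduces the mechanics in miniature: it generates a signing key, publishes a JWKS in the same {"keys":[{"kty","kid","n","e"}]} shape (the x5c and x5t fields of the real document are left out), mints an RS256 token, and verifies it using nothing but the public document. The key id kid-demo and the claims are made up for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the subset of one discovery/keys entry that an RS256 verifier needs;
// the real document also carries x5c and x5t, which are omitted here.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct {
	Keys []JWK `json:"keys"`
}

var b64 = base64.RawURLEncoding

// PublishJWKS exports only the public half of the signing key, as the IdP does.
func PublishJWKS(kid string, pub *rsa.PublicKey) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}}
}

// SignRS256 mints a compact JWT; only the holder of priv can do this.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims) // plain JSON values, cannot fail
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// decodeSegment base64url-decodes one JWT segment and unmarshals it into v.
func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyRS256 is what a relying party does with the public document: select the
// key by kid, insist on RS256, check the signature, and only then trust the claims
// (exp, aud and iss are checked on the returned map). Nothing in the JWKS lets
// anyone mint a token, which is why it can be served to everyone.
func VerifyRS256(token string, keys JWKS) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the token never gets to pick the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if n, err := b64.DecodeString(k.N); k.Kid == hdr.Kid && k.Kty == "RSA" && err == nil {
			e, _ := b64.DecodeString(k.E) // a malformed e simply fails verification below
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no signing key with kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	var claims map[string]interface{}
	err = decodeSegment(parts[1], &claims)
	return claims, err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := PublishJWKS("kid-demo", &priv.PublicKey)
	tok, _ := SignRS256(priv, "kid-demo", map[string]interface{}{"aud": "api://example"})
	_, err := VerifyRS256(tok, jwks)
	fmt.Println("genuine token verifies:", err == nil)
}
```

The point to take from it is in VerifyRS256: everything it needs is in the published document, and a token whose payload has been rewritten, whose kid is unknown, or which was signed with a different key is rejected on the signature check alone. What does need protecting is the private key on the issuing side, and on the relying-party side the integrity of the channel over which the document is fetched (HTTPS to login.microsoftonline.com), not the document's confidentiality.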
