Hi All

how to create a employee Information list from Azure AD in PowerBI report. We synced our onpremise AD to Azure. Now, the Power BI report should show Emp Name, TItle, Dept, Telepone and few custom attribute (Directorate, Employee ID). how to acheive this?

Hi All,

I need to read and write in a azure sql table from SharePoint Online list. How to achieve this?

Hi all,

Lets start with my 'end goal'

#End goal

My goal is to use the Azure Active Directory app to read and write SMIME certificates to Azure Active Directory so that all users withing the company can use the certificate in Outlook or Exchange Online.

I don't know for sure if that is possible so that is why I started with 'Getting access to MailboxSettings'. Even that seem to be a bridge to far with the current documentation.

#8 mile road

The documentation is absolute crap. Not really Microsoft standards. I am writing a piece of code to update MailboxSettings by using the Microsoft Graph API. At least that was the plan.

I created an App in Azure, added all the "application permissions" that I could possible think off. Granted permission by Administrator within the Azure Active Directory dashboard.

Step 1) Getting the access_token by following the client_credentials flow. So far so good. I can access my profile and from other users within the Azure Active Directory.

Step 2)..............#fatal_error. I found 3 references to MailboxSettings. In Office365 API, ExchangeOnline API and Microsoft Graph API............Okeeeeeeeeeeeee. That makes things a whole lot clearer......#nope

A) There is no explanation at all that you actually need an Office365 subscription to even use the API.

B) There is no explanation when and how MailboxSettings are accessible. I discovered that You need to add Office365 subscription to a user to enable Mail.Office365.com access. Then it takes a while before you can even access the account through the API. No explanation whatsoever!

C) So, now finally I can access the account through the Office365 API. After discovering that you need to request an access_token by changing the scope to "https://outlook.office365.com/.default" or "https://outlook.office.com/.default".

The image below tells me 'Mail is not part of'

At this moment I am out of options. Can someone point me in the right direction? To be specific:

1) What endpoint do I need

2) What scope is used for what endpoint and/or settings

3) Where can I find specifics about which direction Microsoft is actually heading? At some pages I read 'Microsoft Graph API' will be the main entry point but then I want access specific data and you get a message "Sorry not supported yet, go to <other api>'.

4) What resources are accessible with what subscriptions? There is absolutely NOTHING documented about this.

5) https://docs.microsoft.com/en-us/graph/api/message-get?view=graph-rest-1.0&tabs=http The only actual usefull way of documenting API's. However, its limited to "ME" and there is no endpoint for 'MailboxSettings'. The 'beta' API does have this option. https://docs.microsoft.com/en-us/graph/api/user-get-mailboxsettings?view=graph-rest-beta&tabs=http Hoever, there is no explanation in requirement, subscriptions, whether or not Outlook.com users, Live.com user or only Office365.com users are able to be updated. How can I access this?

6) Eventhough my app has: 

And I request an access_token by using the "client_credentials" flow with scope set to https://graph.microsoft.com/.default. I can not list the users. I get the message:

https://graph.microsoft.com/beta/users/

Connecting to an external company with SSO, and we were initially going to use local ADFS using the SID. they are needing to use SID rather than email due to email addresses changing(ie: staff gets married and email changes).

But, this doesn't appear to be something that will work with Azure SSO.. I know this is likely something simple that im just overthinking.

Hi,

We've been using Azure AD DS for the past 6 months without any issues and today I had to create a new set of test accounts for usage on our VMs that are using Domain Services and upon inspection the User logon name (pre-Windows 2000) it's coming through as:

Domain\test (CEDD46B9)

This is causing issues with out applications that are using Windows Authentication as they can't validate the user logon name correctly.

Just wondering if there is something that I am doing wrong suddenly or if there was a change recently?

Steps to create the account:

1. Open Azure Active Directory
2. Add New User
3. Assign Name and Username (testaccount@mycompany.com)
4. No Profile, Default Properies, No Group and Directory Role User
5. Click Create
6. Wait for the new account to replicate over to Azure AD Domain Services
7. Open the account in Active Directory Users and Computers
8. See that the username is partially cut off Domain\test (CEDD46B9) with random text added at the end.

Thank you.

Hi,

GPO is configured and applied to the workstations.

Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials

But owner information is not updating in Hybrid Azure Portal. Please help what is the thing missing.

Regards, Boopathi

i'm trying to create domain services by running the code below.
the code runs fine to the line containing:

New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId...

then i get:

VERBOSE: Performing the operation "Creating the resource..." on target "/subscriptions/guid/resourceGroups/aadds-resgrp-01/providers/Microsoft.AAD/DomainServices/xxx.domain.com".
New-AzResource : The operation failed because resource is in the: 'Failed' state. Please check the logs for more details.
At E:\__FVHS\!!!!!__Azure_AD_etc\create_Azure_Active_Directory_Domain_Services.ps1:168 char:2+     New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/r ...+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo          : CloseError: (:) [New-AzResource], InvalidOperationException+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet

here's the code:

## code is based on https://docs.microsoft.com/en-us/azure/active-directory-domain-services/powershell-create-instance


if ($PSVersionTable.PSVersion.Major -ne 5) {
	write-host 'this script must be run in powershell 5.n, aborting...'
	return;
}

$module_names = @("Az", "AzureAD")
# $module_names = @("AzureAD")

foreach ($module_name in $module_names) {
	# if (!(Get-InstalledModule -Name $module_name)) {
	# 	Install-Module -Name $module_name -AllowClobber -Scope AllUsers
	# } 
	Get-InstalledModule -Name $module_name

	# if (!(Get-Module -ListAvailable -Name $module_name)) {
	# 	Import-Module -Name $module_name
	# } 
	Get-Module -ListAvailable -Name $module_name
}

function create_Azure_Active_Directory_Domain_Services {
	
	$ErrorActionPreference = 'Stop'
	
	Set-Alias -Name wh -Value write-host
	
	clear

	# Change the following values to match your deployment.
	$AaddsAdminUserUpn = "email"
	$ResourceGroupName = "aadds-resgrp-01"

	$Vnet = "aadds-vnet-01"
	$Vnet_AddressPrefix = "10.0.0.0/16"

	$SubnetDs1 = "aadds-subnet-DS01"
	$SubnetDs1_AddressPrefix = "10.0.0.0/24"

	$SubnetDs2 = "aadds-subnet-DS02"
	$SubnetDs2_AddressPrefix = "10.0.1.0/24"

	$AzureLocation = "eastus"
	$AzureSubscriptionId = "guid"
	$ManagedDomainName = "xxx.domain.com"
	$AaddcGroupName = "AAD DC Administrators"
	$ResourceProvider = "Microsoft.AAD"

	$pwd = ConvertTo-SecureString 'pwd' -AsPlainText -Force
	$pscred = New-Object System.Management.Automation.PSCredential (
		"email", 
		$pwd
	)

	# Connect to Azure AD directory.
	Connect-AzureAD -Credential $pscred

	# Login to Azure subscription.
	Connect-AzAccount -Credential $pscred


	# Create the service principal for Azure AD Domain Services.
	if (! $(Get-AzADServicePrincipal | ? { $_.ApplicationId -eq "2565bd9d-da50-47d4-8b85-4c97f669dc36" })) {
		New-AzADServicePrincipal -ApplicationId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
		wh "created ServicePrincipal 'Domain Controller Services'"
	}
	else {
		wh "ServicePrincipal 'Domain Controller Services' already exists"
	}


	# Create the delegated administration group for AAD Domain Services.
	if (! $(Get-AzureADGroup | ? { $_.DisplayName -eq $AaddcGroupName })) {
		New-AzureADGroup -DisplayName "AAD DC Administrators" `
			-Description "Delegated group to administer Azure AD Domain Services" `
			-SecurityEnabled $true -MailEnabled $false `
			-MailNickName "AzAdDcAdministrators"
		wh "created AzureADGroup '$AaddcGroupName'"
	}
	else {
		wh "AzureADGroup '$AaddcGroupName' already exists"
	}
	# First, retrieve the object ID of the newly created 'AAD DC Administrators' group.

	$GroupObjectId = Get-AzureADGroup `
		-Filter "DisplayName eq '$AaddcGroupName'" | `
		Select-Object ObjectId

	# Now, retrieve the object ID of the user you'd like to add to the group.
	$UserObjectId = Get-AzureADUser `
		-Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
		Select-Object ObjectId

	$GroupId = ($GroupObjectId.ObjectId).toString()
	$UserId = ($UserObjectId.ObjectId).toString()

	# Add the user to the 'AAD DC Administrators' group.
	if (!(Get-AzureADGroupMember -ObjectId $GroupId | ? { $_.UserPrincipalName -eq $AaddsAdminUserUpn } )) {
		Add-AzureADGroupMember -ObjectId $GroupId -RefObjectId $UserId
	}

	# Register the resource provider for Azure AD Domain Services with Resource Manager.
	if (! $(Get-AzResourceProvider | ? { $_.ProviderNamespace -eq $ResourceProvider })) {
		Register-AzResourceProvider -ProviderNamespace $ResourceProvider
		wh "registered resource provider '$ResourceProvider'"
	}
	else {
		wh "resource provider '$ResourceProvider' was already registered"
	}


	# Create the resource group.
	if (! $(Get-AzResourceGroup | ? { $_.ResourceGroupName -eq $ResourceGroupName })) {
		New-AzResourceGroup -Name $ResourceGroupName -Location $AzureLocation
		wh "created resource group '$ResourceGroupName'"
	}
	else {
		wh "resource group '$ResourceGroupName' already exists"
	}

	# Create the dedicated subnet for AAD Domain Services.
	$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
		-Name $SubnetDs1 `
		-AddressPrefix $SubnetDs1_AddressPrefix


	$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
		-Name $SubnetDs2 `
		-AddressPrefix $SubnetDs2_AddressPrefix

	# Create the virtual network in which you will enable Azure AD Domain Services.
	$AaddsVirtualNetwork = New-AzVirtualNetwork `
		-Name $Vnet `
		-ResourceGroupName $ResourceGroupName `
		-Location $AzureLocation `
		-AddressPrefix $Vnet_AddressPrefix `
		-Subnet $AaddsSubnet, $WorkloadSubnet
	

	# Enable Azure AD Domain Services for the directory.
	New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
		-Location $AzureLocation `
		-Properties @{ `"DomainName" = $ManagedDomainName; `"SubnetId"   = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$Vnet/subnets/DomainServices"
	} `
		-Force -Verbose
}

create_Azure_Active_Directory_Domain_Services

i can't find any logs for this domain services object.
the only error i can find is the powershell error.

thanks for your help.

tom johnson

Need to know how to "restore" a deleted Guest User in Azure past the 30 day limit.  In OneDrive for Business, we deleted a Guest User >30 days.  It was permanently deleted.  Now when re-adding the same Guest User (same email address), access to any OneDrive share errors out with the message "This link is not available to you"

Audit log contains a failure classified as

How can I get the security audit events like Account Logon (Audit Kerberos Authentication Service) in Azure AD Domain Services?

I am new to Azure and my requirement is to get Network Information and Account Information from the computers connected to Azure AD Domain Controller (Doc: 4768(S, F): A Kerberos authentication ticket (TGT) was requested).

I enable the security audits for Azure Active Directory Domain Services (Doc: Enable security audits for Azure Active Directory Domain Services) which stream security events to targeted resources. I configured the target resource as Azure Log Analytics Workspace but still unable to get the Kerberos Authentication Audit events from the connected computers in Log Analytics workspace.

I configured the Azure AD domain services and Join a couple of Windows Server virtual machine to a managed domain and then configured security audit policy settings in windows server VM to generate audit events. (Doc: Advanced security audit policy settings)

As Azure AD DS is a domain managed by Microsoft so we do not have full control of the domain controller. Please let me know how can I get security audit events from Azure AD DS

P.S.: Unable to attach links as account is not verified.

Thanks and Regards,

Hrishikesh

Hey --

I have deployed an Azure Function in an Function App and change the authentication to be OAuth using a custom App Registration so access is secure using Oauth instead of function keys. This is fine. I have then defined an App Registration (my_backend_app) that I've set as a prerequisite on the Function App under Authentication (using the Express config option). Lastly I've created an App Registration for the accessing client app (my_client_app) and created a client_secret for that App Registration. The client app uses the client_credentials flow to obtain an access token which I then supplied as a Bearer token when accessing the secured function. I supply the Application URI of my_backend_app in the scope parameter (<app uri>/.default) when requesting the access token to ensure the access token is valid for the app set to secure the Function App.

Now to my issue...

The issue is that I do not need to create any link between the backend app (my_backend_app) and the client app (my_client_app) in Azure AD or Azure Functions in order for me to request an access token with the aud-claim set to the Application URI of my_backend_app. This means I can request an access token for my_backend_app even though I haven't explicitly been granted access to that app i.e. there is no link between the app registrations.

I would think that it should be a requirement as the Application URI is then simply another client secret if you would.

Comments very welcome. Thanks!

Hi, we're planning to allow a subset of our users to authenticate via Azure AD Domain Services via secure LDAP. We have a mixture of cloud-only Azure AD users, and internal Active Directory sync'd to Azure AD accounts. The accounts we want to enable LDAPS for are all synced from our internal AD. The cloud-only Azure AD accounts won't need this functionality.

We have Azure AD Domain Services setup (not yet set for LDAPS), and we have Azure AD Connect setup for password hash sync, and we have the write-back passwords to on-premise directory set.

We have NOT yet run the PowerShell scripts on our Azure AD Connect machines to enable legacy password hash sync for NTLM and Kerberos, and I'm not 100% positive that's even necessary, but the documentation implies that it is.

My big questions are:

1) If it is necessary to run the PowerShell scripts to enable the legacy hash sync, will that have any impact on our cloud-only Azure AD accounts?

2) And, if that hash sync change is necessary, will that have any impact on the current users who have been successfully synced from our on-premise AD?

Thanks for your help.

Hi,

I want to apply corporate Wallpaper, Screensaver and lock screen in client computers through Intune. Clients are using Windows 10 professional operating system and currently no configuration available for change wallpaper in Intune for Win10-Pro.

That's why I have applied through Powershell script option. below simple commands are run through script file.

For Wallpaper:

Set-ExecutionPolicy Bypass -scope Process -Force
set-itemproperty -path "HKCU:Control Panel\Desktop" -name Wallpaper -Value “c:\Windows\Web\Wallpaper\Windows\wallship.jpg”
rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $true

For ScreenSaver:

Set-ExecutionPolicy Bypass -scope Process -Force

New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name ScreenSaveActive -Value 1 -PropertyType String
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name ScreenSaverIsSecure -Value 0 -PropertyType String
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name ScreenSaveTimeOut -Value 60 -PropertyType String
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name SCRNSAVE.EXE -Value “c:\windows\Web\Wallpaper\Ethics.scr” -PropertyType String

After run this scripts through intune status is showing successful but not changed anything in Client laptop. Also pls help how to change Lockscreen.

is these correct scripts to change wallpaper, screensaver ? 

Please help

Thanks in advance

I have added guest user, and microsoft created @company.onmicrosoft.com mail. I have granted all possible roles, and I have added licence to @company.onmicrosoft.com account.

I also added guest users email to Sharepoint, and it is working - I am able to access to documents and edit ones.

I am unable to access anything regarding Office with this account. What I need to do is to create and edit notes in OneNote.

If you need me to provide any more information, please let me know.

Thanks,

Namik

I created a Web Forms application a LOOONG time ago. There's no start up folder, startup.cs, startup anything. There's a default page that redirects to the original login page I created. That's what I have NOW.

What I want is to do away with the custom login page in favor of using Azure AD. Everything that I have found to do this mentions a startup file and folder that I do not have. 

Question: Is there a way to use AD in the OLD web form applications (literally no startup file, I can create one but I'm sure there's more to this than just naming a file "startup") or is my only option to upgrade my entire project?

We have a number of companies that share a single on-premise AD, but each of those companies has their own Office 365 tenant. And we want to be able to synchronize passwords from our AD to O365 and from O365 to our AD. I've read the threads that suggest adding multiple copies of the sync software on different servers, but that's not a viable option given the number of companies that are sharing the environment.

We're not opposed to using a third-party package for this, if anyone has any suggestions.

How to Sync User profiles from Dynamics CRM to Azure AD B2C?

Appreciate any help.

Dear all,

 I have an AD Directory Synchronization, So, now i want to migrate them to cloud. So I would like to get any advice or resource regarding to this.

- Window Server 2008 R2 Standard (SP1) ( Virtualization )

- PowerShell Version 3.0

- DirSync 1.1.561.0

Thank you