Channel: Azure Active Directory forum
Viewing all 16000 articles

Restrict guest user from being added to certain Azure applications


We have an existing Azure tenant, and would like to open up some PowerBI reports to some external users that are customers.  The detail within these reports will contain only customer information.  

One idea that we have been tossing around is to invite some customers to our Azure tenant in order to allow this.  Our security team has some concerns with this plan.  Since a guest user will show up in Azure AD as a user, there is the potential that these external guest users could accidentally be added to other Azure resources incorrectly, therefore gaining access to these other areas.  Example: A guest user could accidentally be added to an internal SharePoint site, and have access to internal data of some sort.  

I was trying to think of a way to prevent this from occurring, and the best I could come up with is through leveraging "access reviews" (part of Identity Governance).  However, my understanding of access reviews is that they are a scheduled item (weekly, monthly, etc), and are therefore an action that would occur after the access has already been granted to the guest user. 

Entitlement Management looks like it might have something that could be leveraged to do this, but I am unfamiliar with the details of this Azure function, so I am not sure if it solves the problem or not.  

Basically we need some form of secondary authorization, or potentially a blocking mechanism, that only kicks in when an application admin (SharePoint admin for instance) tries to add a guest user, but does not kick in when that same application admin tries to add a normal domain user (person within the company).  Does anybody have any ideas on where I could look to find such a solution?
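Until a blocking control exists, the drift described above can at least be detected far more often than a scheduled access review. The following is an added example, not code from the original post or from Microsoft: using the AzureAD module it lists every guest's direct group memberships and direct enterprise-application assignments and flags anything that is not on an allow list. The group and application names in the allow lists, and the Connect-AzureAD session, are assumptions.

```powershell
# Added example (not from the original post): report guest users who hold access
# outside an allow list. Assumes the AzureAD module and an existing Connect-AzureAD
# session; the allow-list names are placeholders for the customer-facing Power BI
# group and application guests are meant to have.
param(
    [string[]]$AllowedGroups = @('PowerBI-Customer-Report-Readers'),   # placeholder
    [string[]]$AllowedApps   = @('Power BI Service')                   # placeholder
)

function Get-GuestAccessReport {
    param([string[]]$AllowedGroups, [string[]]$AllowedApps)

    # userType eq 'Guest' returns invited (B2B) accounts only; members are excluded.
    $guests = Get-AzureADUser -Filter "userType eq 'Guest'" -All $true

    foreach ($guest in $guests) {
        # Direct group and directory-role memberships of the guest.
        $memberships = Get-AzureADUserMembership -ObjectId $guest.ObjectId -All $true
        foreach ($m in $memberships) {
            [pscustomobject]@{
                Guest   = $guest.UserPrincipalName
                Kind    = $m.ObjectType            # Group or Role
                Name    = $m.DisplayName
                Allowed = $AllowedGroups -contains $m.DisplayName
            }
        }
        # Enterprise applications the guest is directly assigned to.
        $assignments = Get-AzureADUserAppRoleAssignment -ObjectId $guest.ObjectId -All $true
        foreach ($a in $assignments) {
            [pscustomobject]@{
                Guest   = $guest.UserPrincipalName
                Kind    = 'Application'
                Name    = $a.ResourceDisplayName
                Allowed = $AllowedApps -contains $a.ResourceDisplayName
            }
        }
    }
}

# Every row left after the filter is a guest who has drifted into an internal resource.
Get-GuestAccessReport -AllowedGroups $AllowedGroups -AllowedApps $AllowedApps |
    Where-Object { -not $_.Allowed } |
    Format-Table Guest, Kind, Name -AutoSize
```

Run from a scheduled task or automation account this gives a daily (or hourly) list of the exact SharePoint-site or app assignments the security team is worried about; nested group membership is not expanded here, so a guest added to a group that is itself a member of an allowed group still shows up under its own group name.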


On-premise application published on Microsoft Azure AD "Myapps"


What will be the best way to publish an «on-premises» application into Azure AD «MyApps»?

1- Using the Application Proxy?
2- Create a VPN between Azure and customer site?
3- Put the application in front of the Internet through Firewall and WAF? 

We need to consider about 5000 simultaneous users during peak periods.

I know which one is my favorite, but I need the opinions of others... 

Many thanks.

Martin R.

Azure Application Users and Roles


Through PowerShell, I can list all the users who are assigned to an Azure application. But how can I list all the users assigned to an Azure application, as well as which roles these users belong to in the application? It seems I can either list all the users assigned to an app or list all the roles for the app, but I haven't found a way to list them together, to show all the users and which roles in the app each user belongs to, through PowerShell. Thanks in advance.
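The two lists can be joined on the role GUID: each app role assignment carries the role's Id, and the role names live on the service principal's AppRoles collection. The following is an added example, not code from the original post or from Microsoft; it assumes the AzureAD module, an existing Connect-AzureAD session, and a placeholder application display name.

```powershell
# Added example (not from the original post): list every principal assigned to an
# enterprise application together with the app role each assignment carries.
# Assumes the AzureAD module and an existing Connect-AzureAD session; the
# application display name passed at the bottom is a placeholder.

function Get-AppAssignmentsWithRoles {
    param([Parameter(Mandatory)][string]$AppDisplayName)

    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'" |
        Select-Object -First 1
    if (-not $sp) { throw "No service principal named '$AppDisplayName'." }

    # An assignment only stores the role GUID; build a GUID -> name lookup once
    # from the roles the application defines.
    $roleNames = @{}
    foreach ($r in $sp.AppRoles) { $roleNames[$r.Id] = $r.DisplayName }
    # Applications that define no roles assign the all-zero "Default Access" role.
    $roleNames['00000000-0000-0000-0000-000000000000'] = 'Default Access'

    Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
        ForEach-Object {
            [pscustomobject]@{
                Principal     = $_.PrincipalDisplayName
                PrincipalType = $_.PrincipalType      # User, Group or ServicePrincipal
                Role          = $roleNames[$_.Id]
                RoleId        = $_.Id
            }
        }
}

Get-AppAssignmentsWithRoles -AppDisplayName 'Contoso Expense App' |
    Sort-Object Role, Principal | Format-Table -AutoSize
```

Groups show up as a single row with PrincipalType Group; the users who inherit the role through that group are not expanded here, so a complete "who can do what" review still needs the group memberships resolved separately.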



Which account used to signin

When using Connect-AzureAD or Connect-AzAccount to log in through PowerShell, sometimes you forget what account was used to log in to the cloud through PowerShell. Is there a command in the AzureAD and Az modules that can tell which account is signed in to the current session? Thanks.

I can't sign-in. Message: AADSTS50020: etc. See below


Sign in

Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'tomteresi@UNICOTC.onmicrosoft..com' from identity provider 'https://sts.windows..net/5a8fdb5d-80e7-47ca-8ef6-759f3cc02c11/' does not exist in tenant 'Microsoft' and cannot access the application '405e80fc-f8e6-40e6-b6b9-e5bcc7e6813e'(Redirection Ux Prod) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Request Id: 204daf92-0d18-46f7-9636-719a77005300
Correlation Id: cc661a15-b32f-4f8a-b918-a93de66887de
Timestamp: 2019-11-26T00:02:16Z
Message: AADSTS50020: User account 'tomteresi@UNICOTC.onmicrosoft..com' from identity provider 'https://sts.windows..net/5a8fdb5d-80e7-47ca-8ef6-759f3cc02c11/' does not exist in tenant 'Microsoft' and cannot access the application '405e80fc-f8e6-40e6-b6b9-e5bcc7e6813e'(Redirection Ux Prod) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Remove-MsolUser Access Denied


Hello,

I have an issue where I'm trying to remove an orphaned user account in Office 365. The account still exists in Office 365 and shows up in the global address list, however it's been deleted on-prem and sync is working fine. So I've found articles saying to manually wipe it on Office 365 using the following command. However, I keep getting an Access Denied error every time. I'm using elevated PowerShell, I'm a global admin in Office 365 and I don't think it's a UPN issue because I'm able to use Get-MsolUser and find the account. Any other ideas? Thanks!

Remove-MsolUser -UserPrincipalName account_name

Remove-MsolUser : Access Denied. You do not have permissions to call this cmdlet.

A "Get-MsolUser -UserPrincipalName account_name" returns the user account just fine.
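Both this post and the "Which account used to signin" post above come down to the same preflight: know which identity and tenant each module session is actually using before running a privileged cmdlet. The following is an added example, not code from either post or from Microsoft. It assumes the AzureAD, Az.Accounts and MSOnline modules are installed and already connected, and the UPNs are placeholders.

```powershell
# Added example (not from either post): show the signed-in identity of the AzureAD and
# Az sessions, and confirm the MSOnline account holds the Global Administrator role
# ("Company Administrator" in MSOnline) before touching an orphaned object.
# Assumes AzureAD, Az.Accounts and MSOnline are installed and already connected.

function Get-CloudSessionIdentity {
    # AzureAD module: account and tenant behind the Connect-AzureAD session.
    $aad = Get-AzureADCurrentSessionInfo
    # Az module: account, tenant and subscription behind the Connect-AzAccount session.
    $az  = Get-AzContext
    [pscustomobject]@{
        AzureAD_Account = $aad.Account.Id
        AzureAD_Tenant  = $aad.TenantDomain
        Az_Account      = $az.Account.Id
        Az_Tenant       = $az.Tenant.Id
        Az_Subscription = $az.Subscription.Name
    }
}

function Test-MsolGlobalAdmin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $role    = Get-MsolRole -RoleName 'Company Administrator'
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
    [bool]($members | Where-Object { $_.EmailAddress -eq $UserPrincipalName })
}

Get-CloudSessionIdentity | Format-List

# Placeholder: the account you believe you connected to MSOnline with.
$adminUpn = 'admin@contoso.onmicrosoft.com'
if (Test-MsolGlobalAdmin -UserPrincipalName $adminUpn) {
    # Inspect the object before removing it: ImmutableId and LastDirSyncTime show
    # whether the cloud object is still flagged as directory-synced.
    Get-MsolUser -UserPrincipalName 'orphan@contoso.com' |   # placeholder
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime, BlockCredential
} else {
    Write-Warning "$adminUpn does not hold Company Administrator in this tenant."
}
```

The role check matters because the Access Denied text refers to the account MSOnline is connected as, which is not necessarily the account the other two modules are using; the AzureAD and Az outputs make any mismatch between sessions visible at a glance.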

When install / configure AD connect -- should we filter or just select all users/devices?


What does the warning refer to?   Does it mean that "synchronize all users and devices" is for production deployment only? (See the 2nd link below.)  And should we generally filter only for a pilot deployment?   

Why should we filter?

For production, if we are to filter and we only want users and groups to be synced from on-premises AD to Azure AD, is there an option to sync just the Users OU and security groups?   Should I select the OUs Builtin and Users?   (See blue circles, step 6.)

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom



dsk




Security concepts


hi

We are building a POC app to showcase Azure capabilities to clients.

We need help in designing the security.

We have 2 web applications:

 1) FrontEndWebApp (ASP.NET MVC)

 2) BackendRestService (Web API)

We are planning to host these apps on the Azure App Service platform.

We need a security configuration similar to this:

  FrontEndWebApp (ASP.NET MVC) should run as one service account (managed service identity named FrontEndSPIdentity).

  BackendRestService should grant the FrontEndSPIdentity permission to call all services defined in BackendRestService.

  Along with that, BackendRestService should have a defined MSI named BackedSPIdentity.

  BackedSPIdentity should have read access to Azure Storage and Azure Key Vault.

Please let me know how to solve this.
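The four requirements above map onto two system-assigned managed identities, two scoped data-plane grants, and one app role assignment. The following is an added example, not code from the original post or from Microsoft, using the Az and AzureAD modules. Resource group, web app, storage account, key vault and app-registration identifiers are placeholders, and it assumes the backend API has an app registration that defines an application-type app role with Value 'Api.Invoke'.

```powershell
# Added example (not from the original post): wiring the two identities described above.
# Assumes the Az and AzureAD modules with connected sessions. An App Service
# system-assigned identity takes the web app's own name, so the post's FrontEndSPIdentity
# and BackedSPIdentity become the identities of the two web apps. All names are placeholders.

$rg       = 'poc-rg'                  # placeholder resource group
$frontend = 'poc-frontendwebapp'      # FrontEndWebApp     -> FrontEndSPIdentity
$backend  = 'poc-backendrestservice'  # BackendRestService -> BackedSPIdentity
$storage  = 'pocstorage01'            # placeholder storage account
$vault    = 'poc-kv'                  # placeholder key vault
# Placeholder: appId of the app registration representing the backend API, which
# defines an application-type app role with Value 'Api.Invoke'.
$backendApiAppId = '00000000-0000-0000-0000-000000000000'

# 1. System-assigned managed identities: no client secret stored in either app.
$fe = Set-AzWebApp -ResourceGroupName $rg -Name $frontend -AssignIdentity $true
$be = Set-AzWebApp -ResourceGroupName $rg -Name $backend  -AssignIdentity $true

# 2. Backend identity: read-only data-plane rights, scoped to one storage account
#    and one vault, nothing at subscription or resource-group scope.
$storageId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storage).Id
New-AzRoleAssignment -ObjectId $be.Identity.PrincipalId `
    -RoleDefinitionName 'Storage Blob Data Reader' -Scope $storageId
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $be.Identity.PrincipalId `
    -PermissionsToSecrets get,list

# 3. Only the frontend identity may call the backend: assign it the API's app role.
$apiSp = Get-AzureADServicePrincipal -Filter "appId eq '$backendApiAppId'"
$role  = $apiSp.AppRoles | Where-Object { $_.Value -eq 'Api.Invoke' }
New-AzureADServiceAppRoleAssignment -ObjectId $fe.Identity.PrincipalId `
    -PrincipalId $fe.Identity.PrincipalId -ResourceId $apiSp.ObjectId -Id $role.Id

# 4. The backend enforces this by validating the token's audience (the API's appId)
#    and requiring 'Api.Invoke' in the roles claim; any other caller is rejected.
```

The frontend obtains its token for the backend's appId from the App Service identity endpoint, and because the role is granted to the frontend's identity only, a token presented by any other principal carries no 'Api.Invoke' role and fails the backend's check in step 4.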



Azure App - AcquireTokenByUsernamePassword


Hello. I'm attempting to log into my app that is registered in Azure. If I get the username or password incorrect I get the appropriate message that the user is unknown or the password was incorrect. However, if I enter the credentials correctly I receive the below message and stack trace.

I am using Unity to interact with the libraries. I have followed the examples online but I am still having issues with logging in correctly. Has anyone seen the same issue and what did you do to get it working?

Thanks for helping

---------------------------------------------------------------------------------

 Response status code does not indicate success: 406 (NotAcceptable). ---   

at Microsoft.Identity.Client.WsTrust.WsTrustWebRequestManager+<GetMexDocumentAsync>d__2.MoveNext () [0x00103] in <be6702be34b4420fba044c42668ddcee>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in <567df3e0919241ba98db88bec4c6696f>:0 
  at Microsoft.Identity.Client.WsTrust.CommonNonInteractiveHandler+<PerformWsTrustMexExchangeAsync>d__5.MoveNext () [0x00093] in <be6702be34b4420fba044c42668ddcee>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in <567df3e0919241ba98db88bec4c6696f>:0 
  at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest+<FetchAssertionFromWsTrustAsync>d__4.MoveNext () [0x00165] in <be6702be34b4420fba044c42668ddcee>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in <567df3e0919241ba98db88bec4c6696f>:0 
  at Microsoft.Identity.Client.Internal.Requests.UsernamePasswordRequest+<ExecuteAsync>d__3.MoveNext () [0x00159] in <be6702be34b4420fba044c42668ddcee>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in <567df3e0919241ba98db88bec4c6696f>:0 
  at Microsoft.Identity.Client.Internal.Requests.RequestBase+<RunAsync>d__14.MoveNext () [0x001d7] in <be6702be34b4420fba044c42668ddcee>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in <567df3e0919241ba98db88bec4c6696f>:0 
  at Microsoft.Identity.Client.ApiConfig.Executors.PublicClientExecutor+<ExecuteAsync>d__5.MoveNext () [0x000bb] in <be6702be34b4420fba044c42668ddcee>:0 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <567df3e0919241ba98db88bec4c6696f>:0 
  at System.Runtime.CompilerServices.TaskAwaiter`1[TResult].GetResult () [0x00000] in <567df3e0919241ba98db88bec4c6696f>:0 
  at MSTeams+<>c+<<Start>b__0_0>d.MoveNext () [0x002aa] in D:\Refinitiv\Eikon\Assets\Scripts\Behaviors\MSTeams.cs:51 
UnityEngine.Debug:Log(Object)
<<Start>b__0_0>d:MoveNext() (at Assets/Scripts/Behaviors/MSTeams.cs:63)
UnityEngine.UnitySynchronizationContext:ExecuteTasks() (at C:/buildslave/unity/build/Runtime/Export/Scripting/UnitySynchronizationContext.cs:104)



AD user accounts defaulting to USA when it should be Australia. How do I change the default region location?

Everything was fine until a week or so ago. Now AD user accounts are defaulting to USA when they should be Australia. How do I change the default region location?

Not able to create subscription in multi tenant


Hi...

I have created a multi-tenant app in Azure.

I am fetching an authorization code.

I am fetching an access token using this authorization code.

Now I am unable to create a subscription using this OAuth token.

Using this OAuth token I am able to fetch users from 2 different tenants. But I am unable to fetch messages and create a subscription.

Please let me know if there is any specific permission we have to give in our app to create a subscription and get messages in the multi-tenant use case.

Note: This application in Azure works perfectly fine for the single-tenant use case.

I am getting the below error:

"error": {
    "code": "InvalidRequest",
    "message": "Subscription validation request failed. Must respond with 200 OK to this request.",
    "innerError": {
      "request-id": "d68aa439-904e-41dd-9b8b-4d3ea3269f1b",
      "date": "2019-11-22T13:46:42"
    }
  }

Can we install AAD Connect agent on another server?


Hi Experts,

I'm trying to research and confirm this but I can't seem to find a solid answer, so I am raising this dumb question here.  I wonder when I saw this recommendation from Azure AD.  Can we install the AAD Connect agent on another server (additional install)?  Can you also share a guide on how to do this properly, or do we just have to mirror the settings we had on the existing AAD Connect agent installed?  Please advise.

Thank you so much!!

Logbi

queries related to Terms of use


Hi,

I am working on a mobile application; in my project I am using Azure AD authentication for the login process.

My future implementation is to add user acceptance of Terms of use during login.

I have gone through the link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use  and started implementing this in my mobile app. 

I have a few queries to be clarified:

  1. Can we update/re-upload the PDF in an existing Terms of use?
  2. If yes, how do I re-upload the PDF? If no, what is the alternative approach for this?

Is there any way of generating a X.500 formatted SAML claim in Azure AD?


Hello,

I'm trying to get the "user.jobtitle" attribute into a SAML claim that AWS can consume, however that does not seem to be possible with Azure AD. Ideally I would have wanted to use the AWS parameter "saml:organizationStatus", which AWS maps from the "0.9.2342.19200300.100.1.45"  X.500 claim (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html).

The following is the format that AWS expects, according to AWS support:

<saml:Attribute Name="0.9.2342.19200300.100.1.45" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">NUcTzbkzle7i3vfM9iRDpJ1N4jznNKsWaPO8bU8MWY4=</saml:AttributeValue>
</saml:Attribute>

However generating anything looking like that is impossible with the rather limited "Manage claim" functionality in the Azure AD portal.

Does anyone know if there is a way of getting around this, or am I scuppered here...?

Thanks in advance!

For reference, below is the communication from AWS in case it can be useful to anyone:

Please note that some condition keys are only supported in the role's trust policy, including saml:organizationStatus[] [1]. We have a few SAML-related condition keys that are supported in role permissions policies [2], including the following:
saml:namequalifier
saml:sub
saml:sub_type

I think the SAML attribute name in the assertion should be the same as the table entry in this doc [3], so I'd expect the following SAML attribute to map to saml:organizationStatus[]:
<saml:Attribute Name="0.9.2342.19200300.100.1.45" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">NUcTzbkzle7i3vfM9iRDpJ1N4jznNKsWaPO8bU8MWY4=</saml:AttributeValue>
</saml:Attribute>

The condition key saml:organizationStatus[] also seems to expect an array value like the following:
"StringLike": {
    "saml:organizationStatus": [
        "NUcTzbkzle7i3vfM9iRDpJ1N4jznNKsWaPO8bU8MWY4="
    ]
}

Please let me know if you have any issues with this, and I can do some further testing in my account to investigate further. Please also include the role name that you're testing with.

[3] Configuring SAML Assertions for the Authentication Response - Mapping SAML Attributes to AWS Trust Policy Context Keys - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml-attribute-mapping


Cannot elevate my Azure AD domain account to administrator in Autopilot provisioned computers


Syncing with Workplace by Facebook

I'm trying to sync Azure AD with Workplace by Facebook. It appears to be working to create new accounts, but it doesn't deactivate accounts of people who leave the organisation, even though it is set to sync to a group which only contains live employees. Azure says I have sync errors and needs to start syncing from scratch, but I can't see a status of this anywhere. Can anyone help?

How to modify the setting/policy to change the SAML response condition?


I am debugging an issue with the SAML response from Azure AD. Besides the claims, I have everything set by default. 

The conditions of the SAML response seem logical: not before 5 minutes before the IssueInstant time, and not after an hour after the IssueInstant.

However, I had logged in previously to Azure AD, before the condition. So, in the same SAML response, I have the AuthnInstant a few hours before the condition. Note that, based on the cookie info in the browser, I have 90 days of login session validity. So, my SP failed my login because the issue instant was not in the acceptable window.

I have 2 questions here.

1. How do I modify the condition setting, so that the condition would be not before 90 days of the IssueInstant time?

2. Is it recommended to change the condition as I am trying to do in #1?

Please help. Thanks!
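The two timestamps the post mixes are checked by a service provider for different reasons: the Conditions window says whether this particular assertion is fresh, while AuthnInstant says how long ago the user actually authenticated. The following is an added example, not code from the original post or from Microsoft; it shows that distinction as a small SP-side check run over a constructed SAML response with constructed timestamps and a constructed 5-minute clock-skew allowance. Nothing in it changes Azure AD's own window.

```powershell
# Added example (not from the original post): an SP-side check of the SAML Conditions
# window next to a separate session-age policy, over a constructed response.
# The XML, its timestamps, the 5-minute skew and the 24-hour session policy are all
# constructed values for the demonstration.

$constructedResponse = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                IssueInstant="2019-11-26T10:00:00Z">
  <saml:Assertion IssueInstant="2019-11-26T10:00:00Z">
    <saml:Conditions NotBefore="2019-11-26T09:55:00Z" NotOnOrAfter="2019-11-26T11:00:00Z" />
    <saml:AuthnStatement AuthnInstant="2019-11-26T03:12:00Z" />
  </saml:Assertion>
</samlp:Response>
'@

function Test-SamlAssertionWindow {
    param(
        [Parameter(Mandatory)][string]$ResponseXml,
        [Parameter(Mandatory)][datetime]$Now,
        [timespan]$AllowedSkew   = [timespan]::FromMinutes(5),   # constructed
        [timespan]$MaxSessionAge = [timespan]::FromHours(24)     # SP's own policy, constructed
    )
    [xml]$doc   = $ResponseXml
    $assertion  = $doc.Response.Assertion
    $notBefore    = [datetime]::Parse($assertion.Conditions.NotBefore).ToUniversalTime()
    $notOnOrAfter = [datetime]::Parse($assertion.Conditions.NotOnOrAfter).ToUniversalTime()
    $authnInstant = [datetime]::Parse($assertion.AuthnStatement.AuthnInstant).ToUniversalTime()

    # Freshness of the assertion itself: the Conditions check, kept strict apart from skew.
    $fresh = ($Now -ge $notBefore.Subtract($AllowedSkew)) -and
             ($Now -lt $notOnOrAfter.Add($AllowedSkew))
    # Age of the underlying sign-in: a separate policy decision that belongs to the SP.
    $sessionAgeOk = ($Now - $authnInstant) -le $MaxSessionAge

    [pscustomobject]@{
        Now            = $Now
        NotBefore      = $notBefore
        NotOnOrAfter   = $notOnOrAfter
        AuthnInstant   = $authnInstant
        AssertionFresh = $fresh
        SessionAgeOk   = $sessionAgeOk
        Accept         = $fresh -and $sessionAgeOk
    }
}

# Received promptly: accepted even though the user authenticated hours earlier.
Test-SamlAssertionWindow -ResponseXml $constructedResponse `
    -Now ([datetime]::Parse('2019-11-26T10:02:00Z').ToUniversalTime())
# The same response presented two hours later: rejected by the Conditions window,
# regardless of how recent the AuthnInstant is.
Test-SamlAssertionWindow -ResponseXml $constructedResponse `
    -Now ([datetime]::Parse('2019-11-26T12:02:00Z').ToUniversalTime())
```

The first call shows that an old AuthnInstant is not by itself a reason for the SP to fail the login; the second shows why the Conditions window is kept short: it is the only thing that limits how long a captured assertion remains usable. An SP that wants a 90-day session should keep its own session cookie after accepting a fresh assertion rather than accept assertions issued up to 90 days earlier.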

Azure AD Join Error: 80192ee2


I have a few computers behaving in the same fashion and looking for some help.

When I try to join a computer via Azure AD - I get the following error:

Server error code: 80192ee2
Correlation ID: not available
Server Message: not available

I can't seem to find any information about this error. However, I learned that if I disable the Geo Filtering in our company firewall it will join the domain no problem. 

So the question is: how can I determine which country needs to be whitelisted to alleviate this problem?

SSPR through Windows 10 Login screen requires machine restart

User is not able to reset password from the Windows 10 login screen without restarting the PC or laptop.

Unable to do bulk insert from Azure blob (.csv file) to Azure SQL database

Task: We are trying to load the .csv file from blob storage to Azure SQL by using the bulk insert command.
To perform the bulk insert we did the below prerequisites and executed the bulk insert command. But we are getting a file access error. Please help me out on this.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'abc@123';

GO
CREATE DATABASE SCOPED CREDENTIAL MyAzureBlobStorageCredential
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = 'sv=**************8';

CREATE EXTERNAL DATA SOURCE MyAzureBlobStorage
WITH ( TYPE = BLOB_STORAGE,
          LOCATION = 'https://**********.blob.core.windows.net/container_name'
          , CREDENTIAL= MyAzureBlobStorageCredential
);
INSERT INTO testing with (TABLOCK) (name,city)
SELECT * FROM OPENROWSET(
   BULK  'test.csv',
   DATA_SOURCE = 'MyAzureBlobStorage',
   FORMAT ='csv',
   FORMATFILE='Test.csv',
   FORMATFILE_DATA_SOURCE = 'MyAzureBlobStorage'
    ) AS DataFile;

Error msg:

Msg 4860, Level 16, State 3, Line 12
Cannot bulk load. The file "Test.csv" does not exist or you don't have file access rights.

Alternatively we tried other options:

1. Created a VM on Azure and installed SQL Server.

2. Executed the above command; while executing the below command 

CREATE EXTERNAL DATA SOURCE MyAzureBlobStorage
WITH ( TYPE = BLOB_STORAGE,
          LOCATION = 'https://*******.blob.core.windows.net/'
          , CREDENTIAL= MyAzureBlobStorageCredential

)

we are getting the error "incorrect syntax near external".

We are curious to know whether bulk insert will work in the Azure environment (Azure blob .csv to Azure SQL) because we tried multiple options as mentioned above.

Your help in this regard will be very appreciated.

Thanks,

Ruchika. 
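One detail worth noticing in the post: the Msg 4860 error names "Test.csv", which is the value given to FORMATFILE, not the data file 'test.csv' named in BULK, and blob names are case-sensitive. With FORMAT = 'CSV' the engine parses the file itself and no format file is needed. The following is an added example, not code from the original post or from Microsoft: the same load driven from PowerShell with Invoke-Sqlcmd (SqlServer module), with the FORMATFILE line dropped and the SAS secret prompted for instead of typed into the script. It assumes the database master key from the post already exists, that dbo.testing(name, city) exists, that the CSV has a header row (FIRSTROW = 2), and that test.csv is the exact blob name; server, database, container URL and credentials are placeholders.

```powershell
# Added example (not from the original post): load test.csv from a blob container into
# dbo.testing with BULK INSERT ... FORMAT = 'CSV', no format file. Assumes the SqlServer
# module (Invoke-Sqlcmd), an existing database master key, the target table, a header
# row in the CSV, and the exact blob name 'test.csv'. All names below are placeholders.

$server    = 'poc-sqlsrv.database.windows.net'                           # placeholder
$db        = 'pocdb'                                                      # placeholder
$container = 'https://pocstorage01.blob.core.windows.net/container_name'  # placeholder
$sqlLogin  = Get-Credential -Message 'SQL login for the target database'

# SAS token as issued, without the leading '?'; read interactively so it never sits
# in the script file or in shell history.
$sasSecure = Read-Host -Prompt 'Container SAS token (without leading ?)' -AsSecureString
$sas       = [System.Net.NetworkCredential]::new('', $sasSecure).Password

$query = @"
-- Recreate the data source and credential idempotently; the data source depends on
-- the credential, so it is dropped first.
IF EXISTS (SELECT 1 FROM sys.external_data_sources WHERE name = 'MyAzureBlobStorage')
    DROP EXTERNAL DATA SOURCE MyAzureBlobStorage;
IF EXISTS (SELECT 1 FROM sys.database_scoped_credentials WHERE name = 'MyAzureBlobStorageCredential')
    DROP DATABASE SCOPED CREDENTIAL MyAzureBlobStorageCredential;

CREATE DATABASE SCOPED CREDENTIAL MyAzureBlobStorageCredential
    WITH IDENTITY = 'SHARED ACCESS SIGNATURE', SECRET = '$sas';

CREATE EXTERNAL DATA SOURCE MyAzureBlobStorage
    WITH (TYPE = BLOB_STORAGE, LOCATION = '$container', CREDENTIAL = MyAzureBlobStorageCredential);

-- FORMAT = 'CSV' parses the file directly, so no FORMATFILE is given and the separate
-- lookup of 'Test.csv' that the Msg 4860 error names does not happen.
BULK INSERT dbo.testing
    FROM 'test.csv'
    WITH (DATA_SOURCE = 'MyAzureBlobStorage', FORMAT = 'CSV', FIRSTROW = 2, TABLOCK);
"@

Invoke-Sqlcmd -ServerInstance $server -Database $db -Credential $sqlLogin -Query $query
```

If the SAS was issued for the whole storage account rather than the container, LOCATION can stay at the account root as in the post's second attempt and the blob path in FROM becomes 'container_name/test.csv'; in either case the credential should carry only the Read and List permissions the load needs.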
