Channel: Azure Active Directory forum

Bind Refresh Tokens To Device using Windows OnBoard Tools


Hi all,

I am new to this forum. I'd like to talk about refresh tokens one more time. It is clear that these tokens have to be stored securely.

One scenario we would like to prevent is that when a device stores a refresh token and the device backup is stored in the cloud, an attacker who was able to steal the backup could read from the token store.

To avoid such a scenario, a solution could be to bind the token to the device on which it is stored, right?

A short time ago somebody told me that there is a MS Windows 10 onboard solution to bind tokens to a device. Unfortunately he is not available anymore.

Is anybody aware of such an onboard solution to bind tokens to a device?

Thanks and kind regards,

Seb


SAML 2 error message


Hello,

I am hoping you can help me with this minor configuration error on my side. I am trying to demo how customers can set up SSO using SAP Cloud Platform Single Sign-On and Microsoft Azure, and I have a very nice article from your team on how this can be achieved: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial

I could sign in using the application URL with my email address a**t*.*a*r@sap.com successfully; however, when I try to use amithnair7@gmail.com I have an issue where it says ‘Calling of URL https://my3***72s4hana.ondemand.com was terminated during SAML2 processing’.

Also, while I am 'testing the application' I get a configuration error for the application that is hosted in SAP Cloud Platform. So, I know this is a problem that is encountered for my Gmail ID. And yes, I have the user for Gmail already created in my application.

To summarize, I can successfully SSO using my corporate domain; however, when using my Gmail account, I get a SAML2 error.



Azure sync with office 365 online exchange

Hello everybody, my team and I are about to launch our CRM to the cloud and want to make it so that users can use their local computer passwords to sign in to it, but also so that they can do the same for their Office 365 accounts. However, they already have separate accounts for Office made, so when they sign in they use a different password. In AD Users and Computers they have an email set in the email box; if we sync their passwords over, will they just link to their current accounts, or will it create duplicates of the accounts without the current mailboxes? We need their mailboxes to sync with their passwords to make it easier. I'm asking for help because I have more experience with Server and not Azure. Thank you!!

Use One Azure Active Directory for both Dynamic 365 and O365

Hello Expert,

If an environment has an existing D365 set up with an Azure Active Directory, can the same AAD tenant be used for O365?

Azure Privileged Identity Management

I have a case where Privileged Identity Management is configured for the organisation. Each new project is given its own set of subscriptions and AAD groups, and then Privileged Identity Management is applied on top, controlling owner/contributor/reader access.

At the moment this is all done via the GUI; however, this is a long process, taking around 45 minutes per project. There are no PowerShell modules for this; however, is there a programmatic way to apply the settings we want? It would save a lot of time.

AD Connect: A member could not be added to or removed from the local group because the member does not exist

Hi,

I'm unable to install the AD Connect service: A member could not be added to or removed from the local group because the member does not exist. When I let AD Connect create a new user, it makes the user in AD just fine, but fails with this error. When using the domain admin, the same error comes up.

First: Starting: Temporarily adding the **usernamehere** account to the local Users group... - AzureActiveDirectorySyncEngine ID 904

Then: AzureActiveDirectorySyncEngine error 906 with:

SynchronizationServiceSetupTask:InstallCore - Caught unexpected exception. Details System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: **A member could not be added to or removed from the local group because the member does not exist.**

   --- End of inner exception stack trace ---
   at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.AddMemberToGroup(DirectoryEntry groupDirectoryEntry, String memberDirectoryEntryPath)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.AccountManagementAdapter.AddMembersToLocalGroup(SecurityIdentifier groupSid, DirectoryEntry[] memberEntries)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SyncServiceAccount.<>c__DisplayClass56_0.b__0()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)

End with: Exception has been thrown by the target of an invocation. AzureActiveDirectorySyncEngine 906

Any suggestions?

How to integrate Azure advanced App Service Authentication / Authorization to access the Azure DevOps API (tasks, pipelines)

We are trying to make a webpage where a user can see all his assigned tasks and pipelines using the DevOps API. The question

As we know, Azure supports the advanced App Service authentication / authorization (EasyAuth), where tokens are generally stored and managed by Azure once the user authenticates the request with Azure AD. So, how can we integrate this to have access to the DevOps API?

Thanks.

How Terms of use work in mobile application

Hi,

I am working on terms of use in the Azure portal for my application, and I have a few doubts to be clarified.

  1. If I add terms of use for the application, what about the user who is already registered in the Azure portal and already logged in to my application? How will the existing user come to know?
  2. How do I edit the PDF which I have uploaded? For example, I want to upload a new version of the terms and conditions PDF, so how can I do that?

Add-AzureADDirectoryRoleMember not working as it was a few weeks ago


I am trying to assign an Azure AD role to a service principal and I keep getting this message:

Message: Resource '22bb3d5a-6e9f-447c-a171-96b812bbde64' does not exist or one of its queried reference-property objects are not present.

I am using this command:

Add-AzureADDirectoryRoleMember -ObjectId 22bb3d5a-6e9f-447c-a171-96b812bbde64 -RefObjectId 5a14818e-e9b9-4e4e-b871-37272529075a

The service principal does exist, and 22bb3d5a-6e9f-447c-a171-96b812bbde64 is the correct ObjectID for it. The RefObjectID is returned successfully when I run get-azureAdDirectoryRole 5a14818e-e9b9-4e4e-b871-37272529075a.

This command worked a few weeks ago without issue; has something changed recently? I don't see any updates on the docs.microsoft.com site for this command. I am running this command with a global admin account, so it shouldn't be a permissions issue.

Security concepts

Hi,

We are building a POC app to showcase the Azure capabilities to clients and need help in designing the security.

We have 2 web applications:

 1) FrontEndWebApp (ASP.NET MVC)

 2) BackendRestService (Web API)

We are planning to host these apps on the Azure App Service platform.

We need a security configuration similar to this:

  FrontEndWebApp (ASP.NET MVC) should run as one service account (managed service identity named FrontEndSPIdentity).

  BackendRestService should give permission to FrontEndSPIdentity to call all services defined in BackendRestService.

  Along with that, BackendRestService should have a defined MSI named BackedSPIdentity.

  BackedSPIdentity should have read access to Azure Storage and Azure Key Vault.

Please let me know how to solve this.


Restrict guest user from being added to certain Azure applications


We have an existing Azure tenant, and would like to open up some PowerBI reports to some external users that are customers. The detail within these reports will contain only customer information.

One idea that we have been tossing around is to invite some customers to our Azure tenant in order to allow this. Our security team has some concerns with this plan. Since a guest user will show up in Azure AD as a user, there is the potential that these external guest users could accidentally be added to other Azure resources incorrectly, therefore gaining access to these other areas. Example: A guest user could accidentally be added to an internal SharePoint site, and have access to internal data of some sort.

I was trying to think of a way to prevent this from occurring, and the best I could come up with is through leveraging "access reviews" (part of Identity Governance). However, my understanding of access reviews is that they are a scheduled item (weekly, monthly, etc.), and are therefore an action that would occur after the access has already been granted to the guest user.

Entitlement Management looks like it might have something that could be leveraged to do this, but I am unfamiliar with the details of this Azure function, so I am not sure if it solves the problem or not.

Basically we need some form of secondary authorization, or potentially a blocking mechanism, that only kicks in when an application admin (SharePoint admin for instance) tries to add a guest user, but does not kick in when that same application admin tries to add a normal domain user (person within the company). Does anybody have any ideas on where I could look to find such a solution?

Syncing with Workplace by Facebook

I'm trying to sync Azure AD with Workplace by Facebook. It appears to be working to create new accounts, but it doesn't deactivate accounts of people who leave the organisation, even though it is set to sync to a group which only contains live employees. Azure says I have sync errors and needs to start syncing from scratch, but I can't see a status of this anywhere. Can anyone help?

Is there any way of generating a X.500 formatted SAML claim in Azure AD?


Hello,

I'm trying to get the "user.jobtitle" attribute into a SAML claim that AWS can consume; however, that does not seem to be possible with Azure AD. Ideally I would have wanted to use the AWS parameter "saml:organizationStatus", which AWS maps from the "0.9.2342.19200300.100.1.45" X.500 claim (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html).

The following is the format that AWS expects, according to AWS support:

<saml:Attribute Name="0.9.2342.19200300.100.1.45" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">NUcTzbkzle7i3vfM9iRDpJ1N4jznNKsWaPO8bU8MWY4=</saml:AttributeValue>
</saml:Attribute>

However generating anything looking like that is impossible with the rather limited "Manage claim" functionality in the Azure AD portal.

Does anyone know if there is a way of getting around this, or am I scuppered here...?

Thanks in advance!

For reference, below is the communication from AWS in case it can be useful to anyone:

please note that some condition keys are only supported in the role's trust policy, including saml:organizationStatus[] [1]. We have a few SAML-related condition keys that are supported in role permissions policies [2], including the following:
saml:namequalifier
saml:sub
saml:sub_type

I think the SAML attribute name in the assertion should be the same as the table entry in this doc [3], so I'd expect the following SAML attribute to map to saml:organizationStatus[]:
<saml:Attribute Name="0.9.2342.19200300.100.1.45" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">NUcTzbkzle7i3vfM9iRDpJ1N4jznNKsWaPO8bU8MWY4=</saml:AttributeValue>
</saml:Attribute>

The condition key saml:organizationStatus[] also seems to expect an array value like the following:
"StringLike": {
    "saml:organizationStatus": [
        "NUcTzbkzle7i3vfM9iRDpJ1N4jznNKsWaPO8bU8MWY4="
    ]
}
Please let me know if you have any issues with this, and I can do some further testing in my account to investigate further. Please also include the role name that you're testing with.
[3] Configuring SAML Assertions for the Authentication Response  - Mapping SAML Attributes to AWS Trust Policy Context Keys  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml-attribute-mapping


How to modify the setting/policy to change the SAML response condition?

I am debugging an issue with the SAML response from Azure AD. Besides the claims, I have everything set by default.

The conditions of the SAML response seem logical: not before 5 minutes before the IssueInstant time, and not after an hour after the IssueInstant.

However, I have logged in previously to Azure AD, before the condition. So, in the same SAML response, I have the AuthnInstant a few hours before the condition. Note that, based on the cookie info in the browser, I have a 90-day login session validity. So, my SP failed my login due to the issue instant not being in the acceptable window.

I have 2 questions here.

1. How do I modify the condition setting, so that the condition would be not before 90 days of the IssueInstant time?

2. Is it recommended to change the condition in the way I am trying to do in #1?

Please help. Thanks!
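SP-side validation of the Conditions window discussed in the post above, as an added example that is not code from the post or from Azure AD. The assertion is constructed, and the clock-skew, maximum-window and authentication-freshness policies are the example's own assumptions; it shows that the short window is compared with the SP's current clock, while an old AuthnInstant is a separate re-authentication decision rather than a reason to widen the window.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from Azure AD): IssueInstant 10:00Z, a
# Conditions window of -5 min / +1 h around it, and an AuthnInstant from a browser
# session that signed in hours earlier.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2019-11-26T10:00:00.000Z">
  <saml:Conditions NotBefore="2019-11-26T09:55:00.000Z"
                   NotOnOrAfter="2019-11-26T11:00:00.000Z"/>
  <saml:AuthnStatement AuthnInstant="2019-11-26T03:00:00.000Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2019-11-26T13:43:40.092Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, now_iso, skew=timedelta(minutes=5),
                     max_window=timedelta(hours=1), max_authn_age_hours=24):
    """Validate <saml:Conditions> against the SP's current clock (assumed policy).

    The Conditions window bounds when this assertion may be accepted and is
    compared with *now*, not with AuthnInstant.  AuthnInstant only records when
    the user last authenticated at the IdP; how old that may be is a separate
    freshness policy, enforced by requesting ForceAuthn rather than by asking
    the IdP for a 90-day window.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    authn = root.find("saml:AuthnStatement", SAML_NS)
    now = parse_ts(now_iso)
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    authn_instant = parse_ts(authn.get("AuthnInstant"))

    # Policy check first: a window much wider than the IdP normally issues would
    # let a captured assertion be replayed for the whole period.
    if not_on_or_after - not_before > max_window + skew:
        return {"valid": False, "reason": "validity window exceeds policy"}
    if now + skew < not_before:
        return {"valid": False, "reason": "assertion not yet valid"}
    if now - skew >= not_on_or_after:
        return {"valid": False, "reason": "assertion expired"}
    authn_age_hours = (now - authn_instant).total_seconds() / 3600
    if authn_age_hours > max_authn_age_hours:
        return {"valid": False, "reason": "authentication too old, request ForceAuthn"}
    return {"valid": True, "reason": "ok", "authn_age_hours": authn_age_hours}


if __name__ == "__main__":
    for now in ("2019-11-26T10:30:00Z", "2019-11-26T12:00:00Z"):
        print(now, check_conditions(SAMPLE_ASSERTION, now))
```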

queries related to Terms of use

Hi,

I am working on a mobile application; in my project I am using Azure AD authentication for the login process.

My future implementation is to add user acceptance of the Terms of use during login.

I have gone through this link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use and started implementing this in my mobile app.

I have a few queries to be clarified:

  1. Can we update/re-upload the PDF in an existing Terms of use?
  2. If yes, then how do we re-upload the PDF? If no, what is the alternative approach for this?


Azure AD B2C Resource Owner Password Credentials Authentication

In my application I want to call an Azure Web API using the Resource Owner Password Credentials flow. I have implemented Azure AD B2C auth for my Web API. I have created 2 applications in Azure, one for the Web API and a native client app for ROPC. I gave Web API access in the ROPC app. I followed this article and got the token from the ROPC app. But when I pass my ROPC token to the Web API I am getting 401. I don't know how to pass the scope of my Web API in the ROPC token request. Any help would be appreciated.

Thanks in Advance,

Subbiah K

Approval Workflow for Self-Service registration

Hi - Currently Azure provides capabilities for users to self-register for applications from the "MyApps Panel". This involves an approval workflow which requires the tenant admin to configure "Approvers" for each application.

My question is: is it possible to customize this approval workflow using an API in the following way?

If there are 2 approvers for the application, Approver1 and Approver2, can we build an approval workflow where the approval request first goes to Approver1, who adds some relevant comments, and then the approval request goes to Approver2?

The business use case is that these approvers exist in different business functions and there needs to be some communication between them for approval.

Microsoft Graph API keeps returning 429

Hello,

I have a problem with the Graph API. Namely, for an hour now I have been sending requests for creating events in the Outlook Calendar and it keeps returning the 429 status code with an empty body.

This would be perfectly normal if the headers didn't have the following values:

["Rate-Limit-Limit" => "10000", "Rate-Limit-Remaining" => "9996", "Rate-Limit-Reset" => "2019-11-26T13:43:40.092Z"]

In addition, not only do the headers have the specified values, but the events are getting created, all the while returning the 429 status code and an empty body.

Here's what I'm sending with the request:

[
    "Subject" => "Event subject",
    "Body" => ["ContentType" => "HTML", "Content" => "Event body"],
    "Start" => ["DateTime" => "2019-12-22T15:05:00", "TimeZone" => "Europe/Belgrade"],
    "End" => ["DateTime" => "2019-12-22T16:05:00", "TimeZone" => "Europe/Belgrade"],
    "Attendees" => [
        [
            "EmailAddress" => ["Address" => "johndoe@outlook.com", "Name" => "John Doe"],
            "Type" => "Optional",
        ],
    ],
    "ResponseRequested" => false,
]

What could be the reason this is happening? Note that I'm explicitly passing the `ResponseRequested` flag as false in order to prevent Outlook from sending emails.

Thanks in advance,

Miša

Azure Active Directory

I am working on a POC for SSO integration with Azure AD for our product (SaaS based).
I am stuck at the SSO integration with our system, where we want to allow our customers to log in to our application via SSO with Azure AD.

Here we have configured as required and are able to make the login request and get the response back, but as the response is encrypted, we are not able to parse it and proceed further. Our application is developed in Java. Here your little technical help will complete our POC, and we will be in a position to develop it completely and release it as a feature of our product.

Also, is there any way to fetch all users of Azure AD through an API?

Thanks 

Dinesh Radadiya


How we can get the guest user from azure active directory

Hi Team,

We need to get the guest accounts from "Microsoft Azure Active Directory" using the Microsoft Graph API or any other mode.

When I was trying to get the guest accounts I got the issue shown in the image below.

Can you please suggest a step-by-step guide for how we can get the guest users from Azure Active Directory?

Thank you in advance!!

Thanks & Regards

Deepak Chauhan

