
1 user, 2 different roles, 1 email address... and a question about SSO


I'll try to keep this as short as possible.

If I have a user that currently has 2 roles (example: an employee and a volunteer), this user needs to do different trainings for these roles, but some trainings would be doubled up due to standard corporate trainings. The user reports to 2 managers, so each manager needs to see only the trainings that pertain to their department.

Now we add that we are setting up SSO for the entire enterprise (using O365/Azure SSO) to the training portal (3rd party). Is it possible for a single user, and single email account, to have 2 separate logins without having 2 emails? Like an alias?

I don't think it's possible, but I'm being tasked with confirming.


Missing role claims in issued JWT token


I am using Microsoft Graph APIs to programmatically register a client app and a resource server, and to assign a role from the resource server to the client app. Here are the steps followed:

1. Get Access Token --> https://login.windows.net/<Tenant_Id>/oauth2/token/?api-version=1.6

2. Client App Registration --> https://graph.windows.net/<Tenant_Id>/applications/?api-version=1.6

3. Client Service Principal

4. Resource Server Registration with below app role in manifest:

"appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Description of Role - Resource_API_11092017",
            "displayName": "Role_Resource_API_11092017",
            "id": "5ff0033d-fa87-4a77-9b3d-b4b201dfc32e",
            "isEnabled": true,
            "value": "Read_Only_Resource_API_11092017"
        }
    ],

5. Resource Server Service Principal creation

6. Assigning Role to client App.

When I am trying to get the access token using the credentials of the client app, I am not getting any roles in the JWT nor any information about the resource server.

I even granted permission from the portal in the client app to the role of the resource server. But still no luck.

Any help will be appreciated. Let me know if you need more details.

Thanks.
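A check a practitioner would run after step 6 above, added here as an example and not code from the post: decode the token returned for the client app and see whether the roles claim and the audience are what the resource server expects. The sample tokens are constructed and unsigned; the role value is the one from the manifest above, while the client app id and the resource App ID URI are placeholders.

```python
"""Check an Azure AD access token for the app-role claim a daemon client expects.
Added example, not code from the post. The payload is decoded WITHOUT signature
verification, so this is for inspecting a token you already hold; the resource
API must still validate the signature and issuer before trusting any claim."""
import base64
import json

def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWS. No signature check is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload_b64 = parts[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # base64url omits padding; restore it
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def check_app_role(token: str, expected_aud: str, expected_role: str) -> dict:
    """Report whether the token would pass a role check at the resource server."""
    claims = decode_jwt_payload(token)
    # 'roles' is absent entirely when no app role is assigned, or when the token was
    # requested for a resource other than the one that defines the role.
    roles = claims.get("roles", [])
    return {
        "aud_matches": claims.get("aud") == expected_aud,
        "has_roles_claim": "roles" in claims,
        "has_expected_role": expected_role in roles,
        "aud": claims.get("aud"),
        "roles": roles,
    }

def make_unsigned_token(payload: dict) -> str:
    """Constructed sample token (alg 'none', dummy signature) for offline testing only."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(payload)}.dummysig"

# Constructed values: the role value is the one from the manifest in the post;
# the client app id and the resource App ID URI are placeholders.
CLIENT_APP_ID = "00000000-0000-0000-0000-000000000001"
RESOURCE_APP_ID_URI = "api://resource-server-placeholder"
ROLE_VALUE = "Read_Only_Resource_API_11092017"

# Token issued for the resource server with the app role assigned: what step 6 should yield.
TOKEN_WITH_ROLE = make_unsigned_token(
    {"aud": RESOURCE_APP_ID_URI, "appid": CLIENT_APP_ID, "roles": [ROLE_VALUE]})
# Token issued for the client app itself (aud = its own id): one way the symptom in the post arises.
TOKEN_WITHOUT_ROLE = make_unsigned_token({"aud": CLIENT_APP_ID, "appid": CLIENT_APP_ID})

if __name__ == "__main__":
    for token in (TOKEN_WITH_ROLE, TOKEN_WITHOUT_ROLE):
        print(check_app_role(token, RESOURCE_APP_ID_URI, ROLE_VALUE))
```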

Azure AD DS Questions


Hello all. I am learning quickly about Azure AD DS but am lacking on some needed information and was hoping someone could help.

We manage a customer that has 5 locations, all in a workgroup environment. They use Office 365 and I understand this means they use Azure AD (not AD DS) on the back end.

We would like to set up Azure AD DS for this customer but I am not sure I am really understanding what is available. Most of the guides show the setup, which I understand, and then they show someone setting up an Azure VM and joining the Azure AD DS domain. I can't find a clear answer on the following...

Can we set up Azure AD DS and join remote computers to this Azure AD DS hosted domain and apply group policies to these computers, all without an on-premise AD server? It seems like each of these tasks can be completed separately, but can they all be completed together?

Also, if so, each site is running off sub-domains for Office 365. Meaning site 1 uses user@site1.customer.com and site 2 uses user@site2.customer.com. We have delegated access to the subdomains but not the customer.com domain. What is the best way to approach this when setting up Azure AD DS?

The end result we would prefer is to join computers in site 1 to the Azure AD DS domain, have users log in with their site specific sub-domain on their Azure AD DS domain joined PCs, have those accounts sync with Office 365, and apply some group policy settings such as password policies. Is this possible using only the infrastructure I have mentioned?

Thank you!

Microsoft Azure with Microsoft Graph


Hello,

Currently I am implementing a REST web service where I want to read emails of Office 365 account users in my tenant using Microsoft Graph, and I want to read emails and attachments by username filter.

Please find below the configuration steps which I performed till now:

1. I have registered an application under Azure Active Directory, also created a client secret and added application permission for the daemon service to read emails. Application access is defined as multi-tenant directory as of now.
2. I have tried to generate access and refresh tokens using https://login.microsoftonline.com/{tenant_id}/oauth2/token from the Postman REST client with body params like grant_type = password, client_id, client_secret, scope, resource, username and password. Then I tried to reset the password from Azure Active Directory for this account but it was not allowed.
3. Firstly I tried with my custom domain login credentials but it fails with error: "error_description": "AADSTS50056: Password does not exist in store for this user.\r\nTrace ID: be810185-6b2d-47c9-9f99-dd56f3a1b000\r\nCorrelation ID: 83f754ee-21d9-4dc6-ad59-ffe64ec924ef\r\nTimestamp: 2019-11-29 06:52:19Z",
4. Then I created a new user from Azure Active Directory, which takes the domain NETORGFT5672423.onmicrosoft.com. Then I reset the password, then tried step 3 with this account's username and password, and it works.
5. But when I try to read emails or users it fails with error: "code": "ResourceNotFound", "message": "User not found".

Note: I have created both the users in the same organisation.

Please let me know how I can go ahead, and suggest if I need to look in a different direction. I have been struggling with this for the last few days. Please help me out with the solution if any.

Thank you,

Rakesh Sorathiya.




Migrate AD to Azure AD


Dear all,

I have AD Directory Synchronization, so now I want to migrate them to the cloud. I would like to get any advice or resources regarding this.

- Windows Server 2008 R2 Standard (SP1) (Virtualization)

- PowerShell Version 3.0

- DirSync 1.1.561.0

Thank you

Cannot elevate my Azure AD domain account to administrator in Autopilot provisioned computers


I have no idea why my thread got moved to the TechNet Windows Server forum when it doesn't involve any Windows Server. As far as I can tell it's an Azure AD/Intune/Windows 10 operational relationship.

https://social.msdn.microsoft.com/Forums/en-US/WindowsAzureAD/thread/2ae659db-6cba-4032-867d-c1e04c0dff07/#2ae659db-6cba-4032-867d-c1e04c0dff07

PASTE DETAILS HERE FOR LOOKUP EASE

When I first tested out Windows Autopilot + Microsoft InTune following the steps in
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm

I was able to successfully join a Windows 10 Enterprise VM operating on my home computer (Hyper-V), but the deployment profile initially defined new users as standard. I was thus unable to perform any admin-level activities (e.g. System properties config sections).

On a second Windows 10 VM operating within our company Hyper-V server, the deployment profile was adjusted to let new users be administrator type. My colleague tested the Autopilot process on that VM. Subsequently, I signed into that VM as well, but noted that I, being the second user, was considered a standard user as well.

My colleague (global administrator for Azure AD) adjusted the domain devices settings, enabling the [Additional local administrators on Azure AD joined devices] policy and declared my user account as part of that group.

It's been nearly 24 hours and the policy does not appear to have flowed through to the computers despite multiple sync attempts. When signed in as my account, I still get challenged for administrator credentials. Are there still additional configuration steps we missed? Or does this particular policy take an awfully long time to sync and take effect?

Furthermore, with the second VM, I noticed that my account setup procedure isn't fully complete and am not sure why.


Azure AD Connect vs ADFS


Hi Folks!

Just a quick question: does Azure AD Connect replace ADFS? All I need to know is, do I still need ADFS?

Thanks

Azure Active Directory Solution


I am sizing a solution for my customer. Below are my customer's requirements; please let me know what plan/tier to use in the pricing calculator for my customer:

Free

P1

P2

Customer wants annual pricing and may go with 1-2 local servers with Azure AD, and approximate users are 130-150 on multiple locations; he may start from a different number or location.


Mudasir


Azure b2c using powershell


Hi,

How to create a user in Azure B2C and populate built-in as well as custom attributes?

Thanks

Lost ownership of the Global Admin privileges of the Azure account


Hello, we have an Azure account which was created a long time ago by the previous IT company, which provided services to our organization. We retained the login information of one account, but it does not seem to have all the permissions needed to fully manage all options in the Azure portal. Using PowerShell we did find 2 accounts listed under "Company Administrator" with email addresses ending in .onmicrosoft.com; however, we are unable to log in as any of these accounts. Is there a way to add Global Admin privileges to the account we currently use to log in to Azure, provided we can prove ownership of this account?

Thank you.

GraphAPI beta (calls and online meetings)


Hello,

I got an error:

HTTP/1.1 403 Forbidden
Cache-Control: private
Content-Type: application/json
request-id: 3af01d59-1441-489b-97a6-59e4bfecd156
client-request-id: 3af01d59-1441-489b-97a6-59e4bfecd156
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"SliceC","Ring":"5","ScaleUnit":"002","RoleInstance":"AGSFE_IN_21","ADSiteName":"WEU"}}
Duration: 166.6818
Strict-Transport-Security: max-age=31536000
Date: Mon, 09 Sep 2019 15:13:37 GMT
Content-Length: 257

{
  "error": {
    "code": "7504",
    "message": "Insufficient enterprise tenant permissions, cannot access this API.",
    "innerError": {
      "request-id": "3af01d59-1441-489b-97a6-59e4bfecd156",
      "date": "2019-09-09T15:13:38"
    }
  }
}

with the request:

POST https://graph.microsoft.com/beta/app/calls HTTP/1.1
Content-Type: application/json
Authorization: Bearer [access token omitted]
Host: graph.microsoft.com
Content-Length: 338
Expect: 100-continue

{
  "source": {
    "identity": {
      "application": {
        "id": "005a9c48-71ed-4e0c-aa03-047e6f770692"
      }
    }
  },
  "subject": "Test Call",
  "targets": [
    {
      "identity": {
        "phone": {
          "id": "09067092518",
          "displayName": "Nina Home"
        }
      }
    }
  ]
}

Could not find any explanation.

Conditional access policy issues for some users


Hi,

Some users are getting errors accessing Excel Online - "your office 365 admin has set a conditional access policy that restricts your access to excel online."

We have a conditional access policy that requires MFA when coming from external locations. MFA is used to access office.com successfully, then when user clicks Excel icon they get the error. Outlook, Teams etc all work fine. It doesn't happen to all users though, and I cannot recreate the error myself. I've checked the Azure AD audit for the users and there are no failed logins, and a What-If on the conditional access policies for the user should not restrict access to Office 365. Any ideas?

Logged on the Office 365 support but they sent me here.

Thanks!


Single logout with Azure AD (SAML)


Hello.

I'm trying to sort out all the info from the Azure documentation to understand the proper way of configuring SAML-based SLO.

I have configured an application with single sign-on. The application was added via Azure Active Directory -> Enterprise Applications -> Non-gallery application.

Here I can download metadata and also see the IDP Logout URL https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

Then I went to Application registration and added the logout URL. (BTW, why can't this action be done while adding the app in the Enterprise Applications section? And what is the difference between Application Registration and Enterprise Applications, if an app added in one of them can afterwards be seen in the other?)

However, according to the documentation, Single Logout should be implemented this way: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol

So, which approach is right:

1) Use steps from this link and send LogoutRequest to url from metadata: 

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{id}/saml2" />

or 

2) GET https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

Also there is a note in documentation that application LogoutUrl and signing key should be fetched by IDP from app's metadata, however I can't find where app's metadata can be uploaded to Azure.
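For option 1 above, this is what the SP side of the documented flow looks like in code, added here as an example rather than code from the post or from Microsoft: pick the HTTP-Redirect SingleLogoutService URL out of the metadata element quoted above, build the samlp:LogoutRequest, and apply the Redirect binding (raw DEFLATE, base64, URL-encode). The SP entity ID, the NameID and the tenant id are placeholders, and signing the request (the SigAlg/Signature query parameters) is not shown.

```python
"""SAML 2.0 LogoutRequest to the IdP SingleLogoutService via the HTTP-Redirect binding.
Added example, not the post's code; SP entity ID, NameID and tenant id are placeholders,
and signing the request (SigAlg/Signature query parameters) is not shown."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# The SingleLogoutService element from the post's metadata, tenant id replaced by a placeholder.
IDP_METADATA_SNIPPET = (
    '<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2" />'
)

def slo_location(metadata_xml: str) -> str:
    """Pick the HTTP-Redirect SingleLogoutService URL out of the IdP metadata element."""
    el = ET.fromstring(metadata_xml)
    if el.get("Binding") != REDIRECT_BINDING:
        raise ValueError("SLO endpoint is not HTTP-Redirect")
    return el.get("Location")

def build_logout_request(sp_entity_id: str, name_id: str, destination: str) -> bytes:
    """Serialize a samlp:LogoutRequest with the attributes the protocol requires."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,  # an xsd:ID must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    return ET.tostring(req)

def redirect_url(destination: str, logout_request: bytes, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into SAMLRequest."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = deflater.compress(logout_request) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return destination + "?" + urlencode(params)

def decode_saml_request(url: str) -> bytes:
    """Reverse the binding (the IdP side) so the message can be inspected."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15)
```

The user-agent is sent to the returned URL with a 302; the IdP inflates SAMLRequest exactly as decode_saml_request does before acting on it.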


How to delete saved Bitlocker recovery keys from Azure AD device objects?


I use Azure AD and Intune, which automatically encrypt my AAD joined devices with Bitlocker and back up the recovery keys to Azure AD, accessible from the Azure AD device objects. 

That is great, but I can't seem to find any button to delete these keys after hard drive changes, re-imaging, decryption/re-encryption etc., which cause additional recovery keys to be uploaded but the old ones are not automatically removed.

This causes duplicate/stale keys on some devices. I understand that it is easy to tell which keys are good via the Bitlocker drive ID, but I'd imagine there should be a way to remove them if needed without deleting the entire device object.

Any information on this would be greatly appreciated.

WebApi token based Authentication and Authorization .net core 2.1


I need to build a .NET Core web API, which should be authenticated and authorized based on a token sent in headers, using .NET Core 2.1.

I am able to do authentication using an Azure AD app (client ID, client secret, tenant ID, etc.) but I want to do authorization. I have created 3 groups in Azure AD and assigned groups to the users as well.

1) How should I achieve this, as it is an urgent requirement? The consumer will be another website that will send a request with a token to the web API.

2) As per my understanding the token should be generated using user credentials instead of the Azure AD app. I am able to do authorization in the MVC app, but not in the Web API.

3) For Authorization should I or can I maintain role mapping in SQL table?

Any help is much appreciated.


AADSTS90056: This endpoint only accepts POST requests. Received a GET request.


Our company web pages at sharepoint.com suddenly got an error for some of our users at the start of February, when users connect to our web page. We use https://login.microsoftonline.com/login.srf?wa=wsignin1.0 (...) smart login URL as the startup page in IE and this asks our ADFS servers (I think) to authenticate our users. The web pages have worked 100% fine until these problems started and we are struggling to get the root cause. The issue is that the web page loads and then the users are redirected to a

"Cannot login" (translated from Norwegian).

AADSTS90056: This endpoint only accepts POST requests. Received a GET request.

"

But if the users close their IE and then re-open IE, then it often works fine! Also, this only happens for some users. Most users have no problems.

Anybody have a clue? We have done nothing with our ADFS infrastructure so I think it's not the root cause of this problem. And the problem only happens for some users, especially in the morning when they boot up their computer. I've never seen this problem on my user, for example. Does anybody know if there have been any changes to SharePoint Online on 1-2 February 2018?



Add AAD DS Wants Me to Setup New Subscription


I inherited an Azure account at work. There is no on-prem server. They originally set up an admin account that is like “Geotech_admin@geotech.onmicrosoft.com”. I am one of the users listed as a “member”. I am able to log on using my credentials and create VMs. I have Azure Active Directory running with a number of users in it. However, when I try to set up Azure AD Domain Services for multiple logins, I am told “You cannot create a managed domain for this directory because you are not the administrator of this directory.” When I log on as the main admin account and try to create Azure AD Domain Services, it wants to force me to create a free Azure account with a new subscription. How do I work around this to set up Azure AD Domain Services on our Azure account?

Walter

User gets locked out via soft lockout policy (AD FS); how can one unlock that account?


We are opening our AD FS externally by configuring the Web Application Proxy.

We are at the point now where we need to configure the soft lock policy settings.

Our policy would be to lock someone out (from external access) for a duration period of 30 minutes.

While a user is locked out, is there a way we can unlock such a user (via PowerShell etc.)?

Or we have to wait the entire 30 minutes?

Please help!

Thanks!

Failed to configure secure LDAP on Azure AD Domain Services


I'm trying to enable secure LDAP on Azure AD Domain Services, with the result being the error below:

"Failed to validate the provided secure LDAP certificate. Confirm that the certificate is valid and the password specified is correct."

Steps I have followed:

1. Created a self-signed certificate using PowerShell
2. Exported the secure LDAP certificate to a PFX file
3. Enabled secure LDAP for the managed domain using the Azure portal by providing the PFX and password

Please advise me on how to succeed in this configuration.

-Thanks





Windows License details


Hi Team,

We have 30 user licenses for Windows 10 Enterprise E3 (subscription basis). All the machines are connected to Azure AD.

If we create a Windows AD server in Azure, we sync this AD to Azure AD.

Will GPOs on the Windows AD server be reflected in Azure AD? For example, I have a USB block in Windows AD; will that apply to Azure AD users?
