Channel: Azure Active Directory forum

How to enable, configure self-service password reset for users


Dear All,

I have AD premium, Office 365 and AD on-premise.

I want to use directory Sync tool to two-way sync password (self-service password and password write back).

I follow the instructions: http://msdn.microsoft.com/en-us/library/azure/dn683881.aspx

I don't find " users enabled for password reset " 

My Pictures in AD Azure:

What should I do?




ADAL AcquireToken with ClientCredential fails with invalid_client (ACS50012)


My Azure AD "web application" won't allow me to get an auth token using ADAL's AuthenticationContext.AcquireToken method with ClientCredential.

I am trying to use Microsoft.IdentityModel.Clients.ActiveDirectory version 1.0.3 (from NuGet).

(I can't use the overload that prompts the user to login because I'm writing a service, not an app.)

I configured my Azure AD web application as described in various tutorials/samples (e.g. [ADAL - Server to Server Authentication](http://code.msdn.microsoft.com/windowsazure/AAL-Server-to-Server-9aafccc1)).

My code looks like:

    AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/thommmondago.onmicrosoft.com");
    ClientCredential cc = new ClientCredential("41151135-61b8-40f4-aff7-8627e9eaf853", clientSecretKey);
    AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);


The `AcquireToken` line throws an exception:

    sts_token_request_failed: Token request to security token service failed.  Check InnerException for more details

The inner exception is a WebException, and the response received looks like an oauth error:

    { "error":"invalid_client",
     "error_description":"ACS50012: Authentication failed."
     "error_codes":[50012],
     "timestamp":"2014-03-17 12:26:19Z",
     "trace_id":"a4ee6702-e07b-40f7-8248-589e49e96a8d",
     "correlation_id":"b304af2e-2748-4067-99d0-2d7e55b121cd" }

Bypassing ADAL and using curl with the oauth endpoint also gives the same error.

My code works if I use the details of the Azure application that I found [here](https://github.com/MSOpenTech/AzureAD-Node-Sample/wiki/Windows-Azure-Active-Directory-Graph-API-Access-Using-OAuth-2.0):

    AuthenticationContext ac = new AuthenticationContext("https://login.windows.net/graphDir1.onmicrosoft.com");
    ClientCredential cc = new ClientCredential("b3b1fc59-84b8-4400-a715-ea8a7e40f4fe", "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=");
    AuthenticationResult result = ac.AcquireToken("https://graph.windows.net", cc);


So it's not an error with my code. I think it's either an error with my Azure AD, or I've got the ClientCredential parameters wrong.

Someone on stackoverflow has the same issue and no answer: http://stackoverflow.com/questions/21797154/azure-active-directory-webapi-server-to-server?rq=1

Can anyone replicate creating a new Azure account, adding a web application to the Default Directory Azure AD, and authenticating with it using ADAL and ClientCredential?

ACS50012: Authentication failed


Hi,

I have a really strange issue with the "/oauth2/token" endpoint (grant_type: "client_credentials")... A few days ago it stopped working (the endpoint for that app has worked fine for ~6 months):

Request (HTTP POST https://login.windows.net/{MY_TENANT_ID}/oauth2/token?api-version=1.0)

    {
      grant_type: 'client_credentials',
      client_id: {MY_CLIENT_ID},
      client_secret: {MY_CLIENT_SECRET},
      resource: '00000002-0000-0000-c000-000000000000/graph.windows.net@{MY_TENANT_ID}'
    }

Response (HTTP 400)

    {"error":"invalid_client","error_description":"ACS50012: Authentication failed.\r\nTrace ID: d96a48f7-8438-4e4c-b07d-e78467536a7f\r\nCorrelation ID: ae3f89e7-741c-430b-966f-d471ddc7129b\r\nTimestamp: 2014-11-17 15:51:47Z","error_codes":[50012],"timestamp":"2014-11-17 15:51:47Z","trace_id":"d96a48f7-8438-4e4c-b07d-e78467536a7f","correlation_id":"ae3f89e7-741c-430b-966f-d471ddc7129b"
    }

Also, I tried creating a new app (always from Azure portal) but I'm getting the same error.

Any ideas? Thanks!
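
The request and error response quoted in the post above, as an added example (not from the original post and not Microsoft library code): it form-encodes a client_credentials request, masks the secret before the body is logged, and parses the error body into fields for a log entry or support ticket. The function names are hypothetical, and the tenant, client ID, secret and GUIDs are constructed placeholders.

```python
import json
from urllib.parse import parse_qsl, urlencode

SENSITIVE = {"client_secret"}  # form fields that must never reach a log

# Constructed sample in the shape of the HTTP 400 body quoted above;
# the GUIDs are placeholders, not values from the post.
SAMPLE_ERROR = (
    r'{"error":"invalid_client","error_description":"ACS50012: Authentication failed.'
    r'\r\nTrace ID: 00000000-0000-0000-0000-000000000001'
    r'\r\nCorrelation ID: 00000000-0000-0000-0000-000000000002'
    r'\r\nTimestamp: 2014-11-17 15:51:47Z","error_codes":[50012],'
    r'"timestamp":"2014-11-17 15:51:47Z",'
    r'"trace_id":"00000000-0000-0000-0000-000000000001",'
    r'"correlation_id":"00000000-0000-0000-0000-000000000002"}'
)


def build_token_request(tenant, client_id, client_secret, resource):
    """Return (url, body) for an OAuth 2.0 client_credentials grant.

    RFC 6749 sends the parameters as an application/x-www-form-urlencoded
    body. urlencode() percent-encodes '+', '/' and '=', which base64 secrets
    often contain; an unencoded '+' would be decoded as a space.
    """
    url = "https://login.windows.net/%s/oauth2/token?api-version=1.0" % tenant
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return url, body


def redact(body):
    """Copy of a form body that is safe to log: sensitive values masked."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs])


def parse_token_error(status, raw):
    """Turn the endpoint's JSON error body into flat fields for a log or ticket."""
    doc = json.loads(raw)
    if "error" not in doc:
        raise ValueError("not an OAuth 2.0 error response")
    desc = doc.get("error_description", "")
    lines = [ln.strip() for ln in desc.splitlines() if ln.strip()]
    message = lines[0] if lines else ""
    # Lines after the first are "Key: value" pairs (Trace ID, Correlation ID, ...).
    extra = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
    return {
        "status": status,
        "error": doc["error"],
        "code": message.partition(":")[0] if ":" in message else None,
        "message": message,
        "error_codes": doc.get("error_codes", []),
        # Prefer the top-level fields, fall back to the description text.
        "trace_id": doc.get("trace_id") or extra.get("Trace ID"),
        "correlation_id": doc.get("correlation_id") or extra.get("Correlation ID"),
        "timestamp": doc.get("timestamp") or extra.get("Timestamp"),
    }


if __name__ == "__main__":
    url, body = build_token_request(
        "contoso.onmicrosoft.com",               # placeholder tenant
        "11111111-1111-1111-1111-111111111111",  # placeholder client id
        "c2VjcmV0+with/base64=",                 # constructed secret
        "https://graph.windows.net",
    )
    print("POST", url)
    print("body (as logged):", redact(body))
    print(parse_token_error(400, SAMPLE_ERROR))
```

The trace and correlation IDs are the values to keep when escalating an `invalid_client` failure; the request body should only ever be logged through `redact`.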


Use Azure Active Directory sso "legacy apps"


Hi and greetings from Germany,

Is it possible to authenticate legacy apps (Windows Forms apps) with Azure Active Directory Single Sign On?

Thanks

AADSync functional level (domain and forest) requirements?


Hi All,

I have two questions about AADSync requirements.

1) What functional level (domain and forest) is required for AADSync (like the old DirSync)?

2) What domain controller version/edition (Windows Server 2003 stand) is required for AADSync (like the old DirSync)?

Regards,

Błażej Miśkiewicz

Can Granularly Enable Multi-Factor Auth Based on the system and not the user


Hi All

I am doing a comparison of Azure AD to Okta (I want to prefer Azure) and I am being told that one of the features of Okta is the ability to selectively enable Multi-Factor Authentication for specific cloud providers and not just globally on or off based on the user. Can anyone confirm if there is an option to enable Multi-Factor Authentication in Azure AD based on the application being accessed? Or has there been any roadmap announced that this feature is coming?

Regards


Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill

Identity disappears from bearer token after an hour


I am working on a multi-tenant solution with Azure AD with web apps and a web api. The web app uses OpenIdConnect to retrieve a bearer token (which is cached in Azure Redis Cache), which is used in Angular to get JSON from the web api. User impersonation is used between the web app and web api (set up in Azure AD applications).

Problem

This works fine for about an hour, then the Identity suddenly disappears on the web api side. If I refresh the web app, I see that the page is redirected to the Microsoft login page, but no action is required since the user is just redirected back to the web app and everything works again. As far as I can see, the web app uses the same bearer token when it fails and after the refresh (same expire time) when it works again. AuthenticationContext.AcquireTokenSilent works in both scenarios.

I have tried to increase a lot of different timeouts, but nothing has helped. I have also disabled all but bearer token authentication on the web api. I do not understand why the identity disappears and why it helps to refresh the client. Any ideas? :)

Additional info

This is how the RequestContext.Principal.Identity looks for about an hour after login or a refresh (on the web api):

enter image description here

And this is after about an hour, which causes authentication to fail:

enter image description here

Some of the code changes I have tried out:

In web api HttpConfiguration:

    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(
        new HostAuthenticationFilter(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions().AuthenticationType));

This changed the unauthenticated principal from WindowsPrincipal to ClaimsPrincipal, but it still fails after an hour.

WindowsAzureActiveDirectoryBearerAuthenticationOptions BackChannelTimeout set to 5 days. Still fails

In the web app web.config:

sessionState timeout="525600" for RedisSessionStateProvider. Still fails

In the web app owin auth process, increased timespan and added sliding expiration. Still fails:

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        CookieSecure = CookieSecureOption.Always,
        ExpireTimeSpan = TimeSpan.FromDays(5),
        SlidingExpiration = true,
        CookieHttpOnly = true
    });
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Constants.CommonAuthority,
            UseTokenLifetime = false…

Question is also asked on Stackoverflow: http://stackoverflow.com/questions/26925463/identity-disappears-from-bearer-token-after-an-hour

Azure downtime? Web deployment task failed (Could not reach remote computer)


Hello,

I'm unable to deploy, and all of my websites are displaying The service is unavailable upon visiting.  Is Azure experiencing downtime right now?  Luckily I'm not running anything non critical at the moment, but for those who are, this could be a very serious issue.  Please advise.



Authenticate Web Users with Azure Active Directory Access Control


I followed the article at http://azure.microsoft.com/en-us/documentation/articles/active-directory-dotnet-how-to-use-access-control/ to the letter, which successfully executes and displays correctly, but it does not indicate how to get specific information from the claim such as the nameidentifier or the email. I tried several syntaxes to get properties or values for nameidentifier and others, but every time I get different runtime or compile errors.

Can you provide a snippet of code showing how it is possible to extract specific properties from the claim in the code-behind (HomeController)?

Thanks

Group owners not returned by Graph APIs


I am using the Azure Graph APIs and trying to get the owners for groups (both security groups and distribution lists).  No matter what I have tried, I never get any owners returned.  I also do not receive any errors.

Here is an example request that I have tried:

https://graph.windows.net/xxxx.onmicrosoft.com/groups('14bc6e52-a89e-4e4c-b461-5a4e995b8856')/owners?api-version=2013-11-08

Here is the response:

stdClass Object ( [odata.metadata] => https://graph.windows.net/xxxx.onmicrosoft.com/$metadata#directoryObjects [value] => Array ( ) )

I have also tried to use $expand=owners but that does not return any data either.

Please let me know if this is a known issue or if I should be doing something different.

Default expiration time of refresh token


What is the default expiration time of the refresh token which comes with the OAuth token and is used to generate a new token when the OAuth token expires? On a tech forum someone mentioned that it's 80 days. Is that right?

Can we change its expiration time? For our requirement, the refresh token should expire after 1 month.

Regards,

Ashok

How to Display the logo in Sign In page using Windows Azure active directory login in Windows Store 8.1 app?


Hi,

I am developing a Windows Store 8.1 app which uses Windows Azure Active Directory for single sign-on.

I have implemented it. I want to add my app logo to the sign-in page.

I have performed the steps which are explained at the URL below.

http://msdn.microsoft.com/library/azure/dn532270.aspx

My Azure account has a Microsoft Azure Active Directory Premium trial.

I have added all the necessary logos (with the mentioned pixels), but I'm still unable to see the logo on the sign-in page.

2 to 3 hours after uploading the logos I checked the app, and it is still not displaying the logo.

How do I display the logo on the sign-in page?


directory sync


Hi all,

I cannot re-enable the Azure Directory Sync. The button is greyed out.

Any ideas?

Thank you

ASP.NET Identity and Azure Active Directory for multi tenant, multi authentication web application


Hi - 

We are building a web application, which is expected to scale up to 50-100.000 users within a couple of years. There will be organizations accessing the application through licensing, and their authentication will be with their Office 365 login, others with Google accounts, some Facebook, others with one of two national authentication providers in Denmark (NemID and UNI-Login), and then some need to create a custom username and password. The web application could be supplemented by mobile applications later.  

We are trying to find the most appropriate architecture for authentication for this scenario. Using ASP.NET Identity seems to make sense. However, the question is whether Azure Active Directory would be a suitable part for handling authentication and claims, rather than just building it around ASP.NET Identity. 

What is your take and input? I very much value any opinion or input you may have. 

Thanks,

Anders

Single Sign On


Let's say I have Azure set up for SSO. We can use Office 365 as my example. I know accessing through the portal works. What if I go directly to Office365.com and attempt to log in? Or if I access it from Outlook locally? How does this react? Does it still grab the login token from the federation?

Thanks,

Larry


No Access Control Allow Origin header on response from https://login.windows.net/{guid}/.well-known/openid-configuration


Hi,

I want to use OpenID Connect to authenticate a single-page application to a REST API. I want to use Azure Active Directory as an identity provider. To discover the configuration I do an HTTP GET to https://login.windows.net/{guid}/.well-known/openid-configuration. This works fine using any client other than a browser, because there are no CORS Access-Control-Allow-Origin headers set on the response. This makes the solution unusable from a browser. Have I not configured the directory correctly or is it simply not supported?

Kind regards,

Remko 

User Authentication + Multitenancy : Chicken And Egg


I am able to use OAuth2 to authenticate using the mechanism described here: http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx - my intention is to allow my 3rd party WebApp to allow users to grant access to their SharePoint content via Azure OAuth. I am able to use the login.windows.net/common/oauth2 endpoints, and having registered my app in Azure, I do indeed get the right callback once the user authenticates, and I am able to post to the token endpoint.

At this point, I have an auth-token that I can use, but I don't know the URL to the user's default (or root) SharePoint site. I am required to provide a 'resource' URI so that authentication can succeed, and if I hard-code this value to a known URL, then it works like a charm.  Unfortunately, this makes my application specific to one particular tenant.  Far from ideal...

My question is - how can I detect the SharePoint URL to use as the resource parameter for access to - before the user logs-in? Or even better - is there a way to login using OAuth2 that allows me access to SharePoint endpoints, but which does not require me to know what the endpoints are ahead of time?

If not, I don't see how it is possible to write multi-tenant applications with this model. I must be missing something.   Help!

Azure Active Directory and WCF authentication


I have a WCF service and I need to secure it with Azure Active Directory. I've already read all related questions here and at social.msdn but still can't get my sample working. I want authentication to work in the following way.

  1. No popups are displayed when the user calls the WCF service from the client.
  2. The user passes username/password and receives an auth token from Azure ADFS.
  3. Then in the application (let it be a console app for now) we open a channel via the CreateChannelWithIssuedToken method and all subsequent calls are made with the token we get from AAD.

What I'm doing and what my problems are: for now I'm using VS 2012 and the Identity and Access tool to generate a proper config file for the WCF service. So my service has the following address: http://localhost:1785/Service1.svc

I go to the Azure portal and create a new web application with name http://localhost:1785/Service1.svc, sign-on URL http://localhost:1785/Service1.svc and app ID URL http://localhost:1785/Service1.svc

Then I check the endpoints of the application and copy the federation metadata, which looks like https://login.windows.net/{some guid}/federationmetadata/2007-06/federationmetadata.xml

Using Identity and Access tools I add WAAD Identity provider to the Service project. My web.config file looks as below:

    <?xml version="1.0"?>
    <configuration>
      <configSections>
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </configSections>
      <appSettings>
        <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
        <add key="ida:FederationMetadataLocation" value="https://login.windows.net/34bb8966-5537-4b1b-85ed-f501a06c1225/federationmetadata/2007-06/federationmetadata.xml" />
        <add key="ida:ProviderSelection" value="productionSTS" />
      </appSettings>
      <location path="FederationMetadata">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
      <system.web>
        <compilation debug="true" targetFramework="4.5" />
        <httpRuntime targetFramework="4.5" />
      </system.web>
      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior>
              <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
              <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
              <!-- To receive exception details in faults for debugging purposes, set the value below to true.
                   Set to false before deployment to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="false" />
              <serviceCredentials useIdentityConfiguration="true">
                <!--Certificate added by Identity and Access Tool for Visual Studio.-->
                <serviceCertificate findValue="CN=localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <protocolMapping>
          <add scheme="http" binding="ws2007FederationHttpBinding" />
          <add binding="basicHttpsBinding" scheme="https" />
        </protocolMapping>
        <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
        <bindings>
          <ws2007FederationHttpBinding>
            <binding name="">
              <security mode="Message">
                <message>
                  <issuerMetadata address="https://login.windows.net/adfs/services/trust/mex" />
                </message>
              </security>
            </binding>
          </ws2007FederationHttpBinding>
        </bindings>
      </system.serviceModel>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
        <!--
          To browse web app root directory during debugging, set the value below to true.
          Set to false before deployment to avoid disclosing web app folder information.
        -->
        <directoryBrowse enabled="true" />
      </system.webServer>
      <system.identityModel>
        <identityConfiguration>
          <audienceUris>
            <add value="http://localhost:1785/Service1.svc" />
          </audienceUris>
          <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
            <authority name="https://sts.windows.net/34bb8966-5537-4b1b-85ed-f501a06c1225/">
              <keys>
                <add thumbprint="92B88C3DD981BF1EBCB244FCFA63C007706C79E0" />
                <add thumbprint="3270BF5597004DF339A4E62224731B6BD82810A6" />
              </keys>
              <validIssuers>
                <add name="https://sts.windows.net/34bb8966-5537-4b1b-85ed-f501a06c1225/" />
              </validIssuers>
            </authority>
          </issuerNameRegistry>
          <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
          <certificateValidation certificateValidationMode="None" />
        </identityConfiguration>
      </system.identityModel>
    </configuration>

Then I created console application and added service reference to the service project. After adding reference, config looks as

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
      </startup>
      <system.serviceModel>
        <bindings>
          <ws2007FederationHttpBinding>
            <binding name="WS2007FederationHttpBinding_IService1">
              <security>
                <message>
                  <!--<issuer address="http://schemas.microsoft.com/2005/12/ServiceModel/Addressing/Anonymous" />-->
                  <issuer address="https://login.windows.net/34bb8966-5537-4b1b-85ed-f501a06c1225/wsfed" binding="ws2007HttpBinding"/>
                  <issuerMetadata address="https://login.windows.net/adfs/services/trust/mex" />
                  <tokenRequestParameters>
                    <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                      <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                      <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                      <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                      <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                      <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                      <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                      <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                    </trust:SecondaryParameters>
                  </tokenRequestParameters>
                </message>
              </security>
            </binding>
          </ws2007FederationHttpBinding>
          <ws2007HttpBinding>
            <binding name="">
              <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="InheritedFromHost" />
                <message establishSecurityContext="false" />
              </security>
            </binding>
          </ws2007HttpBinding>
        </bindings>
        <client>
          <endpoint address="http://localhost:1785/Service1.svc" binding="ws2007FederationHttpBinding"
                    bindingConfiguration="WS2007FederationHttpBinding_IService1"
                    contract="SomeService.IService1" name="WS2007FederationHttpBinding_IService1">
            <identity>
              <certificate encodedValue="AwAAAAEAAAAUAAAACLf4gntwdBYHCTmyInF5gU9oXNYgAAAAAQAAANUBAAAwggHRMIIBOqADAgECAhAT1EWwzeLBk0ez5Bg+JKyVMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xMjExMTUxNTMyMDdaFw0xNzExMTUwMDAwMDBaMBQxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtgkwd4GLTIwRtoHFjoSCBqrEcFgYMPh7f8aSWSYTrBGtaS9c2zOAuhxnaIAo1ELe3JLWUJmHq35IEu34gTwN9RfSna9Gis45TKrINY5nlAmKu0XpuI3ncf4WQRPbPx7hS6A0BHytXqQ3+FA1BSRr13iNUaaAkqwcCLWHXqno188CAwEAAaMkMCIwCwYDVR0PBAQDAgSwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4GBACKXEQpUUVm1g3BfpqRSn9hIYpuLojPX2wfySbIAan4jK5oo0dC5QUkbRjyEtqe6Io+POL3gbtoVzJOXnUDvYDUXRaR6dUmHJ5A4JLChUJZLHis0resLKO5yXrf4JqJSwEsL4Et5xiIRPoEvdPWWBhkDwuMvDGtQrzpp6ZYEt2sh" />
            </identity>
          </endpoint>
        </client>
      </system.serviceModel>
    </configuration>

I tried to launch the console application, but an error was raised saying that a valid issuer should be specified. So I thought that the valid issuer could be found in the endpoints on the Azure AD configuration page, and copied the WS-Federation Single sign-on endpoint as the issuer.

Console program code is below.

    var client = new SomeService.Service1Client();
    client.ClientCredentials.UserName.UserName = "<valid user name>";
    client.ClientCredentials.UserName.Password = "<password>";
    client.GetData(10);

When I call the service, I see in Fiddler that the request is sent to the WS-Fed endpoint, but in response the endpoint sends me an HTML page with the error

AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.

Could you please suggest me where I'm wrong and what to do to implement scenario I described in the beginning of the question? Thanks.

SaaS integration of 3rd Party application in the Azure Gallery with Azure AD with Single Sign on


Hi,

I want to integrate 3rd party SaaS applications that are available in the Azure gallery with Azure AD. Right now I am working with three different applications: Wrike, Microsoft Live account and Skype.

Can anyone provide me the concept or steps to implement complete single sign on for these application (Not Password Single Sign on).

My scenario is:-

1) Microsoft Live Account: If I create a user in Windows Azure AD, it should be automatically provisioned in the Windows Live account if that particular user account is assigned to access the Windows Live account through the Application Access Panel. We don't want to create an account for our enterprise users in the Microsoft Live subscription. We need to control the provisioning of the Live account from the Active Directory. So in case a user leaves the organization, we don't have to disable the account in the Microsoft Live subscription; rather, if we disable the user account in AD, it should automatically be disabled in the Microsoft Live subscription.

For now, the user provisioning option is not available for these three SaaS applications while configuring Single Sign on. Only two options are available: "Password Single Sign on" and "Existing Single Sign on (in case of ADFS)". We don't have ADFS in our environment and we don't have any plan to implement it.

2) Similarly we want to implement the same scenario with Skype. We also use Skype in our environment to communicate with the client. So in spite of using the personal Skype account, we want to provide accounts that will be provided by our enterprise, so that in case an employee leaves the organization, his Skype account can be permanently disabled and he cannot communicate with the client externally.

3) same is with Wrike also. We don't want to create separate Wrike account for all of our enterprise users. Anyone that has an identity in Azure AD should automatically be provisioned in Wrike and an account will automatically get created in Wrike with the user ID of Office 365 and has the same password as of on-premise AD user credentials.

Can it be achieved with Azure AD? I can't find a documentation for that. Can somebody help me with it.

Thanks and Regards,

Gaurav Ranjan (MCSA, MCTS)
NathCorp, India
+91-997-336-5924
+1-714-453-9646


Gaurav Ranjan

Documentation for Microsoft.Azure.ActiveDirectory.GraphClient


Can anybody help, I am developing applications for native windows 7(mainly WinForms) and need to find some documentation for Microsoft.Azure.ActiveDirectory.GraphClient API.  I am currently using V1 of this dll but I am having a problem finding any documentation to support it.

Nick
