Microsoft AD event confusion - active-directory

Even though the user is logged in to a domain member's PC, the Microsoft AD server's Event Viewer shows "Logoff" (event ID 4634) in the task category. This is happening over a network. This is confusing, as event 4634 is supposed to capture logoff events.
We were expecting that there should not be a 4634 in the event log. This seems to be against the standard logic. We tried logging off at different times, and then we did not find event 4647 either. Can anyone please explain?

Related

Not able to configure hotmail id with azure logic app

I have a simple azure logic app as follows.
Now I add a new action after the first one.
Select an email action.
Look for send email action
Now, no matter what I do, I get this error:
Please check your account info and/or permissions and try again. Details: REST API is not yet supported for this mailbox. This error can occur for sandbox (test) accounts or for accounts that are on a dedicated (on-premise) mail server. clientRequestId: 9295041e-4d27-4d7f-8ac7-9f90f1cc65ff serviceRequestId: 17c7df3b-7f07-6d27-4f7b-68a4475e9b55 More diagnostic information: x-ms-client-request-id is '51B43F16-6D7C-4BE7-9AE2-7B4A6B73BA49'.
I click Change Connection above and I see an increasing number of connections, and I find no way to delete them. See the last image at the bottom.
And when I click Save, I get this message:
Save logic app failed. Failed to save logic app vivek-logic-app. Some of the connections are not authorized yet. If you just created a workflow from a template, please add the authorized connections to your workflow before saving.
And finally, when I click API Connections, I find no connections to delete.
So, two questions:
How to authorize a Hotmail account to be used by an Azure Logic App
How to delete the unnecessary connections
Ok, here it is after a good 3 hour PIA.
For the connections to manage (or delete), look at the resource group and not the Logic App.
And next, for the send email action, choose the Outlook.com connection and not Office 365 Outlook. Found the answer here. Mine is a personal account and not for work or for school.
Once you set up this action successfully, you can take a look at this page for managing the connection access.

Azure AD Enterprise application role change doesn't trigger provisioning update for Zoom or DocuSign

I've set up Zoom and DocuSign with SSO and Automatic provisioning in Azure AD Enterprise Applications. Just in Time provisioning works as expected after ensuring roles are correctly mapped. Automatic provisioning however only appears to add users the first time it runs. If I add an application user, change a user's Application Role, or Remove the user from the application nothing happens on the next provisioning run. I would expect the user to be added, the user's permissions to be updated at Zoom or DocuSign, or for the user to be disabled.
Documentation seems to show that updates and deletes should be handled through provisioning. What am I missing?
Second question is whether the timing of how often provisioning job runs can be changed. It is time consuming to test when I have to wait 40 minutes between tests.
Updates and deletes are handled if they are configured to be. https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/configure-automatic-user-provisioning-portal#configuring-automatic-user-account-provisioning
In the screenshot, you'll see there are actions that it can target: create, update, delete. As a test, you should make sure the target actions are all selected and try to change a different attribute, say add some characters to a name or something. It should trigger an update to the provider.
I believe changes to the User itself will trigger the provisioning changes.
The issue here is likely because app roles are specific to applications; they are not user or group attributes, so nothing has actually changed on that user object and it wouldn't detect any changes.
As per: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#incremental-cycles
it will "Query the source system for any users and groups that were updated since the last watermark was stored."
If I take that literally, then changing the app role isn't a change to a user or a group, so it won't trigger a delta sync change.
Deletes, however, should occur if you unassign the user from the application, as per here: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#de-provisioning
As for your second question, the interval: I don't believe you can change that for the incremental schedules.

Trigger based on addition of User in Azure AD

I am looking for a mechanism to identify the users who are added to a specific group and trigger an action based on the user addition event. Looks like people are still waiting for it to be available from Azure. The details can be found here.
The solution that I am thinking of at the moment is to have an Azure task/Function that goes through the audit logs, detects the "user added" event and then triggers an action.
Is there any other better method?
You could integrate Azure AD logs with Azure Monitor logs, send the Azure AD AuditLogs to the Log Analytics workspace, then alert on Azure AD activity log data. The query could be something like this (just a sample, I have not tested it, because there is some delay: the log will not be sent to the workspace immediately when it happens):
AuditLogs
| where TimeGenerated >= ago(1h)
| where OperationName == "Add member to group"
Sample:
You could set the alert logic depending on your own requirement, e.g. "Whenever count of results in Custom log search log query for last 1 hour is greater than 0. Evaluated every 10 minutes.", and configure the action group, selecting the action type you want, like Email or webhook.
A better way would be to trigger an automation runbook based on an alert based on a condition specific to that audit event. But I'm not sure adding a user is an audit event on the Azure level; it is probably an Azure AD event. I don't think Azure AD offers events based on that.
So you'd basically have to parse the events and figure out where you stopped last time based on time or something like that.
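As an added example, not from either answer: a watermark-based scan of the kind the second answer describes, run here over a few constructed audit entries whose shape (TimeGenerated, OperationName, Group, User) is an assumption loosely modelled on Azure AD directory audit records; a real run would feed it rows from the AuditLogs table instead.

```powershell
# Added example: detect "Add member to group" events for one watched group, resuming
# from the timestamp of the last run (the watermark) so no event is processed twice.
# Record shape is an assumption; the group and user names are constructed.
$WatchedGroup  = 'SG-Finance-Admins'
$WatermarkFile = Join-Path $env:TEMP 'groupadd-watermark.txt'

# Constructed sample records standing in for an AuditLogs query result.
$sample = @(
    @{ TimeGenerated = '2024-03-01T09:00:00Z'; OperationName = 'Add member to group'
       Group = 'SG-Finance-Admins'; User = 'alice@contoso.example' },
    @{ TimeGenerated = '2024-03-01T09:05:00Z'; OperationName = 'Remove member from group'
       Group = 'SG-Finance-Admins'; User = 'bob@contoso.example' },
    @{ TimeGenerated = '2024-03-01T09:10:00Z'; OperationName = 'Add member to group'
       Group = 'SG-Sales';          User = 'carol@contoso.example' },
    @{ TimeGenerated = '2024-03-01T09:20:00Z'; OperationName = 'Add member to group'
       Group = 'SG-Finance-Admins'; User = 'dave@contoso.example' }
) | ForEach-Object { [pscustomobject]$_ }

function Get-NewGroupAdditions {
    # Return only additions to $Group that happened strictly after $Since, oldest first.
    param([object[]]$Records, [string]$Group, [datetime]$Since)
    $Records |
        Where-Object { $_.OperationName -eq 'Add member to group' -and
                       $_.Group -eq $Group -and
                       [datetime]$_.TimeGenerated -gt $Since } |
        Sort-Object { [datetime]$_.TimeGenerated }
}

# Read the watermark left by the previous run; start from the epoch on the first run.
$since = [datetime]'1970-01-01T00:00:00Z'
if (Test-Path $WatermarkFile) { $since = [datetime](Get-Content $WatermarkFile) }

$new = Get-NewGroupAdditions -Records $sample -Group $WatchedGroup -Since $since
foreach ($r in $new) {
    # Hook for the action the question asks about (webhook, runbook, mail, ...).
    Write-Host "$($r.TimeGenerated): $($r.User) added to $($r.Group)"
}

# Advance the watermark only after the action succeeded for every new record.
if ($new) { ([datetime]$new[-1].TimeGenerated).ToString('o') | Set-Content $WatermarkFile }
```

On the first run this reports alice and dave (bob is a removal, carol is a different group); a second run with the same data reports nothing because the watermark now sits at dave's timestamp.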

Notification when display name of existing AD record is changed

We have several external systems that work off the Display Name value in Active Directory. When a new account in AD is created, corresponding accounts in other applications are automatically created. When someone changes the display name of an existing user, the login for that user is no longer valid in other systems.
Is there a way to get an email notification or similar whenever the display name for an existing record is changed in AD?
If you have access to your domain controllers
Active Directory has certain "audit policies" that describe what it generates events for (in the Windows Event Viewer on each domain controller). Each can be turned on or off. The "Account Management" audit policy would generate events for changes to accounts. I believe the event contains the attributes changed. You can read more about those policies here.
If that policy is enabled in your environment, and you have access to the domain controllers, you could set up scheduled tasks on each domain controller with event-based triggers that fire when event ID 4738 happens (event IDs are listed here).
The scheduled task can then run a script that can do whatever you want it to. There are instructions here on how to run a PowerShell script on an event and to get the event that triggered it in the script.
If you don't have access to your DCs
Otherwise, you would need to keep a separate database mapping a unique identifier of each account (like the objectGuid) to the display name, and have a scheduled job that updates that and notices changes. You can read here about how to search AD for accounts changed after a certain date, which you can use to only find accounts that have been changed since the last time the job ran.
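An added example of the script such an event-triggered scheduled task could run on a domain controller (not code from the answer or from Microsoft): it assumes the task forwards the triggering record ID in a parameter named -EventRecordID (a hypothetical name; the task definition needs a ValueQuery for Event/System/EventRecordID to supply it) and that the placeholder SMTP relay below accepts mail from the DC.

```powershell
# Added example: runs when the Security log on a DC records event 4738 (user account
# changed). Reads that one event, checks whether Display Name was among the changed
# attributes, and mails the identity team if so.
param(
    [Parameter(Mandatory = $true)][long]$EventRecordID,   # hypothetical: supplied by the task
    [string]$SmtpServer = 'smtp.example.invalid',         # placeholder relay
    [string]$To         = 'identity-team@example.invalid',
    [string]$From       = "ad-audit@$env:COMPUTERNAME.example.invalid"
)

# Fetch exactly the event that fired the trigger, by its record ID.
$evt = Get-WinEvent -LogName Security -FilterXPath "*[System[EventRecordID=$EventRecordID]]"
if (-not $evt -or $evt.Id -ne 4738) { return }

# 4738 carries each attribute as a named <Data> element; attributes that did not
# change are reported as "-", so a real value means the attribute was modified.
[xml]$xml = $evt.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

# Only the Display Name matters to the downstream systems in the question.
if (-not $data['DisplayName'] -or $data['DisplayName'] -eq '-') { return }

$target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
$changer = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
$body = @"
Display Name changed on $($evt.MachineName) at $($evt.TimeCreated.ToString('u'))
Account:     $target
Changed by:  $changer
New value:   $($data['DisplayName'])
Record ID:   $EventRecordID
"@

Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
    -Subject "AD displayName changed: $target" -Body $body
```

The same parse works for any other attribute 4738 reports (for example UserPrincipalName or SamAccountName): change the key looked up in $data.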

How to get event logs on Windows Active Directory Server for actions performed on user accounts

On a Windows Active Directory server, we can perform several actions on the accounts, like add account, enable, disable, reset account, reset password, etc.
Is there any way that I can get an event log of any such actions that were performed on the accounts?
E.g.: suppose one of my computers/systems, say comp1, has an account listed on my AD server. If I log into my AD server and I do a "Reset Account" for my computer/system comp1, which is listed there, is this event logged anywhere, so that if I search in the event log I see that a "Reset Account" action was performed for comp1? How and where can I get those event logs?
Thank you in advance for any help.
You can enable logging via group policy. The link below will give you step-by-step details on activating this; at least, I think it will be a good place to start. https://blogs.msdn.microsoft.com/servergeeks/2014/07/16/auditing-active-directory/