Visual Studio not showing the directory in Filter account - azure-active-directory

I'm not able to find the correct Azure Active Directory in the Apply filter/Filter account window. AAD settings should be fine and I can see tens of other directories, but not this particular one that I need to connect to the DevOps project. Any ideas where to search for a solution?
I have tried restarting VS, logging out and back in, and checking the AAD user settings and comparing them to a colleague's settings, which seem to be similar. No success.

Ok, AAD invitation wasn't accepted. So it was pending and after approval the directory showed up.

Related

Azure/Gsuite connector authentication issues, Server Error & Invalid Email

The problem: I'm getting errors from Google while attempting SSO through Azure AD and can't even begin to guess why or how to go about debugging the issue.
The story:
My org is looking at leveraging Microsoft's nonprofit benefits by setting up Azure for web hosting and Sharepoint to start with, which also entails using Active Directory. As it stands right now, we've successfully gotten our website running and accessible to the world on our custom domain, and our AD is populated with a copy of what's in our Google Workspace directory so we can use Active Directory as our authoritative directory.
We've been trying to implement SSO with the Azure/Gsuite connector, to have them auth with their Azure credentials to get into GMail, Docs, Drive, etc, but Google Workspace seems to choke. I have gone over the setup instructions repeatedly, ensured we're using all of the proper URLs in the Connector's SAML settings and in Workspace's "SSO with third party IDPs" settings, the proper certificate is in place... Provisioning is set up but not active, and I have successfully provision-on-demanded my account and an unprivileged test account.
Here are my settings in Azure:
Here are my settings in Google:
And to test this here's what I've done:
I open up a fresh InPrivate/Incognito window.
I go to https://myapplications.microsoft.com/ and am prompted to login. I use my unprivileged test account credentials.
Upon auth I click on the Connector app to attempt to go to my Gmail inbox.
After a wait on a white screen, I get a Google error screen with "Invalid Email - We are unable to process your request at this time, please try again later."
If I disable the SSO settings for my org in Google Admin, I'm able to log into the account just fine with Google, get to the gmail inbox, etc.
Conversely, if I attempt the same steps with my admin account, I get a similar page with a slightly different message, "Server Error - We are unable to process your request at this time, please try again later."
I have been bashing my head against this for two whole nights and can't make any headway. What gives? I can't even figure out how to debug these errors.
Somebody (me) failed their perception check repeatedly because the problem was that the Unique User Identifier SAML claim in Azure was set to user.mail instead of user.userprincipalname as it should have been as per the tutorial.
I'll see myself out now.
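
One way to debug this class of error offline, as an added example that is not part of the original thread: decode the SAMLResponse form field captured from the browser's network tab and compare its NameID with the addresses the service provider knows. The function names, the sample addresses and the assumption that the service provider matches NameID against the account's primary address are illustrative.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def inspect_saml_response(b64_response, sp_primary_emails):
    """Decode a captured SAMLResponse form field and check the subject the SP will see.

    sp_primary_emails: primary addresses exported from the service provider's
    directory (hypothetical input; a constructed set in this example)."""
    xml_text = base64.b64decode(b64_response).decode("utf-8")
    # SAML messages never need a DTD; refuse one rather than let the parser expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD in SAML response")
    root = ET.fromstring(xml_text)
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    audience = root.findtext(".//saml:Audience", default=None, namespaces=NS)
    value = (node.text or "").strip() if node is not None else ""
    report = {"name_id": value or None, "audience": audience,
              "format": node.get("Format") if node is not None else None,
              "problems": []}
    if not value:
        report["problems"].append("NameID missing or empty: source attribute unset for this user?")
    elif value.lower() not in {e.lower() for e in sp_primary_emails}:
        report["problems"].append(f"NameID {value!r} matches no primary address at the SP")
    return report

def build_sample(name_id):
    """Constructed, unsigned response for demonstration; real ones are signed."""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><saml:Assertion>'
           '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:'
           'nameid-format:emailAddress">%s</saml:NameID></saml:Subject>'
           '<saml:Conditions><saml:AudienceRestriction><saml:Audience>sp.example'
           '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>') % (NS["samlp"], NS["saml"], name_id)
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    directory = {"testuser@example.org"}          # constructed SP directory
    for claim in ("testuser@example.org",         # as if mapped from user.userprincipalname
                  "t.user@mail.example.org",      # as if mapped from a differing user.mail
                  ""):                            # as if the source attribute were unset
        print(inspect_saml_response(build_sample(claim), directory))
```

The check only reads the subject; it does not validate the signature, so it is a mapping diagnostic and not a substitute for the service provider's own verification.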

Not able to add external user to VSTS/Azure DevOps

Today I was trying to add an external user to VSTS and got the error message below.
You are trying to invite a user from outside your directory, but
something went wrong. Please try again later. If the issue persists,
please contact support.
I have followed the step mentioned in the link below and "External guest access" is enabled.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/add-external-user?view=azure-devops&viewFallbackFrom=vsts&tabs=new-nav
Not sure where I am going wrong with this and looking for a solution.
After signing out and signing in again it works.
It seems this happened after a password reset for my AAD account.
The reason was a missing refresh of the user AAD token. After
completely signing out from Azure DevOps (deleting all browser caches)
it was working.
Source: https://developercommunity.visualstudio.com/t/you-are-trying-to-invite-a-user-from-outside-your/395999
Before this will work, you need to have the external domain added as an approved domain for collaboration. Then you will be able to invite them to your Office 365/Azure tenant. I had to have this approved through Global Security and then the work was done for our organization.
For future reference, I had a similar issue and discovered that Project Collection Administrators/Owners manage the policy: Allow team and project administrators to invite new users.
Source Azure DevOps Documentation

Get users with respect to a specific Azure directory Graph Explorer

I have two directories in a single login of Azure.
When I hit the Graph Explorer API to get the users, it automatically goes to the default AD.
https://graph.microsoft.com/v1.0/users
I want to switch the directory and then get the users.
I just found this documentation where an app needs to be registered and you provide directory name in the tenant.
Please help.
The document you found is for the registered app to communicate with Azure AD. It's not for Graph Explorer.
As far as I know, it's not possible to switch directory in Graph Explorer. I tested both Microsoft Graph and Azure AD Graph. I can only get users from the Default Directory.
My suggestion is that you log in to Graph Explorer with another account which has another default directory.
You can also give feedback to Microsoft Graph in this UserVoice Forum.
Hope this helps!
This information came from: https://stackoverflow.com/questions/60931681/how-to-query-another-azure-active-directory-tenant-from-graph-explorer
Today that's possible if you pass the tenant query string parameter like this:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com
Note that you need to log out before going to this URL with the tenant query string. It'll ask you to log in again. After login you can issue queries against the other tenant you have access to (not your home tenant where your account was originally created).

Access control (IAM) on Azure Portal - Cannot see Resource group to which i have been granted access to

I have granted access to a couple of users with different roles against a resource group on the Azure portal. The users to whom I have granted access rights do not see the resource group when they log in to the Azure portal.
Have I missed something while granting access rights?
You are probably in the wrong Azure directory. You can solve this issue with the following steps.
Log in to the Azure portal here: https://portal.azure.com/ with your credentials
Click the top right icon which shows a generic person icon and opens a drop down about your profile/account
Click 'Switch Directory' and switch into the directory of the organization where you have been granted access.
Look over to the left. You should now see the resources that you were granted access to under 'All Resources'
I encountered the same issue. Portal just needed refreshing. Just switched the user directories and came back to the user directory I had given access to, then I could see the resource group under that user.
Honestly, Azure really does make stuff a lot harder than need be sometimes. In my case I needed to go to portal settings (gear icon in top bar), click on the default subscription filter and enable all subscriptions.

Kentico website with Windows Active Directory authentication and authorization

I installed a Kentico 9.0 website and everything worked fine. Then I tried to configure Windows Active Directory authentication using this documentation: https://docs.kentico.com/display/K8/Configuring+Windows+AD+authentication. However, when I open the URL, the login prompt pops up, I enter my working login credentials, and the login prompt keeps popping back up.
I changed back the web.config and looked at the event log, and there was nothing logged about my numerous login attempts.
The documentation was straightforward, so I am guessing there is a permission issue in my environment. There is one little warning in the documentation but it doesn't say how to do it:
Prerequisite
For Windows authentication to work, the application must be able to access the following attributes of user objects in Active Directory (i.e. the attributes cannot be protected or confidential):
memberof
userAccountControl
My application is on a virtual server in a domain, and the Active Directory service is on a different server in the domain. Does it mean I need to do something for my application's permission to AD? I am using NetworkServices application pool identity.
Thanks.
You (your laptop) have to be in the company intranet and logged in to your laptop with your AD credentials. If you meet those conditions, IE or Chrome should not even prompt you for credentials as they are already known, so the browser just passes your AD account information to Kentico.
Once you see the prompt continuously there is something wrong with your setup. Make sure:
you configured everything according to documentation (Kentico + IIS)
server/host is in domain
you're in intranet and logged in with AD creds
Usually how Active Directory authentication works is you need to pass it an AD username and password that has access to read the users. I would check that user's permissions.
