Questions tagged as ['azure-active-directory']
The subject wraps up my story pretty straight - Do I need a second domain controller when we use an AzureAD hybrid setup? We have one domain with only one domain controller, which is on-prem, and its AD is synced to the AzureAD service. As far as I know from my experience, the best practice is to use at least two domain controllers, so the question is - if we use AzureAD, is it worth looking at a second DC? What I me ...

We have two AD forests "xprod.com" and "xtest.com". All users are in both of those forests - they are duplicated. There is no trust between the domains.
In both forests, the users are members of security groups.
We synchronize security groups with AzureADConnect from xprod.com to an AzureAD tenant. This works as it's supposed to.
When we synchronize security groups from xtest.com to the same AzureAD tena ...
We regularly face the situation where access to internal applications (e.g. PowerBI) by external users (guest users in our AAD) needs to be troubleshot (errors in application-specific configs). Currently we can only reproduce these issues by having the external users themselves present and repeating what they did.
What would be the best way to create a test environment to simulate users which a ...
Hi all, thanks in advance and sorry if my question is not properly structured, first time I ask instead of just lurking:
- I have a hybrid on-prem/azureAd environment using dirsync
- Laptops are imaged with a local administrator account with password set to "never expire"
- Users go through OOBE and join azureAD
After this, the "Administrator" account is disabled - default Windows 10 behaviour, OK.
THIS IS MY ISSUE ...
Hello Collective intelligence,
I have a question that is bugging me.
I have a Yubikey 5C setup in Azure AD with passwordless auth and registered to my account, I can log into the PC using the FIDO key and PIN and have managed to get Windows 10 to lock when the key is removed.
What I am trying to do is remove the sign-in options specifically for the password and only allow FIDO logins.
I have read through ...
The official Microsoft docs strongly discourage the practice of user accounts employed as service accounts. Instead, they recommend using service principals or managed identities.
Leaving aside MI's for the time being, I just had a question about this. Why is there such a strong recommendation against user accounts as service accounts in AAD? Consider the alternative of a service principal:
Both requir ...
I have an existing O365 tenant with a custom domain name.
I also have a couple of VMs running in Azure and for all sorts of reasons I would like to add Azure Active Directory Domain Services.
When it comes to choosing the domain name, the Azure Portal UI is defaulting to the existing O365 custom domain name.
I am a little unclear as to whether I should choose this option, or change it to some other do ...
I have Windows Server 2019 OS with AD synced to Azure AD via Azure AD Connect sync.
I recently changed my domain @mydomain for some of my old users. Unfortunately, I also erroneously changed the domain for the user that synchronises between AD and Azure AD. Later, I reverted the change from @mydomain to @Istit.omnimicrosoft.com. On the office365 (Azure AD) control panel the sync status of passwo ...
My actual simple infrastructure is composed of a VNET with these machines inside:
- Windows Server 2019 that acts as AD controller and DNS server, synced with Azure AD.
- Windows Server 2019 standalone, not joined to the AD
- A file share storage configured to use the AD for granular permissions, with a private endpoint
- Linux box with OpenVPN server
From the AD server I mount the file share and add the righ ...

We are trying to set up SAML with Azure AD for zendesk when SAML is not the primary (can be JWT and SAML at the same time, we need JWT to be the primary).
We basically followed the instruction here: https://support.zendesk.com/hc/en-us/articles/360002090108-Using-different-SAML-and-JWT-SSO-single-sign-on-for-agents-and-end-users
We are using the direct link from azure to initiate the login, login seque ...
I work for a small company, 5 users with Office365 standard license + email with custom domain. We have an Azure account with a couple of VMs for some legacy software. We would like to set up a file share system like Windows server file share with permissions on files and folders, we don't want to use OneDrive, moreover I'd like to have a proper AD to manage credentials, single sign on and so on. At the ...
I am looking to find out if Mac devices can be registered (not joined) to Azure AD. I've tried to research on both Google and this site, but all information I was able to find pertained to joining Azure AD and/or enrolling the device in Intune. Note that we don't need the users to be able to sign into the device with Azure AD credentials. We just need the device to show up registered in Azure AD. ...

I'm testing Azure AD and Azure AD DS and I have some issues binding to Azure DS using LDAP. I used the default AD tenant in my subscription, so I get a domain foo.onmicrosoft.com. Then I create an ADDS synchronized with this directory.
From a Linux VM, I tried to bind to the AD using ldapsearch and I got "invalid credentials" with the following command
ldapsearch -h <ip> -p 389 -b "dc=foo,dc=onmicr ...
I am looking to upgrade some of the systems for my church and wanted to run some questions. We currently are running on an antiquated version of Windows Server 2008 R2. This server has AD, DNS, users, PCs, etc. As we make upgrades I am curious to know if I can run the domain completely out of the Microsoft cloud. So, can I have AD running purely from Azure and then users with O365 subscriptions that are ...
I have an issue with how to use Azure AD in the context of my SaaS application. I have a feeling that Azure AD multi-tenant is a different term than SaaS multi-tenant. If I'm wrong, then I hope somebody will show me my misinterpretation.
What is SaaS multi-tenant (IMO): separation of data and users in one application. In my case it is an application which works for many small companies. Application stores da ...
We've just set up Azure AD and federated it with our G Suite system. I see the provisioned users from G Suite and can log in to Azure and Office with them, no problem.
I also have a Windows 10 Pro PC and have joined it to Azure. Users on our onmicrosoft.com domain can log in to the computer without a problem. Federated users on our real domain, as imported from Google, cannot. It just says, "The ...
How to restrict users from uploading files from Azure Virtual Desktop (AVD) to personal or public sites like gmail, google drive, personal onedrive, personal office365 account, dropbox, box, github, gitlab, bitbucket, azure git, etc. Basically we want to restrict users from uploading files to any websites via browser or CLI. The only exception should be the sites which we want to allow. How to ...
I'm trying to remove most users from the Azure AD Global Admin role in favor of dedicated admin accounts and/or use something like PIM.
My question is: if a user granted permissions for an Enterprise App, created a security token for app registrations, or some other process that required the admin privilege they had at that time, will removing them as a global admin and leaving them a normal user br ...
How can I log in to an Azure File Share (Azure Storage account with file sharing) with Azure AD credentials?
I would not like to deploy an Azure Domain Service.
Regards, Stefan
I would like to be able to log into a VM in Azure using my Azure AD credentials via RDP. The login should be done over the internet from Mac and Linux clients (clients are not members in Azure AD). For security I use Just in Time Access. MFA is not activated. Is this possible? How can I implement the project?
When I set it up, I get this message
Thanks for the support
Stefan
I am sorry if the question isn't so sharp or accurate but I am new to Azure, so feel free to ask for clarifications if needed.
I want to share a VM Image with other customers outside my organisation and AD. More precisely, we have a reseller relationship with them through CSP and I don't want to manually create the VM there every time, which entails installing and configuring a suite of applicati ...
I'm currently seeking some advice and guidance on whether deploying an additional Windows Server 2019 VM in Azure to run Active Directory Domain Controller / Global Catalog in a separate AD site called 'Azure' really has any benefits or not?
At the moment my AD domain is just single forest AD, spread across multiple geographical locations throughout Asia Pacific.
Azure AD Connect runs Password Hash Syn ...
Folks,
I wonder what's the command or the steps in the Azure Portal to disable (not delete) an Azure AD cloud-only account?
Because so far I can only delete the account and reset the password, but not disable the Azure AD account like on-premise.
Thanks in advance.
@ServerFault Community - I have a straightforward question. Does anyone know if it is possible to create a trust relationship between a Google Managed AD and [O365 Active Directory Service] Azure Active Directory Domain Services?
I need to modify access rights in Azure Active Directory Domain Services (AD DS) for a specific container in ADSI.
Usually in an on-prem Active Directory this is possible by having the correct access rights on an object and changing the Control Access Right (ACE) in the Access Control Lists (ACL) of the object. This usually means I need Enterprise / Domain Admin rights in the first place to mo ...

Our on-premises Windows domain is not public, it is myDomain.local. In Azure Active Directory we have created a custom public domain publicDomain.com and we have the legacy domain publicDomain.onMicrosoft.com. We want to sync users from myDomain.local to publicDomain.com but they are created inside publicDomain.onMicrosoft.com.
According to Microsoft support the only way to achieve this goal is to re-ins ...
My work is currently migrating from a fully on-prem environment to Microsoft 365 and SharePoint. However, due to various reasons, we've had to keep our on-prem domain active. Our domain controller runs on Windows SBS 2011 (Yes, I am aware that this is very, very old software, but the budget hasn't been there to upgrade it). Therefore, we have a virtual machine running Server 2012 that runs AD Sync. We h ...
The question is short: what can the Azure administrator (with Active Directory) do on my machine? Is the answer the same for an OSX machine?
I work for a company that wants to make our computers fully managed. We work remotely and suddenly I have questions in terms of privacy. From what I understand the admin can run commands as root, so potentially do whatever he wants. Is it true? If so I will jus ...

In January I installed the AAD Cloud Sync Agent and it worked till the end of July. Checking Azure AD in the cloud, the domain is in quarantine status and the installed agents list reports none. First question: was my agent, which worked for months, automatically removed from the list?
Executing the AAD Cloud Sync Agent Wizard again, it reports the following error:
PowerShell: System.Net.WebException: Remote ...