
how do I create a microsoft store template (including the icon)?

How do I create a Microsoft Store template (including the icon)? I want to make a Windows 2016 Standard version available which looks just like those in the Microsoft Store. Want to be able to click on this icon (includes template) and launch a Windows IaaS.

dsk



Azure Password Writeback Failing

Hi All

I'm having an issue whereby I've installed Azure Active Directory Connect to get single sign-on working. All is showing healthy along with Password Writeback Enabled. All is syncing OK and single sign-on is working, but when I attempt to reset a user's password I get the following in the Azure Portal:

"Unfortunately, you cannot reset this user's password due to a policy or error in your on-premises environment."

I cannot find any problem but in the event logs on the AAD server it also shows event ID 33009

TrackingId: f9167424-bf41-4b67-90ca-4fc16f1d800f, Reason: Synchronization Engine returned an error hr=80004001, message=Not implemented, Context: cloudAnchor: User_c0502f50-ca15-4527-8caf-79c8c05a7464, SourceAnchorValue: 4ZSaPy0nHESpBsVnxpraWA==, AdminUpn: admin@company.com, UserPrincipalName: user@company, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80004001, message=Not implemented

   at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)

   at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)

   at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPasswordByAdmin(String resetUserPasswordByAdminXmlRequestString)

and Event ID 6329: I've only found one article

An unexpected error has occurred during a password set operation.

"ERR_: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2

BAIL: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

BAIL: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

ERR_: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2

BAIL: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

BAIL: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

ERR_: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2

BAIL: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

BAIL: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

ERR_: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'SkipAdminCountCheck', 0x2

BAIL: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2

BAIL: MMS(9640): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)

ERR_: MMS(9640): admaexport.cpp(2837): The server does not contain the LDAP password policy control.

BAIL: MMS(9640): admaexport.cpp(2839): 0x80004001 (Not implemented)

ERR_: MMS(9640): admaexport.cpp(2858): Failed to set the password using LDAP password policy control.

BAIL: MMS(9640): admaexport.cpp(3311): 0x80004001 (Not implemented)

ERR_: MMS(9640): ..\ma.cpp(8195): ExportPasswordSet failed with 0x80004001

Azure AD Sync 1.2.70.0"

I've only found one guy who said he has the same problem and has to rebuild the AAD server to get it to work; I don't really want to do that.

Any suggestions/help greatly appreciated. I don't think it's permissions as I've given the account:

Reset password
Change password
Write lockoutTime
Write pwdLastSet

Do I have to enable SSPR (Self Service Password Reset)? I've seen that somewhere but don't want to do this at this time.

 



How to associate O365 subscription with Azure AD subscription

Can someone please help me with the following question.

I am reading a book about Azure and O365.

The book says first of all set up a trial version of O365 Enterprise E5, so I can learn and do the practices in the book (makes sense). I did this successfully and now have an <MyDomain>.onmicrosoft.com domain and email logon.

Next the book says I should set up a subscription to Azure AD as I will need to do things like 'Azure AD Domain Services' to complete some of the practices later in the book.

Here is the thing:

I know O365 is backed by Azure AD, therefore if I create a user in the O365 admin portal, I am actually creating a user in an Azure AD tenant, e.g. <MyDomain>.onmicrosoft.com

I also realise an O365 subscription does not give you IaaS capabilities etc (as it is centred around SaaS). 

So I can see why the book might say I need to also set up an Azure AD tenant, however I cannot use <MyDomain>.onmicrosoft.com when setting up the Azure AD tenant as this is already taken by my O365 subscription.

I could create <MyDomain2>.onmicrosoft.com Azure AD tenant but, this would not appear to make much sense as any users in this tenant would be separate from my O365 tenant 

So I am a bit confused about the best thing to do as the book does not make it clear.

Is there a way when setting up an Azure AD tenant to use my O365 admin logon, and therein automatically associate a new Azure AD tenant (to be used for things like IaaS and PaaS) to my current O365 tenant?

If not I guess I will have to invite my O365 users to my new Azure AD tenant to use any services in my Azure AD tenant ?

Please help

Thanks

CXMelga

Linked ARM templates in Blob Storage with network filtering

(Posted in Azure Management Portal area, though this question is really about ARM template deployment - I couldn't find a better area)

I'm deploying linked ARM templates, as described here:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-linked-templates

I'm using SAS tokens, as suggested. I'm also using (or at least desire to use) network security on the storage account hosting the templates in blob storage, to limit which VNets and IP addresses can access the blob containers storing the templates.

The network security is preventing me from deploying the ARM templates - I receive the following error:

"error": {"code": "InvalidContentLink","message": "Unable to download deployment content from 'https://<storageaccount>.blob.core.windows.net/<blob-container>/<arm-template>.jsonc?<sas token>'. The tracking Id is '<guid>'. Please see https://aka.ms/arm-deploy for usage details."
  }

If I turn off the network security for the storage account, the ARM template deploy works as expected. The errors indicate that the ARM deployment involves HTTP requests to the storage account to fetch the linked templates from an IP address that isn't allowed.

My preferred solution (feature request) is to either have the ARM deploy servers included in the "trusted Microsoft services" that I've granted access to the storage account:


or (another feature option) add another checkbox to allow Azure Management servers to access this storage account.

Alternatively, I'd like a programmatic way to identify the IP address (or IP range) that the Azure Management server will be fetching the linked templates from, so I can (in code) add that IP address range to the allowed set before deploying the linked templates.

This problem isn't just about linked templates - it applies to any files which are hosted in a storage account, and fetched from a server I don't directly control (Azure Management servers) as part of the deploy process. E.g. cloud-init files referenced from VM ARM templates.

The "easy" answer is just to turn off network security, which would mean I'm fully reliant on SAS tokens as a single line of defense. What I don't like about that is that theft or loss of a storage account key could make us vulnerable, so I'd strongly prefer 2 layers of security.




Add member is greyed out in Azure Privileged Identity Management

Hi Team! 

Please, I was wondering why the Add member button is greyed out in Azure Privileged Identity Management even when I logged in as an Admin.

Thanks. 

Matching results from compute SKU api and Ratecard Api

Is there a way to match the results from the compute SKU API: https://docs.microsoft.com/en-us/rest/api/compute/resourceskus/list and the ratecard API: https://docs.microsoft.com/en-us/previous-versions/azure/reference/mt219005(v=azure.100)

SKU result sample:

{
  "resourceType": "virtualMachines",
  "name": "Standard_DS12-1_v2",
  "tier": "Standard",
  "size": "DS12-1_v2",
  "family": "standardDSv2Family",
  "locations": [
    "eastus"
  ],
  "locationInfo": [
    {
      "location": "eastus",
      "zones": [
        "1",
        "2",
        "3"
      ]
    }
  ],
  "capabilities": [
    {
      "name": "MaxResourceVolumeMB",
      "value": "57344"
    },
    {
      "name": "OSVhdSizeMB",
      "value": "1047552"
    },
    {
      "name": "vCPUs",
      "value": "4"
    },
    {
      "name": "HyperVGenerations",
      "value": "V1,V2"
    },
    {
      "name": "MemoryGB",
      "value": "28"
    },
    {
      "name": "MaxDataDiskCount",
      "value": "16"
    },
    {
      "name": "LowPriorityCapable",
      "value": "True"
    },
    {
      "name": "PremiumIO",
      "value": "True"
    },
    {
      "name": "vCPUsAvailable",
      "value": "1"
    },
    {
      "name": "ACUs",
      "value": "210"
    },
    {
      "name": "ParentSize",
      "value": "Standard_DS12_v2"
    },
    {
      "name": "vCPUsPerCore",
      "value": "1"
    },
    {
      "name": "CombinedTempDiskAndCachedIOPS",
      "value": "16000"
    },
    {
      "name": "CombinedTempDiskAndCachedReadBytesPerSecond",
      "value": "134217728"
    },
    {
      "name": "CombinedTempDiskAndCachedWriteBytesPerSecond",
      "value": "134217728"
    },
    {
      "name": "CachedDiskBytes",
      "value": "154618822656"
    },
    {
      "name": "UncachedDiskIOPS",
      "value": "12800"
    },
    {
      "name": "UncachedDiskBytesPerSecond",
      "value": "201326592"
    },
    {
      "name": "EphemeralOSDiskSupported",
      "value": "True"
    }
  ],
  "restrictions": []
}

Rate result sample:

{
  "EffectiveDate": "2016-02-01T00:00:00.0000000Z",
  "IncludedQuantity": 0,
  "MeterCategory": "Virtual Machines",
  "id": "3ab1147b-1075-4566-8f01-6f7001bddc7d",
  "MeterName": "D12 v2/DS12 v2",
  "MeterRates": {
    "0": 0.3128643
  },
  "MeterRegion": "US East",
  "MeterStatus": "Active",
  "MeterSubCategory": "Dv2/DSv2 Series",
  "MeterTags": [],
  "Unit": "1 Hour"
}


Or is there another way to get the pricing for a certain SKU in a specific region via API?

Migrate Azure Resources Pros and Cons

Hi, I'm currently working on a solution at Company A which leverages Office 365 (SharePoint) and Azure (specifically with resources Web Apps, Web Jobs, Redis Cache and SQL Server). Company A just got acquired by Company B which has their own Office 365 and Azure tenant.

For O365, the plan is to migrate all SharePoint sites from Company A's O365 to Company B's O365.

For Azure, the plan is to keep both Azure tenants.

What are the pros and cons to keeping the resources in Company A's Azure rather than migrating the resources to Company B's Azure?


How to Add Multiple VMs to Start & Stop Azure VM Automatically

Hello Team,

I have created an Automation Account and downloaded the script from the gallery for VMs to Start/Stop, but I am unable to add multiple VMs.

Please help me out how to configure the same.

Thanks   


APK

Failed to load resource: the server responded with a status of 404 (Not Found)

I have deployed a React site to Azure App Services. I found this error "Failed to load resource: the server responded with a status of 404 (Not Found)" for 2 files, but when I checked the deployment package, I found the 2 files.

http://csemrqa.azurewebsites.net/


Azure CLI Inactivity Timeout

Hello,

I was trying to find out if there is any session expiration or inactivity timeout for Azure CLI V2 that is logged in on a Linux VM. For example, if a user forgot to log out from the Azure CLI, will it expire/time out after a certain time, XX minutes or XX hours?

Thanks in advance for those who will answer.

Secondary type is 'Readable'. Unable to change it as the section is Locked.

While configuring Geo Replication for a SQL Server PaaS database, the option to select secondary type is showing 'Readable', whereas I want to make the secondary database 'Non readable' to save some cost (if any?). But the section is showing locked for me. The tier, elastic pool and all other configuration are the same in both primary and secondary.

Trying to understand how device compliance policy works

Hoping someone can clarify a few things regarding configuring device compliance policies.

First, if I have a device which is a member of two different groups (Group1 and Group2), and I specify to Include Group1 in the compliance policy, but Exclude Group2, I'm assuming the policy will not apply to the device (thinking exclude takes precedence) and the device would be marked as "non compliant"...is that correct?

Now, assuming the above is true, if I also enable the setting "Mark devices with no compliance policy assigned as Compliant", would this device then be marked as Compliant?

Thank you for any clarification or details you can provide.

Give rights for Device setting in Azure portal

Hi Everyone,

Which role should we provide to a user to give rights in Device settings in the Azure Portal?


Regards,

Rahul

Azure webportal font change settings

Hi,

May I know how to change the font settings in the Azure web portal?

I have to set my desired font in the web portal.

I am able to see the color change option for the Azure portal, but the font change option is missing.

Please assist.


Configure the site to site VPN with AWS

Is it possible to configure an Azure site-to-site IPsec VPN with AWS?

Azure portal not responding

When I browse to "https://portal.azure.com/" I get a blue webpage that says

Hmmm … Looks like something went wrong

I rebooted my system, tried again with the same results.

Anyone know what gives?

How to create a policy that enforces a tag but not its value.

Hey all,

I'm trying to make a policy that enforces the use of specific tags, for example costcode and owner (I don't mind if these are separate policies). I know Azure has one that enforces tag and value but that doesn't work for me because the value of the tag will always be different.

Any help will be good.

Cheers,

Nick.

What is the feature that keeps application servers and database servers in ARM

Can server A and server B with a LB move between availability zones?    





dsk

If we have three web servers which need to load balance traffic do we use a LB or cross zone scale sets?

We have three web servers where we want both balancing of the incoming traffic as well as redundancy of availability zones.

Are regional zones used for both HA and redundancy?

Should we use a cross zone scale set or should we use a LB?

Does it make sense to use two servers in a cross zone scale set?  

If we have a system composed of a SQL AG which requires an internal LB and an application server, does it make sense to use availability zones if the connection between the application server and the SQL AGs must have a very low latency?

What do you recommend if we are wanting to keep both the SQL AG and Application in the same regional zone, however you also want resiliency from a database location (regional zone) going offline (i.e. flooding)?



dsk



