I'm trying to get the ManagementCertificate for a subscription located in Germany central (Frankfurt). For a non-german Subscription, I can obtain the certificate using the old manage.windowsazure.com portal but unfortunately the old portal is not available for a subscription located in Germany central.
I already tried to retrieve the publishsettings file (which contains the ManagementCertificate) using the Azure PowerShell cmdlet. Get-AzurePublishSettingsFile:
Get-AzurePublishSettingsFile -Environment AzureGermanCloud
This will open the web page https://manage.microsoftazure.de/publishsettings/index But the site is not available...
How do I retrieve the ManagementCertificate for a subscription located in Germany central?
Looks like this is not yet supported. However, I sent the certificate to a microsoft employee who could upload the certificate.
Related
As the Pre-Requisite For migration , we have AADDS(Azure Active directory Domain Services) used instead of on premise Active directory
So got error during validation with identitymapLog.csv file
""No Match Found (Check Azure AD Sync)""
AD synch tool cannot be used for AADDS .So any suggestions on solving this issues?
After opening the log directory noted in the data migration tool's output we could see the file IdentityMapLog.csv, it contains the generated mapping of AD to Azure AD identities. It's recommended that you review the identity map log file, IdentityMapLog.csv, for completeness before kicking off an import.
According to the doc: You and your Azure AD admin will need to investigate those users marked as No Match Found (Check Azure AD Sync) to understand why they aren't part of your Azure AD Connect sync.
We could refer to this doc for more details.
Yes followed that, but found that SID of Azure ADDS and SID of Azure active directory is not same .. so on that note is there any way to customized the identityLogMap.csv with UPN attribute instead of SID –
When you adding a user to Azure Active Directory via the old portal you see this screen:
It allows you to add a user with an existing microsoft account.
I need to import many users with existing microsoft accounts. I'm planning on writing a powershell script to achive that.
How do I add an exising microsoft account to Azure AD with a powershell script?
New-AzureADUser complains that "userPrincipalName" is invalid, as can be seen in this question. Is there another way?
Unfortunately, Azure PowerShell modules do not support adding Microsoft accounts to Azure Active Directory. The only way to utilize this feature is to use the old Azure Portal https://manage.windowsazure.com/
This works using New-AzureADMSInvitation.
> Install-Module AzureAD
> Import-Module AzureAD
> Connect-AzureAD
> New-AzureADMSInvitation -InvitedUserEmailAddress 'test#test.com' -InviteRedirectUrl 'https://portal.azure.com'
Your output will contain an InviteRedeemUrl that the invitee should open in a browser which is already logged in with their Microsoft Account. There are other optional parameters that can be passed to New-AzureADMSInvitation. See the documentation here.
Are you sure you want to import all of the accounts? Azure Active Directory supports B2B model.
B2B is based on invitation model which lets you enable access to your corporate applications from partner-managed identities. You can provide email along with the applications you want to share and send invitation to your partners, customers or anyone else who have account in Azure Active Directory. Azure AD sends them an email invite with a link. The partner user follows the link and is prompted to sign in using their Azure AD account or sign up for a new Azure AD account.
In my opinion you don't have to import users. More info here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2b-collaboration-overview/
There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking the the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can
disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user
and global administrator permissions. Azure AD members can't
disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then “unlink” the account. Where I got into trouble was by using the new portal. It's pretty hard to even find the old portal anymore BTW).
The new portal has this nice handy unlink button, which is practically irresistible. If clicking it, then it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using Powershell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number or articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes
Im kinda new to Windows server, but have been checking out Microsoft Azure and like the IaaS.
Just a question about SSO verse Azure Active Directory Sync.
Im moving my infrastructure into Azure, my base is a AD server, "dirsync" or AD FS server and a few web servers etc. We use Google Apps for Email, Calendar and Drive.
So I see that there are two ways to keep my AD directory and Azure directory in sync. SSO and Azure Active Directory Sync.
If I use Azure Active Directory Sync and not setup AD FS on a server with SSO, will I still be able to use SSO with my Azure Directory to Apps the Microsoft have in the Azure portal?
The only reason I would need a AD FS server if I had Apps/Services on site that I wanted to use SSO with, correct?
I plan to run, kayako and CrashPlan in two VM's in Azure. Both will use LDAP/AD for usernames/password authentication. But would be cool to get SSO for both webapps so employees can sing-on via the myapps.microsoft.com portal.
The two ways are DirSync and AAD Sync. Refer: Synchronization Previews Now Available for Microsoft Azure Active Directory.
Sync = Same Sign On between on-premise and cloud
Sync + ADFS = Single Sign On between on-premise and cloud
Update
myapps.microsoft.com is for third-party vendors like SalesForce who have asked Microsoft to add them as a SaaS application to AAD. It's not for company specific apps.
For company specific apps., you need ADFS as above.
Having done that, if your user SSO's into your app. and then wants to use e.g. SalesForce, they won't have to login again.
When I execute Get-AzureAccount, I see the Azure account of the domain account I am logged into Windows with. So, when I run Get-AzureSubscriptions, I see the associated subscriptions. I want to get the subscriptions associated with a different account (one with which I cannot login into Windows) but I cannot figure out how this is done. Of course, Add-AzureAccount would seem to be the way to go but despite reading the TechNet help page on it, I don't see how another account can be added.
Thanks!
-Rohan.
Azure subscriptions are stored in "C:\Users\%username%\appdata\Roaming\Windows Azure Powershell" (or "%AppData%\Windows Azure Powershell) per user. The contents of that dir is an xml file containing the user's subscriptions. Each subscription is linked to a certificate that needs to reside in the same user's cert store in order to connect.
Anyways, using
Get-AzureSubscription -SubscriptionDataFile <path to the other user's xml file>
you should be able to read those subscriptions, if you have access to his/her profile folder (which would require local admin permissions on a normal system).