Why do different update results occur for equally synchronized users? - azure

I have the Azure AD users that are synced from my on-premises AD.
When I updated the user's properties (such as displayName, department, and so on), some users succeeded in updating, but some users failed to update.
In Azure AD, the audit logs of the update successful user and the failed user are as follows.
////////////////// update success user
{
"id": "Directory_xxxxxxx_112926480",
"category": "UserManagement",
"correlationId": "xxxxx",
"result": "success",
"resultReason": "",
"activityDisplayName": "Update user",
"activityDateTime": "2022-02-07T07:03:44.6467812Z",
"loggedByService": "Core Directory",
"operationType": "Update",
"initiatedBy": {
"user": null,
"app": {
"appId": null,
"displayName": "xxxx",
"servicePrincipalId": "xxxx",
"servicePrincipalName": null
}
},
"targetResources": [
{
"id": "xxxx",
"displayName": null,
"type": "User",
"userPrincipalName": "xxxx#xxxx",
"groupType": null,
"modifiedProperties": [
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"\""
},
{
"displayName": "TargetId.UserType",
"oldValue": null,
"newValue": "\"Member\""
}
]
}
],
"additionalDetails": [
{
"key": "UserType",
"value": "Member"
},
{
"key": "User-Agent",
"value": "Apache CXF 3.2.14"
}
]
},
////////////////// update fail user
{
"id": "Directory_xxxx_118537500",
"category": "UserManagement",
"correlationId": "xxxx",
"result": "failure",
"resultReason": "Microsoft.Online.Workflows.PropertyUpdateNotAllowedException",
"activityDisplayName": "Update user",
"activityDateTime": "2022-02-07T07:03:04.9716261Z",
"loggedByService": "Core Directory",
"operationType": "Update",
"initiatedBy": {
"user": null,
"app": {
"appId": null,
"displayName": "xxxx",
"servicePrincipalId": "xxxx",
"servicePrincipalName": null
}
},
"targetResources": [
{
"id": "xxxx",
"displayName": null,
"type": "User",
"userPrincipalName": "xxxx#xxx",
"groupType": null,
"modifiedProperties": [
{
"displayName": "MethodExecutionResult.",
"oldValue": null,
"newValue": "\"Microsoft.Online.Workflows.PropertyUpdateNotAllowedException\""
},
{
"displayName": "TargetId.UserType",
"oldValue": null,
"newValue": "\"Member\""
}
]
}
],
"additionalDetails": [
{
"key": "UserType",
"value": "Member"
},
{
"key": "User-Agent",
"value": "Apache CXF 3.2.14"
}
]
},
Could you tell why the results are so different?
Any help would be appreciated.


Some user details are failed to update because of the error:
Microsoft.Online.Workflows.PropertyUpdateNotAllowedException
The above error usually occurs for many reasons like:
There may be some attributes that violate formatting requirements which restrict characters and character length of attribute values.
The attributes that require unique values may have duplicate attribute values in existing user account (on-prem AD).
May be the user principal name (UPN) was changed after the initial synchronization and must be updated manually.
Some attributes may match exclusion rules for directory synchronization.
The domain value that's used by AD DS attributes hasn't been verified.
To resolve this error, please check the below workarounds if they are helpful:
Use the IdFix DirSync Error Remediation Tool to check for duplicates, missing attributes, and rule violations.
Update AD DS attributes to remove duplicates, rule violations, and scoping exclusions.
Make sure the user properties can’t contain accent characters and the size of displayName, department etc… are under the maximum limits.
For more information in detail, go through below references.
References:
One or more objects don't sync when the Azure Active Directory Sync tool is used - Active Directory | Microsoft Docs
Troubleshoot directory synchronization errors with event 6941 - Office 365 | Microsoft Docs

Related

Possibility to manage user PermissionSets

I can't see any docs about this, only for User and Groups.
The target app has Users with PermissionSets which grants permissions (obviously), with an Schema like this:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "5ac6643a62513c08d6c21516",
"userName": "foo.bar#myapp.com",
"name": {
"givenName": "Foo",
"familyName": "Bar"
},
"emails": [
{
"primary": true,
"type": "work",
"value": "foo.bar#myapp.com"
}
],
"UserType": "user",
"PermissionSets": [
"5aff2aa36c3b5ea72975db35"
],
"active": false,
"meta": {
"resourceType": "User"
}
}
I want to grant them using Multi-Value list Parameter with rules. Does it mean I need /PermissionSets API endpoint which PUTs and GETs the PermissionSet to the user? Because I can't see any PermissionSet when I try to setup the parameter.
Many thanks in advance.

Single Sign on with personal Microsoft account doesn't work in registered app in Azure

We registered an app in Azure with our corporate account.
We've set it as a web-app type, and set the signInAudience to AzureADandPersonalMicrosoftAccount
It works when we sign into our web-app with a corporate account, but when we use a personal microsoft account with hotmail address, we get the following message:
AADSTS50020: User account '*********#hotmail.com' from identity provider 'live.com' does not exist in tenant '*********' and cannot access the application '******'(***-api) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
We double checked all settings and they look valid. We've ran out of ideas
Here's a version of our manifest:
{
"id": "**********",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": 2,
"addIns": [],
"allowPublicClient": null,
"appId": "*********",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2020-08-04T14:32:25Z",
"groupMembershipClaims": "None",
"identifierUris": [
"https://***.company.be"
],
"informationalUrls": {
"termsOfService": "https://www.company.be/legals/gebruiksvoorwaarden",
"support": null,
"privacy": "https://www.company.be/legals/privacy",
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": "https://secure.aadcdn.microsoftonline-p.com/...",
"logoutUrl": null,
"name": "***-api",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": {
"idToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "family_name",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"accessToken": [],
"saml2Token": []
},
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2299-12-30T23:00:00Z",
"keyId": "**********",
"startDate": "2020-08-04T14:47:56.759Z",
"value": null,
"createdOn": "2020-08-04T14:47:58.647043Z",
"hint": "gIh",
"displayName": "*****-api clientSecret"
}
],
"preAuthorizedApplications": [],
"publisherDomain": "company.be",
"replyUrlsWithType": [
{
"url": "http://localhost:3000/link/microsoft/callback",
"type": "Web"
},
{
"url": "https://api.copmpany.be/link/microsoft/callback",
"type": "Web"
},
{
"url": "https://api.copmpany.be/auth/microsoft/callback",
"type": "Web"
},
{
"url": "https://api.staging.copmpany.be/link/microsoft/callback",
"type": "Web"
},
{
"url": "https://api.staging.copmpany.be/auth/microsoft/callback",
"type": "Web"
},
{
"url": "http://localhost:3000/auth/microsoft/callback",
"type": "Web"
}
],
"requiredResourceAccess": [
{
"resourceAppId": "***",
"resourceAccess": [
{
"id": "****",
"type": "Scope"
},
{
"id": "***",
"type": "Scope"
},
{
"id": "***",
"type": "Scope"
},
{
"id": "***",
"type": "Scope"
},
{
"id": "***",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": "https://www.company.be",
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"tags": [
"webApp",
"notApiConsumer"
],
"tokenEncryptionKeyId": null,
"verifiedPublisher": {
"displayName": null,
"verifiedPublisherId": null,
"addedDateTime": null
}
}

In addition to Sarthak's answer if your business scenario doesn't need to access your tenant's resource like call MS Graph API for your tenant, You could change your authority Uri to common endpoint which supports MSA without inviting into tenant. Please refer the documentation on for the authority endpoints. Depending upon your business scenario, choose your solution.

From your manifest file I can see that your app is already registered as multi-tenant, so no need to change any settings there.
The user should be invited before we sign or connect with our azure active directory as an external user, follow the below steps:
Visit here https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers
Invite as a guest user
Then the invited user will get an invitation, accept that first.
Retry to access the web app.
Definitely it would work.

Sign in option AzureADandPersonalMicrosoftAccount only works with v2.0. Hence, the authority URL should be this:
https://login.microsoftonline.com/common/v2.0
In addition to that, for multitenant applications, ValidateIssuer option should be disabled. You can do that in this way:
auth.AddOpenIdConnect(authScheme, displayName, options =>
{
options.TokenValidationParameters.ValidateIssuer = false;
)};

The app should be registered as multi-tenant for this to work.

Creating AAD user in API Management using ARM also creates Basic

When adding/updating AAD user with ARM template/resources.explorer, why does a Basic user also get created?
This is the payload:
{
"apiVersion": "2017-03-01",
"type": "users",
"name": "user1",
"properties": {
"firstName": "FirstName",
"lastName": "LastName",
"email": "[parameters('user1Email')]",
"state": "active",
"identities": [
{
"provider": "Aad",
"id": "[parameters('user1UserId')]"
}
]
}
}
As you can see i do not include the
{
"provider": "Basic",
"id": "basic.userg#basic.com"
}
I don't want to create Basic Auth, I only want Azure AD.
When creating AD user from the developer portal we don't get this behaviour, but with ARM it also creates Basic.

The only way I see at the moment is to do a second PATCH (!) request with same payload but no Basic identity.

Update Azure AD App appRoles through MS Graph Explorer

I am trying to update AppRoles of my Azure AD app through MS Graph Explorer. The App is for setup SSO with our AWS account.
The URI looks like below. GET query returns all the properties of the Service Principal correctly.
https://graph.microsoft.com/beta/servicePrincipals/2141b14a-096a-4f26-a73f-4175a4f475f7
But when trying to "PATCH" the section of "appRoles", I received the error below:
{
"error": {
"code": "Request_BadRequest",
"message": "One or more properties on the service principal does not match the application object.",
"innerError": {
"request-id": "0408c2a3-1f1c-4dd6-aacf-6c2c1cca8b98",
"date": "2018-08-10T01:13:40"
}
}
}
The Request Body is as below (The code is slightly modified for masking)
{ "appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "AWS Developers",
"id": "7dfd756e-8c17-4472-b2b7-38c17fc5de79",
"isEnabled": true,
"description": "Developers",
"value": "arn:aws:iam::12345678910:role/developers-SAML-AzureAD,arn:aws:iam::12345678910:saml-provider/AzureAD"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "AWS Admins",
"id": "7dfd756e-8c27-4412-b1b7-38c17fc1de83",
"isEnabled": true,
"description": "AWS-Admins-SAML-AzureAD",
"value": "arn:aws:iam::12345678910:role/Admins-SAML-AzureAD,arn:aws:iam::12345678910:saml-provider/AzureAD"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "IT MGMT",
"id": "7dfd756e-8c17-4172-b1b7-38c11fc1de81",
"isEnabled": true,
"description": "ITS-MGMT-SAML-AzureAD",
"value": "arn:aws:iam::12345678910:role/ITMGMT-SAML-AzureAD,arn:aws:iam::12345678910:saml-provider/AzureAD"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "S3 Bucket Admins",
"id": "7dfd756e-8c17-4412-b1b1-31c17fc1de18",
"isEnabled": true,
"description": "AWS-S3-Admins-SAML-AzureAD",
"value": "arn:aws:iam::12345678910:role/AWS-S3-Admins-SAML-AzureAD,arn:aws:iam::12345678910:saml-provider/AzureAD"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "EC2 Admins",
"id": "7d1d756e-8c27-4471-12b7-38c17fc5de78",
"isEnabled": true,
"description": "AWS-EC2-Admins-SAML-AzureAD",
"value": "arn:aws:iam::12345678910:role/AWS-EC2Admins-SAML-AzureAD,arn:aws:iam::12345678910:saml-provider/AzureAD"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "Network Admins",
"id": "1dfd756e-8c27-4472-b2b7-38c11fc5de67",
"isEnabled": true,
"description": "AWS-Network-Admins-SAML-AzureAD",
"value": "arn:aws:iam::12345678910:role/Network-Admins-SAML-AzureAD,arn:aws:iam::12345678910:saml-provider/AzureAD"
},
{
"allowedMemberTypes": [
"User"
],
"displayName": "msiam_access",
"id": "7dfd756e-8c21-1471-b1b7-11c27fc5de5e",
"isEnabled": true,
"description": "msiam_access",
"value": null
}]}
I validated the JSON codes but MS Graph Explorer still tells me things are missing.
I tried to run the PATCH query with all properties of the Azure AD App, but received the same error.
Did anyone encounter this before? What is your fix?

Creating a Meeting in JSON Format issue

Is there any way to create a Calendar entry using a mailfile where the Organizer is not the mailfile Owner?
For example:
http://mycompanycom/mail/utils.nsf/api/calendar/events
I want to use a gereric mailfile where DAS is enabled and make all request against it; otherwise I'll need to query every Organizer's mailfile.
The only way I can make it to work is when I set the organizer the same as the mailfile owner, for example:
http://mycompany.com/mail1/ndev1.nsf/api/calendar/events
Here Notes Dev1 is the Owner for ndev1.nsf
{
"events": [
{
"summary": "TEST FEB 2018",
"location": "TEST LOCATION - NOT NEEDED",
"description": "",
"CalendarDateTime": {
"date": "2018-02-26",
"time": "17:00:00",
"utc": true
},
"start": {
"date": "2018-02-26",
"time": "17:00:00",
"utc": true
},
"end": {
"date": "2018-02-26",
"time": "18:00:00",
"utc": true
},
"class": "public",
"transparency": "opaque",
"sequence": 0,
"x-lotus-noticetype": "I",
"attendees": [
{
"role": "chair",
"status": "accepted",
"rsvp": false,
"displayName": "Notes Dev1/MYCOMPANY",
"email": "notes.dev1#mycompany.com"
},
{
"role": "req-participant",
"status": "needs-action",
"rsvp": true,
"displayName": "Pablo Solano/MYCOMPANY",
"email": "pablo.solano#mycompany.com"
},
{
"role": "req-participant",
"status": "needs-action",
"rsvp": true,
"displayName": "Notes Dev2/MYCOMPANY",
"email": "notes.dev2#mycomany.com"
},
{
"role": "req-participant",
"userType": "room",
"status": "accepted",
"rsvp": true,
"email": "maar#teradyne.com"
}
],
"organizer": {
"displayName": "Notes Dev1/MYCOMPANY",
"email": "notes.dev1#mycompany.com"
}
}
]
}
I found this url: http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=CB20A0E36EE82AB385258154003B0A86
with this text:
One important caveat: The organizer property must match the owner of the database as specified in the request URL (/{database}/api/calendar/events).

I see few options for you:
Quick&dirty - change/add current user as owner of the calendar on the fly every time. Not recommended.
Make your code to work on behalf of universal identity, which is also owner of the calendar. Caveat: meeting will be arranged by that identity.
Create the meeting from user's calendar. Probably that's not what you want.

Resources