Unable to enable "User may sync settings and app data" - azure

Disclaimer: Some messages/menus are translated from Dutch and might not match literally.
So, in my search for enabling Account settings sync in Windows, I ended up in Azure, but there I got stranded.
My goal is to enable Account settings sync in Windows (found under Start->Settings->Accounts->Sync your settings). This is now grayed out with a red message at the top: "Synchronization is not available for your account. Please contact your system administrator to resolve this."
Apparently this has something to do with my Office 365 account being listed under Start->Settings->Accounts->Access to work or school as "Connected to Azure AD from [company name]".
When I try to disconnect my PC from this organisation network it says "This PC is not added to a domain".
So searching on it led me to the Azure AD portal, where I should enable the "User may sync settings and app data" setting found under Azure Active Directory->Devices->Device Settings. However, this setting is missing from my portal. Comparing with screenshots found on the internet, it seems to be the only setting on that page that is missing.
That led me to try enabling Enterprise State Roaming, found under Azure Active Directory->Devices->Enterprise State Roaming, but this is missing completely from the navigation menu.
Am I missing something in any of the steps?
I've read that some people are trialing an Azure subscription, but I'm not. I only have an Office 365 Business subscription.

Looks like your system is not in the domain. You can put your system in the domain as below:
Go to PC>>Properties>>Change Setting>>Change (under Computer Name)>>Put the Domain Name (under Member Of)>>OK
After that you should add the system to Azure AD via the path below:
Start->Settings->Accounts->Access to work or school, shown as "Connected to Azure AD from [company name]".
Then you should be able to log in through Azure AD authentication.

Yeah, if you're connected to the domain it's at the behest of the domain settings whether or not you can sync, and there's not much a user can do about that; and if you disconnect from the domain just to get away from the domain settings to enable it, you're not going to have access to the domain.
If you want to sync AND be a part of the domain you have to contact the domain admin.

Related

Can't start Azure free trial because of MS account both doesn't exist and already exists

My team already has a working Azure DevOps account. I would like to start an Azure subscription / Active Directory to begin linking our DevOps to App Services and other Azure products.
However, any time I click on a link to get started with Azure, I am met with a perplexing paradox trying to log in.
First I'm told that I can't log in because my MS account isn't found:
But if I try to "Create one!" or "get a new Microsoft account", I'm told it already exists:
I've taken out the email address being used, but I've confirmed they are the same between the two screens (I'm not even typing anything; all I'm doing is clicking "Next" on each screen).
I know that this MS account is valid. It's the same one I use to sign in with Azure DevOps and many other MS services. I'm not sure why I can't log in to the Azure set up platform. And there doesn't seem to be any kind of support options with Azure before you become a subscriber, so I thought I'd try my luck posting the issue here.
Thanks for any help!
You can connect your Azure DevOps organization to Azure Active Directory (Azure AD). Kindly check out this document: About accessing your organization via Azure AD
Just to clarify, I hope you are an administrator on the subscription.
https://learn.microsoft.com/azure/devops/organizations/accounts/faq-azure-access?view=azure-devops
When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.
Sign out completely from Azure DevOps by completing the following steps.
Closing your browser might not sign you out completely.
Sign in again and select your other identity.
https://learn.microsoft.com/azure/devops/organizations/accounts/faq-azure-access?view=azure-devops
To connect your organization to Azure AD:
Sign in to your organization, https://dev.azure.com/{yourorganization}.
Select gear icon > Organization settings.
Select Azure Active Directory, and then select Connect directory.

Azure AD is not redirecting to the MDM term of use URL

I have added an MDM (on-premise) to the Azure AD tenant in order to auto-enroll users (on Windows 10) to a third-party MDM once they sign in with their Azure AD accounts. When users try to sign in on Access work or school >> Connect >> Join this device to Azure Active Directory, they get this error: Something went wrong. Looks like we can't connect to the URL for your organization's MDM terms of use.
Checking the MDM's server logs, I realized that Azure AD never calls/redirects the user to the MDM's terms of use URL; in other words, on the MDM server there is no sign that Azure AD is trying to reach it.
Would you please give me some hints why this happens?
On Azure AD tenant I have configured the following:
Enabled P2 license for each user.
Scope of the MDM is set to Some and for a Group where its members need to be enrolled to the third party MDM.
On MDM Settings (on Azure AD) the reply URL (just one) is set correctly.
MDM terms of use URL and discovery are set correctly.
The MDM config on Azure AD looks like this:
Azure AD MDM URL configuration.
The MDM Properties on Azure AD look like this:
Azure AD MDM properties.
Thanks a lot in advance.
The Azure AD Premium P2 license allows you to join Azure AD with the Windows client, but it does not include Intune.
I would check the settings to see if auto-enroll is configured for Intune. That could explain the above message.
Also, please ensure that you have the right App ID URI and App ID configured, as setting the wrong one here can also cause this error.
I ran into this problem today from an OOBE and all of my searching pointed to licensing issues, which turned out to not be the fix for me.
The object in Azure AD had been disabled. This was strange because it was an autopilot device and was disabled in AAD straight from the vendor, which hadn't been the case for other devices I had been receiving for years. I searched for and enabled the device in AAD and it joined without issue. I poked around and found about 30 other devices were in the same state. Hopefully this isn't a new step I'll have to do for all autopilot devices going forward.

Cannot add a Microsoft account in Azure AD with the new portal

Some customers of ours are using external Microsoft accounts to access AAD services.
Since we're not linked with their domain, and some of them use Gmail accounts, adding their entire domain to our AAD is hardly possible.
The old portal (manage.windowsazure.com) had the following screen:
The new portal has a guest system which hardly works (adding an external guest results in a generic B2BError: Unable to invite user with no other details -- even if the old portal still works), and "New user" can only create users with registered domains.
Is there a way, in the new portal (portal.azure.com), to add Microsoft accounts?
I'm asking this now, since this is technically a duplicate of How do I add a Microsoft account to Azure Active Directory?, because the old portal is sunsetting on November 30, 2017, at which point working like this will no longer be possible.
Running New-AzureADMSInvitation helped me to get it working, with some more steps for our own setup:
Executed New-AzureADMSInvitation -InvitedUserEmailAddress account-to-invite@gmail.com -SendInvitationMessage $True -InviteRedirectUrl "http://mybusiness.com"
New-AzureADMSInvitation failed with an error, but one I could understand this time: The object either is sourced from an on prem directory or is undergoing migration
Went to check our on-prem AD to see if it had a user with the affected e-mail. It did not. Huh.
Ran a complete AD Sync cycle, just in case, on our on-prem AD with Start-ADSyncSyncCycle -PolicyType Initial
Waited until (Get-ADSyncScheduler).SyncCycleInProgress went back to False
Re-executed New-AzureADMSInvitation, which worked this time.
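The sequence from this answer, written up as an added example script (not the answerer's own code): invite the external account, and if Azure AD rejects it with the "sourced from an on prem directory" error, check on-prem AD for an object already carrying that address, force an initial sync cycle, wait for it to finish, then retry. It assumes the AzureAD, ActiveDirectory and ADSync modules are available on the Azure AD Connect server; $InviteeEmail and $RedirectUrl are placeholders.

```powershell
# Added example: guest invitation with the on-prem sync fallback described above.
# Placeholders: $InviteeEmail and $RedirectUrl; replace with your own values.
param(
    [string]$InviteeEmail = 'account-to-invite@example.com',
    [string]$RedirectUrl  = 'https://mybusiness.example'
)

Connect-AzureAD | Out-Null

function Invoke-GuestInvite {
    param([string]$Email, [string]$Url)
    New-AzureADMSInvitation -InvitedUserEmailAddress $Email `
        -SendInvitationMessage $true -InviteRedirectUrl $Url
}

try {
    $invite = Invoke-GuestInvite -Email $InviteeEmail -Url $RedirectUrl
} catch {
    # Only handle the specific error the answer describes; surface anything else.
    if ($_.Exception.Message -notmatch 'on prem directory|undergoing migration') {
        throw
    }
    Write-Warning "Invitation blocked by on-prem sync state: $($_.Exception.Message)"

    # Is there an on-prem object that already owns this address (mail or proxyAddresses)?
    $clash = Get-ADUser -Filter "mail -eq '$InviteeEmail' -or proxyAddresses -eq 'SMTP:$InviteeEmail'" `
        -Properties mail, proxyAddresses
    if ($clash) {
        throw "On-prem AD user '$($clash.SamAccountName)' already uses $InviteeEmail; resolve that first."
    }

    # Nothing on-prem: run a full (Initial) sync cycle and poll until it completes.
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
    do {
        Start-Sleep -Seconds 15
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)

    # Retry once the directory state has settled.
    $invite = Invoke-GuestInvite -Email $InviteeEmail -Url $RedirectUrl
}

"Invited $($invite.InvitedUserEmailAddress); status: $($invite.Status)"
```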

Visual Studio Team Services - Restrict access by IP address?

Has anyone successfully restricted Visual Studio Team Services access by IP address? The following blog post says it is possible by connecting the VS Team Services with Azure AD.
https://blogs.technet.microsoft.com/ad/2015/06/25/azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work/
After signing up, you will see the Visual Studio Team Services application on the application tab of the Azure AD portal. You can then go to the application's configure tab and set access rules, just like you would for other applications. (Like the Twitter example above.)
I have connected Team Services with Azure AD, but when I go in the Azure AD portal, click on applications under my domain and then click on "Visual Studio Online" all I get is a "Dashboard" with usage graphs. There is no "Configure" tab as the blog post says there should be. I have backed my Team Services account with TFS. Any ideas?
Thanks.
Think I found the issue. In the below link it says:
These capabilities will be available to customers that have purchased an Azure Active Directory Premium license.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/
Since I'm not subscribed to Azure AD Premium, that is most likely why I don't get the configuration tab and the option to restrict access by IP address. Somewhat annoying that you would have to pay for Azure AD Premium access to get such a standard feature when already paying for VS Team Services.
You can do this in the AD; see azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work:
Blocking external access
In other cases only users on the corporate network may be allowed to access a SaaS application. This rule can help prevent data leakage and in some cases can help you meet regulatory requirements.
When an app is on-premises you would have easily been able to enforce this policy at your network boundary. With the app in the cloud this becomes more challenging. We've helped address this by adding the "block access when not at work" rule. This rule can be applied to any of your Azure AD applications that support conditional access.
The page below shows the option on the same Twitter configure tab as above.
When you choose this option, only users coming from an IP address that falls within an IP range you have identified will be allowed access to the application.

Unable to view any tabs in Azure portal

I am unable to view any services in my Azure portal. A couple of days back everything was visible.
I think there's some permissions issue. I am logging in as Global Admin on the portal.
[UPDATE]: I was trying to publish a web application from visual studio to my azure account and when I select my account, it says "There are no Azure subscriptions associated with this account". Is it that my account is suspended or deactivated or so?
You are signed in to the classic portal with an AAD subscription. These subscriptions don't support using other services. You might be signed in to the wrong directory. Use the "Subscriptions" menu at the top to switch. If you don't have that, you could also be signed in to the wrong account. Some people have used "work/school" (AAD) email addresses to sign up for a "personal" (Microsoft Account) account. If that happens, you'll see a prompt to pick one of the two when you sign in. If you don't see your subscription, it may be assigned to the personal/MSA account. You can grant access to the other one to avoid this.