MDM Terms of Use endpoint is not correctly configured - azure

I have three laptops and one desktop joined to Active Directory hosted on Azure. I am trying to join a new workstation to Azure AD using the email address of a person who has a laptop connected to Azure.
Here are my steps.
Connect to Work or School.
Connect.
Join this device to Azure Active Directory.
Enter user's email address and password.
I receive the following error when trying:
"Looks like the MDM Terms of Use endpoint is not correctly configured."
I've checked whether "Users may join devices to Azure AD" is set to ALL. (It is.)
The number of devices per user is set to 20.
Where do I go in the portal to resolve the issue?

I know that this is an old question but I'm hoping it can help others avoid hours or days trying to figure it out. Even Microsoft couldn't figure this one out, which is sad. Their documentation actually even contradicts the solution.
During your domain setup, there are two CNAME records that you are instructed to create: EnterpriseEnrollment and EnterpriseRegistration. What they don't tell you is that this is only used if you are using the free MDM for Office 365 solution. If you are using, or switch to a license of Active Directory Premium and/or Intune, you MUST remove these CNAME records in order to allow your devices to register. It worked for me instantly upon removing the records on Cloudflare, though there may be a delay depending on who you use for DNS management.
I hope this helps anyone encountering this issue. Microsoft really needs to work on the detail of their error messages.

I see you got a couple of answers on Reddit, but here goes:
Firstly, make sure you have one of the more advanced AAD services (such as P2) not the free one which has almost nothing whatsoever to do with AD.
AAD seems to "propagate" slowly, à la Y2K domains. I get this error often and there might be more than one root cause (thanks to the cryptic message in the first place).
Similar symptoms:
MDM TOU error when activating brand-new PC
Vague error regarding connectivity when setting PIN
"Successfully" connecting to work but no listing in Intune
For all of the above, I find simply waiting about 24 hours before trying again often helps, as the newly created user/device/passport/Hello propagates through Microsoft's complex cloud ID servers.
I have had it fail with your message and then retry 30 seconds later and it works (forever from then on), and I have had devices which "join the workplace successfully" but not show up in Intune/AAD for almost 48 hours!


Create a Migration Final save button is disabled

I resolved my issue on my own. After doing this I reread the question and, with the knowledge I now have, as a different user I would have known exactly what I needed and would have answered that user in about 3 sentences:
1 - Reboot your PC after setting up the Azure database.
2 - Review the table schema of your Access database and make any name changes that might be a conflict with SQL Server.
3 - Get SSMA, which is the migration tool for Access - must have.
4 - Follow the instructions - so easy.
I stand by the question. Sometimes we tend to either over-engineer a question or answer when the most obvious is the simplest.
Problem - set up a DB on Azure; now I can't figure out how to migrate an Access DB because that is not an option like the other DBs in the list.
Answer - Oh, I had the problem when I first signed up with Azure - you need to do the following
(See above)
First of all, I am not stupid by any means and have been developing software since 1992, but the interface for this whole Azure thing is just horrible and the overhead to do anything is so extreme. With that said, I created an Azure database service using my company ID, created the server and database, and went to the migration services. I am migrating a mission-critical Access accdb backend to this Azure site to see how it performs. At first I thought I could use SSMS locally to see the database but I could not. So, knowing that there is no more "upsizing", I figured the site would walk me through. I answered the questions (none about the source) but when I try to save or continue the buttons are disabled. I did install the hybrid worker as instructed as well. I do not understand why there can't just be an option that says upload an Access database and it goes from there. lol. Or why I can't see it from SSMS on my machine.
Use the tool for the job: Microsoft SQL Server Migration Assistant 8.12 for Access.

I forgot to renew my domain and it went to pending delete status. How can I recover the domain now?

Domain is with GoDaddy; status changed to pending delete yesterday. I talked with GoDaddy support and they said they can't do anything now, it is too late to redeem the domain. They said I can manually register the domain when it is available again, or backorder it. Should I spend money on backordering, or is manual registration enough?
PendingDelete is the last phase of the life-cycle of a gTLD domain.
Backorder (or drop catching) means having software deployed to 'try to register' a domain as soon as it becomes available at the registry (the end of the life-cycle is reached). What a back-ordering service does is check at the registry for domain name availability at regular intervals and try to register it as soon as it is available.
There are various providers you can google. Some are CatchTiger, NameJet, SnapNames, DropCatch and even GoDaddy itself.
Backordering always stands a better chance than manually re-registering, as the registrars would know first (via automated software) of domain availability before you will.
Note: A serious domainer will back-order at several services — only one should win and the others should refund you (still, please check individual cases).
Catch.Club says it can kind of aggregate services so that we do not need to back-order at different service providers — but the site is yet to launch. There should be more like this.
Yes, there is nothing you can do. My advice: just wait until the domain is available again and then you can register it again. If you pay in the redemption period, it will be very expensive.

Is it possible for me to test my webapp in China to see what is blocked?

I work for a company and we are setting up a customer base in China to use it. We are having a couple of issues with content being blocked and breaking the site. We need to find a VPN to emulate the fact that we are based in China when looking at the website.
I have tried pureVPN and tunnelbear but they don't seem to be affected by the firewall that blocks everything. I understand that this is the opposite of what a lot of people use VPNs for when it comes to China but I need to find a way around this in order to get our app working correctly.
I have sorted this all out by purchasing a server from aliyun.com and VNCing into the box with Ubuntu desktop installed. This works perfectly.
The boxes are really cheap as well and there is a 15-day free trial on their ECS instances, which are essentially a clone of AWS's EC2 boxes.

Initial "No OpenID Endpoint Found" on Windows Azure

I've looked at the various questions on this topic but none of them QUITE fit the problem I'm having.
I've developed an MVC4 app which utilizes DNOA to call into a particular provider (Intuit). All worked perfectly on my local IIS (testing) but when I deployed to Windows Azure I get the proverbial wonderful "strange, intermittent" behavior. Specifically, 99% of the time, the initial sign-in request results in the "No OpenID Endpoint Found" error; however, SUBSEQUENT sign-ins go through without a hitch.
I've added the code referred to here: ServiceManagerCode, to no avail. I've checked, and the OpenID URL is correct. I've also attempted to add log4net to see what might be occurring but have been unable to do this correctly; some other answers seem to suggest this returns nothing anyway. I've also asked Intuit but, so far, no responses.
Again, if this wasn't occurring on just the first attempt then there would be numerous relevant posts but with this peculiar behavior I am wary of wasting inordinate amounts of time on a wild goose chase.
Any suggestions, however slight, would be very much appreciated.
I am not familiar with OpenID. Is the OpenID sign in service hosted by you in Windows Azure as well? Please make sure the sign in service has started without any problems, one suggestion is to check the federation configuration. Most federation providers require you to configure the realm and return URL. If they’re not properly configured, the application won’t work.
Best Regards,
Ming Xu.
Since you say that your Azure relying party works reliably after the first failed attempt, perhaps you can workaround it by having your app_start event in your Azure web role call DotNetOpenAuth's OpenIdRelyingParty.CreateRequest method, not doing anything with its result, just to 'prime the pump'?

Secure captive portal?

We would like to run a wireless access point for public use. However, in case of misbehavior, we would like some personal information to be able to pass on to law enforcement.
The proposed solution involves a captive portal where users enter their email addresses, and are then given ten minutes to check their email and verify, after which they are given unrestricted access.
The problem, as I see it, is that once a user is authenticated, anyone can come along, spoof the MAC or IP, and then have access. If they commit a crime or copyright infringement, the user who entered the email address is now blamed.
Now, we could solve that by using WPA and requiring users to preregister. But as I said, we would like to allow anyone to just drive up and use it, and we don't want to provide any technical support.
The other alternative is not collecting email addresses, but then in case of an investigation or lawsuit, we wouldn't have anything to hand over, and thus risk the possibility of being shut down.
Is there any way out of this dilemma?
Collecting email would also be futile since you have no good way of confirming it without also providing compromised access. You should simply log the traffic that the user generates.
The answer is to not care about unsatisfiable demands from law enforcement for the personal information of your users. If that's not an acceptable answer, then the answer is to stop trying to provide a public access point. If that's not an acceptable answer either, then the answer is the proposed solution you already have. How you go about living with yourself afterward, for collecting personal information from law abiding people that will only ever be used by criminals to cover their tracks, is a personal matter and out of scope for this site. Good luck.
Having the end-user accept a legal disclaimer that you (the provider) are not responsible and they (the end-user) are responsible, and that they should not do illegal things, is usually good enough. Just log that they clicked "I agree" and their IP and MAC at the time. They should have to do this every time they connect.
Asking for an email is basically worthless; many will use a made-up email, or enter a typo, then complain they never got it; many will use a disposable email; many will use a junk account they create with one of the free webmail providers.
A system that sends their mobile phone a text message with a unique (random) code, and having that entered on the captive portal page to gain access, is a better system IMHO. I've done this before and it works OK, except for kids who have mommy's iPad or another tablet but no phone. You save all this data for 90+ days, or however long your lawyers tell you.
Realize that implementing any of this significantly decreases the actual use of your hotspot; users don't have the patience and will be frustrated and abandon the process.
Most captive portal products can log the MAC and IP lease every client gets, and where they go on the Internet (at least that's how I do it), so if a legal request comes along, you can give law enforcement the data you have. It's up to law enforcement to then stake out or track down the device with that MAC, which, depending on their competency level, is possible or impossible for them; either way it's not your job to do their job for them.
I also advocate filtering the obvious porn and malware domains, not just to save on bandwidth, but to limit your liability. Any good captive portal product can do this.
Your public wireless network should at the least be NAT'd to a separate static IP, so you can differentiate legal requests that reference that IP, as opposed to say your private office network. You can do this with separate firewalls, or a firewall that supports multiple LAN interfaces.
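One way to implement the text-message code flow and the "I agree" acceptance log that this answer describes, as an added example (not the answer's own code). It assumes an `sms_send` callable standing in for whatever SMS gateway the portal uses, takes the ten-minute window from the question, and adds the controls a practitioner would want around such a code: single use, expiry, an attempt limit, and a constant-time comparison.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 600        # the question's ten-minute window, in seconds
MAX_ATTEMPTS = 5      # wrong guesses allowed before the pending code is discarded

@dataclass
class Pending:
    code_hash: bytes   # SHA-256 of the code: keeps the clear-text code out of memory dumps
    expires: float     # absolute time after which the code is dead
    attempts: int = 0  # the attempt cap, not the hash, is what defeats guessing a 6-digit code

class Portal:
    def __init__(self, sms_send, clock=time.time):
        self.sms_send = sms_send   # assumed gateway: sms_send(phone, code)
        self.clock = clock         # injectable so expiry can be tested offline
        self.pending = {}          # (mac, ip) of the unauthenticated client -> Pending
        self.audit = []            # retained records (the answer suggests 90+ days)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def start(self, mac, ip, phone):
        """Issue a fresh random 6-digit code to the client and text it out."""
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, never random.randint
        self.pending[(mac, ip)] = Pending(self._digest(code), self.clock() + CODE_TTL)
        self.sms_send(phone, code)
        self.audit.append({"ts": self.clock(), "event": "code_sent",
                           "mac": mac, "ip": ip, "phone": phone})

    def verify(self, mac, ip, code, agreed):
        """Grant access only for a live, unexpired, single-use code plus an explicit 'I agree'."""
        p = self.pending.get((mac, ip))
        if p is None or not agreed:
            return False
        if self.clock() > p.expires or p.attempts >= MAX_ATTEMPTS:
            del self.pending[(mac, ip)]            # dead code: force a new start()
            return False
        p.attempts += 1
        if not hmac.compare_digest(self._digest(code), p.code_hash):
            return False
        del self.pending[(mac, ip)]                # single use
        self.audit.append({"ts": self.clock(), "event": "granted",
                           "mac": mac, "ip": ip, "agreed": True})
        return True
```

The `audit` list stands in for whatever durable store the portal writes to; the records tie the lease (MAC, IP) and the acceptance click to a timestamp, which is the data the answer says a legal request will ask for.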
