Problems Logging In Due to Multi-Factor Authentication
At the moment, I am unable to log in to Azure with my account (Global Administrator). Although I am also a Microsoft Partner and have 10 credits for support requests, I cannot create a support request here. Therefore, I have to post in this forum. I can log in to Office 365, PowerApps, Power Automate, and other services with MFA without any issues. However, when I log in to portal.azure.com, I am prompted for authentication again immediately after logging in, and I cannot proceed further from there. I have created two tickets with Office 365 and Microsoft Entra ID, but neither ticket has successfully resolved the issue. Here is what we have tried so far: Disabled MFA, but MFA still appears. Successfully removed my guest account from other organizations. The problem still persists. What can I do here? Can Microsoft Azure contact me since I still have 10 credits?
AVD Authentication Type
I have just completed a setup with Azure AVD for remote desktop and an application and I'd like to know if there's a way to change the authentication or login type when using Azure AVD. Or if a prompt can be enabled in the settings of AVD. We only have 10 users spread across 2 AVD VMs. I have a Windows Server AD virtual machine running in my Azure tenant on the same vnet as the AVD setup. These were domain joined using the AVD deployment process and assigned to a specific OU in my domain. My Active Directory is using .local usernames and my Azure tenant does have an authenticated and valid domain for users and email. I did expand my AD to include the UPN alternative suffixes and I've adjusted the accounts so that my Office365 tenant logins match the AD logins. However, when I connect to my AVD workspace using Remote Desktop App, I cannot connect and it sends an error of 0x83886163 during the configuring gateway process. The Session Desktop and my app is published properly to the Remote Desktop App, but I simply cannot connect. Basically, is it possible to adjust AVD to prompt for a username once I click on the Session Desktop or my published application? I did locate some authentication settings in the RDP properties and connection information of the host pool. Thanks for any suggestions or input.access Azure File share on Azure AD joined Devices with Azure AD Credentials
Hi everyone We're currently testing Azure File for a customer. The customer already has an AVD environment, and we need an Azure File share for a specific application that runs on the AVD instance. We can mount the Azure File share on AVD with no problems and Azure AD credentials. All local and physical Windows Devices from the employees, which they use to open the AVD Application, are Azure AD joined. However, we also need to mount the Azure File share locally on every Azure AD joined Device. Problem is that we're not able to do that. We're able to mount the Azure File share with the storage account key, but this is a no-brainer. We're not giving out the storage account key to achieve this. Tbh, I'm not very fit in all these Azure Stuff but I think it's an authentication issue, because we're able to mount the Azure File share locally with the Storage Account Key. If we want to mount the share with the user logged on Azure AD credentials, it throws an error back that the network path could not be found (0x80070035). I think there is smth I'm missing out, which prevents me to mount the Azure File share on a Azure AD joined Devices and authenticate it with the user logged on AAD creds. Thanks for every reply, advice & help ❤️
API Management – Validate API requests through Client Certificate.
Azure APIM – Validate API requests through Client Certificate using Portal, C# code and Http Clients Client certificates can be used to authenticate API requests made to APIs hosted using Azure APIM service. Detailed instructions for uploading client certificates to the portal can be found documented in the following article - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients Steps to authenticate the request – Via Azure portal Once we have setup the certificate authentication using the above article, we can test an operation for a sample API (Echo API in this case). Here, we have chosen a GET operation and selected the “Bypass CORS proxy” option. Once you click on the “Send” option, you would be asked to select the certificate that you would have already installed on your machine. Note – This is the same certificate that you would have uploaded for your APIM service and added to the trusted list in the certificate store of your workstation. After successful authentication and request processing, you would receive the 200 OK response code. Upon maneuvering to the trace logs, you can also see the certificate thumbprint that was passed for authentication. The inbound policy definition used for this setup is as below: (Kindly update the certificate thumbprint with your client certificate thumbprint) <choose> <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "BF3D644C46099A9D7C073EC002312878B8F9B847")"> <return-response> <set-status code="403" reason="Invalid client certificate" /> </return-response> </when> </choose> Through C# or any other language that supports SDKs- We can use the below sample C# code block to authenticate API calls and perform API operations. Kindly update the below highlighted values with your custom values before executing the sample code attached below Client certificate Thumbprint: BF3D644C46099A9D7C073EC002312878B8F9B847 Request URL: https://testapicert.azure-api.net/echo/resource?param1=sample Ocp-Apim-Subscription-Key: 4916bbaf0ab943d9a61e0b6cc21364d2 Sample Code: using System; using System.IO; using System.Net; using System.Security.Cryptography.X509Certificates; namespace CallRestAPIWithCert { class Program { static void Main() { // EDIT THIS TO MATCH YOUR CLIENT CERTIFICATE: the subject key identifier in hexadecimal. string thumbprint = "BF3D644C46099A9D7C073EC002312878B8F9B847"; X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false); X509Certificate2 certificate = certificates[0]; System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(AcceptAllCertifications); HttpWebRequest req = (HttpWebRequest)WebRequest.Create("https://testapicert.azure-api.net/echo/resource?param1=sample"); req.ClientCertificates.Add(certificate); req.Method = WebRequestMethods.Http.Get; req.Headers.Add("Ocp-Apim-Subscription-Key", "4916bbaf0ab943d9a61e0b6cc21364d2"); req.Headers.Add("Ocp-Apim-Trace", "true"); Console.WriteLine(Program.CallAPIEmployee(req).ToString()); Console.WriteLine(certificates[0].ToString()); Console.Read(); } public static string CallAPIEmployee(HttpWebRequest req) { var httpResponse = (HttpWebResponse)req.GetResponse(); using (var streamReader = new StreamReader(httpResponse.GetResponseStream())) { return streamReader.ReadToEnd(); } } public static bool AcceptAllCertifications(object sender, X509Certificate certification, X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; } } } Through Postman or any other Http Client To use client certificate for authentication, the certificate has to be added under PostMan first. Maneuver to Settings >> Certificates option on PostMan and configure the below values: Host: testapicert.azure-api.net (## Host name of your Request API) PFX file: C:\Users\praskuma\Downloads\abc.pfx (## Upload the same client certificate that was uploaded to APIM instance) Passphrase: (## Password of the client certificate) Once the certificate is uploaded on PostMan, you can go ahead and invoke the API operation. You need to add the Request URL in the address bar and also add the below 2 mandatory headers: Ocp-Apim-Subscription-Key : 4916bbaf0a43d9a61e0bsssccc21364d2 (##Add your subscription key) Ocp-Apim-Trace : true Once updated, you can send the API request and receive a 200 OK response upon successful authentication and request processing. For detailed trace logs, you can check the value for the output header - Ocp-Apim-Trace-Location and retrieve the trace logs from the generated URL.
Azure runbook is failing to execute due to Authentication issue with azure storage account
Iam facing one issue with authentication of storage account for automation runbook in azure. Scene:- Runbook will runasaccount and its based on service principle. This runbook will get the azurevm status and triggers to store that to storage account every two days. Issue: Runbook execution is successful if I put networking as publicly accessible Runbook is failing to store vm data in storage account if changed networking to selected network. In selected networking, I added resource instance of runbook and allowed trusted azure service, But still it is showing authentication issues. I provided contributor and storage blob data contributor role to the service principle also,still authentication issue. Any idea how to resolve this. Note:I don't want to make storage account publicly accessible.Setting up Application Gateway with an App Service that uses Azure Active Directory Authentication
First published on MSDN on Nov 21, 2017 This blog post is going to guide you through setting up an Azure Application Gateway in front of an Azure App Service that uses Azure Active Directory authentication and a custom domain.
Setting up Application Gateway with an App Service that uses Azure Active Directory Authentication and URL Authorization Rules
First published on MSDN on Nov 21, 2017 This blog post is an optional extension of my previous post about properly configuring an Azure App Service using authentication behind an Azure Application Gateway.
Issues signing in with Azure Site Recovery Tool
I am setting up ASR for an OnPrem VMWare setup. I have the OVF template imported and running, a VPN connection to our Azure instance, along with Internet access. The setup wizard validates the Internet connection and prompts for credentials. I enter the same creds I used to the create the vault, and it thinks for a while then prompts for my password again using our AD validation page. If I enter my password and hit enter, it immediately clears the screen and acts like it wants the password again. I have tried no password, and it figures that out. Also, an invalid password produces and error message. A valid password just causes the whole process to repeat. Any help with this issue would be appreciated. In a thought we could avoid this second prompting, we did join the VM to our domain and reboot. This did not effect this problem and we have the same behavior. Thanks.Azure VPN Gateway and MFA Timeout Issue for Point to Site Connections
Hi, I'm having trouble getting MFA working with an Azure P2S IKEv2 VPN using RADIUS auth. It seems that the auth response timeout on the gateway is set so low (looks like 5 sec) that I don't have enough time to authenticate using MFA. I've verified this both with DUO Auth and Azure MFA; both have the same result. I initiate the VPN connection, enter credentials, and before I can answer the phone call to verify MFA, another request is initiated and a second call comes through. If I successfully verify either or both calls, the connection fails. However, if I use a push notification to the cell phone for verification and I can verify in under 5 sec, the connection is completed. I've also pointed my Palo Alto VPN device (where I have a specified timeout of 60 sec) at my MFA server and was able to log in successfully to that VPN - this determines the issue is not with my MFA server setup. I've created a bug request with Microsoft on this as there doesn't seem to be a way to change the timeout. Has anyone else encountered this issue or found a workaround??
