Search This Blog

Thursday, December 9, 2021

Azure B2B Script to create Guest On-Prem Active Directory Account is Not Working

Description:

You are configuring Azure B2B to allow external users to access your on-premise application securely.
You have configure the Azure B2B setting and have publish the on-premise application using Azure AD Application Proxy. Now you want to use the Azure B2B script to create the Guest account in on-premise Active Directory automatically. 
You downloaded the script from https://www.microsoft.com/en-us/download/details.aspx?id=51495. 
However when you run it, you saw some error and the users never get created in on-premise Active Directory. 
During troubleshooting, you found out that the script has not enough application permission to connect or query to Azure AD. You even triple check the API permission, but cannot found the cause of the error.

Resolution:

The "AppProxy-GuestAccountCreation-v1.0.3.ps1" script is not updated. PowerShell script still uses deprecated Azure AD Graph API instead of MS Graph API. 
You can download the updated script from https://github.com/MicrosoftDocs/azure-docs/files/7090340/AppProxy-GuestAccountCreation-v1.0.3.txt.
Make sure you install Microsoft Graph PowerShell SDK prior to executing the script.

Error when using PowerShell Connect-MgGraph not recognized

Description:

You already install the Microsoft Graph PowerShell SDK on your machine. However when trying to run a script that has "Connect-MgGraph" command, you encountered not recognized cmdlet, function, script  error. You have also restarted the machine and make sure the Microsoft Graph Module was loaded.

Resolution:

There might be some conflict between Microsoft Graph module and other module on your machine. The possible conflict are with Azure AD or MSOnline modules.

Try to install the Microsoft Graph PowerShell SDK on other machine which has minimum or has only the default PowerShell module.

Wednesday, December 8, 2021

Intermittent ADFS Event ID 224 & 245 at WAP Server

Description:

At Web Application Proxy Server (WAP) configured to connect to ADFS, you saw several Event ID 224 & 245 intermittently appear. TCP Port 443 are already open between WAP and ADFS.



Resolution:

Make sure you have all the required certificate on WAP server, including the intermediate and trusted root of the SSL certificate.

Tuesday, December 7, 2021

Error 1297 when starting AD FS Service

Description:

When you try to start ADFS Service for the first time after finishing the configuration, you may encounter 1297 error.



Resolution:

You need to make sure that the service account that you use to run the ADFS Service has the following rights on the ADFS Server:

  • Logon As Service
  • Generate Security Audits

How to set mutisubnetfailover option on ADFS to SQL Database connection string

Description:

You want to use SQL Always On capability for your application. 

You need to change the Database Connection string.

Resolution:

Please run the following at PowerShell on all ADFS Server (one by one):

$temp= Get-WmiObject -namespace root/ADFS -class SecurityTokenService
$temp.ConfigurationdatabaseConnectionstring=”data source=<you sql instance>;multisubnetfailover=true;initial catalog=adfsconfiguration;integrated security=true”
$temp.put()

Set-AdfsProperties –artifactdbconnection ”Data source=<you sql instance>;multisubnetfailover=true;Initial Catalog=AdfsArtifactStore;Integrated Security=True”

Search Google