Learn how to find and fix [single sign-on](../manage-apps/what-is-single-sign-on.md) issues for applications in Azure Active Directory (Azure AD) that support [Security Assertion Markup Language (SAML) 2.0](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language).
25
25
26
26
## Before you begin
27
-
We recommend installing the [My Apps Secure Sign-in Extension](../user-help/active-directory-saas-access-panel-user-help.md#i-am-having-trouble-installing-the-my-apps-secure-sign-in-extension). This browser extension makes it easy to gather the SAML request and SAML response information that you need for resolving issues with single sign-on. In case you cannot install the extension, this article shows you how to resolve issues both with and without the extension installed.
27
+
28
+
We recommend installing the [My Apps Secure Sign-in Extension](../user-help/active-directory-saas-access-panel-user-help.md#i-am-having-trouble-installing-the-my-apps-secure-sign-in-extension). This browser extension makes it easy to gather the SAML request and SAML response information that you need to resolving issues with single sign-on. In case you cannot install the extension, this article shows you how to resolve issues both with and without the extension installed.
28
29
29
30
To download and install the My Apps Secure Sign-in Extension, use one of the following links.
30
31
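Review bot: The rewritten sentence in the `+` line of this hunk ("the SAML request and SAML response information that you need to resolving issues with single sign-on") is ungrammatical; the removed line had the correct "need for resolving issues", so either keep that wording or change it to "need to resolve issues". The rest of the hunk only moves the paragraph, so this is the one substantive difference to fix.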
@@ -35,15 +36,15 @@ To download and install the My Apps Secure Sign-in Extension, use one of the fol
35
36
36
37
## Test SAML-based single sign-on
37
38
38
-
To test SAML-based single sign-on between AAD and a target application:
39
+
To test SAML-based single sign-on between Azure AD and a target application:
39
40
40
-
1.Sign in to the [Azure portal](https://portal.azure.com) as a global administrator or other administrator that is authorized to manage applications.
41
-
2. In the left blade, click**Azure Active Directory**, and then click**Enterprise applications**.
42
-
3. From the list of Enterprise Applications, click the application for which you want to test single sign-on, and then from the options on the left click**Single sign-on**.
43
-
4. To open the SAML-based single sign-on testing experience, in the**Domain and URLs**section click **Test SAML Setting**. If the Test SAML Setting button is greyed out, you need to fill out and save the required attributes first.
44
-
5. In the **Test single sign-on** blade, use your corporate credentials to sign in to the target application. You can sign in as the current user or as a different user. If you sign in as a different user, a prompt will ask you to authenticate.
41
+
1.Sign in to the [Azure portal](https://portal.azure.com) as a global administrator or other administrator that is authorized to manage applications.
42
+
1.In the left blade, select**Azure Active Directory**, and then select**Enterprise applications**.
43
+
1.From the list of enterprise applications, select the application for which you want to test single sign-on, and then from the options on the left select**Single sign-on**.
44
+
1.To open the SAML-based single sign-on testing experience, go to**Test single sign-on**(step 5). If the **Test**button is greyed out, you need to fill out and save the required attributes first in the **Basic SAML Configuration** section.
45
+
1.In the **Test single sign-on** blade, use your corporate credentials to sign in to the target application. You can sign in as the current user or as a different user. If you sign in as a different user, a prompt will ask you to authenticate.
If you are successfully signed in, the test has passed. In this case, Azure AD issued a SAML response token to the application. The application used the SAML token to successfully sign you in.
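Review bot: The new list items `1.Sign in to the [Azure portal]`, `1.In the left blade`, `1.From the list of enterprise applications`, `1.To open the SAML-based` and `1.In the **Test single sign-on** blade` have no space after the `1.`, so Markdown will not treat them as ordered-list items and they will render as one run-on paragraph; insert a space after each `1.`. While on these lines, restore the spaces around the bold runs in `select**Azure Active Directory**, and then select**Enterprise applications**` and `go to**Test single sign-on**(step 5)`: a `**` that is glued to a preceding letter cannot open emphasis, so these render as literal asterisks instead of bold.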
@@ -53,51 +54,55 @@ If you have an error on the company sign-in page or the application's page, use
53
54
54
55
## Resolve a sign-in error on your company sign-in page
55
56
56
-
When you try to sign in you might see an error on your company sign-in page.
57
+
When you try to sign in, you might see an error on your company sign-in page that's similar to the following example.
To debug this error, you need the error message and the SAML request. The My Apps Secure Sign-in Extension automatically gathers this information and displays resolution guidance on Azure AD.
61
62
62
-
To resolve the sign-in error with the MyApps Secure Sign-in Extension installed:
63
+
### To resolve the sign-in error with the MyApps Secure Sign-in Extension installed
64
+
65
+
1. When an error occurs, the extension redirects you back to the Azure AD **Test single sign-on** blade.
66
+
1. On the **Test single sign-on** blade, select **Download the SAML request**.
67
+
1. You should see specific resolution guidance based on the error and the values in the SAML request.
68
+
1. You will see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue is not due to a misconfiguration on Azure AD.
63
69
64
-
1. When an error occurs, the extension redirects you back to the Azure Ad **Test single sign-on** blade.
65
-
2. On the **Test single sign-on** blade, click **Download the SAML request**.
66
-
3. You should see specific resolution guidance based on the error and the values in the SAML request. Review the guidance.
70
+
If no resolution is provided for the sign-in error, we suggest that you use the feedback textbox to inform us.
67
71
68
-
To resolve the error without installing MyApps Secure Sign-in Extension:
72
+
### To resolve the error without installing the MyApps Secure Sign-in Extension
69
73
70
74
1. Copy the error message at the bottom right corner of the page. The error message includes:
71
-
- A CorrelationID and Timestamp. These values are important when you create a support case with Microsoft because they help the engineers to identify your problem and provide an accurate resolution to your issue.
75
+
- A CorrelationID and Timestamp. These values are important when you create a support case with Microsoft because they help the engineers to identify your problem and provide an accurate resolution to your issue.
72
76
- A statement identifying the root cause of the problem.
73
-
2. Go back to Azure AD and find the **Test single sign-on** blade.
74
-
3. In the text box above **Get resolution guidance**, paste the error message.
75
-
3. Click **Get resolution guidance** to display steps for resolving the issue. The guidance might require information from the SAML request or SAML response. If you’re not using the MyApps Secure Sign-in Extension, you might need a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML request and response.
76
-
4. Verify the destination in the SAML request corresponds to the SAML Single Sign-On Service URL obtained from Azure Active Directory
77
-
5. Verify the issuer in the SAML request is the same identifier you have configured for the application in Azure Active Directory. Azure AD uses the issuer to find an application in your directory.
78
-
6. Verify AssertionConsumerServiceURL is where the application expects to receive the SAML token from Azure Active Directory. You can configure this value in Azure Active Directory, but it’s not mandatory if it’s part of the SAML request.
77
+
1.Go back to Azure AD and find the **Test single sign-on** blade.
78
+
1.In the text box above **Get resolution guidance**, paste the error message.
79
+
1.Click **Get resolution guidance** to display steps for resolving the issue. The guidance might require information from the SAML request or SAML response. If you’re not using the MyApps Secure Sign-in Extension, you might need a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML request and response.
80
+
1.Verify that the destination in the SAML request corresponds to the SAML Single Sign-On Service URL obtained from Azure AD.
81
+
1.Verify the issuer in the SAML request is the same identifier you have configured for the application in Azure AD. Azure AD uses the issuer to find an application in your directory.
82
+
1.Verify AssertionConsumerServiceURL is where the application expects to receive the SAML token from Azure AD. You can configure this value in Azure AD, but it’s not mandatory if it’s part of the SAML request.
79
83
80
84
81
85
## Resolve a sign-in error on the application page
82
86
83
87
You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application does not accept the response.
84
88
85
-
To resolve the error:
89
+
To resolve the error, follow these steps:
86
90
87
-
1. If the application is in the Azure AD Gallery, verify you have followed all the steps for integrating the application with Azure AD. To find the integration instructions for your application, see the [list of SaaS application integration tutorials](../saas-apps/tutorial-list.md).
88
-
2. Retrieve the SAML response.
91
+
1. If the application is in the Azure AD Gallery, verify that you've followed all the steps for integrating the application with Azure AD. To find the integration instructions for your application, see the [list of SaaS application integration tutorials](../saas-apps/tutorial-list.md).
92
+
1. Retrieve the SAML response.
89
93
- If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on** blade, click **download the SAML response**.
90
94
- If the extension is not installed, use a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML response.
91
-
3. Notice these elements in the SAML response token:
95
+
1. Notice these elements in the SAML response token:
92
96
- User unique identifier of NameID value and format
93
97
- Claims issued in the token
94
-
- Certificate used to sign the token. For information on how to review the SAML response, see [Single Sign-On SAML protocol](single-sign-on-saml-protocol.md).
95
-
4. For more information on the SAML response, see [Single Sign-on SAML protocol](single-sign-on-saml-protocol.md).
96
-
5. Now that you have reviewed the SAML response, see [Error on an application's page after signing in](../manage-apps/application-sign-in-problem-application-error.md) for guidance on resolving the problem.
97
-
6. If you are still not able to sign in successfully, you can ask the application vendor what is missing from the SAML response.
98
+
- Certificate used to sign the token.
98
99
100
+
For more information on the SAML response, see [Single Sign-on SAML protocol](single-sign-on-saml-protocol.md).
99
101
100
-
## Next steps
101
-
Now that single sign-on is working to your application, you could [Automate user provisioning and deprovisioning to SaaS applications](../manage-apps/user-provisioning.md), or [get started with conditional access](../conditional-access/app-based-conditional-access.md).
102
+
1. Now that you have reviewed the SAML response, see [Error on an application's page after signing in](../manage-apps/application-sign-in-problem-application-error.md) for guidance on how to resolve the problem.
103
+
1. If you're still not able to sign in successfully, you can ask the application vendor what is missing from the SAML response.
102
104
103
105
106
+
## Next steps
107
+
108
+
Now that single sign-on is working to your application, you could [Automate user provisioning and deprovisioning to SaaS applications](../manage-apps/user-provisioning.md) or [get started with conditional access](../conditional-access/app-based-conditional-access.md).
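Review bot: Two list-rendering problems in the restructured steps. First, the items `1.Go back to Azure AD`, `1.In the text box above`, `1.Click **Get resolution guidance**`, `1.Verify that the destination`, `1.Verify the issuer` and `1.Verify AssertionConsumerServiceURL` lack the space after `1.` that the items in the "with the MyApps Secure Sign-in Extension installed" section do have, so they will not render as list items. Second, in "Resolve a sign-in error on the application page" the unindented paragraph `For more information on the SAML response, see [Single Sign-on SAML protocol]` terminates the numbered list, so the following `1. Now that you have reviewed the SAML response` and `1. If you're still not able to sign in` restart at 1 instead of continuing as steps 4 and 5; indent that paragraph under step 3, or fold it back into the "Certificate used to sign the token" bullet where the removed line had it. Minor: `click **download the SAML response**` should match the capitalized **Download the SAML request** used in the earlier section.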
articles/active-directory/devices/faq.md (+6)
@@ -87,6 +87,12 @@ For down-level Windows OS versions that are on-premises Active Directory domain
87
87
88
88
---
89
89
90
+
**Q: Does Windows 10 device registration in Azure AD support TPMs in FIPS mode?**
91
+
92
+
**A:** No, currently device registration on Windows 10 for all device states - Hybrid Azure AD join, Azure AD join and Azure AD registered - does not support TPMs in FIPS mode. To successfully join or register to Azure AD, FIPS mode needs to be turned off for the TPMs on those devices
93
+
94
+
---
95
+
90
96
**Q: Why can a user still access resources from a device I disabled in the Azure portal?**
91
97
92
98
**A:** It takes up to an hour for a revoke to be applied.
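Review bot: The new answer ends without a period ("FIPS mode needs to be turned off for the TPMs on those devices"), and its wording does not match the note this same commit adds to hybrid-azuread-join-plan.md ("FIPS-compliant TPMs aren't supported … you must disable them"). Align the two so both say that FIPS mode must be turned off on the TPM, not that the TPM itself is disabled, and consider linking the FAQ answer to the planning article. The spaced hyphens in "all device states - Hybrid Azure AD join, Azure AD join and Azure AD registered -" would read better as a parenthetical or a colon-introduced list.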
articles/active-directory/devices/hybrid-azuread-join-managed-domains.md (-2)
@@ -54,8 +54,6 @@ This tutorial assumes that you are familiar with:
54
54
55
55
To configure the scenario in this article, you need:
56
56
57
-
- An on-premises Active Directory (AD) with a schema level of 85 or later. For more information, see [Upgrade your Active Directory Schema](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises#upgrade-your-active-directory-schema).
58
-
59
57
- The [latest version of Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594) (1.1.819.0 or higher) to be installed.
60
58
61
59
Verify that Azure AD Connect has synchronized the computer objects of the devices you want to be hybrid Azure AD joined to Azure AD. If the computer objects belong to specific organizational units (OU), then these OUs need to be configured for synchronization in Azure AD connect as well.
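Review bot: The hunk deletes the "on-premises Active Directory (AD) with a schema level of 85 or later" prerequisite and its link to the schema-upgrade doc without saying why; if managed domains genuinely do not need that schema extension, one sentence stating so would stop readers who have seen the requirement in other articles from assuming it was dropped by mistake. With that bullet gone, "The [latest version of Azure AD Connect] (1.1.819.0 or higher) to be installed" is now the only prerequisite and reads as a fragment; rephrase to "The latest version of Azure AD Connect (1.1.819.0 or higher) installed".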
articles/active-directory/devices/hybrid-azuread-join-plan.md (+2-1)
@@ -88,7 +88,7 @@ As a first planning step, you should review your environment and determine wheth
88
88
89
89
You can't use a hybrid Azure AD join if your environment consists of a single forest that synchronized identity data to more than one Azure AD tenant.
90
90
91
-
If you are relying on the System Preparation Tool (Sysprep), make sure you create images from an installation of Windows that has not been configured for hybrid Azure AD join.
91
+
If you are relying on the System Preparation Tool (Sysprep), make sure images created from an installation of Windows 10 1803 or earlier have not been configured for hybrid Azure AD join.
92
92
93
93
If you are relying on a Virtual Machine (VM) snapshot to create additional VMs, make sure you use a VM snapshot that has not been configured for hybrid Azure AD join.
94
94
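Review bot: The rewritten Sysprep sentence narrows the caveat to "Windows 10 1803 or earlier" but leaves readers to infer what happens on later builds; state explicitly whether an image from 1809 or later may already be configured for hybrid Azure AD join before generalization. The unchanged VM-snapshot sentence that follows still applies the restriction to every Windows version, so if the version qualifier is correct it should probably be applied to both sentences, or the difference between the two cases explained.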
@@ -112,6 +112,7 @@ If your Windows 10 domain joined devices are already [Azure AD registered](https
112
112
- Any existing Azure AD registered state would be automatically removed after the device is Hybrid Azure AD joined.
113
113
- You can prevent your domain joined device from being Azure AD registered by adding this registry key - HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001
114
114
115
+
FIPS-compliant TPMs aren't supported for Hybrid Azure AD join. If your devices have FIPS-compliant TPMs, you must disable them before proceeding with Hybrid Azure AD join.
115
116
116
117
## Review how to control the hybrid Azure AD join of your devices
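Review bot: "If your devices have FIPS-compliant TPMs, you must disable them" is ambiguous: "them" reads as the TPMs, whereas the faq.md change in this same commit says FIPS mode must be turned off for the TPM. Reword to "you must turn off FIPS mode on the TPM before proceeding with Hybrid Azure AD join" so the two articles give the same instruction.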
articles/active-directory/hybrid/how-to-connect-health-agent-install.md (+3-3)
@@ -114,7 +114,7 @@ In order for the Usage Analytics feature to gather and analyze data, the Azure A
114
114
1. Click **Start**, point to **Programs**, point to **Administrative Tools**, and then click **Local Security Policy**.
115
115
2. Navigate to the **Security Settings\Local Policies\User Rights Assignment** folder, and then double-click **Generate security audits**.
116
116
3. On the **Local Security Setting** tab, verify that the AD FS 2.0 service account is listed. If it is not present, click **Add User or Group** and add it to the list, and then click **OK**.
117
-
4. To enable auditing, open a Command Prompt with elevated privileges and run the following command: <code>auditpol.exe /set /subcategory:"0CCE9222-69AE-11D9-BED3-505054503030" /failure:enable /success:enable</code>
117
+
4. To enable auditing, open a Command Prompt with elevated privileges and run the following command: <code>auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable</code>
118
118
5. Close **Local Security Policy**.
119
119
<br /> -- **The following steps are only required for primary AD FS servers.** -- <br />
120
120
6. Open the **AD FS Management** snap-in. To open the AD FS Management snap-in, click **Start**, point to **Programs**, point to **Administrative Tools**, and then click **AD FS 2.0 Management**.
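Review bot: The change from `/subcategory:"0CCE9222-…"` to `/subcategory:{0CCE9222-…}` gives auditpol the braced GUID form it expects, but step 4 still offers readers no way to confirm the setting took effect; consider adding `auditpol.exe /get /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030}` after the set command so a mistyped GUID is caught immediately rather than showing up later as missing audit data. The trailing period is correctly outside the `<code>` element here.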
@@ -127,7 +127,7 @@ In order for the Usage Analytics feature to gather and analyze data, the Azure A
127
127
1. Open **Local Security Policy** by opening **Server Manager** on the Start screen, or Server Manager in the taskbar on the desktop, then click **Tools/Local Security Policy**.
128
128
2. Navigate to the **Security Settings\Local Policies\User Rights Assignment** folder, and then double-click **Generate security audits**.
129
129
3. On the **Local Security Setting** tab, verify that the AD FS service account is listed. If it is not present, click **Add User or Group** and add it to the list, and then click **OK**.
130
-
4. To enable auditing, open a command prompt with elevated privileges and run the following command: ```auditpol.exe /set /subcategory:"0CCE9222-69AE-11D9-BED3-505054503030" /failure:enable /success:enable```.
130
+
4. To enable auditing, open a command prompt with elevated privileges and run the following command: ```auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable```.
131
131
5. Close **Local Security Policy**.
132
132
<br /> -- **The following steps are only required for primary AD FS servers.** -- <br />
133
133
6. Open the **AD FS Management** snap-in (in Server Manager, click Tools, and then select AD FS Management).
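Review bot: Style point for step 4: this occurrence wraps the command in triple backticks while the other two occurrences of the same command in this file use `<code>`; pick one style for all three so the sections render alike. The period is correctly placed outside the code span here.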
@@ -139,7 +139,7 @@ In order for the Usage Analytics feature to gather and analyze data, the Azure A
139
139
1. Open **Local Security Policy** by opening **Server Manager** on the Start screen, or Server Manager in the taskbar on the desktop, then click **Tools/Local Security Policy**.
140
140
2. Navigate to the **Security Settings\Local Policies\User Rights Assignment** folder, and then double-click **Generate security audits**.
141
141
3. On the **Local Security Setting** tab, verify that the AD FS service account is listed. If it is not present, click **Add User or Group** and add the AD FS service account to the list, and then click **OK**.
142
-
4. To enable auditing, open a command prompt with elevated privileges and run the following command: <code>auditpol.exe /set /subcategory:"0CCE9222-69AE-11D9-BED3-505054503030" /failure:enable /success:enable.</code>
142
+
4. To enable auditing, open a command prompt with elevated privileges and run the following command: <code>auditpol.exe /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030} /failure:enable /success:enable.</code>
143
143
5. Close **Local Security Policy**.
144
144
<br /> -- **The following steps are only required for primary AD FS servers.** -- <br />
145
145
6. Open the **AD FS Management** snap-in (in Server Manager, click Tools, and then select AD FS Management).
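Review bot: In step 4 the trailing period sits inside the `<code>` element (`/success:enable.</code>`), so anyone copying the command gets a parameter value of `enable.`, which auditpol does not accept; move the period outside the element as the second occurrence in this file does. The brace fix itself matches the other two hunks.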