yvand / entracp

EntraCP (formerly AzureCP) is a claims provider that connects SharePoint to your Microsoft Entra ID tenant, in federated authentication

Home Page: https://entracp.yvand.net/

License: Apache License 2.0

Topics: people-picker, sharepoint, claims-provider, azure, azure-active-directory

entracp's Introduction

EntraCP for SharePoint Subscription / 2019 / 2016

Please visit entracp.yvand.net to download EntraCP and find documentation.


entracp's Issues

Multiple tenant and invitation APIs

Hello,

When working with multiple tenants, the invitation process and API can generate confusion.

If SharePoint is linked with one tenant:

  • multiple results on lookup: invited users and native users in their tenant.
  • inviting a user from another tenant does not work until the user is properly invited.
  • the previous question is also valid for inviting a group (role).

What would you think of the proposition to:

  • integrate the Azure AD invitation API (users and groups).
  • detect the correlation between guest accounts (shadow users from the primary tenant) and the primary account in another tenant (configured in AzureCP), so that only the primary account is shown.

Thanks for the useful tool!

Cédric

Users Suggestion not coming up

Hi,

After installing and integrating AzureCP with Azure AD, the users are not able to get authenticated, nor am I getting any suggestions, but I am able to do a successful login.
Below is the SPTrustedIdentityTokenIssuer output. Please suggest.

PS C:\Users\Admin> Get-SPTrustedIdentityTokenIssuer

ProviderUri : https://login.microsoftonline.com/e4f2b803-7c85-4de5-b1f1-ebc51c172212/wsfed
ProviderSignOutUri :
DefaultProviderRealm : urn:azureadtest.sercotest.com
ProviderRealms : {}
ClaimTypes : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname}
HasClaimTypeInformation : True
ClaimTypeInformation : {name, GivenName, SurName}
ClaimProviderName : AzureCP
UseWReplyParameter : False
UseWHomeRealmParameter : False
GroupClaimType :
RegisteredIssuerName :
IdentityClaimTypeInformation : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description : SharePoint secured by Azure AD
SigningCertificate : [Subject]
                       CN=Microsoft Azure Federated SSO Certificate
                     [Issuer]
                       CN=Microsoft Azure Federated SSO Certificate
                     [Serial Number]
                       78F11E8CBB478A8F4B03AA5C9647DBB8
                     [Not Before]
                       3/6/2018 1:55:38 PM
                     [Not After]
                       3/6/2021 1:55:37 PM
                     [Thumbprint]
                       **********************************
AdditionalSigningCertificates : {}
MetadataEndPoint :
IsAutomaticallyUpdated : False
Name : AzureADwithMS
TypeName : Microsoft.SharePoint.Administration.Claims.SPTrustedLoginProvider
DisplayName : AzureADwithMS
Id : **************
Status : Online
Parent : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
Version : 273014
Properties : {}
Farm : SPFarm Name=UAT2_Others_Config
UpgradedPersistedProperties : {}

Configuration for all account types

Hi, I am having trouble getting the solution to work with all types of users within Azure AD.

Currently we have AzureCP configured to map claims/upn to the property to query: mail.
This allows the following account types to log in/resolve:
- Guest users within a federated directory (B2B user with ADFS on their side)
- Guest users without a federated directory (B2B user without ADFS)
- AAD security group roles
This configuration however does not work with:
- Local accounts created with an onmicrosoft.com address, i.e. [email protected]

When configured as default (claims/upn mapped to query UPN):
Accounts that work:
- Local accounts created with an onmicrosoft.com address, i.e. [email protected]
- Guest users within a federated directory (B2B user with ADFS on their side)
Accounts that don't work:
- Guest users without a federated directory (B2B user without ADFS)

Can you confirm this is a limitation, or is there a configuration change that can be made to have all account types work?

Regards
Ben.

ACS Retirement

With Microsoft announcing the retirement of ACS for November 2018, have you looked at migration options to authenticate directly with Azure AD, bypassing ACS?

Can we migrate the questions and solutions raised in codeplex?

Hello All,
I have an issue related to the people picker search which is using Azure AD. I found related questions in the discussions section of the CodePlex version but I cannot see the answers there.
Clicking any link keeps you on the same page, and it says 'This project migrated to https://github.com/Yvand/AzureCP'.
I checked the issues in GitHub, but did not find the questions which were raised in the CodePlex version.
Can we migrate those questions here as well? Or where else can I get the answers in the GitHub version?

My Issue:
If I search for Azure AD users in the SharePoint people picker, it says 'no result found'. I can resolve on 'Ctrl+K'.

Thanks in advance.

Is the AzureCP also SP2019 ready?

I was able to install it and it seems to work, but not as expected. If I type joelhasler I get 3 results:

  1. from UserProfile Service: [email protected] --> should not be shown
  2. from AzureCP resolved as role --> which does not exist
  3. from AzureCP resolved as email --> correct

I expect that if I search for an identity, AzureCP resolves only option 3, and if I look for a role, only option 2. Or do I misunderstand something?

Thanks for helping
Cheers Joël

Azure AD authentication failing after changing claims provider to AzureCP

I followed all instructions and installed AzureCP and created App in Azure AD. After changing the claims provider name as follows:
$trust = Get-SPTrustedIdentityTokenIssuer "AzureAD New"
$trust.ClaimProviderName = "AzureCP"
$trust.Update()

When I try to authenticate to SharePoint I get the following error in the event log:
EventID 8306
An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs..
EventId 8307
An exception occurred in AzureCP claim provider when calling SPClaimProvider.FillUserKeyForEntity(): Object reference not set to an instance of an object..
and attached .NET error
azurecperror.txt

Hybrid Search does not support SAML based authentication

There is a limitation in Hybrid Search where any objects with SAML based permissions submitted to SharePoint Online Search index are security trimmed.

This causes these SharePoint objects to be unsearchable when authenticating with AzureAD.

Reference (Hybrid Search supports Windows Claims only): https://blogs.msdn.microsoft.com/spses/2016/07/19/sharepoint-2016-hybrid-search-stuff-you-should-know-about-cloud-ssa/

Please vote to make this a priority for the Microsoft product development team: https://sharepoint.uservoice.com/forums/282887-sharepoint-hybrid-or-migration-to-office365/suggestions/20037220-support-hybrid-search-on-premise-with-a-saml-authe

Members not recognized

Hi,
After installing AzureCP, when I try to put members in a SharePoint group, I get this message: "Sorry, you are not allowed to share this with external users."
But they are not external users.

After upgrading to the last version

STS Call Claims Windows: Problem getting output claims identity. Exception: 'System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileNotFoundException: Could not load file or assembly 'Nito.AsyncEx, Version=4.0.1.0, Culture=neutral, PublicKeyToken=65dc6b5903b51636' or one of its dependencies. The system cannot find the file specified. at azurecp.AzureCP..ctor(String displayName) --- End of inner exception stack trace --- at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor) at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) at System.RuntimeType.CreateInstanceImpl(B... 801a829e-75fe-f0e2-76ac-a29cd08d3d3c
...indingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark) at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes) at System.Activator.CreateInstance(Type type, Object[] args) at Microsoft.SharePoint.Administration.Claims.SPClaimProviderDefinition.CreateClaimProvider() at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.get_EnabledAndTrustedClaimProvidersByName() at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.d__2.MoveNext() at Microsoft.SharePoint.Administration.Claims.SPClaimProviderOperations.ClaimsForEntity(Uri context, SPClaimPr... 801a829e-75fe-f0e2-76ac-a29cd08d3d3c
...oviderOperationOptions mode, String[] providerNames, SPClaim entity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentClaimsIdentityWithClaimProviders(SPRequestInfo requestInfo, IClaimsIdentity identity, SPClaim identityClaim) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.AugmentOutputIdentityForRequest(SPRequestInfo requestInfo, IClaimsIdentity outputIdentity) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)'. 801a829e-75fe-f0e2-76ac-a29cd08d3d3c

Check Permissions in SharePoint for Azure AD groups

Thanks for the great way out. I have implemented this for SharePoint 2010 but am facing an issue regarding Check Permissions in SharePoint.

1: Is the Check Permissions functionality implemented in this AzureCP code for Azure AD groups?
Like which security group a user belongs to, keeping in mind that a security group can contain Azure AD groups to traverse users.

Unable to get access token for tenant

The installation is related to a test environment prior to implementing the AzureCP in the production environment.

While configuring AzureCP in accordance with the instructions, the following error pops up while testing the connection to the tenant (the name, AppID and App secret are correct).

The error message:
"Unable to get access token for tenant '**********.onmicrosoft.com': One or more errors occurred".

Using ULS real time, we seem to be getting the following:
[] Unexpected error occurred while getting access token for tenant '**********.onMicrosoft.com': System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required., Callstack:
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

There is no proxy that stands between the test platform and the internet.
Any ideas as to what this could be?
Any tips are greatly appreciated.

Regards
TK

AzureCP works in all web applications except central admin

I am using AzureCP v12.Beta, version committed May 14

AzureCP does not return results from Central Administration.

From the 'Add users to this group' dialog, I see "Sorry, we're having trouble reaching the server." From the Web Applications page -> User Policy -> Add Users -> 'Select People and Groups' dialog, I get the error "No results were found to match your search item. Please enter a new term or less specific term." This is true even when selecting 'Bypass Azure AD lookup' from the AzureCP configuration page.

These errors only exist in Central Administration, no other web application.

I see the following in ULS:

[Forced due to logging gap, cached @ 05/10/2018 11:05:04.64, Original Level: Verbose] TenantAppEtag record requested but there is no sitesubscription or tenantId for site {0} so we will use the WebApp Id for the cache.

[AzureCP] Unexpected error in FillSearch: System.ArgumentException: Exception of type 'System.ArgumentException' was thrown. Parameter name: encodedValue, Callstack:
at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.DecodeClaimFromFormsSuffix(String encodedValue)
at azurecp.RequestInformation..ctor(IAzureCPConfiguration currentConfiguration, RequestType currentRequestType, List`1 processedClaimTypeConfigList, String input, SPClaim incomingEntity, Uri context, AzureADObjectType[] directoryObjectTypes, String hierarchyNodeID, Int32 maxCount)
at azurecp.AzureCP.FillSearch(Uri context, String[] entityTypes, String searchPattern, String hierarchyNodeID, Int32 maxCount, SPProviderHierarchyTree searchTree)

Claims Search call failed. Error Message: Object reference not set to an instance of an object. Callstack: at Microsoft.SharePoint.WebControls.PeopleQueryControl.IssueClaimsQuery(String searchPattern, String providerID, String hierarchyNodeID, Int32 pageSize, SPProviderHierarchyTree spgroupTree).

The Active Directory spclaimprovider was disabled via the following:

$cpm = Get-SPClaimProviderManager
$ad = get-spclaimprovider -identity "AD"
$ad.IsVisible = $false
$cpm.Update()


AzureCP does not contact the Azure AD application

We have successfully installed AzureCP on a front end and deployed the DLL with PowerShell to a backend SP2016 server running on Azure servers (SAAS).
We get addresses from on-prem but nothing from AAD. We are using guest users and normal users in AAD.
Please help, appreciated!

AzureCP V12 not getting installed properly

Hi,
I have been using AzureCP for a long time and recently, when I tried installing the latest version V12 of AzureCP, I can't see it under Get-SPClaimProvider, thus I cannot associate it with my TrustedIdentityProvider. But on the same server, if I try to install the old version of AzureCP (version 2), it works perfectly fine.

Is there any dependency or anything which I need to install or to worry about?

Change User identifier property using PowerShell

Hi Yvand,

Is it possible to change the "User identifier for 'Guest' users" setting in the global configuration of AzureCP using PowerShell?


I am working on a PowerShell script to switch the User Identifier to Mail then add the user using the mail attribute to the site collection, once complete then switch the User Identifier back to UserPrincipalName.

I am able to switch the User Identifier to Mail by running the following PowerShell to reset the claims config:
Add-Type -AssemblyName "AzureCP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=65dc6b5903b51636"
$config = [azurecp.AzureCPConfig]::GetConfiguration("AzureCPConfig")
$config.ResetClaimTypesList()
$config.Update()

However I am unsure on how to change it back to UserPrincipalName using PowerShell.

This will assist me in allowing Guest users from other O365 tenancies into my SharePoint on-prem whilst still allowing Guest users with Windows Live accounts.

AzureCP and LdapCP in the same farm

Hello Yvand,

I have one web application using ADFS authentication, I have a Trusted Identity Provider for that. Everything works fine with LdapCP.
I have a second web application in the same SharePoint farm where I want to authenticate Azure AD users.
Is it possible to create a second Trusted Identity Provider and use AzureCP to retrieve Azure AD users in the people picker? Or can I configure LdapCP and AzureCP in the same Trusted Identity Provider?

Thanks in advance.

Azure AD users not recognized

I have installed AzureCP v13 on our on-prem SharePoint 2016 farm. This installation seemed faultless; however, when trying to add users to a site, the on-prem AD account is showing, and the Azure AD account is not showing in the people picker. In other words, I cannot select the correct Azure AD account (see attached screenshot).

Getting PS error when running the following.

PS C:\Windows\system32> $trust = Get-SPTrustedIdentityTokenIssuer "AzureAD"
$trust.ClaimProviderName = "AzureCP"
$trust.Update()
Exception setting "ClaimProviderName": "Claim provider with name AzureCP does not exist."
At line:2 char:1
+ $trust.ClaimProviderName = "AzureCP"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], SetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenSetting
PS C:\Users\rdanne1> Get-SPClaimProvider "AzureCP"


DisplayName                 : AzureCP
Description                 : AzureCP
IsEnabled                   : True
IsUsedByDefault             : True
IsVisible                   : True
AssemblyName                : AzureCP, Version=1.0.0.0, Culture=neutral,
                              PublicKeyToken=65dc6b5903b51636
TypeName                    : azurecp.AzureCP
ClaimProvider               : azurecp.AzureCP
ClaimProviderType           : azurecp.AzureCP
IsValid                     : True
UpgradedPersistedProperties : {}

Azure AD authentication failing after installing AzureCP

Hi Yvan,

I am seeing the following behaviour after installing AzureCP. User accounts created in Azure AD appear as username_FQDN#EXT#@AzureDomain.onmicrosoft.com for a user with username@FQDN. This name appears in the picker in SharePoint 2013 and can be used for alerts, etc. (email and other property values are accessible); however, if you try to log in with the email address and password, it fails. If I select 'Bypass Azure AD lookup', I can use the email address as a value in the picker and can log in using the credentials, but the property values are not mapped, so alerts and emails do not work. Have you seen this behaviour before?

Thanks.

Unable to test tenant connection

I am using AzureCP v12.Beta, version committed May 14 (but this issue was noticed while using the may 4th commit).

Clicking test connection on the AzureCPSettings.aspx refreshes the page without any indication of a successful or failed test. This behavior is repeatable on IE 11 and the latest version Google Chrome.

Developer samples available?

Hi Yvan,

I'd like to extend AzureCP and do it your approved way. I see that you have a developer samples download for LDAPCP, but can't find the same for AzureCP. I've looked over the developer sample for LDAPCP and LDAPCP itself, but am not sure if I can just follow that same pattern with AzureCP or not.

My specific project is to have multiple SP web applications in my farm, each with a tenant-specific AzureCP-based custom claims provider. AzureCP OOB works perfectly for the first tenant\first web application. Now I need the same functionality on the 2nd web application for the 2nd tenant, and so forth. It seems like the way to do this is create a farm solution for each web application, that inherits the base AzureCP class and uses a unique claim provider name and modifies the configuration for the specific tenant.

Am I headed in the right direction? Would you be able to publish a downloadable developer sample for how to extend this way?

Thanks,

Jeff

Custom domains allowed?

@Yvand, are custom domains allowed to use this solution? I am able to add accounts as guest such as @gmail.com, @yahoo.com, @live.com, however custom domains such as @customname.biz or @customname.com are not working. They get (Sorry, this site hasn't been shared with you) and I have put them in both as individual users to the SharePoint site and in Groups.

I am actually working with Microsoft Premier team and I want to ensure this is something that does not have to do with the CP Azure Web part? From the ULS logs I am seeing the following:

[AzureCP] Starting augmentation for user 'username_gmail.com#ext#@tenantname.onmicrosoft.com'. 8fbba99e-4d7f-b005-52f1-ebe6d6efeae7

AND

[AzureCP] Starting augmentation for user '[email protected]'. c8baa99e-1ded-b005-52f1-e68cd77ed592

Do you know why this might be happening? The [email protected] user cannot access the SharePoint site, but they do appear to be getting through Microsoft Azure authentication; again it states (Sorry, this site hasn't been shared with you).
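The guest-account format quoted in the log lines above (and in the earlier reports about guest users and the mail/UPN identifier) is the crux of these access failures: a B2B guest's userPrincipalName is alias_domain.com#EXT#@tenant.onmicrosoft.com, while the person signs in with alias@domain.com, so a permission granted on the UPN form never matches. The following is an added example, not AzureCP's or the project's code; it recognises the #EXT# pattern, reconstructs the external address, and, when a Connect-AzureAD session is available, reads the authoritative mail attribute with Get-AzureADUser. The sample identifiers are constructed.

```powershell
# Added example (not part of AzureCP). Recognise B2B guest UPNs of the form
# '<alias>_<domain>#EXT#@<home tenant>' and recover the address the person actually
# signs in with, so that a permission can be checked against the right identifier.
function Resolve-GuestIdentity {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identifier,

        # When set, the mail attribute is read from the directory (requires an
        # existing Connect-AzureAD session); otherwise the '_' -> '@' heuristic is used.
        [switch]$QueryDirectory
    )

    # Domains cannot contain '_', so the last underscore before #EXT# separates
    # alias from domain. PowerShell's -match is case-insensitive ('#ext#' also matches).
    $guestPattern = '^(?<alias>.+)_(?<domain>[^_@]+)#EXT#@(?<tenant>[^@]+)$'

    if ($Identifier -notmatch $guestPattern) {
        # A member account: the UPN is already the sign-in name.
        return [pscustomobject]@{
            Input        = $Identifier
            IsGuest      = $false
            ExternalMail = $null
            HomeTenant   = $null
            Source       = 'member-upn'
        }
    }

    $mail   = "$($Matches.alias)@$($Matches.domain)"
    $tenant = $Matches.tenant
    $source = 'heuristic'

    if ($QueryDirectory) {
        # Single quotes inside an OData filter are escaped by doubling them.
        $escaped = $Identifier.Replace("'", "''")
        $user = Get-AzureADUser -Filter "userPrincipalName eq '$escaped'"
        if ($user -and $user.Mail) {
            # The directory's mail attribute wins over the reconstructed value.
            $mail   = $user.Mail
            $source = 'directory-mail'
        }
    }

    [pscustomobject]@{
        Input        = $Identifier
        IsGuest      = $true
        ExternalMail = $mail
        HomeTenant   = $tenant
        Source       = $source
    }
}

# Constructed sample values, modelled on the log lines quoted in the issue above.
$samples = @(
    'username_gmail.com#ext#@tenantname.onmicrosoft.com',
    'jane.doe_customname.biz#EXT#@tenantname.onmicrosoft.com',
    'john_smith_contoso.com#EXT#@tenantname.onmicrosoft.com',
    'admin@tenantname.onmicrosoft.com'
)

$samples | ForEach-Object { Resolve-GuestIdentity -Identifier $_ } | Format-Table -AutoSize
```

Run with -QueryDirectory after Connect-AzureAD to replace the heuristic result with the account's real mail attribute; the offline run above is enough to see which picker values are guest UPNs.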

Group membership doesn't calculate for Office groups (Unified groups/O365 Groups)

Running v13 on SharePoint 2016.

Added an Office 365 Group (Unified Group) to any ACL (item, list, site, web app policy), and no one who is a member of that group can access the resource. Security groups work fine, but figured that since SPO can handle O365 Groups, then maybe on-prem can, as well.

After enabling verbose logging, I discovered that AzureCP only augments a claim with groups that are security-enabled. Fortunately, I had enough permissions on my Azure tenant to do this:

$group = Get-AzureADMSGroup -SearchString 'name of group'
Set-AzureADMSGroup -Id $group.Id -SecurityEnabled:$true

Once I security-enabled the group, AzureCP started picking up that group in claims augmentation.

Not sure how this should be handled moving forward: allow filtering of non-security-enabled groups? Flag non-security-enabled groups with a prefix/suffix? Just a documentation update?
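Since, as found above, AzureCP augments a user's claims only with security-enabled groups, a farm administrator would want to audit the Azure AD groups that were granted SharePoint permissions before users report "access denied". The following is an added example, not AzureCP's or the project's code; it uses the same AzureAD module cmdlets as the post above (Get-AzureADMSGroup / Set-AzureADMSGroup) and assumes an existing Connect-AzureAD session. The group names are constructed sample input.

```powershell
# Added example (not part of AzureCP). For each group name granted permissions in
# SharePoint, look it up in the tenant and report whether AzureCP can augment
# users with it, i.e. whether the group is security-enabled.
function Test-GroupAugmentable {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$GroupDisplayName
    )

    foreach ($name in $GroupDisplayName) {
        # Single quotes inside an OData filter are escaped by doubling them.
        $escaped = $name.Replace("'", "''")
        $groups  = @(Get-AzureADMSGroup -Filter "displayName eq '$escaped'")

        if ($groups.Count -eq 0) {
            [pscustomobject]@{
                DisplayName     = $name
                Id              = $null
                GroupType       = 'NotFound'
                SecurityEnabled = $null
                Augmentable     = $false
                Remediation     = 'Group not found in the tenant; check the name.'
            }
            continue
        }

        foreach ($g in $groups) {
            $isUnified = $g.GroupTypes -contains 'Unified'
            $type = if ($isUnified)       { 'Office 365 (Unified)' }
                    elseif ($g.MailEnabled) { 'Distribution (mail-enabled)' }
                    else                    { 'Security' }

            # Only the Office 365 group case has the in-place fix shown in the issue;
            # a distribution list is managed in Exchange and should be replaced by a
            # security group in the ACL instead.
            $fix = if ($g.SecurityEnabled) { '' }
                   elseif ($isUnified)     { "Set-AzureADMSGroup -Id $($g.Id) -SecurityEnabled:`$true" }
                   else                    { 'Grant the permission to a security group instead.' }

            [pscustomobject]@{
                DisplayName     = $g.DisplayName
                Id              = $g.Id
                GroupType       = $type
                SecurityEnabled = [bool]$g.SecurityEnabled
                Augmentable     = [bool]$g.SecurityEnabled
                Remediation     = $fix
            }
        }
    }
}

# Constructed sample input: display names of groups that were added to SharePoint ACLs.
$groupsInAcl = @('Finance Team', 'Project Contoso', 'SP Site Owners')

Test-GroupAugmentable -GroupDisplayName $groupsInAcl |
    Format-Table DisplayName, GroupType, SecurityEnabled, Augmentable, Remediation -AutoSize
```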

Azurecp.wsp does not deploy

When following the install instructions, I received an error "Claim provider with the name AzureCP does not exist." When I followed a previous issue that was logged, I confirmed that wsp is not deployed. I tried removing and redeploying with no success and have tried deploying through Central Administration and the manual deployment of the DLL suggested for servers not running SharePoint Foundation; none of which have been successful. Central Administration shows Deploying, then not deployed when the job completes. The Event Viewer and ULS logs record nothing for the deployment. Any guidance would be greatly appreciated. I am attempting to deploy version 11.

Issue in powershell with $config when configuring AzureCP

I am having an issue in PowerShell when trying to configure AzureCP. I have it installed and deployed in this single-server farm and have verified the DLL is in the GAC. The server has been rebooted after install.

When I issue the PowerShell command:
$config = [azurecp.AzureCPConfig]::GetConfiguration("AzureCPConfig")

Nothing is being returned as when I type in $config or $config.ClaimTypes, nothing is shown.

Any ideas on what I am doing wrong?

Question: FedAuth cookie update / Access token renewal

By default Azure AD generates access tokens with a 1 hour lifetime.
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#configurable-token-lifetime-properties

This means that the FedAuth cookie will be valid only for 1h.
(If you do not have Azure AD Premium for Conditional Access.)

Technically, SharePoint replies 401 on the first call after access token expiration.

In the same document, the Refresh Token Max Inactive Time is 90 days. If I understand it correctly, this means that a new access token can be acquired using the old one during this time frame.

The question

Is it possible to silently request token renewal from Azure AD (when token is close to expire, inside LogonTokenCacheExpirationWindow) and set new FedAuth cookie header in the response to make user's life happier?

Issue on AzureCPSettings.aspx page

I am using AzureCP v12.Beta, version committed May 14

When navigating to the page, I see the generic error:

Object reference not set to an instance of an object.

In the logs, the following is captured.

Application error when access /_admin/azurecp/AzureCPSettings.aspx, Error=Object reference not set to an instance of an object.
at azurecp.ControlTemplates.AzureCPGlobalSettings.PopulateFields()
at azurecp.ControlTemplates.AzureCPGlobalSettings.Initialize()
at azurecp.ControlTemplates.AzureCPGlobalSettings.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

I added the tenant as the GUID identifier initially, before the update to the May 14th commit. Once no results were returned from the claim picker, I added tenant.onmicrosoft.com as well as tenant.microsoftonline.com. Once the other two tenant identifiers were added, the configuration page threw the error shown above. The configuration change seems to have applied. Is there a way to clean this out and try again?

Sorry for the lack of helpful information. =/

Feature request to help support Multi-Tenant scenarios

We have started using this to support multitenant deployments where each tenant has its own Azure AD tenant for showing people to pick from. At the moment we are making custom packages inheriting from the base AzureCP and overriding the CheckIfShouldProcessInput method to add a hardcoded filter against the context parameter. This works great to limit the people picker's output based on the tenant URL to just their Azure AD, but for every new tenant we bring on board, we need to create a new custom AzureCP with a hardcoded URL to filter by. What I would like to ask for in an upcoming version is an additional data string field on IAzureCPConfiguration, so that we could actually pass in additional data from the settings UI; we could then put in some JSON or simply the specific tenant's URL in this case, and use that in custom implementations instead of hardcoding. I realize I would still need to make custom packages for each tenant, but I could then make AzureCPCustom01 - 50, deploy them all at once in a new farm, and then our Ops guys just need to go in and configure each one, adding an extra bit of information (the URL) as they bring new tenants online over time, reducing our need to wait for outage windows (since deploying the hardcoded tenant version restarts the farm).

SPTrustedIdentityTokenIssuer

I'm afraid I'm not understanding where this is coming from? Do I first need to create this? What is the procedure for getting this on prem? Thanks

Azure AD Graph API Query

Can you please give me a way to implement this for SharePoint 2010?
I am thinking of implementing it using direct Graph REST API calls; is it possible?

Question: Authenticating against multiple Azure AD directories

I have installed and tested AzureCP to authenticate a single SP web app against a single Azure AD.
The questions are:

  1. How to install and configure AzureCP to authenticate a SP web app against multiple Azure AD directories. For example, I may have users from two or more partner companies logging in to my SP web app.

  2. How to install and configure AzureCP to authenticate multiple SP web apps, each against a different set of Azure AD directories. For example, I can share WebApp-A with AzureAD-1 and AzureAD-2, and then share WebApp-B with AzureAD-3 and AzureAD-4, where both web apps are in the same farm.

Thanks,

README Get-SPTrustedIdentityTokenIssuer

What are the steps to create a new SPTrustedIdentityTokenIssuer. The directions require that you update an existing token issuer, however, if you are going from scratch, you won't have an existing token issuer created.

I am unsure about claim mappings, SignInUrl, Realm, IdentifierClaim, MetadataEndPoint, ImportTrustCertificate settings that are required when I generate the TrustedIdentityTokenIssuer.

Powershell script for configuring Azure CP

Hi Yvand,

I have been using this lovely solution "AzureCP" for a long time for authentication via ACS. After installing the wsp, I created an application in Azure AD to get the Client ID, Client Secret etc., and then created a SPTrustedIdentityTokenIssuer using PowerShell. In this new world of Azure AD authentication, I am slightly confused as to what to use and what not.

Do you have any such documentation guiding step by step?

For example:
Create an Enterprise Application in Azure AD
Create an Azure AD application
Create a custom identity provider

But how to link it is my problem at the moment??

Duplicate users with same email with different display name

I have configured AzureCP with SharePoint 2013 following the reference below. But when users are added to a SharePoint user group, it gives me an error saying "user does not exist or not unique".
Further, I can see that a user with the same email address is resolved with only their surname.
(shows only surname above)
This user has the same email but a different display name.

Note: this exception only for some of the users on AD and some are working as expected.
Appreciate help.

ClaimProviderName

Hi Yvand,
I'm trying to install AzureCP, and when I type this command:
$trust = Get-SPTrustedIdentityTokenIssuer "NAME"
$trust.ClaimProviderName = "AzureCP"
I get the error:
Exception setting "ClaimProviderName": "Claim provider with name AzureCP does not exist."

Any idea Please :( ??

An operation failed because the following certificate has validation errors: Subject Name: CN=graph.microsoft.com

Hello

We installed AzureCP and we're very happy :) Now we have a problem at one of our customers.
We use AzureCP; after installation it works fine. Now, after some weeks, one of our SharePoint tools stopped working.

In the ULS log and in the event log I found these errors:

An operation failed because the following certificate has validation errors: Subject Name: CN=graph.microsoft.com Issuer Name: CN=Microsoft IT TLS CA 2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US Thumbprint: 745AD3968D1CB3FB2B82950FA8855C16A4B30867 Errors: NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. .
[AzureCP] Unexpected error(s) occurred while querying Azure AD tenant 'asdasdasd.onMicrosoft.com': [EXCEPTION 1]: System.Net.Http.HttpRequestException: An error occurred while sending the request.. Callstack:
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)

I already reset the configuration of AzureCP and set up a new Azure AD application, but no luck.
Any idea?

Proxy Settings netsh winhttp show proxy

For the PowerShell command > netsh winhttp show proxy I get "Current WinHTTP proxy Settings: Direct access (no proxy server)."

With those results what instructions am I to follow? https://yvand.github.io/AzureCP/Configure-AzureCP.html

<system.net>
    <defaultProxy>
        <proxy proxyaddress="http://proxy.contoso.com:3128" bypassonlocal="true" />
    </defaultProxy>
</system.net>

Thank you in advance. Also a small typo on the page: "•SharePoine central administration site" should be "•SharePoint central administration site".

Error when adding a tenant

When I click "test tenant connection", I get the following error:

Unable to connect to Azure tenantIt may be expected if w3wp process of central admin has intentionally no access to Azure.One or more errors occurred.Error detail: Insufficient privileges to complete the operation.

When I look at the error logs, I can see this error:
[AzureCP] Unexpected error while testing connectivity: System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request., Callstack:
at System.Data.Services.Client.QueryResult.EndExecuteQuery[TElement](Object source, String method, IAsyncResult asyncResult)
at System.Data.Services.Client.DataServiceRequest.EndExecute[TElement](Object source, DataServiceContext context, String method, IAsyncResult asyncResult)
at System.Data.Services.Client.DataServiceQuery1.EndExecute(IAsyncResult asyncResult) at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<>c__DisplayClass4c2.b__4a(IAsyncResult r)
at System.Threading.Tasks.TaskFactory1.FromAsyncCoreLogic(IAsyncResult iar, Func2 endFunction, Action1 endAction, Task1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at Microsoft.Azure.ActiveDirectory.GraphClient.Extensions.DataServiceContextWrapper.<ExecuteAsync>d__4e2.MoveNext()

What could be my issue?

Unable to connect to Azure tenant It may be expected if w3wp process of central admin has intentionally no access to Azure. One or more errors occurred. Error detail: Insufficient privileges to complete the operation.

I know this has been an issue before. However, I have two environments, both running on Windows Server 2012.

I am using a different tenant for each environment, and I have checked, double checked and triple checked the settings and I keep getting the nasty:

  1. Environment 1 works perfectly.
  2. Environment 2 throws the following error, and I will state that all the Azure settings match up with Environment 1:

Unable to connect to Azure tenantIt may be expected if w3wp process of central admin has intentionally no access to Azure.One or more errors occurred.Error detail: Insufficient privileges to complete the operation. | Unable to connect to Azure tenantIt may be expected if w3wp process of central admin has intentionally no access to Azure.One or more errors occurred.Error detail: Insufficient privileges to complete the operation.

Any other suggestions? This is the last piece to close out my Proof of Concept (POC) for a company I am contracting for. Thank you for all you have done, Yvand.

Show only members of Group

Is there any way to limit the people picker to show only members of a particular Azure AD group?

We have a scenario where a SharePoint farm is deployed for a subset of users within an Active Directory forest. Users are granted access by membership of an Azure AD group, and we'd like to restrict the people picker to show only members of that group.

Filter out Member users on this tenant

Hi Yvand,

I have multiple authentication providers set up in SharePoint 2016: on-prem Active Directory for our internal users and Azure AD for Guest users.

I have Azure AD Connect synchronising all On-prem Active Directory accounts to our Office 365 Tenancy and noticed you have a setting in AzureCP to "Filter out Guest users on this tenant".

Would it be possible to put in a feature request to "Filter out Member users on this tenant", as we only really require AzureCP to look up Guest users in our tenancy?
