使用本地域的Azure AD图API [英] Azure AD graph API using on-premise domain

问题描述

我正在尝试访问 Azure AD 图形API。我已成功将用户添加到测试环境（ ADFS ），并将其域更改为 {mytestdomain} .onmicrosoft.com 。使用 Azure AD Connect 进行密码同步即可。

现在我已经相应地设置了生产环境（包括 ADFS ），现在我正在同步用户，但是显然无法将域更改为 {mydomain} .onmicrosoft.com。用户现在具有 {mydomain} .net 并且我正在将用户同步到 Azure AD 中的已验证域。

尝试访问
时 https://login.microsoftonline.com/ {mydomain} .net / oauth2 / token
使用以下命令（是的，我知道 grant_type ，但这不是重点）

  grant_type：密码
用户名：{user}@{mydomain}.net 
密码：XXXX 
资源：https://graph.windows.net 
 client_id：{Guid} 
  

我得到：

AADSTS70002：验证错误凭据。

AADSTS50126：无效的用户名或密码

如果我使用 admin @ {mydomain} .onmicrosoft.com 正常。

在Azure门户中，我尝试更改主域从 {mydomain} .onmicrosoft.com 到 {mydomain} .net ，但这没有什么不同。 / p>

在管理门户网站中显示：

为{mydomain}配置联盟登录到您的Azure Active Directory，在本地网络上运行Azure AD Connect。

使用图形时是否适用API也一样？我是否必须在本地网络上设置联盟，还是有其他解决方法？

解决方案

在我曾尝试过将Azure的主要域从
{mydomain} .onmicrosoft.com 更改为 {mydomain} .net ，但不会使
有所差异。

我不清楚您的同步详情脚步。除了在Azure AD中验证您的自定义域外，您还需要其他一些配置，例如 Azure AD登录配置。您可以在

您还可以在此正式文件。

希望它会有所帮助！

I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.

Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.

When trying to access https://login.microsoftonline.com/{mydomain}.net/oauth2/token using the following (yes, I know that grant_type is not recommended, but that's not the point)

grant_type: password
username: {user}@{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}

I get:

AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password

If I use an administrator like admin@{mydomain}.onmicrosoft.com it works fine.

In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.

It says in the management portal:

"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."

Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?

解决方案

In the azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.

I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.

Does that apply when using the graph api as well? Do I have to setup federation on my local network or is there another way around?

Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.

You can also see more details about Azure AD Connect user sign-in options in this official document.

Hope it helps!

这篇关于使用本地域的Azure AD图API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！