使用本地域的 Azure AD 图形 API [英] Azure AD graph API using on-premise domain
问题描述
我正在尝试访问 Azure AD 图形 API.我已成功将用户添加到我的测试环境 (ADFS) 并将他们的域更改为 {mytestdomain}.onmicrosoft.com.使用 Azure AD Connect 的密码同步有效.
现在我已经相应地设置了生产环境(包括ADFS),我现在正在同步用户,但显然无法将域更改为{mydomain}.onmicrosoft.com. 用户现在拥有 {mydomain}.net,我正在将用户同步到 Azure AD 中经过验证的域.
尝试访问时https://login.microsoftonline.com/{mydomain}.net/oauth2/token使用以下(是的,我知道不推荐使用 grant_type,但这不是重点)
grant_type: 密码用户名:{user}@{mydomain}.net密码:XXXX资源:https://graph.windows.netclient_id:{Guid}我明白了:
<块引用>AADSTS70002:验证凭据时出错.
AADSTS50126:用户名或密码无效
如果我使用像 admin@{mydomain}.onmicrosoft.com 这样的管理员,它可以正常工作.
在 Azure 门户中,我尝试将主域从 {mydomain}.onmicrosoft.com 更改为 {mydomain}.net,但这并没有什么不同.
管理门户上写着:
<块引用>要配置 {mydomain} 以联合登录到 Azure Active Directory,请在本地网络上运行 Azure AD Connect."
这在使用图形 API 时是否也适用?我必须在我的本地网络上设置联合还是有其他方法?
在 azure 门户中,我尝试将主域从
{mydomain}.onmicrosoft.com到{mydomain}.net,但它不会生成区别.
我不清楚您的同步步骤的详细信息.除了在 Azure AD 中验证您的自定义域外,您还需要一些其他配置,例如 Azure AD 登录配置.您可以在
您还可以在 this官方文档.
希望对你有帮助!
I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.
Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.
When trying to access
https://login.microsoftonline.com/{mydomain}.net/oauth2/token
using the following (yes, I know that grant_type is not recommended, but that's not the point)
grant_type: password
username: {user}@{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}
I get:
AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password
If I use an administrator like admin@{mydomain}.onmicrosoft.com it works fine.
In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.
It says in the management portal:
"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."
Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?
In the azure portal I have tried changing the primary domain from
{mydomain}.onmicrosoft.comto{mydomain}.net, but it does not make a difference.
I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.
Does that apply when using the graph api as well? Do I have to setup federation on my local network or is there another way around?
Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.
You can also see more details about Azure AD Connect user sign-in options in this official document.
Hope it helps!
这篇关于使用本地域的 Azure AD 图形 API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
