Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory | Define Conditional Rules For Provisioning User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md | Scoping filters are configured as part of the attribute mappings for each Micros ::: zone pivot="app-provisioning" -5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Microsoft Entra Users to ServiceNow". +5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Microsoft Entra users to ServiceNow". ::: zone-end ::: zone pivot="cross-tenant-synchronization" -5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Provision Microsoft Entra Users". +5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Provision Microsoft Entra users". ::: zone-end |
active-directory | Inbound Provisioning Api Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-issues.md | There's a user provisioning failure. The provisioning logs displays the error co 3. Copy and paste this expression into the expression box: ```Join("", Replace([userName], , "(?<Suffix>@(.)*)", "Suffix", "", , ), RandomString(3, 3, 0, 0, 0, ), "@", DefaultDomain())``` -This expression fixes the issue by appending a random number to the UPN value accepted by Azure AD. +This expression fixes the issue by appending a random number to the UPN value accepted by Microsoft Entra ID. ### User creation failed - Invalid domain |
active-directory | Inbound Provisioning Api Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-powershell.md | PS > CSV2SCIM.ps1 -Path <path-to-csv-file> > [!NOTE] > The `AttributeMapping` and `ValidateAttributeMapping` command-line parameters refer to the mapping of CSV column attributes to the standard SCIM schema elements. -It doesn't refer to the attribute mappings that you perform in the Microsoft Entra admin center provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes. +It doesn't refer to the attribute mappings that you perform in the Microsoft Entra admin center provisioning app between source SCIM schema elements and target Microsoft Entra / on-premises Active Directory attributes. | Parameter | Description | Processing remarks | |-|-|--| |
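Review bot: the product name in the `+` line is inconsistent with the rest of this change set; it renders the target directory as "Microsoft Entra / on-premises Active Directory", while the same rename in the SAP SuccessFactors integration reference row uses "Microsoft Entra ID / on-premises Active Directory". Suggest "target Microsoft Entra ID / on-premises Active Directory attributes" so the directory product is named the same way everywhere.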
active-directory | Insufficient Access Rights Error Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/insufficient-access-rights-error-troubleshooting.md | Expression $dsaclsCMD | Out-Null ``` If the Cx needs more help on troubleshooting on-premises AD permissions, engage Windows Server Support team.-This article on [AdminSDHolder issues with Azure AD Connect](https://c7solutions.com/2017/03/administrators-aadconnect-and-adminsdholder-issues) has more examples on DSACLS usage. +This article on [AdminSDHolder issues with Microsoft Entra Connect](https://c7solutions.com/2017/03/administrators-aadconnect-and-adminsdholder-issues) has more examples on DSACLS usage. **Option 3: Assign full control to provAgentgMSA account** |
active-directory | On Premises Application Provisioning Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md | You can also check whether all the required ports are open. - Microsoft Entra Connect Provisioning Agent Package ## Provisioning agent history-This article lists the versions and features of Microsoft Entra Connect Provisioning Agent that have been released. The Microsoft Entra ID team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-premises provisioning and Cloud Sync / HR-driven provisioning. +This article lists the versions and features of Microsoft Entra Connect Provisioning Agent that have been released. The Microsoft Entra team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-premises provisioning and Cloud Sync / HR-driven provisioning. Microsoft provides direct support for the latest agent version and one version before. |
active-directory | Partner Driven Integrations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/partner-driven-integrations.md | If your line-of-business application supports the [SCIM](https://aka.ms/scimover Many new applications use Microsoft Graph to retrieve users, groups and other resources from Microsoft Entra ID. You can learn more about what scenarios to use [SCIM and Graph](scim-graph-scenarios.md) in. **Option 4 - Use partner-driven connectors:**-In cases where an application doesn't support SCIM, partners have built [custom ECMA connectors](on-premises-custom-connector.md) and SCIM gateways to integrate Microsoft Entra ID with numerous applications. **This document serves as a place for partners to attest to integrations that are compatible with Azure Active Directory, and for customers to discover these partner-driven integrations.** Custom ECMA connectors and SCIM gateways are built, maintained, and owned by the third-party vendor. +In cases where an application doesn't support SCIM, partners have built [custom ECMA connectors](on-premises-custom-connector.md) and SCIM gateways to integrate Microsoft Entra ID with numerous applications. **This document serves as a place for partners to attest to integrations that are compatible with Microsoft Entra ID, and for customers to discover these partner-driven integrations.** Custom ECMA connectors and SCIM gateways are built, maintained, and owned by the third-party vendor. [![Diagram showing gateways between the Microsoft Entra SCIM client and target applications.](media/partner-driven-integrations/partner-driven-connectors-1.png)](media/partner-driven-integrations/partner-driven-connectors-1.png#lightbox) |
active-directory | Plan Auto User Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-auto-user-provisioning.md | Refer to the following links to troubleshoot any issues that may turn up during * [Writing expressions for attribute mappings](../app-provisioning/functions-for-customizing-application-data.md) -* [Azure AD synchronization API overview](/graph/api/resources/synchronization-overview) +* [Microsoft Entra synchronization API overview](/graph/api/resources/synchronization-overview) * [Skip deletion of user accounts that go out of scope](skip-out-of-scope-deletions.md) |
active-directory | Plan Cloud Hr Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md | To troubleshoot any issues that might turn up during provisioning, see the follo ### Next steps - [Writing expressions for attribute mappings](functions-for-customizing-application-data.md)-- [Azure AD synchronization API overview](/graph/api/resources/synchronization-overview)+- [Microsoft Entra synchronization API overview](/graph/api/resources/synchronization-overview) - [Skip deletion of user accounts that go out of scope](skip-out-of-scope-deletions.md) - [Microsoft Entra Connect Provisioning Agent: Version release history](provisioning-agent-release-version-history.md) |
active-directory | Sap Successfactors Integration Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md | Based on the attribute-mapping, during full sync Microsoft Entra provisioning se > [!NOTE] > During the full initial sync, both active and terminated workers from SAP SuccessFactors are fetched. -For each SuccessFactors user, the provisioning service looks for an account in the target (Azure AD/on-premises Active Directory) using the matching attribute defined in the mapping. For example: if *personIdExternal* maps to *employeeId* and is set as the matching attribute, then the provisioning service uses the *personIdExternal* value to search for the user with *employeeId* filter. If a user match is found, then it updates the target attributes. If no match is found, then it creates a new entry in the target. +For each SuccessFactors user, the provisioning service looks for an account in the target (Microsoft Entra ID / on-premises Active Directory) using the matching attribute defined in the mapping. For example: if *personIdExternal* maps to *employeeId* and is set as the matching attribute, then the provisioning service uses the *personIdExternal* value to search for the user with *employeeId* filter. If a user match is found, then it updates the target attributes. If no match is found, then it creates a new entry in the target. To validate the data returned by your OData API endpoint for a specific `personIdExternal`, update the `SuccessFactorsAPIEndpoint` in the API query with your API data center server URL and use a tool like [Postman](https://www.postman.com/downloads/) to invoke the query. If the "in" filter doesn't work, you can try the "eq" filter. |
active-directory | Use Scim To Provision Users And Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md | To automate provisioning to an application, it requires building and integrating 1. [Optional] [Publish your application to the Microsoft Entra application gallery](#publish-your-application-to-the-azure-ad-application-gallery) - Make it easy for customers to discover your application and easily configure provisioning. -![Diagram that shows the required steps for integrating a SCIM endpoint with Azure AD.](media/use-scim-to-provision-users-and-groups/process.png) +![Diagram that shows the required steps for integrating a SCIM endpoint with Microsoft Entra ID.](media/use-scim-to-provision-users-and-groups/process.png) ## Design your user and group schema |
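Review bot: the unchanged context line still links to `#publish-your-application-to-the-azure-ad-application-gallery` while its link text reads "Publish your application to the Microsoft Entra application gallery"; if the target heading was renamed in the same pass, the auto-generated anchor no longer matches and the in-page link breaks. Either keep the heading text that produces the `azure-ad` slug or update the fragment to the new slug, and check the rendered page.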
active-directory | Workday Integration Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-integration-reference.md | Microsoft Entra provisioning service processes each page and iterates through th For each worker entry imported from Workday: * The [XPATH expression](workday-attribute-reference.md) is applied to retrieve attribute values from Workday. * The attribute mapping and matching rules are applied and -* The service determines what operation to perform in the target (Azure AD/AD). +* The service determines what operation to perform in the target (Microsoft Entra ID / Active Directory). Once the processing is complete, it saves the timestamp associated with the start of full sync as a watermark. This watermark serves as the starting point for the incremental sync cycle. |
active-directory | Application Proxy Connector Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connector-groups.md | There are two different approaches you can take with a disaster recovery (DR) si ### Serve multiple companies from a single tenant -There are many different ways to implement a model in which a single service provider deploys and maintains Microsoft Entra ID related services for multiple companies. Connector groups help the admin segregate the connectors and applications into different groups. One way, which is suitable for small companies, is to have a single Microsoft Entra tenant while the different companies have their own domain name and networks. This is also true for M&A scenarios and situations where a single IT division serves several companies for regulatory or business reasons. +There are many different ways to implement a model in which a single service provider deploys and maintains Microsoft Entra related services for multiple companies. Connector groups help the admin segregate the connectors and applications into different groups. One way, which is suitable for small companies, is to have a single Microsoft Entra tenant while the different companies have their own domain name and networks. This is also true for M&A scenarios and situations where a single IT division serves several companies for regulatory or business reasons. ## Sample configurations |
active-directory | Application Proxy Page Links Broken Problem | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-links-broken-problem.md | There are three ways to resolve this issue. The choices below are in listed in i If you change the internal URL but donΓÇÖt want to change the landing page for users, change the Home page URL to the previously published internal URL. This can be done by navigating to **Microsoft Entra ID** > **App Registrations** and selecting the application **Branding**. In the branding section, you see the field **Home Page URL**, which you can adjust to be the desired landing page. If you are still using the legacy App registrations experience the properties tab would show the **Home Page URL** details. > [!IMPORTANT]- > In order to make the above changes you require rights to modify application objects in Azure AD.The user needs to be assigned [Application Administrator](../roles/delegate-app-roles.md#assign-built-in-application-admin-roles) role which grants application modification rights in Microsoft Entra ID to the user. + > In order to make the above changes you require rights to modify application objects in Microsoft Entra ID. The user needs to be assigned [Application Administrator](../roles/delegate-app-roles.md#assign-built-in-application-admin-roles) role which grants application modification rights in Microsoft Entra ID to the user. 2. If your applications use fully qualified domain names (FQDNs), use [custom domains](application-proxy-configure-custom-domain.md) to publish your applications. This feature allows the same URL to be used both internally and externally. |
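Review bot: the missing space after "Azure AD." is fixed, but the context line just above still contains "donΓÇÖt", a mis-encoded apostrophe (UTF-8 bytes read as a single-byte code page); worth normalising to a plain apostrophe in the same commit so the paragraph renders cleanly.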
active-directory | Application Proxy Powershell Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-powershell-samples.md | -The following table includes links to PowerShell script examples for Microsoft Entra application proxy. These samples require either the [Microsoft Entra V2 PowerShell for Graph module](/powershell/azure/active-directory/install-adv2) or the [Microsoft Entra V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true), unless otherwise noted. +The following table includes links to PowerShell script examples for Microsoft Entra application proxy. These samples require either the [Azure Active Directory PowerShell 2.0 for Graph module](/powershell/azure/active-directory/install-adv2) or the [Azure Active Directory PowerShell 2.0 for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true), unless otherwise noted. For more information about the cmdlets used in these samples, see [Application Proxy Application Management](/powershell/module/azuread/#application_proxy_application_management) and [Application Proxy Connector Management](/powershell/module/azuread/#application_proxy_connector_management). For more information about the cmdlets used in these samples, see [Application P | [List basic information for all Application Proxy apps](scripts/powershell-get-all-app-proxy-apps-basic.md) | Lists basic information (AppId, DisplayName, ObjId) about all the Application Proxy apps in your directory. | | [List extended information for all Application Proxy apps](scripts/powershell-get-all-app-proxy-apps-extended.md) | Lists extended information (AppId, DisplayName, ExternalUrl, InternalUrl, ExternalAuthenticationType) about all the Application Proxy apps in your directory. 
| | [List all Application Proxy apps by connector group](scripts/powershell-get-all-app-proxy-apps-by-connector-group.md) | Lists information about all the Application Proxy apps in your directory and which connector groups the apps are assigned to. |-| [Get all Application Proxy apps with a token lifetime policy](scripts/powershell-get-all-app-proxy-apps-with-policy.md) | Lists all Application Proxy apps in your directory with a token lifetime policy and its details. This sample requires the [Microsoft Entra V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true). | +| [Get all Application Proxy apps with a token lifetime policy](scripts/powershell-get-all-app-proxy-apps-with-policy.md) | Lists all Application Proxy apps in your directory with a token lifetime policy and its details. This sample requires the [Azure Active Directory PowerShell 2.0 for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true). | |**Connector groups**|| | [Get all connector groups and connectors in the directory](scripts/powershell-get-all-connectors.md) | Lists all the connector groups and connectors in your directory. | | [Move all apps assigned to a connector group to another connector group](scripts/powershell-move-all-apps-to-connector-group.md) | Moves all applications currently assigned to a connector group to a different connector group. | |
active-directory | 3 Secure Access Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/3-secure-access-plan.md | Generally, organizations customize policy, however consider the following parame ## Access control methods -Some features, for example entitlement management, are available with a Microsoft Entra ID P1 or P2 2 (P2) license. Microsoft 365 E5 and Office 365 E5 licenses include Microsoft Entra ID P2 licenses. Learn more in the following entitlement management section. +Some features, for example entitlement management, are available with a Microsoft Entra ID P1 or P2 license. Microsoft 365 E5 and Office 365 E5 licenses include Microsoft Entra ID P2 licenses. Learn more in the following entitlement management section. > [!NOTE] > Licenses are for one user. Therefore users, administrators, and business owners can have delegated access control. This scenario can occur with Microsoft Entra ID P2 or Microsoft 365 E5, and you don't have to enable licenses for all users. The first 50,000 external users are free. If you don't enable P2 licenses for other internal users, they can't use entitlement management. |
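Review bot: the `+` line loses the licensing requirement: it now says entitlement management is "available with a Microsoft Entra ID P1 or P2 license", but the NOTE directly below states "If you don't enable P2 licenses for other internal users, they can't use entitlement management". The garbled "P1 or P2 2 (P2)" reads like the result of a blanket find-and-replace on the old product name; suggest "available with a Microsoft Entra ID P2 license" so the sentence agrees with the note.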
active-directory | Architecture Icons | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/architecture-icons.md | Title: Microsoft Entra architecture icons -description: Learn about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation. +description: Learn about the official collection of Microsoft Entra ID icons that you can use in architectural diagrams, training materials, or documentation. Last updated 08/15/2023 -# Customer intent: As a new or existing customer, I want to learn how I can use the official Microsoft Entra icons in architectural diagrams, training materials, or documentation. +# Customer intent: As a new or existing customer, I want to learn how I can use the official Microsoft Entra ID icons in architectural diagrams, training materials, or documentation. # Microsoft Entra architecture icons -Helping our customers design and architect new solutions is core to the Microsoft Entra mission. Architecture diagrams can help communicate design decisions and the relationships between components of a given workload. This article provides information about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation. +Helping our customers design and architect new solutions is core to the Microsoft Entra mission. Architecture diagrams can help communicate design decisions and the relationships between components of a given workload. This article provides information about the official collection of Microsoft Entra ID icons that you can use in architectural diagrams, training materials, or documentation. ## General guidelines |
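Review bot: the description, the customer-intent comment and the body now say "Microsoft Entra ID icons", but the title and H1 still read "Microsoft Entra architecture icons" and the body still refers to "the Microsoft Entra mission"; pick one name for the icon set across front matter, heading and body rather than mixing "Microsoft Entra" and "Microsoft Entra ID" on the same page.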
active-directory | Auth Ldap | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-ldap.md | There is a need to for an application or service to use LDAP authentication. ## Implement LDAP authentication with Microsoft Entra ID -* [Create and configure a Microsoft Entra DS instance](../../active-directory-domain-services/tutorial-create-instance.md) +* [Create and configure a Microsoft Entra Domain Services instance](../../active-directory-domain-services/tutorial-create-instance.md) -* [Configure virtual networking for a Microsoft Entra DS instance](../../active-directory-domain-services/tutorial-configure-networking.md) +* [Configure virtual networking for a Microsoft Entra Domain Services instance](../../active-directory-domain-services/tutorial-configure-networking.md) -* [Configure Secure LDAP for a Microsoft Entra DS managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md) +* [Configure Secure LDAP for a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md) -* [Create an outbound forest trust to an on-premises domain in Microsoft Entra DS](../../active-directory-domain-services/tutorial-create-forest-trust.md) +* [Create an outbound forest trust to an on-premises domain in Microsoft Entra Domain Services](../../active-directory-domain-services/tutorial-create-forest-trust.md) |
active-directory | Auth Prov Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-prov-overview.md | Title: Azure Active Directory synchronization protocol overview + Title: Microsoft Entra synchronization protocol overview description: Architectural guidance on integrating Microsoft Entra ID with legacy synchronization protocols |
active-directory | Backup Authentication System | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/backup-authentication-system.md | The backup authentication system is supported in all cloud environments except M | Ceridian Dayforce HCM | No | SAML SP-initiated | | Cisco AnyConnect | No | SAML SP-initiated | | Cisco Webex | No | SAML SP-initiated |-| Citrix ADC SAML Connector forAzure AD | No | SAML SP-initiated | +| Citrix ADC SAML Connector for Azure AD | No | SAML SP-initiated | | Clever | No | SAML SP-initiated | | Cloud Drive Mapper | Yes | Protected | | Cornerstone Single Sign-on | No | SAML SP-initiated | |
active-directory | Govern Service Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/govern-service-accounts.md | Regularly review service account permissions and accessed scopes to see if they * See, [Get-AzureADServicePrincipalOAuth2PermissionGrant](/powershell/module/azuread/get-azureadserviceprincipaloauth2permissiongrant) * [Script to list all delegated permissions and application permissions in Microsoft Entra ID](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09) scopes for service account-* See, [Azure AD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) and confirm validity +* See, [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) and confirm validity * Don't set service principal credentials to **Never expire** * Use certificates or credentials stored in Azure Key Vault, when possible * [What is Azure Key Vault?](../../key-vault/general/basic-concepts.md) -The free PowerShell sample collects service principal OAuth2 grants and credential information, records them in a comma-separated values (CSV) file, and a Power BI sample dashboard. For more information, see [Azure AD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment). +The free PowerShell sample collects service principal OAuth2 grants and credential information, records them in a comma-separated values (CSV) file, and a Power BI sample dashboard. For more information, see [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment). ### Recertify service account use |
active-directory | Monitor Sign In Health For Resilience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/monitor-sign-in-health-for-resilience.md | During an impacting event, two things may happen: - A Microsoft Entra tenant. - A user with global administrator or security administrator role for the Microsoft Entra tenant. - A Log Analytics workspace in your Azure subscription to send logs to Azure Monitor logs. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).-- Microsoft Entra ID logs integrated with Azure Monitor logs. Learn how to [Integrate Microsoft Entra sign-in logs with Azure Monitor Stream.](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)+- Microsoft Entra logs integrated with Azure Monitor logs. Learn how to [Integrate Microsoft Entra sign-in logs with Azure Monitor Stream.](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) ## Configure the App sign-in health workbook |
active-directory | Multilateral Federation Solution One | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multilateral-federation-solution-one.md | Here are some of the advantages of implementing Microsoft Entra ID with Cirrus B * This solution is the only architecture that enables you to configure granular Microsoft Entra Conditional Access for both multilateral federation apps and CAS apps. -* **Use of other Microsoft Entra ID-related solutions for all apps** +* **Use of other Microsoft Entra related solutions for all apps** * You can use Intune and Microsoft Entra join for device management. |
active-directory | Ops Guide Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/ops-guide-auth.md | Having access to sign-in activity, audits and risk events for Microsoft Entra ID #### Logs recommended reading -- [Microsoft Entra ID audit API reference](/graph/api/resources/directoryaudit)+- [Microsoft Entra audit API reference](/graph/api/resources/directoryaudit) - [Microsoft Entra sign-in activity report API reference](/graph/api/resources/signin) - [Get data using the Microsoft Entra reporting API with certificates](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) - [Microsoft Graph for Microsoft Entra ID Protection](../identity-protection/howto-identity-protection-graph-api.md) |
active-directory | Parallel Identity Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/parallel-identity-options.md | If the customer chooses to keep some or all Litware's identity infrastructure, t - Scenario A - Don't use *any* of Litware's identity infrastructure. - Scenario B - Use Litware's Active Directory forests, but not Litware's Microsoft Entra ID (if they've one) - Scenario C - Use Litware's Microsoft Entra ID.-- Scenario D - Use Litware's non-Microsoft identity infrastructure (if Litware isn't using Active Directory/Azure AD) +- Scenario D - Use Litware's non-Microsoft identity infrastructure (if Litware isn't using Active Directory / Microsoft Entra ID) The following table summarizes each option with the technologies for how the customer could achieve those outcomes, the constraints, and benefits of each. |
active-directory | Protect M365 From On Premises Attacks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/protect-m365-from-on-premises-attacks.md | On-premises accounts synced from Active Directory are marked to never expire in We recommend the following provisioning methods: -- **Provision from cloud HR apps to Azure AD.** This provisioning enables an on-premises compromise to be isolated. This isolation doesn't disrupt your joiner-mover-leaver cycle from your cloud HR apps to Microsoft Entra ID.+- **Provision from cloud HR apps to Microsoft Entra ID.** This provisioning enables an on-premises compromise to be isolated. This isolation doesn't disrupt your joiner-mover-leaver cycle from your cloud HR apps to Microsoft Entra ID. - **Cloud applications.** Where possible, deploy Microsoft Entra app provisioning as opposed to on-premises provisioning solutions. This method protects some of your software as a service (SaaS) apps from malicious hacker profiles in on-premises breaches. For more information, see [What is app provisioning in Microsoft Entra ID](../app-provisioning/user-provisioning.md). - **External identities.** Use Microsoft Entra B2B collaboration to reduce the dependency on on-premises accounts for external collaboration with partners, customers, and suppliers. Carefully evaluate any direct federation with other identity providers. For more information, see [B2B collaboration overview](../external-identities/what-is-b2b.md). Monitor the following key scenarios, in addition to any scenarios specific to yo - **Suspicious activity** - Monitor all Microsoft Entra ID risk events for suspicious activity. See [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md). Microsoft Entra ID Protection is natively integrated with [Microsoft Defender for Identity](/defender-for-identity/what-is). + Monitor all Microsoft Entra risk events for suspicious activity. 
See [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md). Microsoft Entra ID Protection is natively integrated with [Microsoft Defender for Identity](/defender-for-identity/what-is). Define network named locations to avoid noisy detections on location-based signals. See [Using the location condition in a Conditional Access policy](../conditional-access/location-condition.md). |
active-directory | Road To The Cloud Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/road-to-the-cloud-migrate.md | After you move SaaS applications that were federated to Microsoft Entra ID, ther * [Move application authentication to Microsoft Entra ID](../manage-apps/migrate-adfs-apps-stages.md) -* [Migrate from Microsoft Entra multifactor authentication Server to Microsoft Entra multifactor authentication](../authentication/how-to-migrate-mfa-server-to-azure-mfa.md) +* [Migrate from Azure Multi-Factor Authentication Server to Microsoft Entra multifactor authentication](../authentication/how-to-migrate-mfa-server-to-azure-mfa.md) * [Migrate from federation to cloud authentication](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md) In terms of infrastructure management, on-premises environments often use a comb Active Directory is for on-premises IT environments, and Microsoft Entra ID is for cloud-based IT environments. One-to-one parity of features isn't present here, so you can manage application servers in several ways. -For example, Azure Arc helps bring many of the features that exist in Active Directory together into a single view when you use Microsoft Entra ID for identity and access management (IAM). You can also use Microsoft Entra Domain Services (Microsoft Entra DS) to domain-join servers in Microsoft Entra ID, especially when you want those servers to use GPOs for specific business or technical reasons. +For example, Azure Arc helps bring many of the features that exist in Active Directory together into a single view when you use Microsoft Entra ID for identity and access management (IAM). You can also use Microsoft Entra Domain Services to domain-join servers in Microsoft Entra ID, especially when you want those servers to use GPOs for specific business or technical reasons. 
Use the following table to determine what Azure-based tools you can use to replace the on-premises environment: Here's more information that you can use for application server management: * [Manage and secure your Azure VM environment](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/). -* If you must wait to migrate or perform a partial migration, you can use GPOs with [Microsoft Entra DS](https://azure.microsoft.com/services/active-directory-ds/). +* If you must wait to migrate or perform a partial migration, you can use GPOs with [Microsoft Entra Domain Services](https://azure.microsoft.com/services/active-directory-ds/). -If you require management of application servers with Microsoft Configuration Manager, you can't achieve this requirement by using Microsoft Entra DS. Microsoft Configuration Manager isn't supported to run in a Microsoft Entra DS environment. Instead, you need to extend your on-premises Active Directory instance to a domain controller running on an Azure VM. Or, you need to deploy a new Active Directory instance to an Azure IaaS virtual network. +If you require management of application servers with Microsoft Configuration Manager, you can't achieve this requirement by using Microsoft Entra Domain Services. Microsoft Configuration Manager isn't supported to run in a Microsoft Entra Domain Services environment. Instead, you need to extend your on-premises Active Directory instance to a domain controller running on an Azure VM. Or, you need to deploy a new Active Directory instance to an Azure IaaS virtual network. ### Define the migration strategy for legacy applications To reduce or eliminate those dependencies, you have three main approaches. In the most preferred approach, you undertake projects to migrate from legacy applications to SaaS alternatives that use modern authentication. Have the SaaS alternatives authenticate to Microsoft Entra ID directly: -1. 
Deploy Microsoft Entra DS into an Azure virtual network and [extend the schema](/azure/active-directory-domain-services/concepts-custom-attributes) to incorporate additional attributes needed by the applications. +1. Deploy Microsoft Entra Domain Services into an Azure virtual network and [extend the schema](/azure/active-directory-domain-services/concepts-custom-attributes) to incorporate additional attributes needed by the applications. -2. Lift and shift legacy apps to VMs on the Azure virtual network that are domain-joined to Microsoft Entra DS. +2. Lift and shift legacy apps to VMs on the Azure virtual network that are domain-joined to Microsoft Entra Domain Services. 3. Publish legacy apps to the cloud by using Microsoft Entra application proxy or a [secure hybrid access](../manage-apps/secure-hybrid-access.md) partner. -4. As legacy apps retire through attrition, eventually decommission Microsoft Entra DS running in the Azure virtual network. +4. As legacy apps retire through attrition, eventually decommission Microsoft Entra Domain Services running in the Azure virtual network. >[!NOTE]->* Use Microsoft Entra DS if the dependencies are aligned with [common deployment scenarios for Microsoft Entra DS](../../active-directory-domain-services/scenarios.md). ->* To validate if Microsoft Entra DS is a good fit, you might use tools like [Service Map in Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.ServiceMapOMS?tab=Overview) and [automatic dependency mapping with Service Map and Live Maps](https://techcommunity.microsoft.com/t5/system-center-blog/automatic-dependency-mapping-with-service-map-and-live-maps/ba-p/351867). +>* Use Microsoft Entra Domain Services if the dependencies are aligned with [common deployment scenarios for Microsoft Entra Domain Services](../../active-directory-domain-services/scenarios.md). 
+>* To validate if Microsoft Entra Domain Services is a good fit, you might use tools like [Service Map in Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.ServiceMapOMS?tab=Overview) and [automatic dependency mapping with Service Map and Live Maps](https://techcommunity.microsoft.com/t5/system-center-blog/automatic-dependency-mapping-with-service-map-and-live-maps/ba-p/351867). >* Validate that your SQL Server instantiations can be [migrated to a different domain](https://social.technet.microsoft.com/wiki/contents/articles/24960.migrating-sql-server-to-new-domain.aspx). If your SQL service is running in virtual machines, [use this guidance](/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide). #### Approach 2 This approach enables you to decouple the app from the existing Active Directory #### Comparison of strategies -| Strategy | Microsoft Entra DS | Extend Active Directory to IaaS | Independent Active Directory instance in IaaS | +| Strategy | Microsoft Entra Domain Services | Extend Active Directory to IaaS | Independent Active Directory instance in IaaS | | - | - | - | - | | Decoupling from on-premises Active Directory| Yes| No| Yes | | Allowing schema extensions| No| Yes| Yes | To simplify your environment, you can use [Microsoft Entra application proxy](.. It's important to mention that enabling remote access to an application by using the preceding technologies is an interim step. You need to do more work to completely decouple the application from Active Directory. -Microsoft Entra DS allows you to migrate application servers to the cloud IaaS and decouple from Active Directory, while using Microsoft Entra application proxy to enable remote access. To learn more about this scenario, check [Deploy Microsoft Entra application proxy for Microsoft Entra Domain Services](../../active-directory-domain-services/deploy-azure-app-proxy.md). 
+Microsoft Entra Domain Services allows you to migrate application servers to the cloud IaaS and decouple from Active Directory, while using Microsoft Entra application proxy to enable remote access. To learn more about this scenario, check [Deploy Microsoft Entra application proxy for Microsoft Entra Domain Services](../../active-directory-domain-services/deploy-azure-app-proxy.md). ## Next steps |
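Review bot: the multifactor authentication bullet runs against the direction of every other hunk in this change: it restores "Azure Multi-Factor Authentication Server" where the rest of the file replaces Azure AD names with Microsoft Entra ones. If that is deliberate because the on-premises MFA Server product kept its old name, say so in the commit message so a later rename pass does not undo it. In the last hunk, "migrate application servers to the cloud IaaS" reads awkwardly; "to Azure IaaS" would match "Azure IaaS virtual network" used earlier in the same section.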
active-directory | Road To The Cloud Posture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/road-to-the-cloud-posture.md | In this state: * Self-service password reset (SSPR) and password protection for users are enabled. -* Some legacy apps are authenticated in the cloud through Microsoft Entra DS and Application Proxy. +* Some legacy apps are authenticated in the cloud through Microsoft Entra Domain Services and Application Proxy. ### State 3: Cloud first |
active-directory | Secure Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-best-practices.md | All hybrid identity infrastructure OS logs should be archived and carefully moni The following scenarios must be explicitly monitored and investigated: -* **Suspicious activity** - All [Microsoft Entra ID risk events](../identity-protection/overview-identity-protection.md) should be monitored for suspicious activity. All tenants should define the network [named locations](../conditional-access/location-condition.md) to avoid noisy detections on location-based signals. [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md) is natively integrated with Azure Security Center. It's recommended that any risk detection investigation includes all the environments the identity is provisioned (for example, if a human identity has an active risk detection in the corporate tenant, the team operating the customer facing tenant should also investigate the activity of the corresponding account in that environment). +* **Suspicious activity** - All [Microsoft Entra risk events](../identity-protection/overview-identity-protection.md) should be monitored for suspicious activity. All tenants should define the network [named locations](../conditional-access/location-condition.md) to avoid noisy detections on location-based signals. [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md) is natively integrated with Azure Security Center. It's recommended that any risk detection investigation includes all the environments the identity is provisioned (for example, if a human identity has an active risk detection in the corporate tenant, the team operating the customer facing tenant should also investigate the activity of the corresponding account in that environment). 
* **User entity behavioral analytics (UEBA) alerts** - UEBA should be used to get insightful information based on anomaly detection. [Microsoft Microsoft 365 Defender for Cloud Apps](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-cloud-apps) provides [UEBA in the cloud](/defender-cloud-apps/tutorial-ueba). Customers can integrate [on-premises UEBA from Microsoft Microsoft 365 Defender for Identity](/defender-cloud-apps/mdi-integration). MCAS reads signals from Microsoft Entra ID Protection. |
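Review bot: the rename in this hunk is incomplete and leaves the bullet internally inconsistent. The + line still says ID Protection "is natively integrated with Azure Security Center", while the unchanged UEBA bullet right below uses the Microsoft Defender naming, and that bullet contains "Microsoft Microsoft 365 Defender for Cloud Apps" and "Microsoft Microsoft 365 Defender for Identity" with a doubled "Microsoft", plus a bare "MCAS" that no longer matches the linked product name "Microsoft Defender for Cloud Apps". Suggest fixing the doubled word and using one product name throughout, and changing "all the environments the identity is provisioned" to "all the environments the identity is provisioned in".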
active-directory | Secure Fundamentals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-fundamentals.md | Microsoft Entra ID also provides a portal and the Microsoft Graph API to allow o * Applications used to access -Microsoft Entra ID also provides information on the actions that are being performed within Microsoft Entra ID, and reports on security risks. For more information, see [Microsoft Entra ID reports and monitoring](../reports-monitoring/index.yml). +Microsoft Entra ID also provides information on the actions that are being performed within Microsoft Entra ID, and reports on security risks. For more information, see [Microsoft Entra reports and monitoring](../reports-monitoring/index.yml). **Auditing**. Auditing provides traceability through logs for all changes done by specific features within Microsoft Entra ID. Examples of activities found in audit logs include changes made to any resources within Microsoft Entra ID like adding or removing users, apps, groups, roles, and policies. Reporting in Microsoft Entra ID enables you to audit sign-in activities, risky sign-ins, and users flagged for risk. For more information, see [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md). |
active-directory | Secure Resource Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-resource-management.md | Before any resource management request can be executed by Resource Manager, a se The following diagram summarizes the resource model we just described. -![Diagram that shows Azure resource management with ARM and Azure AD.](media/secure-resource-management/resource-model.png) +![Diagram that shows Azure resource management with ARM and Microsoft Entra ID.](media/secure-resource-management/resource-model.png) **Azure Lighthouse** - [Azure Lighthouse](../../lighthouse/overview.md) enables resource management across tenants. Organizations can delegate roles at the subscription or resource group level to identities in another tenant. |
active-directory | Security Operations Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-applications.md | The log files you use for investigation and monitoring are: * [Azure Key Vault logs](../../key-vault/general/logging.md) -From the Azure portal, you can view the Microsoft Entra audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra ID logs with other tools, which allow more automation of monitoring and alerting: +From the Azure portal, you can view the Microsoft Entra audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra logs with other tools, which allow more automation of monitoring and alerting: * **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level with security information and event management (SIEM) capabilities. From the Azure portal, you can view the Microsoft Entra audit logs and download * **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources. -* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Microsoft Entra ID logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration. +* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration. 
* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance. Monitor application authentication using the following formation: | What to monitor| Risk level| Where| Filter/sub-filter| Notes | | - | - | - | - | - |-| Applications that are using the ROPC authentication flow|Medium | Microsoft Entra Sign-ins log|Status=Success<br><br>Authentication Protocol-ROPC| High level of trust is being placed in this application as the credentials can be cached or stored. Move if possible to a more secure authentication flow. This should only be used in automated testing of applications, if at all. For more information, see [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](../develop/v2-oauth-ropc.md)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -|Applications using the Device code flow |Low to medium|Microsoft Entra Sign-ins log|Status=Success<br><br>Authentication Protocol-Device Code|Device code flows are used for input constrained devices, which may not be in all environments. If successful device code flows appear, without a need for them, investigate for validity. For more information, see [Microsoft identity platform and the OAuth 2.0 device authorization grant flow](../develop/v2-oauth2-device-code.md)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Applications that are using the ROPC authentication flow|Medium | Microsoft Entra sign-in log|Status=Success<br><br>Authentication Protocol-ROPC| High level of trust is being placed in this application as the credentials can be cached or stored. Move if possible to a more secure authentication flow. This should only be used in automated testing of applications, if at all. 
For more information, see [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](../develop/v2-oauth-ropc.md)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +|Applications using the Device code flow |Low to medium|Microsoft Entra sign-in log|Status=Success<br><br>Authentication Protocol-Device Code|Device code flows are used for input constrained devices, which may not be in all environments. If successful device code flows appear, without a need for them, investigate for validity. For more information, see [Microsoft identity platform and the OAuth 2.0 device authorization grant flow](../develop/v2-oauth2-device-code.md)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| ## Application configuration changes Monitor changes to application configuration. Specifically, configuration change | What to monitor| Risk Level| Where| Filter/sub-filter| Notes | |-|-|-|-|-|-| Dangling URI| High| Microsoft Entra ID Logs and Application Registration| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| For example, look for dangling URIs that point to a domain name that no longer exists or one that you donΓÇÖt explicitly own.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/URLAddedtoApplicationfromUnknownDomain.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Redirect URI configuration changes| High| Microsoft Entra ID logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are NOT unique to the application, URIs that point to a domain you don't control.<br>[Microsoft Sentinel 
template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Dangling URI| High| Microsoft Entra logs and Application Registration| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| For example, look for dangling URIs that point to a domain name that no longer exists or one that you donΓÇÖt explicitly own.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/URLAddedtoApplicationfromUnknownDomain.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Redirect URI configuration changes| High| Microsoft Entra logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are NOT unique to the application, URIs that point to a domain you don't control.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | Alert when these changes are detected. Alert when these changes are detected. 
| What to monitor| Risk Level| Where| Filter/sub-filter| Notes | |-|-|-|-|-|-| Changes to AppID URI| High| Microsoft Entra ID logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update<br>Application<br>Activity: Update Service principal| Look for any AppID URI modifications, such as adding, modifying, or removing the URI.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationIDURIChanged.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Changes to AppID URI| High| Microsoft Entra logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update<br>Application<br>Activity: Update Service principal| Look for any AppID URI modifications, such as adding, modifying, or removing the URI.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationIDURIChanged.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | Alert when these changes are detected outside approved change management procedures. 
Alert when these changes are detected outside approved change management procedu | What to monitor| Risk Level| Where| Filter/sub-filter| Notes | |-|-|-|-|-|-| Changes to application ownership| Medium| Microsoft Entra ID logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Add owner to application| Look for any instance of a user being added as an application owner outside of normal change management activities.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationOwnership.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Changes to application ownership| Medium| Microsoft Entra logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Add owner to application| Look for any instance of a user being added as an application owner outside of normal change management activities.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationOwnership.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | ### Log-out URL modified or removed | What to monitor| Risk Level| Where| Filter/sub-filter| Notes | |-|-|-|-|-|-| Changes to log-out URL| Low| Microsoft Entra ID logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle| Look for any modifications to a sign-out URL. 
Blank entries or entries to non-existent locations would stop a user from terminating a session.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Changes to log-out URL| Low| Microsoft Entra logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle| Look for any modifications to a sign-out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| ## Resources Alert when these changes are detected outside approved change management procedu * OAuth attack detection guidance - [Unusual addition of credentials to an OAuth app](/cloud-app-security/investigate-anomaly-alerts) -* Microsoft Entra ID monitoring configuration information for SIEMs - [Partner tools with Azure Monitor integration](../..//azure-monitor/essentials/stream-monitoring-data-event-hubs.md) +* Microsoft Entra monitoring configuration information for SIEMs - [Partner tools with Azure Monitor integration](../..//azure-monitor/essentials/stream-monitoring-data-event-hubs.md) ## Next steps |
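Review bot: the log-out URL row keeps "Activity: Update service principle" in its + line; the audit activity is "Update service principal" (the AppID URI row in the same change uses "Update Service principal"), and the misspelling will mislead anyone building a filter on the activity name. Two smaller points while these rows are being touched: "using the following formation" in the unchanged lead-in should be "information", and the AppID URI row's filter cell breaks "Activity: Update<br>Application" across a line break, so "Update Application" and "Update Service principal" render as three items instead of two.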
active-directory | Security Operations Infrastructure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-infrastructure.md | Organizations might need to monitor for and alert on the creation of new Microso Microsoft Entra ID and Microsoft Entra application proxy give remote users a single sign-on (SSO) experience. Users securely connect to on-premises apps without a virtual private network (VPN) or dual-homed servers and firewall rules. If your Microsoft Entra application proxy connector server is compromised, attackers could alter the SSO experience or change access to published applications. -To configure monitoring for Application Proxy, see [Troubleshoot Application Proxy problems and error messages](../app-proxy/application-proxy-troubleshoot.md). The data file that logs information can be found in Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin. For a complete reference guide to audit activity, see [Microsoft Entra ID audit activity reference](../reports-monitoring/reference-audit-activities.md). Specific things to monitor: +To configure monitoring for Application Proxy, see [Troubleshoot Application Proxy problems and error messages](../app-proxy/application-proxy-troubleshoot.md). The data file that logs information can be found in Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin. For a complete reference guide to audit activity, see [Microsoft Entra audit activity reference](../reports-monitoring/reference-audit-activities.md). Specific things to monitor: | What to monitor| Risk level| Where| Filter/sub-filter| Notes | | - | - | - | - | - | To configure monitoring for Application Proxy, see [Troubleshoot Application Pro For multifactor authentication (MFA) to be effective, you also need to block legacy authentication. You then need to monitor your environment and alert on any use of legacy authentication. 
Legacy authentication protocols like POP, SMTP, IMAP, and MAPI canΓÇÖt enforce MFA. This makes these protocols the preferred entry points for attackers. For more information on tools that you can use to block legacy authentication, see [New tools to block legacy authentication in your organization](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302). -Legacy authentication is captured in the Microsoft Entra sign-in log as part of the detail of the event. You can use the Azure Monitor workbook to help with identifying legacy authentication usage. For more information, see [Sign-ins using legacy authentication](../reports-monitoring/howto-use-azure-monitor-workbooks.md), which is part of [How to use Azure Monitor Workbooks for Microsoft Entra ID reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). You can also use the Insecure protocols workbook for Microsoft Sentinel. For more information, see [Microsoft Sentinel Insecure Protocols Workbook Implementation Guide](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564). Specific activities to monitor include: +Legacy authentication is captured in the Microsoft Entra sign-in log as part of the detail of the event. You can use the Azure Monitor workbook to help with identifying legacy authentication usage. For more information, see [Sign-ins using legacy authentication](../reports-monitoring/howto-use-azure-monitor-workbooks.md), which is part of [How to use Azure Monitor Workbooks for Microsoft Entra reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). You can also use the Insecure protocols workbook for Microsoft Sentinel. 
For more information, see [Microsoft Sentinel Insecure Protocols Workbook Implementation Guide](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564). Specific activities to monitor include: | What to monitor| Risk level| Where| Filter/sub-filter| Notes | | - | - | - | - | - | The DC agent Admin log is the primary source of information for how the software * Microsoft Entra audit log, Category Application Proxy -Complete reference for Microsoft Entra ID audit activities is available at [Microsoft Entra ID audit activity reference](../reports-monitoring/reference-audit-activities.md). +Complete reference for Microsoft Entra audit activities is available at [Microsoft Entra audit activity reference](../reports-monitoring/reference-audit-activities.md). ## Conditional Access |
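Review bot: in the legacy-authentication hunk, both links in the + line, "Sign-ins using legacy authentication" and "How to use Azure Monitor Workbooks for Microsoft Entra reports", point to the same file, howto-use-azure-monitor-workbooks.md. The first needs a section anchor to be useful; otherwise collapse the two into a single link.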
active-directory | Security Operations Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-introduction.md | As part of an Azure hybrid environment, the following items should be baselined * **Password writeback Agent** - Password writeback is a feature enabled with [Microsoft Entra Connect](../hybrid/whatis-hybrid-identity.md) that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see [How does self-service password reset writeback work in Microsoft Entra ID](../authentication/concept-sspr-writeback.md). -* **Microsoft Entra application proxy Connector** - Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Azure ADF Application Proxy connectors](../app-proxy/application-proxy-connectors.md). +* **Microsoft Entra application proxy Connector** - Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Microsoft Entra Application Proxy connectors](../app-proxy/application-proxy-connectors.md). ## Components of cloud-based authentication |
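Review bot: the + line fixes the link text but leaves the product name capitalized three different ways within one bullet: "Microsoft Entra application proxy Connector" (lowercase "application proxy", capital "Connector"), "Application Proxy service", and the new link text "Microsoft Entra Application Proxy connectors". Pick one form and apply it across the bullet.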
active-directory | Security Operations Privileged Identity Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-privileged-identity-management.md | The following are recommended baseline settings: <a name='azure-ad-roles-assignment'></a> +## Privileged Identity Management Alerts ++Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your Microsoft Entra ID organization. When an alert is generated, it appears in the Privileged Identity Management dashboard. You can also configure an email notification or send to your SIEM via GraphAPI. Because these alerts focus specifically on administrative roles, you should monitor closely for any alerts. ++| What to monitor| Risk Level| Where | Filter/sub-filter UX | Notes | +| - |- |- |- |- | +| [Roles are being assigned outside of Privileged Identity Management](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | High |Privileged Identity Management, Alerts |[Roles are being assigned outside of Privileged Identity Management](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| [Potential stale accounts in a privileged role](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Medium |Privileged Identity Management, Alerts |[Potential stale accounts in a privileged role](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| 
[Administrators aren't using their privileged roles](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[Administrators aren't using their privileged roles](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| [Roles don't require multi-factor authentication for activation](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[Roles don't require multi-factor authentication for activation](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| [The organization doesn't have Microsoft Entra ID P2 or Microsoft Entra ID Governance](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[The organization doesn't have Microsoft Entra ID P2 or Microsoft Entra ID Governance](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| [There are too many global administrators](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[There are too many global 
administrators](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts)|[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| [Roles are being activated too frequently](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[Roles are being activated too frequently](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts)|[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| ++<a name='azure-ad-roles-assignment'></a> + ## Microsoft Entra roles assignment A privileged role administrator can customize PIM in their Microsoft Entra organization, which includes changing the user experience of activating an eligible role assignment: |
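Review bot: the `<a name='azure-ad-roles-assignment'></a>` anchor ends up duplicated. The original copy sits in the unchanged context line immediately before the new `## Privileged Identity Management Alerts` heading, and this change adds a second copy before `## Microsoft Entra roles assignment`. Two anchors with the same name are invalid HTML, and a browser resolves `#azure-ad-roles-assignment` to the first one, so the legacy link would land readers on the alerts table rather than on the roles-assignment section; remove the first copy in this same change. Smaller points in the new intro paragraph: `Microsoft Entra ID organization` should read `Microsoft Entra organization` (the form the unchanged text below already uses), and `GraphAPI` should be `Microsoft Graph API`.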
active-directory | Security Operations User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-user-accounts.md | As you design and operationalize a log monitoring and alerting strategy, conside | What to monitor | Risk Level | Where | Filter/sub-filter | Notes | | - | - | - | - | - |-| Leaked credentials user risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Leaked credentials <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Microsoft Entra Threat Intelligence user risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Microsoft Entra threat intelligence <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Anonymous IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Atypical travel sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Atypical travel <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? 
Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Anomalous Token| Varies| Microsoft Entra ID Risk Detection logs| UX: Anomalous Token <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Malware linked IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Malware linked IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Suspicious browser sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious browser <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Unfamiliar sign-in properties sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Unfamiliar sign-in properties <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? 
Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Malicious IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Malicious IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Suspicious inbox manipulation rules sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious inbox manipulation rules<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Password Spray sign-in risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Password spray<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Impossible travel sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Impossible travel<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? 
Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| New country/region sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: New country/region<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Activity from anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Activity from Anonymous IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Suspicious inbox forwarding sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious inbox forwarding<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Microsoft Entra threat intelligence sign-in risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Microsoft Entra threat intelligence<br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? 
Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Leaked credentials user risk detection| High| Microsoft Entra risk detection logs| UX: Leaked credentials <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Microsoft Entra Threat Intelligence user risk detection| High| Microsoft Entra risk detection logs| UX: Microsoft Entra threat intelligence <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Anonymous IP address sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Anonymous IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Atypical travel sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Atypical travel <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? 
Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Anomalous Token| Varies| Microsoft Entra risk detection logs| UX: Anomalous Token <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Malware linked IP address sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Malware linked IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Suspicious browser sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Suspicious browser <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Unfamiliar sign-in properties sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Unfamiliar sign-in properties <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? 
Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Malicious IP address sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Malicious IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Suspicious inbox manipulation rules sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Suspicious inbox manipulation rules<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Password Spray sign-in risk detection| High| Microsoft Entra risk detection logs| UX: Password spray<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Impossible travel sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Impossible travel<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? 
Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| New country/region sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: New country/region<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Activity from anonymous IP address sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Activity from Anonymous IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Suspicious inbox forwarding sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Suspicious inbox forwarding<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Microsoft Entra threat intelligence sign-in risk detection| High| Microsoft Entra risk detection logs| UX: Microsoft Entra threat intelligence<br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| For more information, visit [What is Identity Protection](../identity-protection/overview-identity-protection.md). |
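Review bot: since every row of this table is being rewritten anyway, fix the inconsistencies the new lines carry over from the old ones. The last row (`Microsoft Entra threat intelligence sign-in risk detection`) uses a single `<br>` before `API:` while every other row uses `<br><br>`; the user-risk row is titled `Microsoft Entra Threat Intelligence` while the sign-in row is `Microsoft Entra threat intelligence`; and `Anomalous Token` is the only detection listed without the `sign-in risk detection` suffix, so the reader cannot tell from the table whether it is a user-risk or a sign-in-risk detection.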
active-directory | Sync Ldap | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/sync-ldap.md | Use LDAP synchronization when you need to synchronize identity data between your ## System components -* **Microsoft Entra ID**: Azure AD synchronizes identity information (users, groups) from organization's on-premises LDAP directories via Microsoft Entra Connect. +* **Microsoft Entra ID**: Microsoft Entra ID synchronizes identity information (users, groups) from organization's on-premises LDAP directories via Microsoft Entra Connect. * **Microsoft Entra Connect**: is a tool for connecting on premises identity infrastructures to Microsoft Entra ID. The wizard and guided experiences help to deploy and configure prerequisites and components required for the connection. * **Custom Connector**: A Generic LDAP Connector enables you to integrate the Microsoft Entra Connect synchronization service with an LDAP v3 server. It sits on Microsoft Entra Connect. * **Active Directory**: Active Directory is a directory service included in most Windows Server operating systems. Servers that run Active Directory Services, referred to as domain controllers, authenticate and authorize all users and computers in a Windows domain. |
active-directory | Certificate Based Authentication Federation Android | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-android.md | As a best practice, you should update your organization's AD FS error pages with For more information, see [Customizing the AD FS Sign-in Pages](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn280950(v=ws.11)). -Office apps with modern authentication enabled send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'. +Office apps with modern authentication enabled send '*prompt=login*' to Microsoft Entra ID in their request. By default, Microsoft Entra ID translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Microsoft Entra behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'. You can use Set-MgDomainFederationConfiguration to perform this task: ```powershell |
active-directory | Concept Certificate Based Authentication Certificateuserids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md | The values stored in **certificateUserIds** should be in the format described in ## Roles to update certificateUserIds -For cloud-only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds. Cloud-only users can use both UX and MSGraph to write into certificateUserIds. For synched users, AD users with role **Hybrid Identity Administrator** can write into the attribute. Only Azure ADConnect can be used to update CertificateUserIds by syncing the value from on-prem for synched users. +For cloud-only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds. Cloud-only users can use both UX and MSGraph to write into certificateUserIds. For synched users, AD users with role **Hybrid Identity Administrator** can write into the attribute. Only Microsoft Entra Connect can be used to update CertificateUserIds by syncing the value from on-prem for synched users. >[!NOTE] >Active Directory Administrators (including accounts with delegated administrative privilege over synched user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Microsoft Entra ID for any synched accounts. |
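Review bot: the `[!NOTE]` block directly below the changed line still reads `the Azure >AD Connect Servers`, so the old product name survives two lines after it was replaced, and the stray `>` in the middle of the name is a blockquote marker that wrapped into the sentence; rewrite it as `Microsoft Entra Connect servers` on a single quoted line in this change. The changed sentence itself, `only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write`, mixes plural and singular and needs an `or` between the two roles.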
active-directory | Concept Certificate Based Authentication Technical Deep Dive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md | Now we'll walk through each step: However, with the issue hints feature enabled (coming soon), the new certauth endpoint will change to `https://t{tenantid}.certauth.login.microsoftonline.com`. -The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the Sign-ins log. +The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the sign-in log. >[!NOTE] >The network administrator should allow access to the User sign-in page and certauth endpoint `*.certauth.login.microsoftonline.com` for the customer's cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake. The endpoint performs TLS mutual authentication, and requests the client certifi Without this change, certificate-based authentication will fail when you enable Issuer Hints feature. - :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-ins log in Microsoft Entra ID." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png"::: + :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the sign-in log in Microsoft Entra ID." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png"::: Click the log entry to bring up **Activity Details** and click **Authentication Details**. 
You'll see an entry for the X.509 certificate. |
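Review bot: the feature is called `issue hints` in the first context line (`with the issue hints feature enabled (coming soon)`) and `Issuer Hints` in the last (`when you enable Issuer Hints feature`); settle on one name, and `Issuer Hints feature` needs an article (`the Issuer Hints feature`). This change already touches the surrounding sign-in log wording, so it is the right place to fix the name as well.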
active-directory | Concept Mfa Authprovider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-authprovider.md | If your MFA provider isn't linked to a Microsoft Entra tenant, or you link the n > [!CAUTION] > There is no confirmation when deleting an authentication provider. Selecting **Delete** is a permanent process. -Authentication providers can be found in the [Microsoft Entra admin center](https://entra.microsoft.com). Sign in as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). Browse to **Protection** > **multifactor authentication** > **Providers**. Click the listed providers to see details and configurations associated with that provider. +Authentication providers can be found in the [Microsoft Entra admin center](https://entra.microsoft.com). Sign in as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). Browse to **Protection** > **Multifactor authentication** > **Providers**. Click the listed providers to see details and configurations associated with that provider. Before removing an authentication provider, take note of any customized settings configured in your provider. Decide what settings need to be migrated to general MFA settings from your provider and complete the migration of those settings. |
active-directory | Concept Mfa Data Residency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-data-residency.md | For Microsoft Azure Government, Microsoft Azure operated by 21Vianet, Azure AD B If you use MFA Server, the following personal data is stored. > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). 
| Event type | Data store type | |--|--| For MFA Server, the following pages might contain organizational data: * Server settings * One-time bypass * Caching rules-* Multifactor authentication Server status +* Multi-Factor Authentication Server status ## Multifactor authentication activity reports for public cloud |
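Review bot: the `+` line keeps the mojibake `usersΓÇÖ` (a UTF-8 right single quotation mark decoded as CP437) that was already present in the `-` line; since the line is being rewritten, replace it with a plain `users'`. In the same sentence, `cloud-based Azure MFA service` does not follow the renaming this batch applies elsewhere, where the on-premises product becomes `Azure Multi-Factor Authentication Server` and the cloud service is `Microsoft Entra multifactor authentication`; the service name here should follow suit.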
active-directory | Concept Password Ban Bad Combined Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md | The following Microsoft Entra password policy requirements apply for all passwor ## Password expiration policies -Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Azure AD Module for PowerShell](/powershell/module/Azuread/) to set user passwords not to expire. +Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Azure AD module for PowerShell](/powershell/module/Azuread/) to set user passwords not to expire. > [!NOTE] > By default, only passwords for user accounts that aren't synchronized through Microsoft Entra Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Microsoft Entra ID](../hybrid/connect/how-to-connect-password-hash-synchronization.md#password-expiration-policy). |
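Review bot: the change only lowercases `module`, but the paragraph still sends a Global Administrator or User Administrator to the `Azure AD module for PowerShell` to set passwords to never expire, and Microsoft has announced that module's deprecation. Elsewhere in this batch the Android CBA page already moves to the Microsoft Graph PowerShell cmdlet `Set-MgDomainFederationConfiguration`; this page should likewise point at the Microsoft Graph PowerShell equivalent (setting the user's `passwordPolicies` to `DisablePasswordExpiration`), or at least carry a deprecation note, rather than polishing the capitalization of a retiring module.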
active-directory | Concepts Azure Multi Factor Authentication Prompts Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md | When a user selects **Yes** on the *Stay signed in?* prompt option during sign-i ![Screenshot of example prompt to remain signed in](./media/concepts-azure-multi-factor-authentication-prompts-session-lifetime/stay-signed-in-prompt.png) -If you have a Microsoft Entra ID P1 or P2 1 license, we recommend using Conditional Access policy for *Persistent browser session*. This policy overwrites the *Stay signed in?* setting and provides an improved user experience. If you don't have a Microsoft Entra ID P1 or P2 1 license, we recommend enabling the stay signed in setting for your users. +If you have a Microsoft Entra ID P1 or P2 license, we recommend using Conditional Access policy for *Persistent browser session*. This policy overwrites the *Stay signed in?* setting and provides an improved user experience. If you don't have a Microsoft Entra ID P1 or P2 license, we recommend enabling the stay signed in setting for your users. For more information on configuring the option to let users remain signed-in, see [How to manage the 'Stay signed in?' prompt](../fundamentals/how-to-manage-stay-signed-in-prompt.md). This setting lets you configure values between 1-365 days and sets a persistent While this setting reduces the number of authentications on web apps, it increases the number of authentications for modern authentication clients, such as Office clients. These clients normally prompt only after password reset or inactivity of 90 days. However, setting this value to less than 90 days shortens the default MFA prompts for Office clients, and increases reauthentication frequency. When used in combined with **Remain signed-in** or Conditional Access policies, it may increase the number of authentication requests. 
-If you use *Remember MFA* and have Microsoft Entra ID P1 or P2 1 licenses, consider migrating these settings to Conditional Access Sign-in Frequency. Otherwise, consider using *Keep me signed in?* instead. +If you use *Remember MFA* and have Microsoft Entra ID P1 or P2 licenses, consider migrating these settings to Conditional Access Sign-in Frequency. Otherwise, consider using *Keep me signed in?* instead. More information, see [Remember multifactor authentication](howto-mfa-mfasettings.md#remember-multi-factor-authentication). |
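Review bot: the unchanged context line in the same paragraph reads `When used in combined with **Remain signed-in** or Conditional Access policies`; it should be `in combination with`, and `Remain signed-in` is a third name for a setting that this page otherwise calls `Stay signed in?` and, in the last changed line, `Keep me signed in?`. Standardize on the prompt's actual label, `Stay signed in?`, while the license wording is being fixed. Also `More information, see` in the final line should be `For more information, see`.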
active-directory | How To Authentication Two Way Sms Unsupported | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-two-way-sms-unsupported.md | -Two-way SMS for Microsoft Entra multifactor authentication Server was originally deprecated in 2018, and no longer supported after February 24, 2021, except for organizations that received a support extension until August 2, 2021. Administrators should enable another method for users who still use two-way SMS. +Two-way SMS for Azure Multi-Factor Authentication Server was originally deprecated in 2018, and no longer supported after February 24, 2021, except for organizations that received a support extension until August 2, 2021. Administrators should enable another method for users who still use two-way SMS. Email notifications and Service Health notifications (portal toasts) were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. If you've already completed the following steps, no action is necessary. |
active-directory | How To Mfa Number Match | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-number-match.md | Combined registration with Authenticator requires number matching. When a user g ### AD FS adapter -AD FS adapter requires number matching on supported versions of Windows Server. On earlier versions, users continue to see the **Approve**/**Deny** experience and donΓÇÖt see number matching until you upgrade. The AD FS adapter supports number matching only after you install one of the updates in the following table. For more information about how to set up AD FS adapter, see [Configure Microsoft Entra multifactor authentication Server to work with AD FS in Windows Server](howto-mfaserver-adfs-windows-server.md). +AD FS adapter requires number matching on supported versions of Windows Server. On earlier versions, users continue to see the **Approve**/**Deny** experience and donΓÇÖt see number matching until you upgrade. The AD FS adapter supports number matching only after you install one of the updates in the following table. For more information about how to set up AD FS adapter, see [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](howto-mfaserver-adfs-windows-server.md). >[!NOTE] >Unpatched versions of Windows Server don't support number matching. Users continue to see the **Approve**/**Deny** experience and don't see number matching unless these updates are applied. |
active-directory | How To Mfa Registration Campaign | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-registration-campaign.md | To enable a registration campaign in the Microsoft Entra admin center, complete 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) or [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse to **Protection** > **Authentication methods** > **Registration campaign** and click **Edit**.-1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either Enabled or Disabled. From Sept. 25 to Oct. 20, 2023, the Microsoft managed value for the registration campaign will change to **Enabled** for voice call and text message users across all tenants. For more information, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md). +1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either Enabled or Disabled. From Sept. 25 to Oct. 20, 2023, the Microsoft managed value for the registration campaign will change to **Enabled** for voice call and text message users across all tenants. For more information, see [Protecting authentication methods in Microsoft Entra ID](concept-authentication-default-enablement.md). :::image type="content" border="true" source="media/how-to-mfa-registration-campaign/admin-experience.png" alt-text="Screenshot of enabling a registration campaign."::: |
active-directory | How To Mfa Server Migration Utility | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-server-migration-utility.md | Take a look at our video for an overview of the MFA Server Migration Utility and |Phase|Steps| |:|:--|-|Preparations |[Identify Microsoft Entra multifactor authentication Server dependencies](#identify-azure-ad-mfa-server-dependencies) | -||[Backup Microsoft Entra multifactor authentication Server datafile](#backup-azure-ad-mfa-server-datafile) | +|Preparations |[Identify Azure Multi-Factor Authentication Server dependencies](#identify-azure-ad-mfa-server-dependencies) | +||[Backup Azure Multi-Factor Authentication Server datafile](#backup-azure-ad-mfa-server-datafile) | ||[Install MFA Server update](#install-mfa-server-update) | ||[Configure MFA Server Migration Utility](#configure-the-mfa-server-migration-utility) | |Migrations |[Migrate user data](#migrate-user-data)| The following sections explain the migration steps in more detail. <a name='identify-azure-ad-mfa-server-dependencies'></a> -### Identify Microsoft Entra multifactor authentication Server dependencies +<a name='identify-microsoft-entra-multifactor-authentication-server-dependencies'></a> ++### Identify Azure Multi-Factor Authentication Server dependencies We've worked hard to ensure that moving onto our cloud-based Microsoft Entra multifactor authentication solution will maintain and even improve your security posture. There are three broad categories that should be used to group dependencies: If you enabled the [MFA Server Authentication provider in AD FS 2.0](./howto-mfa <a name='backup-azure-ad-mfa-server-datafile'></a> -### Backup Microsoft Entra multifactor authentication Server datafile -Make a backup of the MFA Server data file located at %programfiles%\multifactor authentication Server\Data\PhoneFactor.pfdata (default location) on your primary MFA Server. 
Make sure you have a copy of the installer for your currently installed version in case you need to roll back. If you no longer have a copy, contact Customer Support Services. +<a name='backup-microsoft-entra-multifactor-authentication-server-datafile'></a> ++### Backup Azure Multi-Factor Authentication Server datafile +Make a backup of the MFA Server data file located at %programfiles%\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata (default location) on your primary MFA Server. Make sure you have a copy of the installer for your currently installed version in case you need to roll back. If you no longer have a copy, contact Customer Support Services. Depending on user activity, the data file can become outdated quickly. Any changes made to MFA Server, or any end-user changes made through the portal after the backup won't be captured. If you roll back, any changes made after this point won't be restored. ### Install MFA Server update-Run the new installer on the Primary MFA Server. Before you upgrade a server, remove it from load balancing or traffic sharing with other MFA Servers. You don't need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade using the current installation path (for example, C:\Program Files\multifactor authentication Server). If you're prompted to install a Microsoft Visual C++ 2015 Redistributable update package, accept the prompt. Both the x86 and x64 versions of the package are installed. It isn't required to install updates for User portal, Web SDK, or AD FS Adapter. +Run the new installer on the Primary MFA Server. Before you upgrade a server, remove it from load balancing or traffic sharing with other MFA Servers. You don't need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade using the current installation path (for example, C:\Program Files\Multi-Factor Authentication Server). 
If you're prompted to install a Microsoft Visual C++ 2015 Redistributable update package, accept the prompt. Both the x86 and x64 versions of the package are installed. It isn't required to install updates for User portal, Web SDK, or AD FS Adapter. >[!NOTE] >After you run the installer on your primary server, secondary servers may begin to log **Unhandled SB** entries. This is due to schema changes made on the primary server that will not be recognized by secondary servers. These errors are expected. In environments with 10,000 users or more, the amount of log entries can increase significantly. To mitigate this issue, you can increase the file size of your MFA Server logs, or upgrade your secondary servers. ### Configure the MFA Server Migration Utility-After installing the MFA Server update, open an elevated PowerShell command prompt: hover over the PowerShell icon, right-click, and click **Run as Administrator**. Run the .\Configure-MultiFactorAuthMigrationUtility.ps1 script found in your MFA Server installation directory (C:\Program Files\multifactor authentication Server by default). +After installing the MFA Server update, open an elevated PowerShell command prompt: hover over the PowerShell icon, right-click, and click **Run as Administrator**. Run the .\Configure-MultiFactorAuthMigrationUtility.ps1 script found in your MFA Server installation directory (C:\Program Files\Multi-Factor Authentication Server by default). This script will require you to provide credentials for an Application Administrator in your Microsoft Entra tenant. The script will then create a new MFA Server Migration Utility application within Microsoft Entra ID, which will be used to write user authentication methods to each Microsoft Entra user object. 
The script will instruct you to grant admin consent to the newly created applica :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/permissions.png" alt-text="Screenshot of permissions."::: -Once complete, navigate to the multifactor authentication Server folder, and open the **MultiFactorAuthMigrationUtilityUI** application. You should see the following screen: +Once complete, navigate to the Multi-Factor Authentication Server folder, and open the **MultiFactorAuthMigrationUtilityUI** application. You should see the following screen: :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/utility.png" alt-text="Screenshot of MFA Server Migration Utility."::: The Configure-MultiFactorAuthMigrationUtility.ps1 script should be run on the se ### Migrate user data-Migrating user data doesn't remove or alter any data in the multifactor authentication Server database. Likewise, this process won't change where a user performs MFA. This process is a one-way copy of data from the on-premises server to the corresponding user object in Microsoft Entra ID. +Migrating user data doesn't remove or alter any data in the Multi-Factor Authentication Server database. Likewise, this process won't change where a user performs MFA. This process is a one-way copy of data from the on-premises server to the corresponding user object in Microsoft Entra ID. The MFA Server Migration utility targets a single Microsoft Entra group for all migration activities. You can add users directly to this group, or add other groups. You can also add them in stages during the migration. |
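Review bot: the Configure the MFA Server Migration Utility hunk says the script creates an application in Microsoft Entra ID that writes authentication methods to every Microsoft Entra user object and that you grant it admin consent, but neither the hunk nor the surrounding text names the permissions being consented to (the only pointer is an image whose alt text is "Screenshot of permissions"), and nothing in the row says to remove that application and its credentials once migration is complete; both belong in prose next to the consent step, because an application with tenant-wide write access to authentication methods is not something to leave behind. Two smaller points in the same row: the paths `%programfiles%\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata` and `C:\Program Files\Multi-Factor Authentication Server` are literal filesystem paths that the earlier branding sweep had already rewritten once, so wrap them in backticks so the next sweep skips them; and "Backup Azure Multi-Factor Authentication Server datafile" uses "Backup" as a verb in both the phase table and the heading, where "Back up" is the verb form (the anchor names can stay as they are).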
active-directory | How To Migrate Mfa Server To Azure Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md | -Multifactor authentication is important to securing your infrastructure and assets from bad actors. Microsoft Entra multifactor authentication Server (MFA Server) isn't available for new deployments and will be deprecated. Customers who are using MFA Server should move to using cloud-based Microsoft Entra multifactor authentication. +Multifactor authentication is important to securing your infrastructure and assets from bad actors. Azure Multi-Factor Authentication Server (MFA Server) isn't available for new deployments and will be deprecated. Customers who are using MFA Server should move to using cloud-based Microsoft Entra multifactor authentication. In this article, we assume that you have a hybrid environment where: If you no longer have access to the secret keys, contact your hardware vendor fo The MFA Server Web Service SDK can be used to export the serial number for any OATH tokens assigned to a given user. You can use this information along with the seed file to import the tokens into Microsoft Entra ID and assign the OATH token to the specified user based on the serial number. The user will also need to be contacted at the time of import to supply OTP information from the device to complete the registration. -Refer to the help file topic **GetUserInfo** > **userSettings** > **OathTokenSerialNumber** in multifactor authentication Server on your MFA Server. +Refer to the help file topic **GetUserInfo** > **userSettings** > **OathTokenSerialNumber** in Multi-Factor Authentication Server on your MFA Server. ### More migrations |
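Review bot: "Refer to the help file topic **GetUserInfo** > **userSettings** > **OathTokenSerialNumber** in Multi-Factor Authentication Server on your MFA Server" now names the product twice in one clause; "in the MFA Server help file" says the same thing. The intro hunk is otherwise consistent with the other pages in this batch ("Azure Multi-Factor Authentication Server (MFA Server)" introduced once, "MFA Server" thereafter), which is the pattern the user-authentication migration page below should follow as well.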
active-directory | How To Migrate Mfa Server To Mfa User Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication.md | -Multifactor authentication helps secure your infrastructure and assets from bad actors. Microsoft multifactor authentication Server (MFA Server) is no longer offered for new deployments. Customers who are using MFA Server should move to Microsoft Entra multifactor authentication (Microsoft Entra multifactor authentication). +Multifactor authentication helps secure your infrastructure and assets from bad actors. Microsoft Multi-Factor Authentication Server (MFA Server) is no longer offered for new deployments. Customers who are using MFA Server should move to Microsoft Entra multifactor authentication (Microsoft Entra multifactor authentication). There are several options for migrating from MFA Server to Microsoft Entra ID: This change ensures only Microsoft Entra multifactor authentication is used as a 1. Open the **AD FS management console**. 1. Under **Services**, right-click on **Authentication Methods**, and select **Edit multifactor authentication Methods**. -1. Clear the **Azure multifactor authentication Server** checkbox. +1. Clear the **Azure Multi-Factor Authentication Server** checkbox. ### Decommission the MFA Server Follow your enterprise server decommissioning process to remove the MFA Servers Possible considerations when decommissions the MFA Server include: * We recommend reviewing MFA Server logs to ensure no users or applications are using it before you remove the server.-* Uninstall multifactor authentication Server from the Control Panel on the server. +* Uninstall Multi-Factor Authentication Server from the Control Panel on the server. * Optionally clean up logs and data directories that are left behind after backing them up first. 
* Uninstall the multifactor authentication Web Server SDK, if applicable including any files left over inetpub\wwwroot\MultiFactorAuthWebServiceSdk and/or MultiFactorAuth directories. * For pre-8.0.x versions of MFA Server, it may also be necessary to remove the multifactor authentication Phone App Web Service. |
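Review bot: the intro hunk now reads "Microsoft Entra multifactor authentication (Microsoft Entra multifactor authentication)", a parenthetical that repeats its own subject; the short form it once introduced was lost in the rename, so either drop the parentheses or put the abbreviation the rest of the page uses inside them. The same hunk introduces "Microsoft Multi-Factor Authentication Server" while the AD FS checkbox hunk lower in the row and the neighbouring pages use "Azure Multi-Factor Authentication Server"; pick one. The decommissioning list also leaves the unchanged lines "Uninstall the multifactor authentication Web Server SDK" and "multifactor authentication Phone App Web Service" with the lowercase wording this commit is reverting elsewhere, and the directory name inetpub\wwwroot\MultiFactorAuthWebServiceSdk on the same line suggests the component is the Web Service SDK rather than Web Server SDK, which is worth confirming against the installer. Finally, "Possible considerations when decommissions the MFA Server include" should read "when decommissioning".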
active-directory | How To Migrate Mfa Server To Mfa With Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation.md | For step-by-step directions on this process, see [Configure the AD FS servers](/ Once you've configured the servers, you can add Microsoft Entra multifactor authentication as an additional authentication method. -![Screen shot showing the Edit authentication methods screen with Microsoft Entra multifactor authentication and Azure multifactor authentication Server selected](./media/how-to-migrate-mfa-server-to-mfa-user-authentication/edit-authentication-methods.png) +![Screen shot showing the Edit authentication methods screen with Microsoft Entra multifactor authentication and Azure Multi-Factor Authentication Server selected](./media/how-to-migrate-mfa-server-to-mfa-user-authentication/edit-authentication-methods.png) <a name='prepare-azure-ad-and-implement-migration'></a> This change ensures only Microsoft Entra multifactor authentication is used as a 1. Under **Services**, right-click on **Authentication Methods**, and select **Edit multifactor authentication Methods**. -1. Uncheck the box next to **Azure multifactor authentication Server**. +1. Uncheck the box next to **Azure Multi-Factor Authentication Server**. ### Decommission the MFA Server Possible considerations when decommissions the MFA Servers include: * Review MFA Servers' logs to ensure no users or applications are using it before you remove the server. -* Uninstall multifactor authentication Server from the Control Panel on the server +* Uninstall Multi-Factor Authentication Server from the Control Panel on the server * Optionally clean up logs and data directories that are left behind after backing them up first. |
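Review bot: "Possible considerations when decommissions the MFA Servers include" in the unchanged context should read "when decommissioning", and the restored bullet "Uninstall Multi-Factor Authentication Server from the Control Panel on the server" is the only item in that list without a terminating period. The checkbox step here says "Uncheck the box next to **Azure Multi-Factor Authentication Server**" while the user-authentication page in this batch says "Clear the **Azure Multi-Factor Authentication Server** checkbox" for the same AD FS dialog; align the two so readers searching for one phrasing find both pages.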
active-directory | Howto Authentication Passwordless Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-deployment.md | Microsoft provides communication templates for end users. Download the [authenti ## Plan user registration -Users register their passwordless method as a part of the **combined security information workflow** at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). Microsoft Entra ID logs registration of security keys and the Authenticator app, and any other changes to the authentication methods. +Users register their passwordless method as a part of the **combined security information workflow** at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). Microsoft Entra logs registration of security keys and the Authenticator app, and any other changes to the authentication methods. For the first-time user who doesn't have a password, admins can provide a [Temporary Access Passcode](howto-authentication-temporary-access-pass.md) to register their security information in [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) . This is a time-limited passcode and satisfies strong authentication requirements. **Temporary Access Pass is a per-user process**. This method can also be used for easy recovery when the user has lost or forgott **MFA server** - End users enabled for multifactor authentication through an organization's on-premises MFA server can create and use a single passwordless phone sign-in credential. If the user attempts to upgrade multiple installations (5 or more) of the Authenticator app with the credential, this change may result in an error. > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. 
Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). **Device registration** - To use the Authenticator app for passwordless authentication, the device must be registered in the Microsoft Entra tenant and can't be a shared device. A device can only be registered in a single tenant. This limit means that only one work or school account is supported for phone sign-in using the Authenticator app. |
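Review bot: this [!IMPORTANT] deprecation notice is the same notice that appears on the AD FS 2.0 page lower in this batch, but the two hunks end up with different wording: here the cloud target is "the cloud-based Azure MFA service" and the links are "Azure MFA Server update" and "Azure MFA Server Migration", there it is "the cloud-based Microsoft Entra multifactor authentication service" and "Azure Multi-Factor Authentication Server update". A boilerplate notice with a hard cutoff date (September 30, 2024) should be a single include so every page carries identical text. Separately, the first hunk changes "Microsoft Entra ID logs registration of security keys" to "Microsoft Entra logs registration", which can be read as the noun phrase "Microsoft Entra logs"; the original form with "ID" was unambiguous.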
active-directory | Howto Authentication Passwordless Faqs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-faqs.md | Like any other DC, the Microsoft Entra Kerberos server encryption *krbtgt* keys ### Why do we need Microsoft Entra Connect? Does it write any info back to AD DS from Microsoft Entra ID? -Microsoft Entra Connect doesn't write info back from Microsoft Entra ID to AD DS. The utility includes the PowerShell module to create the Kerberos Server Object in AD DS and publish it in Microsoft Entra ID. +Microsoft Entra Connect doesn't write info back from Microsoft Entra ID to Active Directory DS. The utility includes the PowerShell module to create the Kerberos Server Object in AD DS and publish it in Microsoft Entra ID. ### What does the HTTP request/response look like when requesting PRT+ partial TGT? Microsoft Entra ID combines the encrypted client key and message buffer into the | tgt_message_buffer | string | Base64 encoded KERB_MESSAGE_BUFFER. | ### Do users need to be a member of the Domain Users Active Directory group?-Yes. A user must be in the Domain Users group to be able to sign-in using Azure AD Kerberos. +Yes. A user must be in the Domain Users group to be able to sign-in using Microsoft Entra Kerberos. ## Next steps |
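Review bot: the first hunk changes "AD DS" to "Active Directory DS" in one sentence while the very next sentence in the same hunk keeps "AD DS"; use the existing abbreviation in both places. In the unchanged context, "to be able to sign-in using Microsoft Entra Kerberos" uses the hyphenated noun where the verb "sign in" is meant.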
active-directory | Howto Authentication Use Email Signin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md | Many organizations want to let users sign in to Microsoft Entra ID using the sam Some organizations haven't moved to hybrid authentication for the following reasons: -* By default, the Microsoft Entra User Principal Name (UPN) is set to the same value as the on-premises UPN. +* By default, the Microsoft Entra user Principal Name (UPN) is set to the same value as the on-premises UPN. * Changing the Microsoft Entra UPN creates a mismatch between on-premises and Microsoft Entra environments that could cause problems with certain applications and services. * Due to business or compliance reasons, the organization doesn't want to use the on-premises UPN to sign in to Microsoft Entra ID. |
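Review bot: the hunk turns "Microsoft Entra User Principal Name (UPN)" into "Microsoft Entra user Principal Name (UPN)"; the sweep lowercased the first word of the proper term User Principal Name, so the capital U should be restored. This line needed no product-name change at all, so the safest fix is to drop the hunk.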
active-directory | Howto Mfa Nps Extension Rdg | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-rdg.md | Typically, organizations use NPS (RADIUS) to simplify and centralize the managem Organizations can also integrate NPS with Microsoft Entra multifactor authentication to enhance security and provide a high level of compliance. This helps ensure that users establish two-step verification to sign in to the Remote Desktop Gateway. For users to be granted access, they must provide their username/password combination along with information that the user has in their control. This information must be trusted and not easily duplicated, such as a cell phone number, landline number, application on a mobile device, and so on. RDG currently supports phone call and **Approve**/**Deny** push notifications from Microsoft authenticator app methods for 2FA. For more information about supported authentication methods see the section [Determine which authentication methods your users can use](howto-mfa-nps-extension.md#determine-which-authentication-methods-your-users-can-use). -Prior to the availability of the NPS extension for Azure, customers who wished to implement two-step verification for integrated NPS and Microsoft Entra multifactor authentication environments had to configure and maintain a separate MFA Server in the on-premises environment as documented in [Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS](howto-mfaserver-nps-rdg.md). +Prior to the availability of the NPS extension for Azure, customers who wished to implement two-step verification for integrated NPS and Microsoft Entra multifactor authentication environments had to configure and maintain a separate MFA Server in the on-premises environment as documented in [Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md). 
The availability of the NPS extension for Azure now gives organizations the choice to deploy either an on-premises based MFA solution or a cloud-based MFA solution to secure RADIUS client authentication. This section details the prerequisites necessary before integrating Microsoft En * Microsoft Entra multifactor authentication License * Windows Server software * Network Policy and Access Services (NPS) role-* Azure Active Directory synched with on-premises Active Directory +* Microsoft Entra synched with on-premises Active Directory * Microsoft Entra GUID ID ### Remote Desktop Services (RDS) infrastructure The NPS role service provides the RADIUS server and client functionality as well For information on installing the NPS role service Windows Server 2012 or older, see [Install a NAP Health Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd296890(v=ws.10)). For a description of best practices for NPS, including the recommendation to install NPS on a domain controller, see [Best Practices for NPS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771746(v=ws.10)). -### Azure Active Directory synched with on-premises Active Directory +<a name='azure-active-directory-synched-with-on-premises-active-directory'></a> ++### Microsoft Entra synched with on-premises Active Directory To use the NPS extension, on-premises users must be synced with Microsoft Entra ID and enabled for MFA. This section assumes that on-premises users are synched with Microsoft Entra ID using AD Connect. For information on Microsoft Entra Connect, see [Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md). 
The image below from Microsoft Message Analyzer shows network traffic filtered o [How to get Microsoft Entra multifactor authentication](concept-mfa-licensing.md) -[Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS](howto-mfaserver-nps-rdg.md) +[Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md) [Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md) |
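Review bot: the unchanged context still states that "RDG currently supports phone call and **Approve**/**Deny** push notifications from Microsoft authenticator app methods for 2FA", while the number matching page earlier in this batch says the Authenticator flow requires number matching; one sentence reconciling the two (what a RADIUS client that has no way to show a number actually presents to the user) would save readers a support ticket, and "Microsoft authenticator" should be capitalised as the product name. On the rename itself, the hunk writes "Microsoft Entra synched with on-premises Active Directory" in both the prerequisite list and the heading, while the VPN page below spells the same heading "Microsoft Entra ID synced with on-premises Active Directory"; "synced" is the standard spelling and including "ID" matches the product name used everywhere else in the row.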
active-directory | Howto Mfa Nps Extension Vpn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md | Network Policy and Access Services gives organizations the ability to: To enhance security and provide a high level of compliance, organizations can integrate NPS with Microsoft Entra multifactor authentication to ensure that users use two-step verification to connect to the virtual port on the VPN server. For users to be granted access, they must provide their username and password combination and other information that they control. This information must be trusted and not easily duplicated. It can include a cell phone number, a landline number, or an application on a mobile device. -Prior to the availability of the NPS extension for Azure, customers who wanted to implement two-step verification for integrated NPS and MFA environments had to configure and maintain a separate MFA server in an on-premises environment. This type of authentication is offered by Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS. +Prior to the availability of the NPS extension for Azure, customers who wanted to implement two-step verification for integrated NPS and MFA environments had to configure and maintain a separate MFA server in an on-premises environment. This type of authentication is offered by Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS. With the NPS extension for Azure, organizations can secure RADIUS client authentication by deploying either an on-premises based MFA solution or a cloud-based MFA solution. 
This section details the prerequisites that must be completed before you can int * Microsoft Entra multifactor authentication license * Windows Server software * Libraries-* Azure Active Directory (Azure AD) synced with on-premises Active Directory +* Microsoft Entra ID synced with on-premises Active Directory * Microsoft Entra GUID ID ### VPN infrastructure The following libraries are installed automatically with the NPS extension: If the Azure Active Directory PowerShell module is not already present, it is installed with a configuration script that you run as part of the setup process. There is no need to install the module ahead of time if it is not already installed. -### Azure Active Directory synced with on-premises Active Directory +<a name='azure-active-directory-synced-with-on-premises-active-directory'></a> ++### Microsoft Entra ID synced with on-premises Active Directory To use the NPS extension, on-premises users must be synced with Microsoft Entra ID and enabled for MFA. This guide assumes that on-premises users are synced with Microsoft Entra ID via Microsoft Entra Connect. Instructions for enabling users for MFA are provided below. For more information, see [Integrate your existing NPS infrastructure with Micro [Get Microsoft Entra multifactor authentication](concept-mfa-licensing.md) -[Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS](howto-mfaserver-nps-rdg.md) +[Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md) [Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md) |
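Review bot: the heading "Microsoft Entra ID synced with on-premises Active Directory" and the prerequisite bullet are now spelled differently from the RDG page's "Microsoft Entra synched with on-premises Active Directory" for the same section; this spelling is the better one, so the RDG page should be brought to it in the same commit. The unchanged line "If the Azure Active Directory PowerShell module is not already present, it is installed with a configuration script" is the one place in the row where "Azure Active Directory" is part of a module name rather than the product, so the sweep was right to leave it, but mark it as code so a later sweep does not rename it.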
active-directory | Howto Mfa Reporting Datacollection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-reporting-datacollection.md | -This document explains how to find user information collected by Azure multifactor authentication Server (MFA Server), Microsoft Entra multifactor authentication (Cloud-based), and self-service password reset (SSPR) in the event you would like to remove it. +This document explains how to find user information collected by Azure Multi-Factor Authentication Server (MFA Server), Microsoft Entra multifactor authentication (Cloud-based), and self-service password reset (SSPR) in the event you would like to remove it. [!INCLUDE [gdpr-hybrid-note](../../../includes/gdpr-hybrid-note.md)] |
active-directory | Howto Mfa Userdevicesettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userdevicesettings.md | If you're assigned the *Authentication Administrator* role, you can require user 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator). 1. Browse to **Identity** > **Users** > **All users**. 1. Select **Multifactor authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location:- [![Select multifactor authentication from the Users window in Azure AD.](media/howto-mfa-userstates/selectmfa-cropped.png)](media/howto-mfa-userstates/selectmfa.png#lightbox) + [![Select multifactor authentication from the Users window in Microsoft Entra ID.](media/howto-mfa-userstates/selectmfa-cropped.png)](media/howto-mfa-userstates/selectmfa.png#lightbox) 1. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right. 1. Select **Manage user settings**, then check the box for **Delete all existing app passwords generated by the selected users**, as shown in the following example: ![Delete all existing app passwords](./media/howto-mfa-userdevicesettings/deleteapppasswords.png) If you're assigned the *Authentication Administrator* role, you can require user This article showed you how to configure individual user settings. To configure overall Microsoft Entra multifactor authentication service settings, see [Configure Microsoft Entra multifactor authentication settings](howto-mfa-mfasettings.md). If your users need help, see the [User guide for Microsoft Entra multifactor authentication](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc).-- |
active-directory | Howto Mfaserver Adfs 2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-adfs-2.md | Title: Use Microsoft Entra multifactor authentication Server with AD FS 2.0 + Title: Use Azure Multi-Factor Authentication Server with AD FS 2.0 description: Describes how to get started with Microsoft Entra multifactor authentication and AD FS 2.0. -# Configure Azure multifactor authentication Server to work with AD FS 2.0 +# Configure Azure Multi-Factor Authentication Server to work with AD FS 2.0 -This article is for organizations that are federated with Microsoft Entra ID, and want to secure resources that are on-premises or in the cloud. Protect your resources by using the Azure multifactor authentication Server and configuring it to work with AD FS so that two-step verification is triggered for high-value end points. +This article is for organizations that are federated with Microsoft Entra ID, and want to secure resources that are on-premises or in the cloud. Protect your resources by using the Azure Multi-Factor Authentication Server and configuring it to work with AD FS so that two-step verification is triggered for high-value end points. -This documentation covers using the Azure multifactor authentication Server with AD FS 2.0. For information about AD FS, see [Securing cloud and on-premises resources using Azure multifactor authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md). +This documentation covers using the Azure Multi-Factor Authentication Server with AD FS 2.0. For information about AD FS, see [Securing cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md). > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. 
Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md). 
> This documentation covers using the Azure multifactor authentication Server with ## Secure AD FS 2.0 with a proxy -To secure AD FS 2.0 with a proxy, install the Azure multifactor authentication Server on the AD FS proxy server. +To secure AD FS 2.0 with a proxy, install the Azure Multi-Factor Authentication Server on the AD FS proxy server. ### Configure IIS authentication -1. In the Azure multifactor authentication Server, click the **IIS Authentication** icon in the left menu. +1. In the Azure Multi-Factor Authentication Server, click the **IIS Authentication** icon in the left menu. 2. Click the **Form-Based** tab. 3. Click **Add**. Make sure users are imported from Active Directory into the Server. To allow use ## AD FS 2.0 Direct without a proxy -You can secure AD FS when the AD FS proxy isn't used. Install the Azure multifactor authentication Server on the AD FS server and configure the Server per the following steps: +You can secure AD FS when the AD FS proxy isn't used. Install the Azure Multi-Factor Authentication Server on the AD FS server and configure the Server per the following steps: -1. Within the Azure multifactor authentication Server, click the **IIS Authentication** icon in the left menu. +1. Within the Azure Multi-Factor Authentication Server, click the **IIS Authentication** icon in the left menu. 2. Click the **HTTP** tab. 3. Click **Add**. 4. In the Add Base URL dialogue box, enter the URL for the AD FS website where HTTP authentication is performed (like `https://sso.domain.com/adfs/ls/auth/integrated`) into the Base URL field. Then, enter an Application name (optional). The Application name appears in Azure multifactor authentication reports and may be displayed within SMS or Mobile App authentication messages. |
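Review bot: The tutorial link text at the end of the IMPORTANT block ("Tutorial: Secure user sign-in events with Azure multifactor authentication") is left as-is here while the same link in the other articles in this batch reads "Microsoft Entra multifactor authentication"; since this change deliberately uses "Azure Multi-Factor Authentication Server" for the on-premises product and keeps "Microsoft Entra multifactor authentication" for the cloud service (as the rewritten line "cloud-based Microsoft Entra multifactor authentication service" does), align this link so readers can tell the two apart. The rewritten line also still carries "usersΓÇÖ", which appears to be a mis-encoded curly apostrophe in both the removed and the added line; use a plain apostrophe while the line is being touched.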
active-directory | Howto Mfaserver Adfs Windows Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-adfs-windows-server.md | -# Configure Azure multifactor authentication Server to work with AD FS in Windows Server +# Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server -If you use Active Directory Federation Services (AD FS) and want to secure cloud or on-premises resources, you can configure Azure multifactor authentication Server to work with AD FS. This configuration triggers two-step verification for high-value endpoints. +If you use Active Directory Federation Services (AD FS) and want to secure cloud or on-premises resources, you can configure Azure Multi-Factor Authentication Server to work with AD FS. This configuration triggers two-step verification for high-value endpoints. -In this article, we discuss using Azure multifactor authentication Server with AD FS beginning with Windows Server 2016. For more information, read about how to [secure cloud and on-premises resources by using Azure multifactor authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md). +In this article, we discuss using Azure Multi-Factor Authentication Server with AD FS beginning with Windows Server 2016. For more information, read about how to [secure cloud and on-premises resources by using Azure Multi-Factor Authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md). > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. 
To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md). 
> In this article, we discuss using Azure multifactor authentication Server with A <a name='secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server'></a> -## Secure Windows Server AD FS with Azure multifactor authentication Server +<a name='secure-windows-server-ad-fs-with-azure-multifactor-authentication-server'></a> -When you install Azure multifactor authentication Server, you have the following options: +## Secure Windows Server AD FS with Azure Multi-Factor Authentication Server -* Install Azure multifactor authentication Server locally on the same server as AD FS -* Install the Azure multifactor authentication adapter locally on the AD FS server, and then install multifactor authentication Server on a different computer +When you install Azure Multi-Factor Authentication Server, you have the following options: ++* Install Azure Multi-Factor Authentication Server locally on the same server as AD FS +* Install the Azure multifactor authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer Before you begin, be aware of the following information: -* You don't have to install Azure multifactor authentication Server on your AD FS server. However, you must install the multifactor authentication adapter for AD FS on a Windows Server 2012 R2 or Windows Server 2016 that is running AD FS. You can install the server on a different computer if you install the AD FS adapter separately on your AD FS federation server. See the following procedures to learn how to install the adapter separately. +* You don't have to install Azure Multi-Factor Authentication Server on your AD FS server. However, you must install the multifactor authentication adapter for AD FS on a Windows Server 2012 R2 or Windows Server 2016 that is running AD FS. You can install the server on a different computer if you install the AD FS adapter separately on your AD FS federation server. 
See the following procedures to learn how to install the adapter separately. * If your organization is using text message or mobile app verification methods, the strings defined in Company Settings contain a placeholder, <$*application_name*$>. In MFA Server v7.1, you can provide an application name that replaces this placeholder. In v7.0 or older, this placeholder is not automatically replaced when you use the AD FS adapter. For those older versions, remove the placeholder from the appropriate strings when you secure AD FS. * The account that you use to sign in must have user rights to create security groups in your Active Directory service. * The multifactor Authentication AD FS adapter installation wizard creates a security group called PhoneFactor Admins in your instance of Active Directory. It then adds the AD FS service account of your federation service to this group. Verify that the PhoneFactor Admins group was created on your domain controller, and that the AD FS service account is a member of this group. If necessary, manually add the AD FS service account to the PhoneFactor Admins group on your domain controller.-* For information about installing the Web Service SDK with the user portal, see [deploying the user portal for Azure multifactor authentication Server.](howto-mfaserver-deploy-userportal.md) +* For information about installing the Web Service SDK with the user portal, see [deploying the user portal for Azure Multi-Factor Authentication Server.](howto-mfaserver-deploy-userportal.md) <a name='install-azure-multi-factor-authentication-server-locally-on-the-ad-fs-server'></a> -### Install Azure multifactor authentication Server locally on the AD FS server +<a name='install-azure-multifactor-authentication-server-locally-on-the-ad-fs-server'></a> ++### Install Azure Multi-Factor Authentication Server locally on the AD FS server -1. Download and install Azure multifactor authentication Server on your AD FS server. 
For installation information, read about [getting started with Azure multifactor authentication Server](howto-mfaserver-deploy.md). -2. In the Azure multifactor authentication Server management console, click the **AD FS** icon. Select the options **Allow user enrollment** and **Allow users to select method**. +1. Download and install Azure Multi-Factor Authentication Server on your AD FS server. For installation information, read about [getting started with Azure Multi-Factor Authentication Server](howto-mfaserver-deploy.md). +2. In the Azure Multi-Factor Authentication Server management console, click the **AD FS** icon. Select the options **Allow user enrollment** and **Allow users to select method**. 3. Select any additional options you'd like to specify for your organization. 4. Click **Install AD FS Adapter**. Before you begin, be aware of the following information: 5. If the Active Directory window is displayed, that means two things. Your computer is joined to a domain, and the Active Directory configuration for securing communication between the AD FS adapter and the multifactor authentication service is incomplete. Click **Next** to automatically complete this configuration, or select the **Skip automatic Active Directory configuration and configure settings manually** check box. Click **Next**. 6. If the Local Group window is displayed, that means two things. Your computer is not joined to a domain, and the local group configuration for securing communication between the AD FS adapter and the multifactor authentication service is incomplete. Click **Next** to automatically complete this configuration, or select the **Skip automatic Local Group configuration and configure settings manually** check box. Click **Next**.-7. In the installation wizard, click **Next**. Azure multifactor authentication Server creates the PhoneFactor Admins group and adds the AD FS service account to the PhoneFactor Admins group. +7. In the installation wizard, click **Next**. 
Azure Multi-Factor Authentication Server creates the PhoneFactor Admins group and adds the AD FS service account to the PhoneFactor Admins group. 8. On the **Launch Installer** page, click **Next**. 9. In the multifactor authentication AD FS adapter installer, click **Next**. 10. Click **Close** when the installation is finished. Before you begin, be aware of the following information: ![Edit global authentication policy](./media/howto-mfaserver-adfs-2012/global.png) -At this point, multifactor authentication Server is set up to be an additional authentication provider to use with AD FS. +At this point, Multi-Factor Authentication Server is set up to be an additional authentication provider to use with AD FS. ## Install a standalone instance of the AD FS adapter by using the Web Service SDK -1. Install the Web Service SDK on the server that is running multifactor authentication Server. -2. Copy the following files from the \Program Files\multifactor authentication Server directory to the server on which you plan to install the AD FS adapter: +1. Install the Web Service SDK on the server that is running Multi-Factor Authentication Server. +2. Copy the following files from the \Program Files\Multi-Factor Authentication Server directory to the server on which you plan to install the AD FS adapter: * MultiFactorAuthenticationAdfsAdapterSetup64.msi * Register-MultiFactorAuthenticationAdfsAdapter.ps1 * Unregister-MultiFactorAuthenticationAdfsAdapter.ps1 If you don't want to use a username and password, follow these steps to configur 24. Open the client certificate and copy the thumbprint from the **Details** tab. 25. In the MultiFactorAuthenticationAdfsAdapter.config file, set **WebServiceSdkCertificateThumbprint** to the string copied in the previous step. -Finally, to register the adapter, run the \Program Files\multifactor authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1 script in PowerShell. 
The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect. +Finally, to register the adapter, run the \Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1 script in PowerShell. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect. <a name='secure-azure-ad-resources-using-ad-fs'></a> |
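Review bot: Naming is still mixed inside the rewritten bullets: "Install the Azure multifactor authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer" renames the server but not the adapter, and the unchanged context keeps "the multifactor authentication adapter for AD FS" and "The multifactor Authentication AD FS adapter installation wizard" (odd capitalization); pick one form for the adapter in the same change. Keeping the old `secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server` and `install-azure-multi-factor-authentication-server-locally-on-the-ad-fs-server` anchors next to the new ones is the right call, since existing deep links keep resolving. The restored literal path "\Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1" is the important fix in this hunk: the previous mass rename had rewritten a real file-system path, so the registration step could not be followed as written.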
active-directory | Howto Mfaserver Deploy Ha | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-ha.md | Title: High availability for Azure MFA Server -description: Deploy multiple instances of Azure multifactor authentication Server in configurations that provide high availability. +description: Deploy multiple instances of Azure Multi-Factor Authentication Server in configurations that provide high availability. -# Configure Azure multifactor authentication Server for high availability +# Configure Azure Multi-Factor Authentication Server for high availability To achieve high-availability with your Azure Server MFA deployment, you need to deploy multiple MFA servers. This section provides information on a load-balanced design to achieve your high availability targets in your Azure MFS Server deployment. > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. 
Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). > |
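Review bot: The opening paragraph right below the rewritten heading still reads "your Azure Server MFA deployment" and "your Azure MFS Server deployment"; both should be "Azure MFA Server deployment", and since the title, description and heading lines in this hunk are already being rewritten, fix these typos in the same change rather than leaving them as unchanged context.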
active-directory | Howto Mfaserver Deploy Mobileapp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-mobileapp.md | -# Enable mobile app authentication with Microsoft Entra multifactor authentication Server +# Enable mobile app authentication with Azure Multi-Factor Authentication Server The Microsoft Authenticator app offers an extra out-of-band verification option. Instead of placing an automated phone call or SMS to the user during login, Microsoft Entra multifactor authentication pushes a notification to the Authenticator app on the user's smartphone or tablet. The user simply taps **Verify** (or enters a PIN and taps "Authenticate") in the app to complete their sign-in. Using a mobile app for two-step verification is preferred when phone reception is unreliable. If you use the app as an OATH token generator, it doesn't require any network or internet connection. > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Microsoft Entra multifactor authentication Server. Beginning September 30, 2024, Microsoft Entra multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. 
Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). > [!IMPORTANT]-> If you have installed Microsoft Entra multifactor authentication Server v8.x or higher, most of the steps below are not required. Mobile app authentication can be set up by following the steps under [Configure the mobile app](#configure-the-mobile-app-settings-in-mfa-server). +> If you have installed Azure Multi-Factor Authentication Server v8.x or higher, most of the steps below are not required. Mobile app authentication can be set up by following the steps under [Configure the mobile app](#configure-the-mobile-app-settings-in-mfa-server). 
## Requirements -To use the Authenticator app, you must be running Microsoft Entra multifactor authentication Server v8.x or higher +To use the Authenticator app, you must be running Azure Multi-Factor Authentication Server v8.x or higher ## Configure the mobile app settings in MFA Server To use the Authenticator app, you must be running Microsoft Entra multifactor au ## Next steps -- [Advanced scenarios with Microsoft Entra multifactor authentication Server and third-party VPNs](howto-mfaserver-nps-vpn.md).+- [Advanced scenarios with Azure Multi-Factor Authentication Server and third-party VPNs](howto-mfaserver-nps-vpn.md). |
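Review bot: The two rewritten statements in this hunk contradict each other as written: the IMPORTANT block says "If you have installed Azure Multi-Factor Authentication Server v8.x or higher, most of the steps below are not required", while the Requirements section says "you must be running Azure Multi-Factor Authentication Server v8.x or higher", so the note applies to every supported installation and the "steps below" it refers to are never needed; either drop the note or state which steps still apply. The Requirements sentence also lacks a terminating period in both the removed and the added line.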
active-directory | Howto Mfaserver Deploy Upgrade Pf | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-upgrade-pf.md | Title: Upgrade PhoneFactor to Microsoft Entra multifactor authentication Server -description: Get started with Microsoft Entra multifactor authentication Server when you upgrade from the older phonefactor agent. + Title: Upgrade PhoneFactor to Azure Multi-Factor Authentication Server +description: Get started with Azure Multi-Factor Authentication Server when you upgrade from the older phonefactor agent. -# Upgrade the PhoneFactor Agent to Microsoft Entra multifactor authentication Server +# Upgrade the PhoneFactor Agent to Azure Multi-Factor Authentication Server -To upgrade the PhoneFactor Agent v5.x or older to Microsoft Entra multifactor authentication Server, uninstall the PhoneFactor Agent and affiliated components first. Then the multifactor authentication Server and its affiliated components can be installed. +To upgrade the PhoneFactor Agent v5.x or older to Azure Multi-Factor Authentication Server, uninstall the PhoneFactor Agent and affiliated components first. Then the Multi-Factor Authentication Server and its affiliated components can be installed. > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Microsoft Entra multifactor authentication Server. Beginning September 30, 2024, Microsoft Entra multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. 
To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). To upgrade the PhoneFactor Agent v5.x or older to Microsoft Entra multifactor au <a name='install-the-multi-factor-authentication-server'></a> -## Install the multifactor authentication Server +<a name='install-the-multifactor-authentication-server'></a> -The installation path is picked up from the registry from the previous PhoneFactor Agent installation, so it should install in the same location (for example, C:\Program Files\PhoneFactor). 
New installations have a different default install path (for example, C:\Program Files\multifactor authentication Server). The data file left by the previous PhoneFactor Agent should be upgraded during installation, so your users and settings should still be there after installing the new multifactor authentication Server. +## Install the Multi-Factor Authentication Server -1. If prompted, activate the multifactor authentication Server and ensure it is assigned to the correct replication group. +The installation path is picked up from the registry from the previous PhoneFactor Agent installation, so it should install in the same location (for example, C:\Program Files\PhoneFactor). New installations have a different default install path (for example, C:\Program Files\Multi-Factor Authentication Server). The data file left by the previous PhoneFactor Agent should be upgraded during installation, so your users and settings should still be there after installing the new Multi-Factor Authentication Server. -2. If the Web Service SDK was previously installed, install the new Web Service SDK through the multifactor authentication Server User Interface. +1. If prompted, activate the Multi-Factor Authentication Server and ensure it is assigned to the correct replication group. ++2. If the Web Service SDK was previously installed, install the new Web Service SDK through the Multi-Factor Authentication Server User Interface. The default virtual directory name is now **MultiFactorAuthWebServiceSdk** instead of **PhoneFactorWebServiceSdk**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you have to change the URL in any applications that reference the Web Service SDK (like the User portal and Mobile App Web Service) to point at the correct location. -3. 
If the User portal was previously installed on the PhoneFactor Agent Server, install the new multifactor authentication User portal through the multifactor authentication Server User Interface. +3. If the User portal was previously installed on the PhoneFactor Agent Server, install the new multifactor authentication User portal through the Multi-Factor Authentication Server User Interface. - The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should click the User portal icon in the multifactor authentication Server and update the User portal URL on the Settings tab. + The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should click the User portal icon in the Multi-Factor Authentication Server and update the User portal URL on the Settings tab. 4. If the User portal and/or Mobile App Web Service was previously installed on a different server from the PhoneFactor Agent: The installation path is picked up from the registry from the previous PhoneFact 2. To install the User portal on the web server, open a command prompt as an administrator and run MultiFactorAuthenticationUserPortalSetupXX.msi. - The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should click the User portal icon in the multifactor authentication Server and update the User portal URL on the Settings tab. Existing users need to be informed of the new URL. 
+ The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should click the User portal icon in the Multi-Factor Authentication Server and update the User portal URL on the Settings tab. Existing users need to be informed of the new URL. 3. Go to the User portal install location (for example, C:\inetpub\wwwroot\MultiFactorAuth) and edit the web.config file. Copy the values in the appSettings and applicationSettings sections from your original web.config file that was backed up before the upgrade into the new web.config file. If the new default virtual directory name was kept when installing the Web Service SDK, change the URL in the applicationSettings section to point to the correct location. If any other defaults were changed in the previous web.config file, apply those same changes to the new web.config file. The installation path is picked up from the registry from the previous PhoneFact ## Next steps -- [Install the users portal](howto-mfaserver-deploy-userportal.md) for the Microsoft Entra multifactor authentication Server.+- [Install the users portal](howto-mfaserver-deploy-userportal.md) for the Azure Multi-Factor Authentication Server. - [Configure Windows Authentication](howto-mfaserver-windows.md) for your applications. |
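Review bot: Step 3 in the rewritten list still mixes the two forms in one sentence ("install the new multifactor authentication User portal through the Multi-Factor Authentication Server User Interface"); use the same product name for the User portal as for the server. The restored default install path "C:\Program Files\Multi-Factor Authentication Server" is the substantive fix here (the earlier rename had altered a literal path), and the retained `install-the-multi-factor-authentication-server` anchor alongside the new one keeps existing links working; both are worth keeping.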
active-directory | Howto Mfaserver Deploy Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-upgrade.md | Title: Upgrading Azure MFA Server -description: Steps and guidance to upgrade the Microsoft Entra multifactor authentication Server to a newer version. +description: Steps and guidance to upgrade the Azure Multi-Factor Authentication Server to a newer version. -# Upgrade to the latest Microsoft Entra multifactor authentication Server +# Upgrade to the latest Azure Multi-Factor Authentication Server -This article walks you through the process of upgrading Microsoft Entra multifactor authentication Server v6.0 or higher. If you need to upgrade an old version of the PhoneFactor Agent, refer to [Upgrade the PhoneFactor Agent to Microsoft Entra multifactor authentication Server](howto-mfaserver-deploy-upgrade-pf.md). +This article walks you through the process of upgrading Azure Multi-Factor Authentication Server v6.0 or higher. If you need to upgrade an old version of the PhoneFactor Agent, refer to [Upgrade the PhoneFactor Agent to Azure Multi-Factor Authentication Server](howto-mfaserver-deploy-upgrade-pf.md). If you're upgrading from v6.x or older to v7.x or newer, all components change from .NET 2.0 to .NET 4.5. All components also require Microsoft Visual C++ 2015 Redistributable Update 1 or higher. The MFA Server installer installs both the x86 and x64 versions of these components if they aren't already installed. If the User Portal and Mobile App Web Service run on separate servers, you need to install those packages before upgrading those components. You can search for the latest Microsoft Visual C++ 2015 Redistributable update on the [Microsoft Download Center](https://www.microsoft.com/download/). > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Microsoft Entra multifactor authentication Server. 
Beginning September 30, 2024, Microsoft Entra multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). Upgrade steps at a glance: ## Upgrade Azure MFA Server -1. Use the instructions in [Download the Microsoft Entra multifactor authentication Server](howto-mfaserver-deploy.md#download-the-mfa-server) to get the latest version of the Azure MFA Server installer. -2. 
Make a backup of the MFA Server data file located at C:\Program Files\multifactor authentication Server\Data\PhoneFactor.pfdata (assuming the default install location) on your primary MFA Server. +1. Use the instructions in [Download the Azure Multi-Factor Authentication Server](howto-mfaserver-deploy.md#download-the-mfa-server) to get the latest version of the Azure MFA Server installer. +2. Make a backup of the MFA Server data file located at C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata (assuming the default install location) on your primary MFA Server. 3. If you run multiple servers for high availability, change the client systems that authenticate to the MFA Server so that they stop sending traffic to the servers that are upgrading. If you use a load balancer, remove a subordinate MFA Server from the load balancer, do the upgrade, and then add the server back into the farm. 4. Run the new installer on each MFA Server. Upgrade subordinate servers first because they can read the old data file being replicated by the primary. > [!NOTE] > When upgrading a server it should be removed from any load balancing or traffic sharing with other MFA Servers. >- > You do not need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade. The installation path is picked up from the registry from the previous installation, so it installs in the same location (for example, C:\Program Files\multifactor authentication Server). + > You do not need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade. The installation path is picked up from the registry from the previous installation, so it installs in the same location (for example, C:\Program Files\Multi-Factor Authentication Server). 5. If you're prompted to install a Microsoft Visual C++ 2015 Redistributable update package, accept the prompt. 
Both the x86 and x64 versions of the package are installed. 6. If you use the Web Service SDK, you are prompted to install the new Web Service SDK. When you install the new Web Service SDK, make sure that the virtual directory name matches the previously installed virtual directory (for example, MultiFactorAuthWebServiceSdk). Complete the upgrade of your MFA Servers and User Portal before moving to this s ### If MFA runs on different servers than AD FS -These instructions only apply if you run multifactor authentication Server separately from your AD FS servers. If both services run on the same servers, skip this section and go to the installation steps. +These instructions only apply if you run Multi-Factor Authentication Server separately from your AD FS servers. If both services run on the same servers, skip this section and go to the installation steps. 1. Save a copy of the MultiFactorAuthenticationAdfsAdapter.config file that was registered in AD FS, or export the configuration using the following PowerShell command: `Export-AdfsAuthenticationProviderConfigurationData -Name [adapter name] -FilePath [path to config file]`. The adapter name is either "WindowsAzureMultiFactorAuthentication" or "AzureMfaServerAuthentication" depending on the version previously installed. 2. Copy the following files from the MFA Server installation location to the AD FS servers: |
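Review bot: the renamed deprecation notice (the `+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server...` line) still tells readers to migrate to "the cloud-based Azure MFA service" and links "[Azure MFA Server Migration]", while the same notice in howto-mfaserver-deploy.md in this change set reads "cloud-based Microsoft Entra multifactor authentication service" and "[Azure Multi-Factor Authentication Server Migration]". Only the on-premises product keeps the Azure Multi-Factor Authentication Server name; the cloud service is Microsoft Entra multifactor authentication, so align this line with the deploy article. The same `+` line also carries `usersΓÇÖ`, a mis-encoded apostrophe copied verbatim from the `-` line; replace it with `users'` while the line is being rewritten.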
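Review bot: step 2 of "Upgrade Azure MFA Server" (the `+2. Make a backup of the MFA Server data file located at C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata...` line) asks the reader to back up only PhoneFactor.pfdata, whereas the "Back up and restore" section of howto-mfaserver-deploy.md in this same change says to keep a copy of the whole `C:\Program Files\Multi-Factor Authentication Server\Data` folder including PhoneFactor.pfdata. A failed in-place upgrade is exactly when the restore path is needed, so make this step match the deploy article and point at its restore steps (stop the MultiFactorAuth service, overwrite PhoneFactor.pfdata with the backup, start the service). Step 3 and the NOTE below step 4 both say to pull a server out of the load balancer before upgrading; stating it once is enough.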
active-directory | Howto Mfaserver Deploy Userportal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-userportal.md | -# User portal for the Microsoft Entra multifactor authentication Server +# User portal for the Azure Multi-Factor Authentication Server The user portal is an IIS web site that allows users to enroll in Microsoft Entra multifactor authentication and maintain their accounts. A user may change their phone number, change their PIN, or choose to bypass two-step verification during their next sign-on. Users sign in to the user portal with their normal username and password, then e User portal Administrators may be set up and granted permission to add new users and update existing users. -Depending on your environment, you may want to deploy the user portal on the same server as Microsoft Entra multifactor authentication Server or on another internet-facing server. +Depending on your environment, you may want to deploy the user portal on the same server as Azure Multi-Factor Authentication Server or on another internet-facing server. > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Microsoft Entra multifactor authentication Server. Beginning September 30, 2024, Microsoft Entra multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). 
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). Depending on your environment, you may want to deploy the user portal on the sam ![MFA Server User portal log in page](./media/howto-mfaserver-deploy-userportal/portal.png) > [!NOTE]-> The user portal is only available with multifactor authentication Server. If you use multifactor authentication in the cloud, refer your users to the [Set-up your account for two-step verification](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) or [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). +> The user portal is only available with Multi-Factor Authentication Server. 
If you use multifactor authentication in the cloud, refer your users to the [Set-up your account for two-step verification](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) or [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). ## Install the web service SDK -In either scenario, if the Microsoft Entra multifactor authentication Web Service SDK is **not** already installed on the Microsoft Entra multifactor authentication Server, complete the steps that follow. +In either scenario, if the Microsoft Entra multifactor authentication Web Service SDK is **not** already installed on the Azure Multi-Factor Authentication Server, complete the steps that follow. -1. Open the multifactor authentication Server console. +1. Open the Multi-Factor Authentication Server console. 2. Go to the **Web Service SDK** and select **Install Web Service SDK**. 3. Complete the install using the defaults unless you need to change them for some reason. 4. Bind a TLS/SSL Certificate to the site in IIS. The Web Service SDK must be secured with a TLS/SSL certificate. 
A self-signed ce <a name='deploy-the-user-portal-on-the-same-server-as-the-azure-ad-multi-factor-authentication-server'></a> -## Deploy the user portal on the same server as the Microsoft Entra multifactor authentication Server +<a name='deploy-the-user-portal-on-the-same-server-as-the-microsoft-entra-multifactor-authentication-server'></a> -The following pre-requisites are required to install the user portal on the **same server** as the Microsoft Entra multifactor authentication Server: +## Deploy the user portal on the same server as the Azure Multi-Factor Authentication Server ++The following pre-requisites are required to install the user portal on the **same server** as the Azure Multi-Factor Authentication Server: * IIS, including ASP.NET, and IIS 6 meta base compatibility (for IIS 7 or higher) * An account with admin rights for the computer and Domain if applicable. The account needs permissions to create Active Directory security groups. The following pre-requisites are required to install the user portal on the **sa To deploy the user portal, follow these steps: -1. Open the Microsoft Entra multifactor authentication Server console, click the **User Portal** icon in the left menu, then click **Install User Portal**. +1. Open the Azure Multi-Factor Authentication Server console, click the **User Portal** icon in the left menu, then click **Install User Portal**. 2. Complete the install using the defaults unless you need to change them for some reason. 3. Bind a TLS/SSL Certificate to the site in IIS If you have questions about configuring a TLS/SSL Certificate on an IIS server, ## Deploy the user portal on a separate server -If the server where Microsoft Entra multifactor authentication Server is running isn't internet-facing, you should install the user portal on a **separate, internet-facing server**. 
+If the server where Azure Multi-Factor Authentication Server is running isn't internet-facing, you should install the user portal on a **separate, internet-facing server**. If your organization uses the Microsoft Authenticator app as one of the verification methods, and want to deploy the user portal on its own server, complete the following requirements: -* Use v6.0 or higher of the Microsoft Entra multifactor authentication Server. +* Use v6.0 or higher of the Azure Multi-Factor Authentication Server. * Install the user portal on an internet-facing web server running Microsoft internet Information Services (IIS) 6.x or higher. * When using IIS 6.x, ensure ASP.NET v2.0.50727 is installed, registered, and set to **Allowed**. * When using IIS 7.x or higher, IIS, including Basic Authentication, ASP.NET, and IIS 6 meta base compatibility. * Secure the user portal with a TLS/SSL certificate. * Secure the Microsoft Entra multifactor authentication Web Service SDK with a TLS/SSL certificate. * Ensure that the user portal can connect to the Microsoft Entra multifactor authentication Web Service SDK over TLS/SSL.-* Ensure that the user portal can authenticate to the Microsoft Entra multifactor authentication Web Service SDK using the credentials of a service account in the "PhoneFactor Admins" security group. This service account and group should exist in Active Directory if the Microsoft Entra multifactor authentication Server is running on a domain-joined server. This service account and group exist locally on the Microsoft Entra multifactor authentication Server if it isn't joined to a domain. +* Ensure that the user portal can authenticate to the Microsoft Entra multifactor authentication Web Service SDK using the credentials of a service account in the "PhoneFactor Admins" security group. This service account and group should exist in Active Directory if the Azure Multi-Factor Authentication Server is running on a domain-joined server. 
This service account and group exist locally on the Azure Multi-Factor Authentication Server if it isn't joined to a domain. -Installing the user portal on a server other than the Microsoft Entra multifactor authentication Server requires the following steps: +Installing the user portal on a server other than the Azure Multi-Factor Authentication Server requires the following steps: -1. **On the MFA Server**, browse to the installation path (Example: C:\Program Files\multifactor authentication Server), and copy the file **MultiFactorAuthenticationUserPortalSetup64** to a location accessible to the internet-facing server where you'll install it. +1. **On the MFA Server**, browse to the installation path (Example: C:\Program Files\Multi-Factor Authentication Server), and copy the file **MultiFactorAuthenticationUserPortalSetup64** to a location accessible to the internet-facing server where you'll install it. 2. **On the internet-facing web server**, run the MultiFactorAuthenticationUserPortalSetup64 install file as an administrator, change the Site if desired and change the Virtual directory to a short name if you would like. 3. Bind a TLS/SSL Certificate to the site in IIS. If you have questions about configuring a TLS/SSL Certificate on an IIS server, <a name='configure-user-portal-settings-in-the-azure-ad-multi-factor-authentication-server'></a> -## Configure user portal settings in the Microsoft Entra multifactor authentication Server +<a name='configure-user-portal-settings-in-the-microsoft-entra-multifactor-authentication-server'></a> ++## Configure user portal settings in the Azure Multi-Factor Authentication Server -Now that the user portal is installed, you need to configure the Microsoft Entra multifactor authentication Server to work with the portal. +Now that the user portal is installed, you need to configure the Azure Multi-Factor Authentication Server to work with the portal. -1. 
In the Microsoft Entra multifactor authentication Server console, click the **User Portal** icon. On the Settings tab, enter the URL to the user portal in the **User Portal URL** textbox. If email functionality has been enabled, this URL is included in the emails that are sent to users when they're imported into the Microsoft Entra multifactor authentication Server. +1. In the Azure Multi-Factor Authentication Server console, click the **User Portal** icon. On the Settings tab, enter the URL to the user portal in the **User Portal URL** textbox. If email functionality has been enabled, this URL is included in the emails that are sent to users when they're imported into the Azure Multi-Factor Authentication Server. 2. Choose the settings that you want to use in the User Portal. For example, if users are allowed to choose their authentication methods, ensure that **Allow users to select method** is checked, along with the methods they can choose from. 3. Define who should be Administrators on the **Administrators** tab. You can create granular administrative permissions using the checkboxes and dropdowns in the Add/Edit boxes. Optional configuration: ![MFA Server User Portal configuration](./media/howto-mfaserver-deploy-userportal/config.png) -Microsoft Entra multifactor authentication server provides several options for the user portal. The following table provides a list of these options and an explanation of what they're used for. +Azure Multi-Factor Authentication Server provides several options for the user portal. The following table provides a list of these options and an explanation of what they're used for. | User Portal Settings | Description | |: |: | Microsoft Entra multifactor authentication server provides several options for t | Use security questions for fallback | Allow security questions in case two-step verification fails. You can specify the number of security questions that must be successfully answered. 
| | Allow users to associate third-party OATH token | Allow users to specify a third-party OATH token. | | Use OATH token for fallback | Allow for the use of an OATH token in case two-step verification isn't successful. You can also specify the session timeout in minutes. |-| Enable logging | Enable logging on the user portal. The log files are located at: C:\Program Files\multifactor authentication Server\Logs. | +| Enable logging | Enable logging on the user portal. The log files are located at: C:\Program Files\Multi-Factor Authentication Server\Logs. | > [!IMPORTANT] > Starting in March of 2019 the phone call options will not be available to MFA Server users in free/trial Microsoft Entra tenants. SMS messages are not impacted by this change. Phone call will continue to be available to users in paid Microsoft Entra tenants. This change only impacts free/trial Microsoft Entra tenants. The page then displays an activation code and a URL along with a barcode picture After the activation is complete, the user clicks the **Authenticate Me Now** button. Microsoft Entra multifactor authentication performs a verification to the user's mobile app. The user must enter their PIN (if applicable) and press the Authenticate button in their mobile app to move on to the next step of the self-enrollment process. -If the administrators have configured the Microsoft Entra multifactor authentication Server to collect security questions and answers, the user is then taken to the Security Questions page. The user must select four security questions and provide answers to their selected questions. +If the administrators have configured the Azure Multi-Factor Authentication Server to collect security questions and answers, the user is then taken to the Security Questions page. The user must select four security questions and provide answers to their selected questions. 
![User portal security questions](./media/howto-mfaserver-deploy-userportal/secq.png) The user self-enrollment is now complete and the user is signed in to the user p ## Next steps -- [Deploy the Microsoft Entra multifactor authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md)+- [Deploy the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md) |
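Review bot: the rename is applied inconsistently to the Web Service SDK in the "Install the web service SDK" hunk and in the separate-server requirements list. The `+` line reads "if the Microsoft Entra multifactor authentication Web Service SDK is **not** already installed on the Azure Multi-Factor Authentication Server", and the bullets "Secure the Microsoft Entra multifactor authentication Web Service SDK with a TLS/SSL certificate", "Ensure that the user portal can connect to the Microsoft Entra multifactor authentication Web Service SDK over TLS/SSL" and the `+` bullet about authenticating to "the Microsoft Entra multifactor authentication Web Service SDK using the credentials of a service account in the "PhoneFactor Admins" security group" keep the cloud service's name for what is a component of the on-premises server (howto-mfaserver-deploy.md in this change lists it under "Azure Multi-Factor Authentication Server Components"). Give the SDK the server's name so a reader placing the user portal on an internet-facing host can see that the "PhoneFactor Admins" service account authenticates to an on-premises endpoint, not to a cloud one. The deprecation notice at the top of this article has the same "cloud-based Azure MFA service" wording and the same `usersΓÇÖ` encoding defect as its `-` line; fix both in the `+` line.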
active-directory | Howto Mfaserver Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy.md | Title: Getting started Microsoft Entra multifactor authentication Server -description: Step-by-step get started with Microsoft Entra multifactor authentication Server on-premises + Title: Getting started Azure Multi-Factor Authentication Server +description: Step-by-step get started with Azure Multi-Factor Authentication Server on-premises -# Getting started with the Microsoft Entra multifactor authentication Server +# Getting started with the Azure Multi-Factor Authentication Server <center> ![Getting started with MFA Server on-premises](./media/howto-mfaserver-deploy/server2.png)</center> -This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see [Upgrade to the latest Azure multifactor authentication Server](howto-mfaserver-deploy-upgrade.md). If you're looking for information on installing just the web service, see [Deploying the Azure multifactor authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md). +This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see [Upgrade to the latest Azure Multi-Factor Authentication Server](howto-mfaserver-deploy-upgrade.md). If you're looking for information on installing just the web service, see [Deploying the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md). > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. 
Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md). ## Plan your deployment -Before you download the Azure multifactor authentication Server, think about what your load and high availability requirements are. 
Use this information to decide how and where to deploy. +Before you download the Azure Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy. A good guideline for the amount of memory you need is the number of users you expect to authenticate regularly. A good guideline for the amount of memory you need is the number of users you ex | 100,000-200,001 | 16 GB | | 200,001+ | 32 GB | -Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Microsoft Entra multifactor authentication Server. When you install your first Microsoft Entra multifactor authentication Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers. +Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Azure Multi-Factor Authentication Server. When you install your first Azure Multi-Factor Authentication Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers. -When a master Microsoft Entra multifactor authentication Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted. +When a master Azure Multi-Factor Authentication Server goes offline, the subordinate servers can still process two-step verification requests. 
However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted. ### Prepare your environment Make sure the server that you're using for Azure multifactor authentication meets the following requirements. -| Azure multifactor authentication Server Requirements | Description | +| Azure Multi-Factor Authentication Server Requirements | Description | |: |: | | Hardware |<li>200 MB of hard disk space</li><li>x32 or x64 capable processor</li><li>1 GB or greater RAM</li> | | Software |<li>Windows Server 2022<sup>1</sup><li>Windows Server 2019<sup>1</sup></li><li>Windows Server 2016</li><li>Windows Server 2012 R2</li><li>Windows Server 2012</li><li>Windows Server 2008/R2 (with [ESU](/lifecycle/faq/extended-security-updates) only)</li><li>Windows 10</li><li>Windows 8.1, all editions</li><li>Windows 8, all editions</li><li>Windows 7, all editions (with [ESU](/lifecycle/faq/extended-security-updates) only)</li><li>Microsoft .NET 4.0 Framework</li><li>IIS 7.0 or greater if installing the user portal or web service SDK</li> | | Permissions | Domain Administrator or Enterprise Administrator account to register with Active Directory | -<sup>1</sup>If Microsoft Entra multifactor authentication Server fails to activate on an Azure VM that runs Windows Server 2019 or later, try using an earlier version of Windows Server. +<sup>1</sup>If Azure Multi-Factor Authentication Server fails to activate on an Azure VM that runs Windows Server 2019 or later, try using an earlier version of Windows Server. 
<a name='azure-active-directory-multi-factor-authentication-server-components'></a> -### Microsoft Entra multifactor authentication Server Components +<a name='microsoft-entra-multifactor-authentication-server-components'></a> -There are three web components that make up Microsoft Entra multifactor authentication Server: +### Azure Multi-Factor Authentication Server Components ++There are three web components that make up Azure Multi-Factor Authentication Server: * Web Service SDK - Enables communication with the other components and is installed on the Microsoft Entra multifactor authentication application server * User portal - An IIS web site that allows users to enroll in Azure multifactor authentication and maintain their accounts. All three components can be installed on the same server if the server is intern <a name='azure-multi-factor-authentication-server-firewall-requirements'></a> -### Azure multifactor authentication Server firewall requirements +<a name='azure-multifactor-authentication-server-firewall-requirements'></a> ++### Azure Multi-Factor Authentication Server firewall requirements Each MFA server must be able to communicate on port 443 outbound to the following addresses: If you aren't using the Event Confirmation feature, and your users aren't using [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -Follow these steps to download the Microsoft Entra multifactor authentication Server: +Follow these steps to download the Azure Multi-Factor Authentication Server: > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. 
To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md). > Now that you have downloaded the server you can install and configure it. Be sur * [Visual C++ Redistributable for Visual Studio 2017 (x64)](https://go.microsoft.com/fwlink/?LinkId=746572) * [Visual C++ Redistributable for Visual Studio 2017 (x86)](https://go.microsoft.com/fwlink/?LinkId=746571) 3. When the installation finishes, select **Finish**. 
The configuration wizard starts.-5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Microsoft Entra multifactor authentication Server in the boxes provided and click **Activate**. +5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Azure Multi-Factor Authentication Server in the boxes provided and click **Activate**. > [!NOTE] > Only global administrators are able to generate activation credentials in the Microsoft Entra admin center. Now that the server is installed you want to add users. You can choose to create ### Manual import from Active Directory -1. In the Microsoft Entra multifactor authentication Server, on the left, select **Users**. +1. In the Azure Multi-Factor Authentication Server, on the left, select **Users**. 2. At the bottom, select **Import from Active Directory**. 3. Now you can either search for individual users or search the AD directory for OUs with users in them. In this case, we specify the users OU. 4. Highlight all the users on the right and click **Import**. You should receive a pop-up telling you that you were successful. Close the import window. Now that the server is installed you want to add users. You can choose to create ### Automated synchronization with Active Directory -1. In the Microsoft Entra multifactor authentication Server, on the left, select **Directory Integration**. +1. In the Azure Multi-Factor Authentication Server, on the left, select **Directory Integration**. 2. Navigate to the **Synchronization** tab. 3. At the bottom, choose **Add** 4. In the **Add Synchronization Item** box that appears choose the Domain, OU **or** security group, Settings, Method Defaults, and Language Defaults for this synchronization task and click **Add**. Now that the server is installed you want to add users. 
You can choose to create <a name='how-the-azure-ad-multi-factor-authentication-server-handles-user-data'></a> -## How the Microsoft Entra multifactor authentication Server handles user data +<a name='how-the-microsoft-entra-multifactor-authentication-server-handles-user-data'></a> -When you use the multifactor authentication Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Microsoft Entra multifactor authentication cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the multifactor authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. These fields are: +## How the Azure Multi-Factor Authentication Server handles user data ++When you use the Multi-Factor Authentication Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Microsoft Entra multifactor authentication cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the Multi-Factor Authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. 
These fields are: * Unique ID - either username or internal MFA server ID * First and last name (optional) In addition to the fields above, the verification result (success/denial) and re <a name='back-up-and-restore-azure-active-directory-multi-factor-authentication-server'></a> -## Back up and restore Microsoft Entra multifactor authentication Server +<a name='back-up-and-restore-microsoft-entra-multifactor-authentication-server'></a> ++## Back up and restore Azure Multi-Factor Authentication Server Making sure that you have a good backup is an important step to take with any system. -To back up Microsoft Entra multifactor authentication Server, ensure that you have a copy of the **C:\Program Files\multifactor authentication Server\Data** folder including the **PhoneFactor.pfdata** file. +To back up Azure Multi-Factor Authentication Server, ensure that you have a copy of the **C:\Program Files\Multi-Factor Authentication Server\Data** folder including the **PhoneFactor.pfdata** file. In case a restore is needed complete the following steps: -1. Reinstall Microsoft Entra multifactor authentication Server on a new server. -2. Activate the new Microsoft Entra multifactor authentication Server. +1. Reinstall Azure Multi-Factor Authentication Server on a new server. +2. Activate the new Azure Multi-Factor Authentication Server. 3. Stop the **MultiFactorAuth** service. 4. Overwrite the **PhoneFactor.pfdata** with the backed-up copy. 5. Start the **MultiFactorAuth** service. 
Once you have upgraded to or installed MFA Server version 8.x or higher, it is r ## Next steps - Set up and configure the [User portal](howto-mfaserver-deploy-userportal.md) for user self-service.-- Set up and configure the Microsoft Entra multifactor authentication Server with [Active Directory Federation Service](multi-factor-authentication-get-started-adfs.md), [RADIUS Authentication](howto-mfaserver-dir-radius.md), or [LDAP Authentication](howto-mfaserver-dir-ldap.md).-- Set up and configure [Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).-- [Deploy the Azure multifactor authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).+- Set up and configure the Azure Multi-Factor Authentication Server with [Active Directory Federation Service](multi-factor-authentication-get-started-adfs.md), [RADIUS Authentication](howto-mfaserver-dir-radius.md), or [LDAP Authentication](howto-mfaserver-dir-ldap.md). +- Set up and configure [Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md). +- [Deploy the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md). - [Advanced scenarios with Azure multifactor authentication and third-party VPNs](howto-mfaserver-nps-vpn.md). |
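Review bot: the last Next steps bullet still reads "Azure multifactor authentication and third-party VPNs" while the three bullets above it in the same hunk are restored to "Azure Multi-Factor Authentication Server"; if it refers to the same on-premises product, align it too. The restored backup path `C:\Program Files\Multi-Factor Authentication Server\Data` shows what went wrong before: the earlier product-name substitution rewrote a literal install path, so file-system paths, the **MultiFactorAuth** service name and UI labels should be excluded from any further bulk rename. Keeping the old `<a name=...>` anchors beside the new ones preserves existing deep links, which is correct.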
active-directory | Howto Mfaserver Dir Radius | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-dir-radius.md | Title: RADIUS and Azure MFA Server -description: Deploying RADIUS Authentication and Azure multifactor authentication Server. +description: Deploying RADIUS Authentication and Azure Multi-Factor Authentication Server. -# Integrate RADIUS authentication with Azure multifactor authentication Server +# Integrate RADIUS authentication with Azure Multi-Factor Authentication Server -RADIUS is a standard protocol to accept authentication requests and to process those requests. The Azure multifactor authentication Server can act as a RADIUS server. Insert it between your RADIUS client (VPN appliance) and your authentication target to add two-step verification. Your authentication target could be Active Directory, an LDAP directory, or another RADIUS server. For Azure multifactor authentication to function, you must configure the Azure MFA Server so that it can communicate with both the client servers and the authentication target. The Azure MFA Server accepts requests from a RADIUS client, validates credentials against the authentication target, adds Azure multifactor authentication, and sends a response back to the RADIUS client. The authentication request only succeeds if both the primary authentication and the Azure multifactor authentication succeed. +RADIUS is a standard protocol to accept authentication requests and to process those requests. The Azure Multi-Factor Authentication Server can act as a RADIUS server. Insert it between your RADIUS client (VPN appliance) and your authentication target to add two-step verification. Your authentication target could be Active Directory, an LDAP directory, or another RADIUS server. 
For Azure multifactor authentication to function, you must configure the Azure MFA Server so that it can communicate with both the client servers and the authentication target. The Azure MFA Server accepts requests from a RADIUS client, validates credentials against the authentication target, adds Azure multifactor authentication, and sends a response back to the RADIUS client. The authentication request only succeeds if both the primary authentication and the Azure multifactor authentication succeed. > [!IMPORTANT]-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). +> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. 
To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md). > > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). > RADIUS is a standard protocol to accept authentication requests and to process t ## Add a RADIUS client -To configure RADIUS authentication, install the Azure multifactor authentication Server on a Windows server. If you have an Active Directory environment, the server should be joined to the domain inside the network. Use the following procedure to configure the Azure multifactor authentication Server: +To configure RADIUS authentication, install the Azure Multi-Factor Authentication Server on a Windows server. If you have an Active Directory environment, the server should be joined to the domain inside the network. Use the following procedure to configure the Azure Multi-Factor Authentication Server: -1. In the Azure multifactor authentication Server, click the RADIUS Authentication icon in the left menu. +1. In the Azure Multi-Factor Authentication Server, click the RADIUS Authentication icon in the left menu. 2. Check the **Enable RADIUS authentication** checkbox. 3. On the Clients tab, change the Authentication and Accounting ports if the Azure MFA RADIUS service needs to listen for RADIUS requests on non-standard ports. 4. Click **Add**.-5. Enter the IP address of the appliance/server that will authenticate to the Azure multifactor authentication Server, an application name (optional), and a shared secret. +5. 
Enter the IP address of the appliance/server that will authenticate to the Azure Multi-Factor Authentication Server, an application name (optional), and a shared secret. The application name appears in reports and may be displayed within SMS or mobile app authentication messages. - The shared secret needs to be the same on both the Azure multifactor authentication Server and appliance/server. + The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and appliance/server. 6. Check the **Require multifactor authentication user match** box if all users have been imported into the Server and subject to multifactor authentication. If a significant number of users have not yet been imported into the Server or are exempt from two-step verification, leave the box unchecked. 7. Check the **Enable fallback OATH token** box if you want to use OATH passcodes from mobile verification apps as a backup method. Repeat steps 4 through 8 to add as many additional RADIUS clients as you need. 1. Click **Add** to configure the server to which the Azure MFA Server will proxy the RADIUS requests. 1. In the Add RADIUS Server dialog box, enter the IP address of the RADIUS server and a shared secret. - The shared secret needs to be the same on both the Azure multifactor authentication Server and RADIUS server. Change the Authentication port and Accounting port if different ports are used by the RADIUS server. + The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and RADIUS server. Change the Authentication port and Accounting port if different ports are used by the RADIUS server. 1. Click **OK**.-1. Add the Azure MFA Server as a RADIUS client in the other RADIUS server so that it can process access requests sent to it from the Azure MFA Server. Use the same shared secret configured in the Azure multifactor authentication Server. +1. 
Add the Azure MFA Server as a RADIUS client in the other RADIUS server so that it can process access requests sent to it from the Azure MFA Server. Use the same shared secret configured in the Azure Multi-Factor Authentication Server. Repeat these steps to add more RADIUS servers. Configure the order in which the Azure MFA Server should call them with the **Move Up** and **Move Down** buttons. -You've successfully configured the Azure multifactor authentication Server. The Server is now listening on the configured ports for RADIUS access requests from the configured clients. +You've successfully configured the Azure Multi-Factor Authentication Server. The Server is now listening on the configured ports for RADIUS access requests from the configured clients. ## RADIUS Client configuration To configure the RADIUS client, use the guidelines: -* Configure your appliance/server to authenticate via RADIUS to the Azure multifactor authentication Server's IP address, which acts as the RADIUS server. +* Configure your appliance/server to authenticate via RADIUS to the Azure Multi-Factor Authentication Server's IP address, which acts as the RADIUS server. * Use the same shared secret that was configured earlier. * Configure the RADIUS timeout to 60 seconds so that there is time to validate the user's credentials, perform two-step verification, receive their response, and then respond to the RADIUS access request. |
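Review bot: the deprecation box in this hunk renames the product to "Azure Multi-Factor Authentication Server" but keeps "cloud-based Azure MFA service", while the note right after it calls the same service "Microsoft Entra multifactor authentication"; pick one name for the cloud service. The shared-secret text in step 5 and in the Add RADIUS Server dialog only says the secret must match on both sides; because that secret is what authenticates the RADIUS client to the MFA Server, consider adding that it should be long, random and unique per client.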
active-directory | Howto Mfaserver Nps Vpn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-nps-vpn.md | -Azure multifactor authentication Server (Azure MFA Server) can be used to seamlessly connect with various third-party VPN solutions. This article focuses on Cisco® ASA VPN appliance, Citrix NetScaler SSL VPN appliance, and the Juniper Networks Secure Access/Pulse Secure Connect Secure SSL VPN appliance. We created configuration guides to address these three common appliances. Azure MFA Server can also integrate with most other systems that use RADIUS, LDAP, IIS, or claims-based authentication to AD FS. You can find more details in [Azure MFA Server configurations](howto-mfaserver-deploy.md#next-steps). +Azure Multi-Factor Authentication Server (Azure MFA Server) can be used to seamlessly connect with various third-party VPN solutions. This article focuses on Cisco® ASA VPN appliance, Citrix NetScaler SSL VPN appliance, and the Juniper Networks Secure Access/Pulse Secure Connect Secure SSL VPN appliance. We created configuration guides to address these three common appliances. Azure MFA Server can also integrate with most other systems that use RADIUS, LDAP, IIS, or claims-based authentication to AD FS. You can find more details in [Azure MFA Server configurations](howto-mfaserver-deploy.md#next-steps). > [!IMPORTANT] > As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers that want to require multifactor authentication during sign-in events should use cloud-based Microsoft Entra multifactor authentication. |
active-directory | Howto Mfaserver Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-windows.md | Title: Windows authentication and Azure MFA Server -description: Deploying Windows Authentication and Azure multifactor authentication Server. +description: Deploying Windows Authentication and Azure Multi-Factor Authentication Server. -# Windows Authentication and Azure multifactor authentication Server +# Windows Authentication and Azure Multi-Factor Authentication Server -Use the Windows Authentication section of the Azure multifactor authentication Server to enable and configure Windows authentication for applications. Before you set up Windows Authentication, keep the following list in mind: +Use the Windows Authentication section of the Azure Multi-Factor Authentication Server to enable and configure Windows authentication for applications. Before you set up Windows Authentication, keep the following list in mind: * After setup, reboot the Azure multifactor authentication for Terminal Services to take effect. * If 'Require Azure multifactor authentication user match' is checked and you are not in the user list, you will not be able to log into the machine after reboot. Use the Windows Authentication section of the Azure multifactor authentication S ## To secure an application with Windows Authentication, use the following procedure -1. In the Azure multifactor authentication Server click the Windows Authentication icon. +1. In the Azure Multi-Factor Authentication Server click the Windows Authentication icon. ![Windows Authentication in MFA Server](./media/howto-mfaserver-windows/windowsauth.png) 2. Check the **Enable Windows Authentication** checkbox. By default, this box is unchecked. 3. The Applications tab allows the administrator to configure one or more applications for Windows Authentication. |
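Review bot: the two bullets under the renamed intro were not touched and the first one is missing its noun: "reboot the Azure multifactor authentication for Terminal Services to take effect" needs "Server" (or "the server") to make sense. The second bullet quotes the checkbox as 'Require Azure multifactor authentication user match'; since this is a UI label, it should match the literal string shown in the product rather than follow the prose rename. Suggest finishing the rename in both bullets in the same commit.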
active-directory | Howto Sspr Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-deployment.md | For a guided walkthrough of many of the recommendations in this article, see the | |[How to enable and configure SSPR in Microsoft Entra ID](https://www.youtube.com/watch?v=rA8TvhNcCvQ)| | |[How to configure self-service password reset for users in Microsoft Entra ID?](https://azure.microsoft.com/resources/videos/self-service-password-reset-azure-ad/) | | |[How to [prepare users to] register [their] security information for Microsoft Entra ID](https://youtu.be/gXuh0XS18wA) |-| Online courses|[Managing Identities in Microsoft Entra ID](https://www.pluralsight.com/courses/microsoft-azure-active-directory-managing-identities) Use SSPR to give your users a modern, protected experience. See especially the "[Managing Microsoft Entra Users and Groups](https://app.pluralsight.com/library/courses/microsoft-azure-active-directory-managing-identities/table-of-contents)" module. | +| Online courses|[Managing Identities in Microsoft Entra ID](https://www.pluralsight.com/courses/microsoft-azure-active-directory-managing-identities) Use SSPR to give your users a modern, protected experience. See especially the "[`Managing Microsoft Entra Users and Groups`](https://app.pluralsight.com/library/courses/microsoft-azure-active-directory-managing-identities/table-of-contents)" module. | |Pluralsight Paid courses |[The Issues of Identity and Access Management](https://www.pluralsight.com/courses/identity-access-management-issues) Learn about IAM and security issues to be aware of in your organization. 
See especially the "Other Authentication Methods" module.| | |[Getting Started with the Microsoft Enterprise Mobility Suite](https://www.pluralsight.com/courses/microsoft-enterprise-mobility-suite-getting-started) Learn the best practices for extending on-premises assets to the cloud in a manner that allows for authentication, authorization, encryption, and a secured mobile experience. See especially the "Configuring Advanced Features of Microsoft Entra ID P1 or P2" module. |Tutorials |[Complete a Microsoft Entra self-service password reset pilot roll out](./tutorial-enable-sspr.md) | |
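Review bot: the only change in this row wraps the course module name in backticks, "[`Managing Microsoft Entra Users and Groups`](...)", while the neighbouring module names ("Other Authentication Methods", "Configuring Advanced Features of Microsoft Entra ID P1 or P2") stay in plain quotes; a module title is not code, so either drop the backticks or apply the same treatment to all three for consistency.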
active-directory | Multi Factor Authentication Get Started Adfs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/multi-factor-authentication-get-started-adfs.md | -* Secure cloud and on-premises resources using Azure multifactor authentication Server +* Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server The following table summarizes the verification experience between securing resources with Microsoft Entra multifactor authentication and AD FS Caveats with app passwords for federated users: * You lose on-premises authentication-logging capability for app passwords. * Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity. -For information on setting up either Microsoft Entra multifactor authentication or the Azure multifactor authentication Server with AD FS, see the following articles: +For information on setting up either Microsoft Entra multifactor authentication or the Azure Multi-Factor Authentication Server with AD FS, see the following articles: * [Secure cloud resources using Microsoft Entra multifactor authentication and AD FS](howto-mfa-adfs.md)-* [Secure cloud and on-premises resources using Azure multifactor authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md) -* [Secure cloud and on-premises resources using Azure multifactor authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md) +* [Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md) +* [Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md) |
active-directory | Multi Factor Authentication Wizard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/multi-factor-authentication-wizard.md | This guide provides step-by-step instructions for IT administrators to implement ## What to expect and what you need -The setup guides help you configure the core functionality of Microsoft Entra ID. If you need to set up a more advanced configuration, the setup guide points you to the appropriate location in the Microsoft Entra portal. +The setup guides help you configure the core functionality of Microsoft Entra ID. If you need to set up a more advanced configuration, the setup guide points you to the appropriate location in the Microsoft Entra admin center. ### Required permissions |
active-directory | Troubleshoot Authentication Strengths | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-authentication-strengths.md | Use the **Sign-ins** log to find more information about the sign-in: - Under the **Authentication details** tab, the **Requirement** column shows the name of the authentication strength policy. - :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-authentication-details.png" alt-text="Screenshot showing the authentication strength in the Sign-ins log."::: + :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-authentication-details.png" alt-text="Screenshot showing the authentication strength in the sign-in log."::: - Under the **Conditional Access** tab, you can see which Conditional Access policy was applied. Click the name of the policy, and look for **Grant controls** to see the authentication strength that was enforced. - :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-control.png" alt-text="Screenshot showing the authentication strength under Conditional Access Policy details in the Sign-ins log."::: + :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-control.png" alt-text="Screenshot showing the authentication strength under Conditional Access Policy details in the sign-in log."::: ## Users can't use their FIDO2 security key to sign in An Authentication Policy Administrator can restrict access to specific security keys. When a user tries to sign in by using a key they can't use, this **You can't get there from here** message appears. The user has to restart the session, and sign-in with a different FIDO2 security key. |
active-directory | Terms Of Use | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/terms-of-use.md | The following procedure describes how to add a ToU language. ## Per-device terms of use -The **Require users to consent on every device** setting enables you to require end users to accept your terms of use policy on every device they're accessing from. The end user is required to register their device in Microsoft Entra ID. When the device is registered, the device ID is used to enforce the terms of use policy on each device. --Supported platforms and software. --> [!div class="mx-tableFixed"] -> | | iOS | Android | Windows 10 | Other | -> | | | | | | -> | **Native app** | Yes | Yes | Yes | | -> | **Microsoft Edge** | Yes | Yes | Yes | | -> | **Internet Explorer** | Yes | Yes | Yes | | -> | **Chrome (with extension)** | Yes | Yes | Yes | | +The **Require users to consent on every device** setting enables you to require end users to accept your terms of use policy on every device they're accessing from. The end user's device must be registered in Microsoft Entra ID. When the device is registered, the device ID is used to enforce the terms of use policy on each device. Their experience is dependent on permissions to join devices as well as the platform and software used, for more information see, [device identity in Microsoft Entra ID](../devices/overview.md). Per-device terms of use have the following constraints: -- A device can only be joined to one tenant.-- A user must have permissions to join their device. - The Intune Enrollment app isn't supported. Ensure that it's excluded from any Conditional Access policy requiring Terms of Use policy. - Microsoft Entra B2B users aren't supported. -If the user's device isn't joined, they receive a message that they need to join their device. Their experience is dependent on the platform and software. 
--### Join a Windows 10 device --If a user is using Windows 10 and Microsoft Edge, they receive a message similar to the following to [join their device](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973#to-join-an-already-configured-windows-10-device). --![Windows 10 and Microsoft Edge - Message indicating your device must be registered](./media/terms-of-use/per-device-win10-edge.png) --If they're using Chrome, they're prompted to install the [Windows 10 Accounts extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji). --### Register an iOS device --If a user is using an iOS device, they're prompted to install the [Microsoft Authenticator app](https://apps.apple.com/us/app/microsoft-authenticator/id983156458). --### Register an Android device --If a user is using an Android device, they're prompted to install the [Microsoft Authenticator app](https://play.google.com/store/apps/details?id=com.azure.authenticator). --### Browsers --If a user is using browser that isn't supported, they're asked to use a different browser. --![Message indicating your device must be registered, but browser is not supported](./media/terms-of-use/per-device-browser-unsupported.png) - ## Delete terms of use You can delete old terms of use policies using the following procedure. |
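Review bot: the new sentence "Their experience is dependent on permissions to join devices as well as the platform and software used, for more information see, [device identity in Microsoft Entra ID](../devices/overview.md)." is a comma splice with a misplaced comma; split it into "... the platform and software used. For more information, see [device identity in Microsoft Entra ID](../devices/overview.md)." Also, this hunk deletes the statement that an unjoined device receives a prompt to join, plus the per-platform prompts (Windows 10 Accounts extension for Chrome, Microsoft Authenticator on iOS and Android, the unsupported-browser message); unless the linked overview covers that behaviour, admins lose the description of what end users will see. The two removed constraints (one tenant per device, permission to join) now survive only implicitly in the new sentence; keep them in the constraints list.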
active-directory | Access Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/access-tokens.md | Microsoft Entra ID has a tenant-independent version of the document available at - Keys that have an issuer value like `https://login.microsoftonline.com/{tenantid}/v2.0` may be used with any matching token issuer. - Keys that have an issuer value like `https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0` should only be used with exact match. - Microsoft Entra's tenant-independent key endpoint ([https://login.microsoftonline.com/common/discovery/v2.0/keys](https://login.microsoftonline.com/common/discovery/v2.0/keys)) returns a document like: + Microsoft Entra tenant-independent key endpoint ([https://login.microsoftonline.com/common/discovery/v2.0/keys](https://login.microsoftonline.com/common/discovery/v2.0/keys)) returns a document like: ``` { "keys":[ |
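Review bot: the code fence after "returns a document like:" has no language tag; tag it as json so the sample key set renders with highlighting, matching the other samples in the develop articles. The possessive change to "Microsoft Entra tenant-independent key endpoint" reads fine.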
active-directory | Developer Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-glossary.md | An identity used by a software workload like an application, service, script, or ## Workload identity federation -Allows you to securely access Microsoft Entra ID protected resources from external apps and services without needing to manage secrets (for supported scenarios). For more information, see [workload identity federation](../workload-identities/workload-identity-federation.md). +Allows you to securely access Microsoft Entra protected resources from external apps and services without needing to manage secrets (for supported scenarios). For more information, see [workload identity federation](../workload-identities/workload-identity-federation.md). ## Next steps |
active-directory | Federation Metadata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/federation-metadata.md | Title: Azure AD federation metadata -description: This article describes the federation metadata document that Microsoft Entra ID publishes for services that accept Microsoft Entra ID tokens. + Title: Microsoft Entra federation metadata +description: This article describes the federation metadata document that Microsoft Entra ID publishes for services that accept Microsoft Entra tokens. Microsoft Entra ID publishes federation metadata at `https://login.microsoftonli For **tenant-specific endpoints**, the `TenantDomainName` can be one of the following types: -* A registered domain name of an Azure AD tenant, such as: `contoso.onmicrosoft.com`. +* A registered domain name of a Microsoft Entra tenant, such as: `contoso.onmicrosoft.com`. * The immutable tenant ID of the domain, such as `72f988bf-86f1-41af-91ab-2d7cd011db45`. -For **tenant-independent endpoints**, the `TenantDomainName` is `common`. This document lists only the Federation Metadata elements that are common to all Azure AD tenants that are hosted at login.microsoftonline.com. +For **tenant-independent endpoints**, the `TenantDomainName` is `common`. This document lists only the Federation Metadata elements that are common to all Microsoft Entra tenants that are hosted at login.microsoftonline.com. For example, a tenant-specific endpoint might be `https://login.microsoftonline.com/contoso.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml`. The tenant-independent endpoint is [https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml](https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml). You can view the federation metadata document by typing this URL in a browser. 
## Contents of federation metadata -The following section provides information needed by services that consume the tokens issued by Azure AD. +The following section provides information needed by services that consume the tokens issued by Microsoft Entra ID. ### Entity ID entityID="https://sts.windows.net/{tenant}/"> ### Token signing certificates -When a service receives a token that is issued by an Azure AD tenant, the signature of the token must be validated with a signing key that is published in the federation metadata document. The federation metadata includes the public portion of the certificates that the tenants use for token signing. The certificate raw bytes appear in the `KeyDescriptor` element. The token signing certificate is valid for signing only when the value of the `use` attribute is `signing`. +When a service receives a token that is issued by a Microsoft Entra tenant, the signature of the token must be validated with a signing key that is published in the federation metadata document. The federation metadata includes the public portion of the certificates that the tenants use for token signing. The certificate raw bytes appear in the `KeyDescriptor` element. The token signing certificate is valid for signing only when the value of the `use` attribute is `signing`. -A federation metadata document published by Azure AD can have multiple signing keys, such as when Azure AD is preparing to update the signing certificate. When a federation metadata document includes more than one certificate, a service that is validating the tokens should support all certificates in the document. +A federation metadata document published by Microsoft Entra ID can have multiple signing keys, such as when Microsoft Entra ID is preparing to update the signing certificate. When a federation metadata document includes more than one certificate, a service that is validating the tokens should support all certificates in the document. 
The following metadata shows a sample `KeyDescriptor` element with a signing key. There are no differences in the format of tenant-specific and tenant-independent ### WS-Federation endpoint URL -The federation metadata includes the URL that is Azure AD uses for single sign-in and single sign-out in WS-Federation protocol. This endpoint appears in the `PassiveRequestorEndpoint` element. +The federation metadata includes the URL that is Microsoft Entra ID uses for single sign-in and single sign-out in WS-Federation protocol. This endpoint appears in the `PassiveRequestorEndpoint` element. The following metadata shows a sample `PassiveRequestorEndpoint` element for a tenant-specific endpoint. https://login.microsoftonline.com/common/wsfed ### SAML protocol endpoint URL -The federation metadata includes the URL that Azure AD uses for single sign-in and single sign-out in SAML 2.0 protocol. These endpoints appear in the `IDPSSODescriptor` element. +The federation metadata includes the URL that Microsoft Entra ID uses for single sign-in and single sign-out in SAML 2.0 protocol. These endpoints appear in the `IDPSSODescriptor` element. The sign-in and sign-out URLs appear in the `SingleSignOnService` and `SingleLogoutService` elements. |
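Review bot: the WS-Federation paragraph carries over a stray word: "the URL that is Microsoft Entra ID uses for single sign-in" should read "the URL that Microsoft Entra ID uses" (the SAML paragraph in the same hunk has it right). The token-signing guidance that a consumer "should support all certificates in the document" is correct; consider adding, in the same paragraph, that consumers should refetch the metadata on a schedule rather than pin a single key, since the paragraph itself says multiple keys appear during a signing-certificate rollover.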
active-directory | How To Integrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/how-to-integrate.md | There are several ways for your application to integrate with the Microsoft iden ### Promote your application in the Azure and Microsoft 365 Marketplaces -**Promote your application to the millions of organizations who are already using Azure AD.** Users who search and browse these marketplaces are already using one or more cloud services, making them qualified cloud service customers. Learn more about promoting your application in [the Azure Marketplace](https://azure.microsoft.com/marketplace/partner-program/). +**Promote your application to the millions of organizations who are already using Microsoft Entra ID.** Users who search and browse these marketplaces are already using one or more cloud services, making them qualified cloud service customers. Learn more about promoting your application in [the Azure Marketplace](https://azure.microsoft.com/marketplace/partner-program/). **When users sign up for your application, it will appear in their Microsoft Entra ID access panel and Microsoft 365 app launcher.** Users will be able to quickly and easily return to your application later, improving user engagement. Learn more about the [Microsoft Entra ID access panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). |
active-directory | Howto Add Branding In Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-add-branding-in-apps.md | Your app may present separate paths for sign-up and sign-in and the following se ## Visual guidance for app acquisition -Your ΓÇ£get the appΓÇ¥ link must redirect the user to the Microsoft Entra grant access (authorize) page, to allow an organizationΓÇÖs administrator to authorize your app to have access to their organizationΓÇÖs data, which is hosted by Microsoft. Details on how to request access are discussed in the [Integrating Applications with Microsoft Entra ID](./quickstart-register-app.md) article. +Your ΓÇ£get the appΓÇ¥ link must redirect the user to the Microsoft Entra ID grant access (authorize) page, to allow an organizationΓÇÖs administrator to authorize your app to have access to their organizationΓÇÖs data, which is hosted by Microsoft. Details on how to request access are discussed in the [Integrating Applications with Microsoft Entra ID](./quickstart-register-app.md) article. After admins consent to your app, they can choose to add it to their usersΓÇÖ Microsoft 365 app launcher experience (accessible from the waffle and from [https://www.office.com/](https://www.office.com/)). If you want to advertise this capability, you can use terms like ΓÇ£Add this app to your organizationΓÇ¥ and show a button like the following example: |
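Review bot: the + line changes "Microsoft Entra grant access (authorize) page" to "Microsoft Entra ID grant access (authorize) page", which runs opposite to the other renames in this batch ("Microsoft Entra protected resource", "Microsoft Entra code samples", "Microsoft Entra tenant"), where "Microsoft Entra" is the modifier and "Microsoft Entra ID" is reserved for the standalone product name; keep "Microsoft Entra grant access (authorize) page". Separately, the ΓÇ£ / ΓÇ¥ / ΓÇÖ sequences are UTF-8 curly quotes decoded as CP437; if they are in the source file rather than only in this rendering, replace them with plain ASCII quotes while the line is being touched.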
active-directory | Migrate Objc Adal Msal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-objc-adal-msal.md | -The Microsoft Authentication Library for iOS and macOS (MSAL) is built to work with all Microsoft identities such as Microsoft Entra accounts, personal Microsoft accounts, and Azure AD B2C accounts via the Microsoft identity platform (formally the Azure AD v2.0 endpoint). +The Microsoft Authentication Library for iOS and macOS (MSAL) is built to work with all Microsoft identities such as Microsoft Entra accounts, personal Microsoft accounts, and Azure AD B2C accounts via the Microsoft identity platform (formerly the Azure AD v2.0 endpoint). The Microsoft identity platform has a few key differences with Azure AD v1.0. This article highlights these differences and provides guidance to migrate an app from ADAL to MSAL. |
active-directory | Msal Compare Msal Js And Adal Js | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md | In addition, as MSAL.js is implemented in TypeScript unlike ADAL.js, it exposes ## Use scopes instead of resources -An important difference between the Microsoft Entra ID **v1.0** vs. **v2.0** endpoints is about how the resources are accessed. When using ADAL.js with the **v1.0** endpoint, you would first register a permission on app registration portal, and then request an access token for a resource (such as Microsoft Graph) as shown below: +An important difference between the Azure Active Directory v1.0 versus 2.0 endpoints is about how the resources are accessed. When using ADAL.js with the **v1.0** endpoint, you would first register a permission on app registration portal, and then request an access token for a resource (such as Microsoft Graph) as shown below: ```javascript authContext.acquireTokenRedirect("https://graph.microsoft.com", function (error, token) { |
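Review bot: the + line drops both the "v" and the bold from "**v2.0**" ("Azure Active Directory v1.0 versus 2.0 endpoints") while the very next sentence still says "the **v1.0** endpoint"; write "Azure Active Directory v1.0 versus v2.0 endpoints" so the two endpoint versions are named the same way in both sentences.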
active-directory | Quickstart Daemon App Java Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-daemon-app-java-acquire-token.md | To register your application and add the app's registration information to your ### Step 3: Configure the Java project -1. Extract the zip file to a local folder close to the root of the disk, for example, *C:\Azure-Samples*. -1. Navigate to the sub folder **msal-client-credential-secret**. -1. Edit *src\main\resources\application.properties* and replace the values of the fields `AUTHORITY`, `CLIENT_ID`, and `SECRET` with the following snippet: +1. Extract the zip file to a local folder close to the root of the disk, such as `C:\Azure-Samples`. +1. Navigate to the `msal-client-credential-secret` subfolder. +1. Edit `src\main\resources\application.properties` and replace the values of the fields `AUTHORITY`, `CLIENT_ID`, and `SECRET` with the following snippet: ``` AUTHORITY=https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/ |
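Review bot: the `SECRET` value the reader is told to paste into `src\main\resources\application.properties` is a client secret stored in plain text in a project file; the Tomcat quickstart in this same batch carries an IMPORTANT note that this is acceptable only for the quickstart and that a certificate credential should replace the secret before production. Add the same note directly after this snippet, where the secret is introduced.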
active-directory | Quickstart V2 Java Webapp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-java-webapp.md | -> 1. On the front page, select the **Login** button to redirect users to Azure Active Directory and prompt them for credentials. +> 1. On the front page, select the **Login** button to redirect users to Microsoft Entra ID and prompt them for credentials. > > 1. After users are authenticated, they're redirected to `https://localhost:8443/msal4jsample/secure/aad`. They're now signed in, and the page will show information about the user account. The sample UI has these buttons: > - **Sign Out**: Signs the current user out of the application and redirects that user to the home page. |
active-directory | Quickstart Web App Java Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-web-app-java-sign-in.md | If you want to deploy the web sample to Tomcat, make a couple changes to the sou clientAuth="false" sslProtocol="TLS"/> ``` -3. Open a Command Prompt window. Go to the root folder of this sample (where the pom.xml file is located), and run `mvn package` to build the project. - - This command will generate a *msal-web-sample-0.1.0.war* file in your */targets* directory. - - Rename this file to *msal4jsample.war*. +3. Open a Command Prompt window. Go to the root folder of this sample (where the `pom.xml` file is located), and run `mvn package` to build the project. + - This command will generate a `msal-web-sample-0.1.0.war` file in your `/targets` directory. + - Rename this file to `msal4jsample.war`. - Deploy the WAR file by using Tomcat or any other J2EE container solution.- - To deploy the msal4jsample.war file, copy it to the */webapps/* directory in your Tomcat installation, and then start the Tomcat server. + - To deploy the `msal4jsample.war` file, copy it to the `/webapps/` directory in your Tomcat installation, and then start the Tomcat server. -4. After the file is deployed, go to https://localhost:8443/msal4jsample by using a browser. +4. After the file is deployed, go to `https://localhost:8443/msal4jsample` by using a browser. > [!IMPORTANT] > This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons we recommend that you use a certificate instead of a client secret before using the application in a production environment. For more information on how to use a certificate, see [Certificate credentials for application authentication](./certificate-credentials.md). |
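Review bot: "`/targets` directory" in the + line should be `target`: Maven's default build output directory is `target` (singular), and that is where `mvn package` writes the WAR. Since the line is being rewritten anyway, also verify the stated WAR name `msal-web-sample-0.1.0.war` against the sample's `pom.xml`, because the file name is whatever `<artifactId>` and `<version>` produce.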
active-directory | Sample V2 Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sample-v2-code.md | The following samples illustrate web applications that sign in users. Some sampl > | Blazor | Blazor Server Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/MyOrg) <br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/B2C) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-graph-user/Call-MSGraph) <br/> • [Call web API](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/MyOrg) <br/> • [Call web API (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/B2C) | [MSAL.NET](/entra/msal/dotnet) | Hybrid flow | > | ASP.NET Core|[Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | On-Behalf-Of (OBO) | > | ASP.NET Core|[Use the Conditional Access auth context to perform step\-up authentication](https://github.com/Azure-Samples/ms-identity-dotnetcore-ca-auth-context-app/blob/main/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | Authorization code |-> | ASP.NET Core|[Active Directory FS to Microsoft Entra migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | • SAML <br/> • OpenID connect | +> | ASP.NET Core|[Active Directory Federation Services to Microsoft Entra migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | • SAML <br/> • OpenID connect | > | ASP.NET | • [Microsoft Graph Training Sample](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) 
<br/> • [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) <br/> • [Sign in users and call Microsoft Graph with admin restricted scope](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) <br/> • [Quickstart: Sign in users](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) | [MSAL.NET](/entra/msal/dotnet) | • OpenID connect <br/> • Authorization code | > | Java </p> Spring |Microsoft Entra Spring Boot Starter Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/1-Authentication/sign-in) <br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/1-Authentication/sign-in-b2c) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/2-Authorization-I/call-graph) <br/> • [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/3-Authorization-II/roles) <br/> • [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/3-Authorization-II/groups) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/4-Deployment/deploy-to-azure-app-service) <br/> • [Protect a web API](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/3-Authorization-II/protect-web-api) | • [MSAL Java](/java/api/com.microsoft.aad.msal4j) <br/> • Microsoft Entra ID Boot Starter | Authorization code | > | Java </p> Servlets | Spring-less Servlet Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/1-Authentication/sign-in) <br/> • [Sign in users 
(B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/1-Authentication/sign-in-b2c) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/2-Authorization-I/call-graph) <br/> • [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/3-Authorization-II/roles) <br/> • [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/3-Authorization-II/groups) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/4-Deployment/deploy-to-azure-app-service) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Authorization code | The following samples show how to build applications using the C# language and f > | Web application| • [Sign in users](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/README.md) <br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-5-B2C/README.md) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/README.md) <br/> • [Customize token cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-2-TokenCache/README.md) <br/> • [Call Graph (multi-tenant)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md) <br/> • [Call Azure REST APIs](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/3-WebApp-multi-APIs/README.md) <br/> • [Protect web 
API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README.md) <br/> • [Protect web API (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md) <br/> • [Protect multi-tenant web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/Readme.md) <br/> • [Use App Roles for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-1-Roles/README.md) <br/> • [Use Security Groups for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) <br/> • [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/6-Deploy-to-Azure/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | • OpenID connect <br/> • Authorization code <br/> • On-Behalf-Of| > | Web application |[Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | On-Behalf-Of (OBO) | > | Web application |[Use the Conditional Access auth context to perform step\-up authentication](https://github.com/Azure-Samples/ms-identity-dotnetcore-ca-auth-context-app/blob/main/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | Authorization code |-> | Web application |[Active Directory FS to Microsoft Entra migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | • SAML <br/> • OpenID connect | +> | Web application |[Active Directory 
Federation Services to Microsoft Entra migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | • SAML <br/> • OpenID connect | > | Web API | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | [MSAL.NET](/entra/msal/dotnet) | On-Behalf-Of (OBO) | > | Multi-tenant SaaS | [ASP.NET Core MVC web application calls Microsoft Graph API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-3-Multi-Tenant) | [MSAL.NET](/entra/msal/dotnet) | OpenID connect | > | Multi-tenant SaaS | [ASP.NET Core MVC web application calls ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-3-AnyOrg) | [MSAL.NET](/entra/msal/dotnet) | Authorization code | |
active-directory | Scenario Daemon Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-daemon-acquire-token.md | var scopes = new [] { ResourceId+"/.default"}; -<a name='azure-ad-v10-resources'></a> --### Microsoft Entra ID (v1.0) resources +### Azure AD (v1.0) resources The scope used for client credentials should always be the resource ID followed by `/.default`. |
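Review bot: removing the explicit `<a name='azure-ad-v10-resources'></a>` anchor is only safe because the heading is renamed back to "Azure AD (v1.0) resources", whose generated id should again be `azure-ad-v10-resources`; confirm that is the id the site builds (the parentheses and the dot in "v1.0" are dropped) so existing links to `#azure-ad-v10-resources` keep resolving. Elsewhere in this batch the opposite rename adds a compatibility anchor rather than removing one, so the two conventions should be checked against each other.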
active-directory | Scenario Web App Sign User App Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md | The *.env* file should never be checked into source control, since it contains s ## Initialization code -The initialization code differences are platform dependant. For ASP.NET Core and ASP.NET, signing in users is delegated to the OpenID Connect middleware. The ASP.NET or ASP.NET Core template generates web applications for the Microsoft Entra v1.0 endpoint. Some configuration is required to adapt them to the Microsoft identity platform. +The initialization code differences are platform dependant. For ASP.NET Core and ASP.NET, signing in users is delegated to the OpenID Connect middleware. The ASP.NET or ASP.NET Core template generates web applications for the Azure AD v1.0 endpoint. Some configuration is required to adapt them to the Microsoft identity platform. # [ASP.NET Core](#tab/aspnetcore) In ASP.NET Core web apps (and web APIs), the application is protected because yo > .AddAzureAD(options => Configuration.Bind("AzureAd", options)); > ``` >-> This code uses the legacy **Microsoft.AspNetCore.Authentication.AzureAD.UI** NuGet package which is used to create a Microsoft Entra v1.0 application. This article explains how to create a Microsoft identity platform (Microsoft Entra v2.0) application which replaces that code. +> This code uses the legacy **Microsoft.AspNetCore.Authentication.AzureAD.UI** NuGet package which is used to create an Azure Active Directory v1.0 application. This article explains how to create a Microsoft identity platform v2.0 application which replaces that code. 1. Add the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) and [Microsoft.Identity.Web.UI](https://www.nuget.org/packages/Microsoft.Identity.Web.UI) NuGet packages to your project. 
Remove the `Microsoft.AspNetCore.Authentication.AzureAD.UI` NuGet package if it's present. |
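Review bot: "platform dependant" in the first line of the hunk is a typo carried from the - line into the + line; since the line is being rewritten, change it to "platform dependent". In the NOTE further down, "a Microsoft identity platform v2.0 application" reads as though "v2.0" were a version of the platform; "a Microsoft identity platform (v2.0 endpoint) application" keeps the relationship the - line expressed with "(Microsoft Entra v2.0)".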
active-directory | Tutorial Single Page App React Prepare Spa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-single-page-app-react-prepare-spa.md | Identity related **npm** packages must be installed in the project to enable use ``` -To learn more about these packages refer to the documentation in [msal-browser](/javascript/api/@azure/msal-browser), [msal-common](/javascript/api/@azure/msal-common), [msal-react](/javascript/api/@azure/msal-react). +To learn more about these packages refer to the documentation in [`msal-browser`](/javascript/api/@azure/msal-browser), [`msal-common`](/javascript/api/@azure/msal-common), [`msal-react`](/javascript/api/@azure/msal-react). ## Creating the authentication configuration file |
active-directory | Tutorial V2 Aspnet Daemon Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md | The "daemon" component in this sample is an API controller, `SyncController.cs`. Because the app is a multi-tenant app for Microsoft business customers, it must provide a way for customers to "sign up" or "connect" the application to their company data. During the connection flow, a Global Administrator first grants *application permissions* directly to the app so that it can access company data in a non-interactive fashion, without the presence of a signed-in user. The majority of the logic in this sample shows how to achieve this connection flow by using the identity platform's [admin consent](./permissions-consent-overview.md#using-the-admin-consent-endpoint) endpoint. -![Diagram shows UserSync App with three local items connecting to Azure, with Start dot Auth acquiring a token interactively to connect to Microsoft Entra I D, AccountController getting admin consent to connect to Microsoft Entra I D, and SyncController reading user to connect to Microsoft Graph.](./media/tutorial-v2-aspnet-daemon-webapp/topology.png) +![Diagram shows UserSync App with three local items connecting to Azure, with Start dot Auth acquiring a token interactively to connect to Microsoft Entra ID, AccountController getting admin consent to connect to Microsoft Entra ID, and SyncController reading user to connect to Microsoft Graph.](./media/tutorial-v2-aspnet-daemon-webapp/topology.png) For more information on the concepts used in this sample, read the [client credentials protocol documentation for the identity platform](v2-oauth2-client-creds-grant-flow.md). |
active-directory | V2 Conditional Access Dev Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-conditional-access-dev-guide.md | To try out this scenario, see our [React SPA calling Node.js web API using on-be ## See also * To learn more about the capabilities, see [Conditional Access in Microsoft Entra ID](../conditional-access/overview.md).-* For more Microsoft Entra ID code samples, see [samples](sample-v2-code.md). +* For more Microsoft Entra code samples, see [samples](sample-v2-code.md). * For more info on the MSAL SDK's and access the reference documentation, see the [Microsoft Authentication Library overview](msal-overview.md). * To learn more about multi-tenant scenarios, see [How to sign in users using the multi-tenant pattern](howto-convert-app-to-be-multi-tenant.md). * Learn more about [Conditional Access and securing access to IoT apps](/azure/architecture/example-scenario/iot-aad/iot-aad). |
active-directory | Web App Quickstart Portal Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-java.md | -> 1. On the front page, select the **Login** button to redirect users to Azure Active Directory and prompt them for credentials. +> 1. On the front page, select the **Login** button to redirect users to Microsoft Entra ID and prompt them for credentials. > > 1. After users are authenticated, they're redirected to `https://localhost:8443/msal4jsample/secure/aad`. They're now signed in, and the page will show information about the user account. The sample UI has these buttons: > - **Sign Out**: Signs the current user out of the application and redirects that user to the home page. |
active-directory | Assign Local Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/assign-local-admin.md | To modify the Azure AD Joined Device Local Administrator role, configure **Addit > [!NOTE] > This option requires Microsoft Entra ID P1 or P2 licenses. -Azure AD Joined Device Local Administrators are assigned to all Microsoft Entra joined devices. You canΓÇÖt scope this role to a specific set of devices. Updating the Azure AD Joined Device Local Administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen: +Microsoft Entra joined Device Local Administrators are assigned to all Microsoft Entra joined devices. You canΓÇÖt scope this role to a specific set of devices. Updating the Azure AD Joined Device Local Administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen: - Upto 4 hours have passed for Microsoft Entra ID to issue a new Primary Refresh Token with the appropriate privileges. - User signs out and signs back in, not lock/unlock, to refresh their profile. |
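Review bot: the + line renames only the first occurrence ("Microsoft Entra joined Device Local Administrators") and leaves "Azure AD Joined Device Local Administrator role" two sentences later, as well as in the preceding "To modify the Azure AD Joined Device Local Administrator role" context, so the same role is now named two different ways in one paragraph. Use the role's exact display name consistently on every occurrence, with the same capitalisation of "Joined", and fix "Upto" to "Up to" in the bullet below while the paragraph is open.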
active-directory | How To Hybrid Join Verify | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/how-to-hybrid-join-verify.md | Verify the device registration state in your Azure tenant by using **[Get-MsolDe When you use the **Get-MSolDevice** cmdlet to check the service details: - An object with the **device ID** that matches the ID on the Windows client must exist.-- The value for **DeviceTrustType** is **Domain Joined**. This setting is equivalent to the **Microsoft Entra hybrid joined** state on the **Devices** page in the Microsoft Entra portal.+- The value for **DeviceTrustType** is **Domain Joined**. This setting is equivalent to the **Microsoft Entra hybrid joined** state on the **Devices** page in the Microsoft Entra admin center. - For devices that are used in Conditional Access, the value for **Enabled** is **True** and **DeviceTrustLevel** is **Managed**. 1. Open Windows PowerShell as an administrator. |
active-directory | Manage Device Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-device-identities.md | You must be assigned one of the following roles to manage device settings: - Global Administrator - Cloud Device Administrator -![Screenshot that shows device settings related to Azure AD.](./media/manage-device-identities/device-settings-azure-portal.png) +![Screenshot that shows device settings related to Microsoft Entra ID.](./media/manage-device-identities/device-settings-azure-portal.png) - **Users may join devices to Microsoft Entra ID**: This setting enables you to select the users who can register their devices as Microsoft Entra joined devices. The default is **All**. |
active-directory | Troubleshoot Device Dsregcmd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-device-dsregcmd.md | This section lists the statuses of various attributes for users who are currentl - **WamDefaultSet**: Set the state to *YES* if a Web Account Manager (WAM) default WebAccount is created for the logged-in user. This field could display an error if `dsregcmd /status` is run from an elevated command prompt. - **WamDefaultAuthority**: Set the state to *organizations* for Microsoft Entra ID. - **WamDefaultId**: Always use *https://login.microsoft.com* for Microsoft Entra ID.-- **WamDefaultGUID**: The WAM provider's (Azure AD/Microsoft account) GUID for the default WAM WebAccount.+- **WamDefaultGUID**: The WAM provider's (Microsoft Entra ID / Microsoft account) GUID for the default WAM WebAccount. ### Sample user state output |
active-directory | Troubleshoot Mac Sso Extension Plugin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-mac-sso-extension-plugin.md | Now that the PRT (shared credential) has been verified, before doing any deeper ##### Native MSAL application -Scenario: An application developed to use MSAL (Example: **Microsoft To Do** client) that is running on an Apple device needs to sign the user in with their Microsoft Entra account in order to access a Microsoft Entra ID protected service (Example: **Microsoft To Do Service**). +Scenario: An application developed to use MSAL (Example: **Microsoft To Do** client) that is running on an Apple device needs to sign the user in with their Microsoft Entra account in order to access a Microsoft Entra protected service (Example: **Microsoft To Do Service**). :::image type="content" source="media/troubleshoot-mac-sso-extension-plugin/macos-prt-msal-app.gif" alt-text="A GIF animation showing the authentication flow of an MSAL app with a PRT."::: -1. MSAL-developed applications invoke the SSO extension directly, and send the PRT to the Microsoft Entra token endpoint along with the application's request for a token for a Microsoft Entra ID protected resource +1. MSAL-developed applications invoke the SSO extension directly, and send the PRT to the Microsoft Entra token endpoint along with the application's request for a token for a Microsoft Entra protected resource 1. Microsoft Entra ID validates the PRT credential, and returns an application-specific token back to the SSO extension broker-1. The SSO extension broker then passes the token to the MSAL client application, which then sends it to the Microsoft Entra ID protected resource +1. The SSO extension broker then passes the token to the MSAL client application, which then sends it to the Microsoft Entra protected resource 1. 
The user is now signed into the app and the authentication process is complete ##### Non-MSAL/Browser SSO -Scenario: A user on an Apple device opens up the Safari web browser (or any Non-MSAL native app that supports the Apple Networking Stack) to sign into a Microsoft Entra ID protected resource (Example: `https://office.com`). +Scenario: A user on an Apple device opens up the Safari web browser (or any Non-MSAL native app that supports the Apple Networking Stack) to sign into a Microsoft Entra protected resource (Example: `https://office.com`). :::image type="content" source="media/troubleshoot-mac-sso-extension-plugin/macos-prt-non-msal-app.gif" alt-text="An animation showing the high level authentication flow of a Non-MSAL app using the SSO Extension."::: Scenario: A user on an Apple device opens up the Safari web browser (or any Non- 1. As long as the Non-MSAL application is allow-listed in the MDM payload configuration, the Apple network stack intercepts the authentication request and redirects the request to the SSO Extension broker 1. Once the SSO extension receives the intercepted request, the PRT is sent to the Microsoft Entra token endpoint 1. Microsoft Entra ID validates the PRT, and returns an application-specific token back to the SSO Extension-1. The application-specific token is given to the Non-MSAL client application, and the client application sends the token to access the Microsoft Entra ID protected service +1. The application-specific token is given to the Non-MSAL client application, and the client application sends the token to access the Microsoft Entra protected service 1. The user now has completed the sign-in and the authentication process is complete ### Obtaining the SSO extension logs |
active-directory | Troubleshoot Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-primary-refresh-token.md | Microsoft Entra ID can't find the user account in the tenant. ##### Solution -To acquire a fresh PRT that has the new credentials, wait for the Azure AD synchronization to finish. +To acquire a fresh PRT that has the new credentials, wait for the Microsoft Entra synchronization to finish. </details> #### Common network error codes ("ERROR_WINHTTP_" prefix) |
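Review bot: "wait for the Microsoft Entra synchronization to finish" in the + line is vaguer than the surrounding text: the condition above is that the account cannot be found in the tenant, so the thing to wait for is the next directory synchronization cycle that creates the account in the cloud. Name the synchronization explicitly (Microsoft Entra Connect Sync or cloud sync, whichever the tenant uses) so the reader knows which cycle to check before retrying the PRT acquisition.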
active-directory | Linkedin Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/linkedin-integration.md | You can allow users in your organization to access their LinkedIn connections wi ## Enable LinkedIn account connections in the Azure portal - You can enable LinkedIn account connections for only the users you want to have access, from your entire organization to only selected users in your organization. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator). You can enable LinkedIn account connections for only the users you want to have 1. When you're done, select **Save** to save your settings. > [!Important]-> LinkedIn integration is not fully enabled for your users until they consent to connect their accounts. No data is shared when you enable account connections for your users. +> While LinkedIn integration is not fully enabled until your users consent to connect their accounts, access to public LinkedIn profile information is available without requiring individual consent. Full integration (two-way consent and additional fields) is not enabled without each user's consent. Your users can see the available LinkedIn profile of anyone that matches the name searched, regardless of whether that match is in the same enabled group or not. ### Assign selected users with a group |
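Review bot: the replacement IMPORTANT note mixes three different statements into one block, and the last sentence ("Your users can see the available LinkedIn profile of anyone that matches the name searched, regardless of whether that match is in the same enabled group or not") is the one an admin most needs before enabling the feature, because it says the group scope in the next section ("Assign selected users with a group") does not limit whose public profile data is exposed. Suggest restructuring the note as: (1) what is available before any user consents (public LinkedIn profile information), (2) what requires each user's consent (two-way consent and additional fields), and (3) a plain statement that selecting users or a group controls which of your users get the feature, not which LinkedIn profiles they can see.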
active-directory | B2b Direct Connect Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-direct-connect-overview.md | Reporting for monitoring and auditing B2B direct connect activity is available i <a name='azure-ad-monitoring-and-audit-logs'></a> -### Microsoft Entra ID monitoring and audit logs +<a name='microsoft-entra-id-monitoring-and-audit-logs'></a> ++### Microsoft Entra monitoring and audit logs Microsoft Entra ID includes information about cross-tenant access and B2B direct connect in the organization's Audit logs and Sign-in logs. These logs can be viewed in the Azure portal under **Monitoring**. |
active-directory | Cross Cloud Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-cloud-settings.md | The following scenarios are supported when collaborating with an organization fr ## Next steps -See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts. +See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non Microsoft Entra identities, social identities, and non-IT managed external accounts. |
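Review bot: "non Microsoft Entra identities" in the added Next steps line needs a hyphen, matching the hyphenated "non-IT managed" later in the same sentence: "for B2B collaboration with non-Microsoft Entra identities, social identities, and non-IT managed external accounts."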
active-directory | How To Facebook Federation Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-facebook-federation-customers.md | After you create the Facebook application, in this step you set the Facebook cli 1. Browse to **Identity** > **External Identities** > **All identity providers**. 2. Select **+ Facebook**. - <!-- ![Screenshot that shows how to add Facebook identity provider in Azure AD.](./media/sign-in-with-facebook/configure-facebook-idp.png)--> + <!-- ![Screenshot that shows how to add Facebook identity provider in Microsoft Entra ID.](./media/sign-in-with-facebook/configure-facebook-idp.png)--> 1. Enter a **Name**. For example, *Facebook*. 1. For the **Client ID**, enter the App ID of the Facebook application that you created earlier. |
active-directory | How To Google Federation Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-google-federation-customers.md | After you create the Google application, in this step you set the Google client 1. Browse to **Identity** > **External Identities** > **All identity providers**. 2. Select **+ Google**. - <!-- ![Screenshot that shows how to add Google identity provider in Azure AD.](./media/sign-in-with-google/configure-google-idp.png)--> + <!-- ![Screenshot that shows how to add Google identity provider in Microsoft Entra ID.](./media/sign-in-with-google/configure-google-idp.png)--> 1. Enter a **Name**. For example, *Google*. 1. For the **Client ID**, enter the Client ID of the Google application that you created earlier. |
active-directory | Tutorial Desktop App Maui Sign In Prepare App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-desktop-app-maui-sign-in-prepare-app.md | Download the following files into a folder in your computer: You need to install the following packages: -- _Microsoft.Identity.Client_ - This package contains the binaries of the Microsoft Authentication Library for .NET (MSAL.NET).-- _Microsoft.Extensions.Configuration.Json_ - This package contains JSON configuration provider implementation for Microsoft.Extensions.Configuration.-- _Microsoft.Extensions.Configuration.Binder_ - This package contains functionality to bind an object to data in configuration providers for Microsoft.Extensions.Configuration.-- _Microsoft.Extensions.Configuration.Abstractions_ - This package contains abstractions of key-value pair based configuration.-- _Microsoft.Identity.Client.Extensions.Msal_ - This package contains extensions to Microsoft Authentication Library for .NET (MSAL.NET).+- `Microsoft.Identity.Client` - This package contains the binaries of the Microsoft Authentication Library for .NET (MSAL.NET). +- `Microsoft.Extensions.Configuration.Json` - This package contains JSON configuration provider implementation for Microsoft.Extensions.Configuration. +- `Microsoft.Extensions.Configuration.Binder` - This package contains functionality to bind an object to data in configuration providers for Microsoft.Extensions.Configuration. +- `Microsoft.Extensions.Configuration.Abstractions` - This package contains abstractions of key-value pair based configuration. +- `Microsoft.Identity.Client.Extensions.Msal` - This package contains extensions to Microsoft Authentication Library for .NET (MSAL.NET). ### NuGet Package Manager |
active-directory | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/whats-new-docs.md | Title: "What's new in Azure Active Directory for customers" -description: "New and updated documentation for the Azure Active Directory for customers documentation." + Title: "What's new in Microsoft Entra ID for customers" +description: "New and updated documentation for the Microsoft Entra ID for customers documentation." Last updated 09/29/2023 -# Azure Active Directory for customers: What's new +# Microsoft Entra ID for customers: What's new -Welcome to what's new in Azure Active Directory for customers documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. +Welcome to what's new in Microsoft Entra ID for customers documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. ## September 2023 -This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. For more information about the rebranding, see the [New name for Azure Active Directory](/azure/active-directory/fundamentals/new-name) article. +This month, we renamed Microsoft Entra ID to Microsoft Entra ID. For more information about the rebranding, see the [New name for Microsoft Entra ID](/azure/active-directory/fundamentals/new-name) article. ### Updated articles This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. 
- [Quickstart: Create a tenant (preview)](quickstart-tenant-setup.md) - Get started guide update - [Add and manage admin accounts](how-to-manage-admin-accounts.md) - Editorial review - [Tutorial: Prepare a Vanilla JavaScript single-page app for authentication in a customer tenant](tutorial-single-page-app-vanillajs-prepare-app.md) - Editorial review-- [Azure AD for customers documentation](index.yml) - Editorial review+- [Microsoft Entra ID for customers documentation](index.yml) - Editorial review - [Tutorial: Sign in users in .NET MAUI app](tutorial-desktop-app-maui-sign-in-sign-out.md) - Add app roles to .NET MAUI app and receive them in the ID token - [Tutorial: Sign in users in .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-sign-out.md) - Add app roles to .NET MAUI app and receive them in the ID token This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. ### New articles - [Tutorial: Prepare your customer tenant to authorize a .NET daemon application](tutorial-daemon-dotnet-call-api-prepare-tenant.md)-- [Tutorial: Secure an ASP.NET web API registered in the Azure AD for customer's tenant](tutorial-protect-web-api-dotnet-core-build-app.md)+- [Tutorial: Secure an ASP.NET web API registered in the Microsoft Entra ID for customer's tenant](tutorial-protect-web-api-dotnet-core-build-app.md) - [Tutorial: Prepare your customer tenant to authorize a Node.js daemon application](tutorial-daemon-node-call-api-prepare-tenant.md) - [Tutorial: Register and configure .NET browserless app authentication details in a customer tenant](tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) - [Sign in users in a sample WPF desktop application](sample-desktop-wpf-dotnet-sign-in.md) This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. 
- [Tutorial: Add add sign-in and sign-out in your Node.js web application](tutorial-web-app-node-sign-in-sign-out.md) - Editorial review - [Tutorial: Call a web API from your Node.js daemon application](tutorial-daemon-node-call-api-build-app.md) - Editorial review - [Tutorial: Sign in users to your .NET browserless application](tutorial-browserless-app-dotnet-sign-in-build-app.md) - Editorial review- |
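Review bot: the rebranding sentence in the September 2023 section is now self-contradictory: the added line reads "This month, we renamed Microsoft Entra ID to Microsoft Entra ID" and the link text became "New name for Microsoft Entra ID", which looks like a global find-and-replace of the old name that should have skipped this sentence, since it exists to explain the rename. Keep the old name here, as the unchanged context line "This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID." still shows it: "This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. For more information about the rebranding, see the [New name for Azure Active Directory](/azure/active-directory/fundamentals/new-name) article." Separately, the "Updated articles" list still has the doubled word in "Tutorial: Add add sign-in and sign-out in your Node.js web application".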
active-directory | Customize Invitation Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customize-invitation-api.md | Get-AzureADUser -Filter "UserState eq 'PendingAcceptance'" | Format-List -Proper ``` > [!NOTE]-> Make sure you have the latest version of the Azure AD PowerShell module or AzureADPreview PowerShell module. +> Make sure you have the latest version of the Azure AD PowerShell module or AzureADPreview PowerShell module. ## See also |
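Review bot: the removed and added lines of this NOTE block are textually identical ("Make sure you have the latest version of the Azure AD PowerShell module or AzureADPreview PowerShell module."), so the change is whitespace only (trailing whitespace or line ending). Worth confirming that this was intentional and not a missed rename: `AzureAD` and `AzureADPreview` are the names of the PowerShell modules themselves, so, unlike the product-name replacements in the other rows, they should stay as written.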
active-directory | Google Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/google-federation.md | First, create a new project in the Google Developers Console to obtain a client 1. Select **Create credentials**, and then select **OAuth client ID**. -1. In the Application type menu, select **Web application**. Give the application a suitable name, like `Azure AD B2B`. Under **Authorized redirect URIs**, add the following URIs: +1. In the Application type menu, select **Web application**. Give the application a suitable name, like `Microsoft Entra B2B`. Under **Authorized redirect URIs**, add the following URIs: - `https://login.microsoftonline.com` - `https://login.microsoftonline.com/te/<tenant ID>/oauth2/authresp` <br>(where `<tenant ID>` is your tenant ID) |
active-directory | Self Service Sign Up User Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-user-flow.md | Next, you'll create the user flow for self-service sign-up and add it to an appl 1. Select the user flow type (for example, **Sign up and sign in**), and then select the version (**Recommended** or **Preview**). 1. On the **Create** page, enter a **Name** for the user flow. The name is automatically prefixed with **B2X_1_**.-1. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Azure Active Directory Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.) +1. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Microsoft Entra ID Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.) 1. Under **User attributes**, choose the attributes you want to collect from the user. For more attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**. :::image type="content" source="media/self-service-sign-up-user-flow/create-user-flow.png" alt-text="Screenshot of the new user flow creation page. "::: |
active-directory | Tenant Restrictions V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/tenant-restrictions-v2.md | The following table compares the features in each version. | |Tenant restrictions v1 |Tenant restrictions v2 | |-||| |**Policy enforcement** | The corporate proxy enforces the tenant restriction policy in the Microsoft Entra ID control plane. | Options: <br></br>- Universal tenant restrictions in Global Secure Access (preview), which uses policy signaling to tag all traffic, providing both authentication and data plane support on all platforms. <br></br>- Authentication plane-only protection, where the corporate proxy sets tenant restrictions v2 signals on all traffic. <br></br>- Windows device management, where devices are configured to point Microsoft traffic to the tenant restriction policy, and the policy is enforced in the cloud. |-|**Policy enforcement limitation** | Manage corporate proxies by adding tenants to the Microsoft Entra ID traffic allowlist. The character limit of the header value in Restrict-Access-To-Tenants: `<allowed-tenant-list>` limits the number of tenants that can be added. | Managed by a cloud policy in the cross-tenant access policy. A partner policy is created for each external tenant. Currently, the configuration for all external tenants is contained in one policy with a 25KB size limit. | +|**Policy enforcement limitation** | Manage corporate proxies by adding tenants to the Microsoft Entra traffic allowlist. The character limit of the header value in Restrict-Access-To-Tenants: `<allowed-tenant-list>` limits the number of tenants that can be added. | Managed by a cloud policy in the cross-tenant access policy. A partner policy is created for each external tenant. Currently, the configuration for all external tenants is contained in one policy with a 25KB size limit. 
| |**Malicious tenant requests** | Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection. | Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection. | |**Granularity** | Limited. | Tenant, user, group, and application granularity. (User-level granularity isn't supported with Microsoft Accounts.) | |**Anonymous access** | Anonymous access to Teams meetings and file sharing is allowed. | Anonymous access to Teams meetings is blocked. Access to anonymously shared resources (ΓÇ£Anyone with the linkΓÇ¥) is blocked. | to this tenant restrictions v2 header: `sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>` -where `<DirectoryID>` is your Azure AD tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy. +where `<DirectoryID>` is your Microsoft Entra tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy. #### Tenant restrictions v1 settings on the corporate proxy You can configure the corporate proxy to enable client-side tagging of the tenan `sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>` -where `<DirectoryID>` is your Azure AD tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy. For details, see [Set up tenant restrictions v2 on your corporate proxy](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy) +where `<DirectoryID>` is your Microsoft Entra tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy. For details, see [Set up tenant restrictions v2 on your corporate proxy](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy) You can configure server-side cloud tenant restrictions v2 policies by following the steps at [Step 2: Configure tenant restrictions v2 for specific partners](#step-2-configure-tenant-restrictions-v2-for-specific-partners). 
Be sure to follow these guidelines: You can configure server-side cloud tenant restrictions v2 policies by following >Blocking the MSA tenant will not block user-less traffic for devices, including: > >- Traffic for Autopilot, Windows Update, and organizational telemetry.->- B2B authentication of consumer accounts, or "passthrough" authentication, where Azure apps and Office.com apps use Azure AD to sign in consumer users in a consumer context. +>- B2B authentication of consumer accounts, or "passthrough" authentication, where Azure apps and Office.com apps use Microsoft Entra ID to sign in consumer users in a consumer context. #### Tenant restrictions v2 with no support for break and inspect |
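Review bot: the "Anonymous access" row of the comparison table carries mis-encoded quotation marks around Anyone with the link (rendered as ΓÇ£ and ΓÇ¥, the usual result of UTF-8 curly quotes being read as a single-byte code page); if those bytes are in the source file, replace them with plain ASCII quotes ("Anyone with the link") so the table renders the same regardless of how the file is decoded. The hunk's own change (describing `<DirectoryID>` as the Microsoft Entra tenant ID in the `sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>` header) is fine, and since the same sentence appears in both the v1 and v2 proxy sections, check that both copies were updated.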
active-directory | Add Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md | -Microsoft Entra tenants come with an initial domain name like, `domainname.onmicrosoft.com`. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as `alain@contoso.com`. +Microsoft Entra tenants come with an initial domain name like, `domainname.onmicrosoft.com`. You can't change or delete the initial domain name, but you can add your organization's name to the initial domain. By adding your custom domain name, you can then add user names that are familiar to your users, such as `alain@contoso.com`. ## Before you begin For more information about subscription roles, see [Azure roles](../../role-base After you create your directory, you can add your custom domain name. > [!IMPORTANT]-> When updating domain information, you may be unable to complete the process and encounter a HTTP 500 Internal Server Error message. Under some conditions, this error may be expected. This message may appear if you try to use a protected DNS suffix. Protected DNS suffixes may only be used by Microsoft. If you believe that this operation should have been completed successfully, please contact your Microsoft representative for assistance. +> When updating domain information, you may be unable to complete the process and encounter a HTTP 500 Internal Server Error message. Under some conditions, this error may be expected. This message may appear if you try to use a protected DNS suffix. Protected DNS suffixes may only be used by Microsoft. If you believe that this operation should have been completed successfully, please contact your Microsoft representative for assistance. 1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Domain Name Administrator](../roles/permissions-reference.md#domain-name-administrator). |
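Review bot: the reworded intro sentence "you can add your organization's name to the initial domain" is misleading: the same sentence says the initial `domainname.onmicrosoft.com` name can't be changed, and custom domain names are added to the tenant alongside it, which is what the later line "After you create your directory, you can add your custom domain name" describes. Suggest: "You can't change or delete the initial domain name, but you can add your organization's custom domain names to the tenant. Adding a custom domain name lets you create user names that are familiar to your users, such as `alain@contoso.com`." Separately, the removed and added lines of the IMPORTANT note are textually identical, so that part of the change is whitespace only.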
active-directory | Add Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-users.md | When a user is deleted, any licenses consumed by the user are made available for After you've added your users, you can do the following basic processes: - [Add or change profile information](./how-to-manage-user-profile-info.md)- - [Assign roles to users](./how-subscriptions-associated-directory.md)- - [Create a basic group and add members](./how-to-manage-groups.md)- - [Work with dynamic groups and users](../enterprise-users/groups-create-rule.md)- - [Add guest users from another directory](../external-identities/what-is-b2b.md) |
active-directory | Concept Learn About Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-learn-about-groups.md | -Microsoft Entra ID provides several ways to manage access to resources, applications, and tasks. With Microsoft Entra groups, you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Microsoft Entra resources to only those users who need access is one of the core security principles of [Zero Trust](/security/zero-trust/zero-trust-overview). This article provides an overview of how groups and access rights can be used together to make managing your Microsoft Entra users easier while also applying security best practices. +Microsoft Entra ID provides several ways to manage access to resources, applications, and tasks. With Microsoft Entra groups, you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Microsoft Entra resources to only those users who need access is one of the core security principles of [Zero Trust](/security/zero-trust/zero-trust-overview). ++This article provides an overview of how groups and access rights can be used together to make managing your Microsoft Entra users easier while also applying security best practices. Microsoft Entra ID lets you use groups to manage access to applications, data, and resources. 
Resources can be: After a user requests to join a group, the request is forwarded to the group own ## Next steps - [Create and manage Microsoft Entra groups and group membership](how-to-manage-groups.md)- - [Learn about group-based licensing in Microsoft Entra ID](./licensing-whatis-azure-portal.md)- - [Manage access to SaaS apps using groups](../enterprise-users/groups-saasapps.md)- - [Manage dynamic rules for users in a group](../enterprise-users/groups-create-rule.md)- - [Learn about Privileged Identity Management for Microsoft Entra roles](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) |
active-directory | Concept Secure Remote Workers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-secure-remote-workers.md | -It can seem daunting trying to secure your workers in today's world, especially when you have to respond rapidly and provide access to many services quickly. This article is meant to provide a concise list of all the actions to take, helping you identify and prioritize which order to deploy the Microsoft Entra features based on the license type you own. Microsoft Entra ID offers many features and provides many layers of security for your Identities, navigating which feature is relevant can sometimes be overwhelming. This document is intended to help organizations deploy services quickly, with secure identities as the primary consideration. +It can seem daunting trying to secure your workers in today's world, especially when you have to respond rapidly and provide access to many services quickly. This article is meant to provide a concise list of all the actions to take, helping you identify and prioritize which order to deploy the Microsoft Entra features based on the license type you own. ++Microsoft Entra ID offers many features and provides many layers of security for your Identities, navigating which feature is relevant can sometimes be overwhelming. This document is intended to help organizations deploy services quickly, with secure identities as the primary consideration. Each table provides a consistent security recommendation, protecting identities from common security attacks while minimizing user friction. 
The guidance helps: -- Configure access to SaaS and on-premises applications in a secure and protected manner.-- Both cloud and hybrid identities.-- Users working remotely or in the office.+- Configure access to SaaS and on-premises applications in a secure and protected manner +- Both cloud and hybrid identities +- Users working remotely or in the office ## Prerequisites -This guide assumes that your cloud only or hybrid identities have been established in Microsoft Entra ID already. For help with choosing your identity type see the article, [Choose the right authentication method for your Microsoft Entra hybrid identity solution](../hybrid/connect/choose-ad-authn.md) +This guide assumes that your cloud only or hybrid identities have been established in Microsoft Entra ID already. For help with choosing your identity type see the article, [Choose the right authentication method for your Microsoft Entra hybrid identity solution](../hybrid/connect/choose-ad-authn.md). ### Guided walkthrough For a guided walkthrough of many of the recommendations in this article, see the <a name='guidance-for-azure-ad-free-office-365-or-microsoft-365-customers'></a> -## Guidance for Microsoft Entra ID Free, Office 365, or Microsoft 365 customers. +## Guidance for Microsoft Entra ID Free, Office 365, or Microsoft 365 customers There are many recommendations that Microsoft Entra ID Free, Office 365, or Microsoft 365 app customers should take to protect their user identities. 
The following table is intended to highlight key actions for the following license subscriptions: There are many recommendations that Microsoft Entra ID Free, Office 365, or Micr | Recommended action | Detail | | | |-| [Enable Security Defaults](security-defaults.md) | Protect all user identities and applications by enabling MFA and blocking legacy authentication | -| [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) | +| [Enable Security Defaults](security-defaults.md) | Protect all user identities and applications by enabling MFA and blocking legacy authentication. | +| [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials). | | [Enable ADFS smart lock out](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection) (If applicable) | Protects your users from experiencing extranet account lockout from malicious activity. | | [Enable Microsoft Entra smart lockout](../authentication/howto-password-smart-lockout.md) (if using managed identities) | Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in. | | [Disable end-user consent to applications](../manage-apps/configure-user-consent.md) | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk. 
|-| [Integrate supported SaaS applications from the gallery to Microsoft Entra ID and enable Single sign on](../manage-apps/add-application-portal.md) | Microsoft Entra ID has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO) | +| [Integrate supported SaaS applications from the gallery to Microsoft Entra ID and enable Single sign on](../manage-apps/add-application-portal.md) | Microsoft Entra ID has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO). | | [Automate user provisioning and deprovisioning from SaaS Applications](../app-provisioning/user-provisioning.md) (if applicable) | Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security. | | [Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks](../manage-apps/secure-hybrid-access.md) (if applicable) | Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Microsoft Entra ID with your existing application delivery controller or network. | | [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) (applicable to cloud only accounts) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application. 
| There are many recommendations that Microsoft Entra ID Free, Office 365, or Micr <a name='guidance-for-azure-ad-premium-plan-1-customers'></a> -## Guidance for Microsoft Entra ID P1 customers. +## Guidance for Microsoft Entra ID P1 customers The following table is intended to highlight the key actions for the following license subscriptions: The following table is intended to highlight the key actions for the following l | | | | [Create more than one Global Administrator](../roles/security-emergency-access.md) | Assign at least two cloud-only permanent Global Administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords. | | [Enable combined registration experience for Microsoft Entra multifactor authentication and SSPR to simplify user registration experience](../authentication/howto-registration-mfa-sspr-combined.md) | Allow your users to register from one common experience for both Microsoft Entra multifactor authentication and self-service password reset. |-| [Configure MFA settings for your organization](../authentication/howto-mfa-getstarted.md) | Ensure accounts are protected from being compromised with multifactor authentication | -| [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application | +| [Configure MFA settings for your organization](../authentication/howto-mfa-getstarted.md) | Ensure accounts are protected from being compromised with multifactor authentication. | +| [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application. 
| | [Implement Password Writeback](../authentication/tutorial-enable-sspr-writeback.md) (if using hybrid identities) | Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment. | | Create and enable Conditional Access policies | [MFA for admins to protect accounts that are assigned administrative rights.](../conditional-access/howto-conditional-access-policy-admin-mfa.md) <br><br> [Block legacy authentication protocols due to the increased risk associated with legacy authentication protocols.](../conditional-access/howto-conditional-access-policy-block-legacy.md) <br><br> [MFA for all users and applications to create a balanced MFA policy for your environment, securing your users and applications.](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) <br><br> [Require MFA for Azure Management to protect your privileged resources by requiring multifactor authentication for any user accessing Azure resources.](../conditional-access/howto-conditional-access-policy-azure-management.md) | | [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) | The following table is intended to highlight the key actions for the following l | [Use least privileged roles where possible](../roles/permissions-reference.md) | Give your administrators only the access they need to only the areas they need access to. Not all administrators need to be Global Administrators. | | [Enable Microsoft's password guidance](https://www.microsoft.com/research/publication/password-guidance/) | Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure. 
| | [Create an organization specific custom banned password list](../authentication/tutorial-configure-custom-password-protection.md) | Prevent users from creating passwords that include common words or phrases from your organization or area. |-| [Deploy passwordless authentication methods for your users](../authentication/concept-authentication-passwordless.md) | Provide your users with convenient passwordless authentication methods | +| [Deploy passwordless authentication methods for your users](../authentication/concept-authentication-passwordless.md) | Provide your users with convenient passwordless authentication methods. | | [Create a plan for guest user access](../external-identities/what-is-b2b.md) | Collaborate with guest users by letting them sign into your apps and services with their own work, school, or social identities. | <a name='guidance-for-azure-ad-premium-plan-2-customers'></a> -## Guidance for Microsoft Entra ID P2 customers. +## Guidance for Microsoft Entra ID P2 customers The following table is intended to highlight the key actions for the following license subscriptions: The following table is intended to highlight the key actions for the following l | | | | [Create more than one Global Administrator](../roles/security-emergency-access.md) | Assign at least two cloud-only permanent Global Administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords. | | [Enable combined registration experience for Microsoft Entra multifactor authentication and SSPR to simplify user registration experience](../authentication/howto-registration-mfa-sspr-combined.md) | Allow your users to register from one common experience for both Microsoft Entra multifactor authentication and self-service password reset. 
|-| [Configure MFA settings for your organization](../authentication/howto-mfa-getstarted.md) | Ensure accounts are protected from being compromised with multifactor authentication | -| [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application | +| [Configure MFA settings for your organization](../authentication/howto-mfa-getstarted.md) | Ensure accounts are protected from being compromised with multifactor authentication. | +| [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application. | | [Implement Password Writeback](../authentication/tutorial-enable-sspr-writeback.md) (if using hybrid identities) | Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment. | | [Enable Identity Protection policies to enforce MFA registration](../identity-protection/howto-identity-protection-configure-mfa-policy.md) | Manage the roll-out of Microsoft Entra multifactor authentication. | | [Enable Identity Protection user and sign-in risk policies](../identity-protection/howto-identity-protection-configure-risk-policies.md) | Enable Identity Protection User and Sign-in policies. The recommended sign-in policy is to target medium risk sign-ins and require MFA. For User policies, you should target high risk users requiring the password change action. | The following table is intended to highlight the key actions for the following l | [Create an organization specific custom banned password list](../authentication/tutorial-configure-custom-password-protection.md) | Prevent users from creating passwords that include common words or phrases from your organization or area. 
| | [Deploy passwordless authentication methods for your users](../authentication/concept-authentication-passwordless.md) | Provide your users with convenient passwordless authentication methods | | [Create a plan for guest user access](../external-identities/what-is-b2b.md) | Collaborate with guest users by letting them sign into your apps and services with their own work, school, or social identities. |-| [Enable Privileged Identity Management](../privileged-identity-management/pim-configure.md) | Enables you to manage, control, and monitor access to important resources in your organization, ensuring admins have access only when needed and with approval | +| [Enable Privileged Identity Management](../privileged-identity-management/pim-configure.md) | Enables you to manage, control, and monitor access to important resources in your organization, ensuring admins have access only when needed and with approval. | | [Complete an access review for Microsoft Entra directory roles in PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) | Work with your security and leadership teams to create an access review policy to review administrative access based on your organization's policies. | [!INCLUDE [active-directory-zero-trust](../../../includes/active-directory-zero-trust.md)] |
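Review bot: the P2 table now diverges from the P1 table it mirrors. In the P1 section the row `| [Deploy passwordless authentication methods for your users](../authentication/concept-authentication-passwordless.md) | Provide your users with convenient passwordless authentication methods |` gets its trailing period, but the identical row in the P2 section is left as unchanged context without one, so the two tables end their descriptions differently. Apply the same edit to the P2 row. The other sentence-ending fixes (MFA settings, SSPR, PIM) are applied to both tables and the `<a name='guidance-for-azure-ad-premium-plan-...'></a>` aliases are kept above the renamed headings, which is what keeps existing inbound links to the old heading IDs working.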
active-directory | Create New Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/create-new-tenant.md | -In this quickstart, you'll learn how to get to the Azure portal and Microsoft Entra ID, and you'll learn how to create a basic tenant for your organization. +In this quickstart article, you'll learn how to get to the Azure portal and Microsoft Entra ID, and you'll learn how to create a basic tenant for your organization. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. After you sign in to the [Azure portal](https://portal.azure.com), you can creat 1. From the Azure portal menu, select **Microsoft Entra ID**. -1. On the overview page, select **Manage tenants** +1. On the overview page, select **Manage tenants**. 1. Select **Create**. After you sign in to the [Azure portal](https://portal.azure.com), you can creat 1. On the Basics tab, select the type of tenant you want to create, either **Microsoft Entra ID** or **Microsoft Entra ID (B2C)**. -1. Select **Next: Configuration** to move on to the Configuration tab. +1. Select **Next: Configuration** to move to the Configuration tab. 1. On the Configuration tab, enter the following information: After you sign in to the [Azure portal](https://portal.azure.com), you can creat - Type your desired Initial domain name (for example _Contosoorg_) into the **Initial domain name** box. - Select your desired Country/Region or leave the _United States_ option in the **Country or region** box. -1. Select **Next: Review + Create**. Review the information you entered and if the information is correct, select **create**. +1. Select **Next: Review + Create**. Review the information you entered and if the information is correct, select **Create** in the lower left corner. Your new tenant is created with the domain contoso.onmicrosoft.com. 
If you're not going to continue to use this application, you can delete the tena ## Next steps -- Change or add other domain names, see [How to add a custom domain name to Microsoft Entra ID](add-custom-domain.md)+- Change or add other domain names, see [How to add a custom domain name to Microsoft Entra ID](add-custom-domain.md). - Add users, see [Add or delete a new user](./add-users.md) -- Add groups and members, see [Create a basic group and add members](./how-to-manage-groups.md)+- Add groups and members, see [Create a basic group and add members](./how-to-manage-groups.md). - Learn about [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) and [Conditional Access](../conditional-access/overview.md) to help manage your organization's application and resource access. |
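Review bot: the example domain no longer matches its own walkthrough. The Configuration step tells the reader to enter _Contosoorg_ as the initial domain name, but the closing sentence still says `Your new tenant is created with the domain contoso.onmicrosoft.com.`; with that input the resulting domain is contosoorg.onmicrosoft.com, so either the example name or the result line should change. The new positional hint `select **Create** in the lower left corner` is brittle against portal layout changes and adds nothing the bolded button name does not already give; drop it. In Next steps, periods were added to the domain-name and groups bullets but `- Add users, see [Add or delete a new user](./add-users.md)` was left without one, so the list is now inconsistent.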
active-directory | Custom Security Attributes Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-overview.md | For more information about working with extensions, see [Add custom data to reso Check that you are assigned the [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator) or [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator) roles. If not, check with your administrator to assign you the appropriate role at tenant scope or attribute set scope. By default, [Global Administrator](../roles/permissions-reference.md#global-administrator) and other administrator roles do not have permissions to read, define, or assign custom security attributes. If necessary, a Global Administrator can assign these roles to themselves. - ![Diagram showing checking permissions to add custom security attributes in Azure AD.](./media/custom-security-attributes-overview/attributes-permissions.png) + ![Diagram showing checking permissions to add custom security attributes in Microsoft Entra ID.](./media/custom-security-attributes-overview/attributes-permissions.png) 1. **Add attribute sets** Depending on whether you have a Microsoft Entra ID P1 or P2 license, here are th ## License requirements ## Next steps |
active-directory | Data Operational Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-operational-considerations.md | -In this article, learn about data operational considerations for your configuration. There's information about how log files and other features work in relation to Microsoft Entra ID, such as usage data and operator security. YouΓÇÖll learn about physical security considerations in addition to guidance on how the Microsoft Entra ID team defines deployments and change. +In this article, learn about data operational considerations for your configuration. There's information about how log files and other features work in relation to Microsoft Entra ID, such as usage data and operator security. YouΓÇÖll learn about physical security considerations in addition to guidance on how the Microsoft Entra team defines deployments and change. ## Log files Learn more: [Azure facilities, premises, and physical security](../../security/f ## Change control process -To roll out changes to the service across data centers, the Microsoft Entra ID team defines the layers of a deployment environment. Applying the change layers is constrained by strict exit criteria. The amount of time to roll a change across layers is defined by the operations team and is based on potential effects. Typically a rollout takes between 1 to 2 weeks. Critical changes, such as security fixes or hot fixes, can be deployed faster. If a change doesn't meet the exit criteria when applied to a deployment layer, it's rolled back to the prior, stable state. +To roll out changes to the service across data centers, the Microsoft Entra team defines the layers of a deployment environment. Applying the change layers is constrained by strict exit criteria. The amount of time to roll a change across layers is defined by the operations team and is based on potential effects. Typically a rollout takes between 1 to 2 weeks. 
Critical changes, such as security fixes or hot fixes, can be deployed faster. If a change doesn't meet the exit criteria when applied to a deployment layer, it's rolled back to the prior, stable state. ## Resources To roll out changes to the service across data centers, the Microsoft Entra ID t ## Next steps * [Microsoft Entra ID and data residency](data-residency.md)- * [Data operational considerations](data-operational-considerations.md) (You're here) * [Data protection considerations](data-protection-considerations.md) |
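Review bot: the mis-encoded apostrophe survives the rewrite. Both the `-` and the `+` version of the intro paragraph contain `YouΓÇÖll`, which is a UTF-8 curly apostrophe decoded as Windows-1252; since this line is being touched anyway, replace it with `You'll`. In the change-control paragraph, `Typically a rollout takes between 1 to 2 weeks` mixes two constructions; use `between 1 and 2 weeks` or `1 to 2 weeks`. The rename from "Microsoft Entra ID team" to "Microsoft Entra team" is right, since the team name, unlike the product name, was never "Azure AD ID".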
active-directory | Data Protection Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-protection-considerations.md | The security tokens are issued by the Microsoft Entra authentication Services. I **Application Access**: Because applications can access the Application Programming Interfaces (APIs) without user context, the access check includes information about the userΓÇÖs application and the scope of access requested, for example read only, read/write, etc. Many applications use OpenID Connect or OAuth to obtain tokens to access the directory on behalf of the user. These applications must be explicitly granted access to the directory or they won't receive a token from Microsoft Entra authentication Service, and they access data from the granted scope. -**Auditing**: Access is audited. For example, authorized actions such as create user and password reset create an audit trail that can be used by a tenant administrator to manage compliance efforts or investigations. Tenant administrators can generate audit reports by using the Microsoft Entra ID audit API. +**Auditing**: Access is audited. For example, authorized actions such as create user and password reset create an audit trail that can be used by a tenant administrator to manage compliance efforts or investigations. Tenant administrators can generate audit reports by using the Microsoft Entra audit API. Learn more: [Audit logs in Microsoft Entra ID](../reports-monitoring/concept-audit-logs.md) For more information about Secret encryption at rest, see the following table. ## Next steps * [Microsoft Entra ID and data residency](data-residency.md) - * [Data operational considerations](data-operational-considerations.md) * [Data protection considerations](data-protection-considerations.md) (You're here) |
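Review bot: the same encoding defect as in the sibling article is left in place here: `userΓÇÖs` in the **Application Access** paragraph should be `user's`. That paragraph also names the issuer inconsistently, `Microsoft Entra authentication Services` in the first sentence and `Microsoft Entra authentication Service` later, and its last clause, `they won't receive a token from Microsoft Entra authentication Service, and they access data from the granted scope`, reads as if the two outcomes happen together; a clearer form is `...won't receive a token. Once granted, they can access only data within the granted scope.` The change to `Microsoft Entra audit API` in the **Auditing** paragraph is consistent with the linked [Audit logs in Microsoft Entra ID] article title.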
active-directory | Data Residency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-residency.md | The Core Store is made up of tenants stored in scale units, each of which contai Learn more: [Microsoft Entra Core Store Scale Units](https://www.youtube.com/watch?v=OcKO44GtHh8) -Microsoft Entra ID is available in the following clouds +Microsoft Entra ID is available in the following clouds: * Public * China For more information on data residency in Microsoft Cloud offerings, see the fol ## Next steps * [Microsoft Entra ID and data residency](data-residency.md) (You're here)- * [Data operational considerations](data-operational-considerations.md) * [Data protection considerations](data-protection-considerations.md) |
active-directory | Data Storage Australia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-storage-australia.md | All other Microsoft Entra services store customer data in global datacenters. To ## Microsoft Entra multifactor authentication -MFA stores Identity Customer Data in global datacenters. To learn more about the user information collected and stored by cloud-based Microsoft Entra multifactor authentication and Microsoft Entra multifactor authentication Server, see [Microsoft Entra multifactor authentication user data collection](../authentication/concept-mfa-data-residency.md). +MFA stores Identity Customer Data in global datacenters. To learn more about the user information collected and stored by cloud-based Microsoft Entra multifactor authentication and Azure Multi-Factor Authentication Server, see [Microsoft Entra multifactor authentication user data collection](../authentication/concept-mfa-data-residency.md). ## Next steps |
active-directory | Data Storage Eu | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-storage-eu.md | -Microsoft Entra stores customer data in a geographic location based on how a tenant was created and provisioned. The following list provides information about how the location is defined: +Microsoft Entra ID stores customer data in a geographic location based on how a tenant was created and provisioned. The following list provides information about how the location is defined: * **Microsoft Entra admin center or Microsoft Entra API** - A customer selects a location from the pre-defined list. * **Dynamics 365 and Power Platform** - A customer provisions their tenant in a pre-defined location.-* **EU Data Residency** - For customers who provided a location in Europe, Microsoft Entra stores most of the customer data in Europe, except where noted later in this article. -* **EU Data Boundary** - For customers who provided a location that is within the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations) (members of the EU and EFTA), Microsoft Entra stores and processes most of the customer data in the EU Data Boundary, except where noted later in this article. +* **EU Data Residency** - For customers who provided a location in Europe, Microsoft Entra ID stores most of the customer data in Europe, except where noted later in this article. +* **EU Data Boundary** - For customers who provided a location that is within the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations) (members of the EU and EFTA), Microsoft Entra ID stores and processes most of the customer data in the EU Data Boundary, except where noted later in this article. * **Microsoft 365** - The location is based on a customer provided billing address. 
The following sections provide information about customer data that doesn't meet the EU Data Residency or EU Data Boundary commitments. See more information on optional service capabilities that transfer customer dat ### Other EU Data Boundary online services -Services and applications that integrate with Microsoft Entra have access to customer data. Review how each service and application stores and processes customer data, and verify that they meet your company's data handling requirements. +Services and applications that integrate with Microsoft Entra ID have access to customer data. Review how each service and application stores and processes customer data, and verify that they meet your company's data handling requirements. ## Next steps |
active-directory | Five Steps To Full Application Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/five-steps-to-full-application-integration.md | Last updated 03/01/2023 # Five steps to integrate your apps with Microsoft Entra ID -Learn to integrate your applications with Microsoft Entra ID, which is a cloud-based identity and access management service. Organizations use Microsoft Entra ID for secure authentication and authorization so customers, partners, and employees can access applications. With Microsoft Entra ID, features such as Conditional Access, Microsoft Entra multifactor authentication, single sign-on, and application provisioning make identity and access management easier to manage and more secure. +Learn to integrate your applications with Microsoft Entra ID, which is a cloud-based identity and access management service. Organizations use Microsoft Entra ID for secure authentication and authorization so customers, partners, and employees can access applications. ++With Microsoft Entra ID, features such as Conditional Access, Microsoft Entra multifactor authentication, single sign-on, and application provisioning make identity and access management easier to manage and more secure. Learn more: Learn more: When your business acquires new applications, add them to the Microsoft Entra tenant. Establish a company policy of adding new apps to Microsoft Entra ID. -See, [Quickstart: Add an enterprise application](../manage-apps/add-application-portal.md) +See: [Quickstart: Add an enterprise application](../manage-apps/add-application-portal.md) -Microsoft Entra ID has a gallery of integrated applications to make it easy to get started. Add a gallery app to your Microsoft Entra organization (see, previous link) and learn about integrating software as a service (SaaS) tutorials. +Microsoft Entra ID has a gallery of integrated applications to make it easy to get started. 
Add a gallery app to your Microsoft Entra organization (see previous link) and learn about integrating software as a service (SaaS) tutorials. -See, [Tutorials for integrating SaaS applications with Microsoft Entra ID](../saas-apps/tutorial-list.md) +See: [Tutorials for integrating SaaS applications with Microsoft Entra ID](../saas-apps/tutorial-list.md) ### Integration tutorials Use the following tutorials to learn to integrate common tools with Microsoft Entra single sign-on (SSO). -* [Tutorial: Microsoft Entra SSO integration with ServiceNow](../saas-apps/servicenow-tutorial.md) -* [Tutorial: Microsoft Entra SSO integration with Workday](../saas-apps/workday-tutorial.md) -* [Tutorial: Microsoft Entra SSO integration with Salesforce](../saas-apps/salesforce-tutorial.md) -* [Tutorial: Microsoft Entra SSO integration with AWS Single-Account Access](../saas-apps/amazon-web-service-tutorial.md) -* [Tutorial: Microsoft Entra SSO integration with Slack](../saas-apps/slack-tutorial.md) +* Tutorial: [Microsoft Entra SSO integration with ServiceNow](../saas-apps/servicenow-tutorial.md) +* Tutorial: [Microsoft Entra SSO integration with Workday](../saas-apps/workday-tutorial.md) +* Tutorial: [Microsoft Entra SSO integration with Salesforce](../saas-apps/salesforce-tutorial.md) +* Tutorial: [Microsoft Entra SSO integration with AWS Single-Account Access](../saas-apps/amazon-web-service-tutorial.md) +* Tutorial: [Microsoft Entra SSO integration with Slack](../saas-apps/slack-tutorial.md) ### Apps not in the gallery Learn more: In addition, use the Active Directory Federation Services (AD FS) in the Azure portal to discover AD FS apps in your organization. Discover unique users that signed in to the apps, and see information about integration compatibility. 
-See, [Review the application activity report](../manage-apps/migrate-adfs-application-activity.md) +See: [Review the application activity report](../manage-apps/migrate-adfs-application-activity.md) ### Application migration After you discover apps in your environment, prioritize the apps to migrate and - Apps to be decommissioned, therefore not in migration - Apps that stay on-premises -See, [Resources for migrating applications to Microsoft Entra ID](../manage-apps/migration-resources.md) +See: [Resources for migrating applications to Microsoft Entra ID](../manage-apps/migration-resources.md) ## Integrate apps and identity providers During discovery, there might be applications not tracked by the IT team, which * Reduce on-premises user set-up, authentication, and IdP licensing fees * Lower administrative overhead with streamlined identity and access management process * Enable single sign-on (SSO) access to applications in the My Apps portal- * See, [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md) + * See: [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md) * Use Identity Protection and Conditional Access to increase data from app usage, and extend benefits to recently added apps * [What is Identity Protection?](../identity-protection/overview-identity-protection.md) * [What is Conditional Access?](../conditional-access/overview.md) To help manage app integration with Microsoft Entra ID, use the following materi You can download: -* Zip file, [Editable Microsoft Entra App Integration One-Pager](https://aka.ms/AppOnePager) -* Microsoft PowerPoint presentation, [Microsoft Entra application integration guidelines](https://aka.ms/AppGuideline) +* Zip file: [Editable Microsoft Entra App Integration One-Pager](https://aka.ms/AppOnePager) +* Microsoft PowerPoint presentation: [Microsoft Entra application integration guidelines](https://aka.ms/AppGuideline) ### Active Directory Federation Services 
Learn more: See the following diagram of app authentication simplified by Microsoft Entra ID. - ![Diagram of app authentication with Azure AD.](./media/five-steps-to-full-application-integration/integration-2.png) + ![Diagram of app authentication with Microsoft Entra ID.](./media/five-steps-to-full-application-integration/integration-2.png) After Microsoft Entra ID is the central IdP, you might be able to discontinue ADFS. You can migrate apps that use a different cloud-based IdP. Your organization mig Traditionally, application security enabled access during a connection to a corporate network. However, organization grant access to apps for customers, partners, and/or employees, regardless of location. Application Proxy Service in Microsoft Entra connects on-premises apps to Microsoft Entra ID and doesn't require edge servers or more infrastructure. -See, [Using Microsoft Entra application proxy to publish on-premises apps for remote users](../app-proxy/what-is-application-proxy.md) +See: [Using Microsoft Entra application proxy to publish on-premises apps for remote users](../app-proxy/what-is-application-proxy.md) The following diagram illustrates Application Proxy Service processing a user request. ![Diagram of the Microsoft Entra application proxy Service processing a user request.](./media/five-steps-to-full-application-integration/app-proxy.png) -See, [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md) +See: [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md) In addition, integrate application delivery controllers like F5 BIG-IP APM, or Zscaler Private Access, with Microsoft Entra ID. Benefits are modern authentication and identity management, traffic management, and security features. 
We call this solution secure hybrid access. -See, [Secure hybrid access: Protect legacy apps with Microsoft Entra ID](../manage-apps/secure-hybrid-access.md) +See: [Secure hybrid access: Protect legacy apps with Microsoft Entra ID](../manage-apps/secure-hybrid-access.md) For the following services, there are Microsoft Entra integration tutorials. |
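Review bot: the punctuation sweep (`See,` to `See:`) leaves three wording problems in the touched regions. In the Application Proxy paragraph `However, organization grant access to apps` needs the plural `organizations grant access`. The sentence `use the Active Directory Federation Services (AD FS) in the Azure portal to discover AD FS apps in your organization` presents AD FS itself as a portal feature; the following link is to the application activity report, so say `use the AD FS application activity report in the Azure portal to discover AD FS apps`. The same section spells the product `AD FS` in the heading and `ADFS` in `you might be able to discontinue ADFS`; pick one. Finally, `learn about integrating software as a service (SaaS) tutorials` should read `see the tutorials for integrating software as a service (SaaS) apps`, which is what the linked tutorial list is.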
active-directory | Get Started Premium | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/get-started-premium.md | You can purchase and associate Microsoft Entra ID P1 or P2 editions with your Az Before you sign up for Active Directory Premium 1 or Premium 2, you must first determine which of your existing subscription or plan to use: - Through your existing Azure or Microsoft 365 subscription- - Through your Enterprise Mobility + Security licensing plan- - Through a Microsoft Volume Licensing plan +## Sign up options + Signing up using your Azure subscription with previously purchased and activated Microsoft Entra ID licenses, automatically activates the licenses in the same directory. If that's not the case, you must still activate your license plan and your Microsoft Entra ID access. For more information about activating your license plan, see [Activate your new license plan](#activate-your-new-license-plan). For more information about activating your Microsoft Entra ID access, see [Activate your Microsoft Entra ID access](#activate-your-azure-ad-access). -## Sign up using your existing Azure or Microsoft 365 subscription +### Sign up using your existing Azure or Microsoft 365 subscription As an Azure or Microsoft 365 subscriber, you can purchase the Microsoft Entra ID P1 or P2 editions online. For detailed steps, see [Buy or remove licenses](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide&preserve-view=true). -## Sign up using your Enterprise Mobility + Security licensing plan +### Sign up using your Enterprise Mobility + Security licensing plan Enterprise Mobility + Security is a suite, comprised of Microsoft Entra ID P1 or P2, Azure Information Protection, and Microsoft Intune. 
If you already have an EMS license, you can get started with Microsoft Entra ID, using one of these licensing options: For more information about EMS, see [Enterprise Mobility + Security web site](ht - Purchase [Enterprise Mobility + Security E3 licenses](https://signup.microsoft.com/Signup?OfferId=4BBA281F-95E8-4136-8B0F-037D6062F54C&ali=1) -## Sign up using your Microsoft Volume Licensing plan +### Sign up using your Microsoft Volume Licensing plan Through your Microsoft Volume Licensing plan, you can sign up for Microsoft Entra ID P1 or P2 using one of these two programs, based on the number of licenses you want to get: -- **For 250 or more licenses.** [Microsoft Enterprise Agreement](https://www.microsoft.com/en-us/licensing/licensing-programs/enterprise.aspx)+- For 250 or more licenses, see [Microsoft Enterprise Agreement](https://www.microsoft.com/en-us/licensing/licensing-programs/enterprise.aspx). -- **For 5 to 250 licenses.** [Open Volume License](https://www.microsoft.com/en-us/licensing/licensing-programs/open-license.aspx)+- For 5 to 250 licenses, see [Open Volume License](https://www.microsoft.com/en-us/licensing/licensing-programs/open-license.aspx). -For more information about volume licensing purchase options, see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/licensing/how-to-buy/how-to-buy.aspx). +- For more information about volume licensing purchase options, see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/licensing/how-to-buy/how-to-buy.aspx). ## Activate your new license plan If you signed up using a new Microsoft Entra ID license plan, you must activate ### To activate your license plan -- Open the confirmation email you received from Microsoft after you signed up, and then select either **Sign In** or **Sign Up**.+1. Open the confirmation email you received from Microsoft after you signed up, and then select either **Sign In** or **Sign Up**. 
- ![Confirmation email with sign in and sign up links](media/get-started-premium/MOLSEmail.png) + ![Confirmation email with sign in and sign up links](media/get-started-premium/MOLSEmail.png) - - **Sign in.** Choose this link if you have an existing tenant, and then sign in using your existing administrator account. You must be a Global Administrator on the tenant where the licenses are being activated. +1. Select **Sign in** or **Sign up**. + - **Sign in.** Choose this link if you have an existing tenant, and then sign in using your existing administrator account. You must be a Global Administrator on the tenant where the licenses are being activated. - - **Sign up.** Choose this link if you want to open the **Create Account Profile** page and create a new Microsoft Entra tenant for your licensing plan. + - **Sign up.** Choose this link if you want to open the **Create Account Profile** page and create a new Microsoft Entra tenant for your licensing plan. - ![Create account profile page, with sample information](media/get-started-premium/MOLSAccountProfile.png) + ![Create account profile page, with sample information](media/get-started-premium/MOLSAccountProfile.png) When you're done, you'll see a confirmation box thanking you for activating the license plan for your tenant. |
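Review bot: the in-page anchor and the product name were not carried through the rename. The intro still says `Before you sign up for Active Directory Premium 1 or Premium 2`, while every other mention now reads `Microsoft Entra ID P1 or P2`. The link `[Activate your Microsoft Entra ID access](#activate-your-azure-ad-access)` points at the old heading ID; unless that heading keeps an `<a name='activate-your-azure-ad-access'></a>` alias (not visible in this hunk), the fragment will not resolve. The comma in `Signing up using your Azure subscription with previously purchased and activated Microsoft Entra ID licenses, automatically activates the licenses` separates subject from verb and should go. Structurally, the new `## Sign up options` heading is inserted after the three-item list that enumerates those very options, so the list ends up under the previous heading; move `## Sign up options` above the `Before you sign up...` paragraph. In the Volume Licensing section, `- For more information about volume licensing purchase options, see ...` was turned into a third bullet although it is not a licence tier like the two above it; keep it as a paragraph. In the activation steps, step 1 already says `select either **Sign In** or **Sign Up**` and the new step 2 repeats `Select **Sign in** or **Sign up**` with different capitalization; make step 1 just open the email and let step 2 carry the choice, using the casing the UI shows.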
active-directory | How To Create Delete Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-create-delete-users.md | For more information abut the differences between internal and external guests a Authentication methods vary based on the type of user you create. Internal guests and members have credentials in your Microsoft Entra tenant that can be managed by administrators. These users can also reset their own password. External members authenticate to their home Microsoft Entra tenant and your Microsoft Entra tenant authenticates the user through a federated sign-in with the external member's Microsoft Entra tenant. If external members forget their password, the administrator in their Microsoft Entra tenant can reset their password. External guests set up their own password using the link they receive in email when their account is created. -Reviewing the default user permissions may also help you determine the type of user you need to create. For more information, see [Set default user permissions](users-default-permissions.md) +Reviewing the default user permissions may also help you determine the type of user you need to create. For more information, see [Set default user permissions](users-default-permissions.md). ## Required roles The required role of least privilege varies based on the type of user you're add The **Basics** tab contains the core fields required to create a new user. -- **User principal name**: Enter a unique username and select a domain from the menu after the @ symbol. Select **Domain not listed** if you need to create a new domain. For more information, see [Add your custom domain name](add-custom-domain.md)+- **User principal name**: Enter a unique username and select a domain from the menu after the @ symbol. Select **Domain not listed** if you need to create a new domain. For more information, see [Add your custom domain name](add-custom-domain.md). 
- **Mail nickname**: If you need to enter an email nickname that is different from the user principal name you entered, uncheck the **Derive from user principal name** option, then enter the mail nickname. - **Display name**: Enter the user's name, such as Chris Green or Chris A. Green - **Password**: Provide a password for the user to use during their initial sign-in. Uncheck the **Auto-generate password** option to enter a different password. If you have an environment with both Microsoft Entra ID (cloud) and Windows Serv ## Delete a user -You can delete an existing user using Azure portal. +You can delete an existing user using the [Microsoft Entra admin center](https://entra.microsoft.com/). - You must have a Global Administrator, Privileged Authentication Administrator, or User Administrator role assignment to delete users in your organization. - Global Administrators and Privileged Authentication Administrators can delete any users including other administrators. |
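Review bot: the unchanged context line "For more information abut the differences between internal and external guests" still carries the typo "abut"; since this commit is already fixing punctuation in the neighbouring sentences (the trailing periods after the users-default-permissions.md and add-custom-domain.md links), correct it to "about" in the same pass.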
active-directory | How To Customize Branding | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-customize-branding.md | -The default sign-in experience is the global look and feel that applies across all sign-ins to your tenant. Before you customize any settings, the default Microsoft branding appears in your sign-in pages. You can customize this default experience with a custom background image and/or color, favicon, layout, header, and footer. You can also upload a custom CSS. +The default sign-in experience is the global look and feel that applies across all sign-ins to your tenant. Before you customize any settings, the default Microsoft branding appears in your sign-in pages. You can customize this default experience with a custom background image and/or color, favicon, layout, header, and footer. You can also upload a custom CSS file. > [!NOTE] > Instructions for how to manage the **'Stay signed in prompt?'** can be found in the **[Manage the 'Stay signed in?' prompt](how-to-manage-stay-signed-in-prompt.md)** article. The default sign-in experience is the global look and feel that applies across a Adding custom branding requires one of the following licenses: -- Microsoft Entra ID P1 or P2 1-- Microsoft Entra ID P1 or P2 2+- Microsoft Entra ID P1 or P2 +- Microsoft Entra ID P1 or P2 - Office 365 (for Office apps) For more information about licensing and editions, see the [Sign up for Microsoft Entra ID P1 or P2](./get-started-premium.md) article. -Microsoft Entra ID P1 or P2 editions are available for customers in China using the worldwide instance of Microsoft Entra ID. Microsoft Entra ID P1 or P2 editions aren't currently supported in the Azure service operated by 21Vianet in China +Microsoft Entra ID P1 or P2 editions are available for customers in China using the worldwide instance of Microsoft Entra ID. 
Microsoft Entra ID P1 or P2 editions aren't currently supported in the Azure service operated by 21Vianet in China. The **Global Administrator** role is required to customize company branding. The sign-in experience process is grouped into sections. At the end of each sect !['Review + create' and 'Next: Layout' buttons from the bottom of the configure custom branding page](media/how-to-customize-branding/customize-branding-buttons.png) -## Basics +### Basics - **Favicon**: Select a PNG or JPG of your logo that appears in the web browser tab. The sign-in experience process is grouped into sections. At the end of each sect - **Page background color**: If the background image isn't able to load because of a slower connection, your selected background color appears instead. -## Layout +### Layout -- **Visual Templates**: Customize the layout of your sign-in page using templates or custom CSS.+- **Visual Templates**: Customize the layout of your sign-in page using templates or a custom CSS file. - Choose one of two **Templates**: Full-screen or partial-screen background. The full-screen background could obscure your background image, so choose the partial-screen background if your background image is important. - The details of the **Header** and **Footer** options are set on the next two sections of the process. ![Screenshot of the Layout tab.](media/how-to-customize-branding/layout-visual-templates.png) -- **Custom CSS**: Upload custom CSS to replace the Microsoft default style of the page.+- **Custom CSS**: Upload a custom CSS file to replace the Microsoft default style of the page. - [Download the CSS template](https://download.microsoft.com/download/7/2/7/727f287a-125d-4368-a673-a785907ac5ab/custom-styles-template-013023.css). - View the [CSS template reference guide](reference-company-branding-css-template.md). -## Header +### Header If you haven't enabled the header, go to the **Layout** section and select **Show header**. 
Once enabled, select a PNG or JPG to display in the header of the sign-in page. ![Screenshot of the message indicating that the header needs to be enabled.](media/how-to-customize-branding/disabled-header-message.png) -## Footer +### Footer If you haven't enabled the footer, go to the **Layout** section and select **Show footer**. Once enabled, adjust the following settings. If you haven't enabled the footer, go to the **Layout** section and select **Sho ![Customize branding on the Footer section](media/how-to-customize-branding/customize-branding-footer.png) -## Sign-in form +### Sign-in form - **Banner logo**: Select a PNG or JPG image file of a banner-sized logo (short and wide) to appear on the sign-in pages. If you haven't enabled the footer, go to the **Layout** section and select **Sho - Username collection display text: Replace the default text with your own custom username collection text. - Password collection display text: Replace the default text with your own customer password collection text. -## Review +### Review All of the available options appear in one list so you can review everything you've customized or left at the default setting. When you're done, select the **Create** button. Once your default sign-in experience is created, select the **Edit** button to make any changes. You can't delete a default sign-in experience after it's created, but you can remove all custom settings. -## Customize the sign-in experience by browser language +### Customize the sign-in experience by browser language You can create a personalized sign-in experience for users who sign in using a specific browser language by customizing the branding elements for that browser language. This customization overrides any configurations made to the default branding. If you don't make any changes to the elements, the default elements are displayed. 
Microsoft Entra ID supports right-to-left functionality for languages such as Ar ## Next steps -- [View the CSS template reference guide](reference-company-branding-css-template.md).+- [View the CSS template reference guide](reference-company-branding-css-template.md) - [Learn more about default user permissions in Microsoft Entra ID](../fundamentals/users-default-permissions.md) - [Manage the 'stay signed in' prompt](how-to-manage-stay-signed-in-prompt.md) |
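Review bot: the licensing list under "Adding custom branding requires one of the following licenses" now contains two identical items; the hunk turns "- Microsoft Entra ID P1 or P2 1" and "- Microsoft Entra ID P1 or P2 2" into "- Microsoft Entra ID P1 or P2" twice. Keep a single "- Microsoft Entra ID P1 or P2" item (or, if two distinct licenses were intended, name them separately) so the list does not repeat itself.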
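Review bot: the unchanged line "- Password collection display text: Replace the default text with your own customer password collection text." in the Sign-in form section reads "customer" where "custom" is meant (compare the username line directly above it); worth fixing while the section headings in this file are being reworked.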
active-directory | How To Get Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-get-support.md | Support for Microsoft Entra ID in the [Microsoft 365 admin center](https://admin Things can change quickly. The following resources provide updates and information on the latest releases. - [Azure Updates](https://azure.microsoft.com/updates/?category=identity): Learn about important product updates, roadmap, and announcements.- - [What's new in Microsoft Entra ID](whats-new.md): Get to know what's new in Microsoft Entra ID including the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes.- - [Microsoft Entra identity blog](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity): Get news and information about Microsoft Entra ID. ## Next steps * [Post a question to Microsoft Q&A](/answers/products/)--* [Join the Microsoft Technical Community](https://techcommunity.microsoft.com/)] -+* [Join the Microsoft Technical Community](https://techcommunity.microsoft.com/) * [Learn about the diagnostic data Azure identity support can access](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/) |
active-directory | How To Manage Stay Signed In Prompt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-stay-signed-in-prompt.md | The KMSI setting is managed in **User settings**. ## Troubleshoot 'Stay signed in?' issues -If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Microsoft Entra sign-ins logs. The prompt the user sees is called an "interrupt." +If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Microsoft Entra sign-in logs. The prompt the user sees is called an "interrupt." ![Sample 'Stay signed in?' prompt](media/how-to-manage-stay-signed-in-prompt/kmsi-stay-signed-in-prompt.png) |
active-directory | How To Manage User Profile Info | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-user-profile-info.md | When new users are created, only a few details are added to their user profile. 1. After making any changes, select the **Save** button. -If you selected the **Edit properties option**: +If you selected the **Edit properties** option: - The full list of properties appears in edit mode on the **All** category. - To edit properties based on the category, select a category from the top of the page. - Select the **Save** button at the bottom of the page to save any changes. ![Screenshot a selected user's details, with the detail categories and save button highlighted.](media/how-to-manage-user-profile-info/user-profile-properties-tabbed-view.png) -If you selected the **Properties tab option**: +If you selected the **Properties** tab option: - The full list of properties appears for you to review. - To edit a property, select the pencil icon next to the category heading. - Select the **Save** button at the bottom of the page to save any changes. The following settings can be managed from **User settings**. ## Next steps - [Add or delete users](./add-users.md)- - [Assign roles to users](./how-subscriptions-associated-directory.md)- - [Create a basic group and add members](./how-to-manage-groups.md)--- [View Microsoft Entra enterprise user management documentation](../enterprise-users/index.yml).+- [View Microsoft Entra enterprise user management documentation](../enterprise-users/index.yml) |
active-directory | How To Rename Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-rename-azure-ad.md | -Azure Active Directory (Azure AD) is being renamed to Microsoft Entra ID to better communicate the multicloud, multiplatform functionality of the product and unify the naming of the Microsoft Entra product family. +Azure Active Directory (Azure AD) has been renamed to Microsoft Entra ID to better communicate the multicloud, multiplatform functionality of the product and unify the naming of the Microsoft Entra product family. This article provides best practices and support for customers and organizations who wish to update their documentation or content with the new product name and icon. ## Prerequisites -Before changing instances of Azure AD in your documentation or content, familiarize yourself with the guidance in [New name for Azure AD](./new-name.md) to: +Before changing instances of Azure AD to Microsoft Entra ID in your documentation or content, familiarize yourself with the guidance in [New name for Azure AD](new-name.md) to: - Understand the product name and why we made the change - Download the new product icon foreach ($file in $filteredFiles) { ``` -## Communicate the change to your customers +### Communicate the change to your customers To help your customers with the transition, it's helpful to add a note: "Azure Active Directory is now Microsoft Entra ID" or follow the new name with "formerly Azure Active Directory" for the first year. |
active-directory | Identity Fundamental Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/identity-fundamental-concepts.md | Authorization validates that the user, machine, or software component has been g ## Authentication vs. authorization The terms authentication and authorization are sometimes used interchangeably, because they often seem like a single experience to users. They're actually two separate processes: -- Authentication proves the identity of a user, machine, or software component -- Authorization grants or denies the user, machine, or software component access to certain resources +- Authentication proves the identity of a user, machine, or software component. +- Authorization grants or denies the user, machine, or software component access to certain resources. :::image type="content" source="./media/identity-fundamentals/authentication-vs-authorization.svg" alt-text="Diagram that shows authentication and authorization side by side." ::: If you're staying at the hotel, you first go to reception to start the "authenti :::image type="content" source="./media/identity-fundamentals/hotel-authentication.png" alt-text="Diagram that shows a person showing identification to get a hotel keycard." ::: -The doors to the hotel rooms and other areas have keycard sensors. Swiping the keycard in front of a sensor is the "authorization process". The keycard only lets you open the doors to rooms you're permitted to access, such as your hotel room and the hotel exercise room. If you swipe your keycard to enter any other hotel guest room, your access is denied. Individual [permissions](/azure/active-directory/fundamentals/users-default-permissions?context=/azure/active-directory/roles/context/ugr-context), such as accessing the exercise room and a specific guest room, are collected into [roles](/azure/active-directory/roles/concept-understand-roles) which can be granted to individual users. 
When you're staying at the hotel, you're granted the Hotel Patron role. Hotel room service staff would be granted the Hotel Room Service role. This role permits access to all hotel guest rooms (but only between 11am and 4pm), the laundry room, and the supply closets on each floor. +The doors to the hotel rooms and other areas have keycard sensors. Swiping the keycard in front of a sensor is the "authorization process". The keycard only lets you open the doors to rooms you're permitted to access, such as your hotel room and the hotel exercise room. If you swipe your keycard to enter any other hotel guest room, your access is denied. ++Individual [permissions](/azure/active-directory/fundamentals/users-default-permissions?context=/azure/active-directory/roles/context/ugr-context), such as accessing the exercise room and a specific guest room, are collected into [roles](/azure/active-directory/roles/concept-understand-roles) which can be granted to individual users. When you're staying at the hotel, you're granted the Hotel Patron role. Hotel room service staff would be granted the Hotel Room Service role. This role permits access to all hotel guest rooms (but only between 11am and 4pm), the laundry room, and the supply closets on each floor. :::image type="content" source="./media/identity-fundamentals/hotel-authorization.png" alt-text="Diagram that shows a user getting access to a room with a keycard." ::: With a central identity provider, organizations can establish authentication and - Read [Introduction to identity and access management](introduction-identity-access-management.md) to learn more. - Learn about [Single sign-on (SSO)](/azure/active-directory/manage-apps/what-is-single-sign-on).-- Learn about [Multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks).+- Learn about [Multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks). |
active-directory | License Users Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/license-users-groups.md | Title: Assign or remove licenses -description: Instructions about how to assign or remove Microsoft Entra licenses from your users or groups. +description: Instructions about how to assign or remove Microsoft Entra ID licenses from your users or groups. Many Microsoft Entra services require you to license each of your users or group ## Available license plans -There are several Microsoft Entra license plans: +There are several Microsoft Entra ID license plans: - Microsoft Entra ID Free- - Microsoft Entra ID P1- - Microsoft Entra ID P2 For specific information about each license plan and the associated licensing details, see [What license do I need?](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). To sign up for Microsoft Entra ID P1 or P2 license plans see [here](./get-started-premium.md). -Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in **Identity** > **Users** > **All users** > *select a user* > **Properties**. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant. +Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in Microsoft Entra by going to **Identity** > **Users** > **All users** > *select a user* > **Properties**. ++When assigning licenses to a group or bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant. 
## View license plans and plan details You can view your available service plans, including the individual licenses, ch > [!NOTE] > The numbers are defined as: - > - Total: Total number of licenses purchased - > - Assigned: Number of licenses assigned to users - > - Available: Number of licenses available for assignment including expiring soon - > - Expiring soon: Number of licenses expiring soon + > - **Total**: Total number of licenses purchased + > - **Assigned**: Number of licenses assigned to users + > - **Available**: Number of licenses available for assignment including expiring soon + > - **Expiring soon**: Number of licenses expiring soon 1. Select a plan name to see its licensed users and groups. You can remove a license from a user's Microsoft Entra user page, from the group After you've assigned your licenses, you can perform the following processes: - [Identify and resolve license assignment problems](../enterprise-users/licensing-groups-resolve-problems.md)- - [Add licensed users to a group for licensing](../enterprise-users/licensing-groups-migrate-users.md)- - [Scenarios, limitations, and known issues using groups to manage licensing in Microsoft Entra ID](../enterprise-users/licensing-group-advanced.md)- - [Add or change profile information](./how-to-manage-user-profile-info.md) |
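Review bot: the new sentence "When assigning licenses to a group or bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant." lacks a verb for its second item; suggest "When assigning licenses to a group or performing bulk updates, such as disabling the synchronization status for the organization, ...".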
active-directory | Licensing Preview Terms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/licensing-preview-terms.md | Title: Microsoft Entra preview program terms -description: In this article we go over the terms in effect when participating in Microsoft Entra preview programs. + Title: Microsoft Entra ID preview program terms +description: In this article we go over the terms in effect when participating in Microsoft Entra ID preview programs. Last updated 09/19/2023-# Customer intent: I am trying to find information on the terms and conditions for Microsoft Entra preview programs. +# Customer intent: I am trying to find information on the terms and conditions for Microsoft Entra ID preview programs. -# Microsoft Entra preview program terms +# Microsoft Entra ID preview program terms |
active-directory | New Name | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/new-name.md | -To communicate the multicloud, multiplatform functionality of the products, alleviate confusion with Windows Server Active Directory, and unify the [Microsoft Entra](/entra) product family, the new name for Azure Active Directory (Azure AD) is Microsoft Entra ID. +Microsoft has reamed Azure Active Directory (Azure AD) to Microsoft Entra ID for the following reasons: (1) to communicate the multicloud, multiplatform functionality of the products, (2) to alleviate confusion with Windows Server Active Directory, and (3) to unify the [Microsoft Entra](/entra) product family. ## No interruptions to usage or service -If you're using Azure AD today or are currently deploying Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you. +If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you. You can continue to use familiar Azure AD capabilities that you can access through the Azure portal, Microsoft 365 admin center, and the [Microsoft Entra admin center](https://entra.microsoft.com). All features and capabilities are still available in the product. Licensing, ter To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling. -Service plan display names will change on October 1, 2023. 
Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô continues to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and whatΓÇÖs included are available on the [pricing and free trials page](https://aka.ms/PricingEntra). +Service plan display names will change on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID ΓÇô previously known as Azure AD ΓÇô continues to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and whatΓÇÖs included are available on the [pricing and free trials page](https://aka.ms/PricingEntra). :::image type="content" source="./media/new-name/azure-ad-new-name.png" alt-text="Diagram showing the new name for Azure AD and Azure AD External Identities." 
border="false" lightbox="./media/new-name/azure-ad-new-name-high-res.png"::: The Microsoft Entra product family helps you protect all identities and secure n | Identity and access management | New identity categories | Network access | ||||-| [Microsoft Entra ID (currently known as Azure AD)](../index.yml) | [Microsoft Entra Verified ID](../verifiable-credentials/index.yml) | [Microsoft Entra Internet Access](https://aka.ms/GlobalSecureAccessDocs) | +| [Microsoft Entra ID (previously known as Azure AD)](../index.yml) | [Microsoft Entra Verified ID](../verifiable-credentials/index.yml) | [Microsoft Entra Internet Access](https://aka.ms/GlobalSecureAccessDocs) | | [Microsoft Entra ID Governance](../governance/index.yml) | [Microsoft Entra Permissions Management](../cloud-infrastructure-entitlement-management/index.yml) | [Microsoft Entra Private Access](https://aka.ms/GlobalSecureAccessDocs) | | [Microsoft Entra External ID](../external-identities/index.yml) | [Microsoft Entra Workload ID](../workload-identities/index.yml) | | No. Prices, terms and service level agreements (SLAs) remain the same. Pricing d ### Will Microsoft Entra ID be available as a free service with an Azure subscription? -Customers currently using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription continue to have access to the same capabilities. It will be called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>. +Customers using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription continue to have access to the same capabilities. It will be called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>. ### What's changing for Microsoft 365 or Azure AD for Office 365? 
-Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô continues to be available within Microsoft 365 enterprise and business premium offers. Office 365 was renamed Microsoft 365 in 2022. Unique capabilities in the Azure AD for Office 365 apps (such as company branding and self-service sign-in activity search) are now be available to all Microsoft customers in Microsoft Entra ID Free. +Microsoft Entra ID ΓÇô previously known as Azure AD ΓÇô continues to be available within Microsoft 365 enterprise and business premium offers. Office 365 was renamed Microsoft 365 in 2022. Unique capabilities in the Azure AD for Office 365 apps (such as company branding and self-service sign-in activity search) are now be available to all Microsoft customers in Microsoft Entra ID Free. ### What's changing for Microsoft 365 E3? -There are no changes to the identity features and functionality available in Microsoft 365 E3. Microsoft 365 E3 includes Microsoft Entra ID P1, currently known as Azure AD Premium P1. +There are no changes to the identity features and functionality available in Microsoft 365 E3. Microsoft 365 E3 includes Microsoft Entra ID P1, previously known as Azure AD Premium P1. ### What's changing for Microsoft 365 E5? -In addition to the capabilities they already have, Microsoft 365 E5 customers also get access to new identity protection capabilities like token protection, Conditional Access based on GPS-based location and step-up authentication for the most sensitive actions. Microsoft 365 E5 includes Microsoft Entra ID P2, currently known as Azure AD Premium P2. +In addition to the capabilities they already have, Microsoft 365 E5 customers also get access to new identity protection capabilities like token protection, Conditional Access based on GPS-based location and step-up authentication for the most sensitive actions. Microsoft 365 E5 includes Microsoft Entra P2, previously known as Azure AD Premium P2. 
-### What's changing for identity developer and devops experience? +### What's changing for identity developer and devops experiences? Identity developer and devops experiences aren't being renamed. To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling. |
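Review bot: typo in the new opening sentence of the new-name article: "+Microsoft has reamed Azure Active Directory (Azure AD) to Microsoft Entra ID" should read "renamed".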
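Review bot: the rewritten "No interruptions to usage or service" sentence has a doubled verb and a redundant "today": "+If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations" should read "If you're currently using Azure AD or have previously deployed Azure AD in your organization".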
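Review bot: the "What's changing for Microsoft 365 or Azure AD for Office 365?" hunk only swaps "currently" for "previously" and carries over the existing grammar slip "... are now be available to all Microsoft customers in Microsoft Entra ID Free"; drop "be" ("are now available") in the same edit.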
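Review bot: inconsistent product name in the Microsoft 365 E5 hunk: the new line says "Microsoft 365 E5 includes Microsoft Entra P2, previously known as Azure AD Premium P2", while the E3 hunk directly above and the rest of the article use "Microsoft Entra ID P1" and "Microsoft Entra ID P2". Change it to "Microsoft Entra ID P2".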
active-directory | Properties Area | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/properties-area.md | We strongly recommend you add both your global privacy contact and your organiza ## Add your privacy info -Your privacy and technical information is located in the **Properties** area. +Your privacy and technical information is located in the **Properties** area of the Microsoft Entra admin center. ### To access the properties area and add your privacy information |
active-directory | Scenario Azure First Sap Identity Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/scenario-azure-first-sap-identity-integration.md | When your authoritative user directory is Microsoft Entra ID, we recommend setti ![SAP trust configuration](./media/scenario-azure-first-sap-identity-integration/sap-trust-configuration.png) -On the trust configuration in BTP, we recommend that "Create Shadow Users During Logon" is enabled. This way, users who haven't yet been created in BTP, automatically get an account when they sign in through IAS/Azure AD for the first time. If this setting would be disabled, only pre-provisioned users would be allowed to sign in. +On the trust configuration in BTP, we recommend that "Create Shadow Users During Logon" is enabled. This way, users who haven't yet been created in BTP, automatically get an account when they sign in through IAS / Microsoft Entra ID for the first time. If this setting would be disabled, only pre-provisioned users would be allowed to sign in. #### Why this recommendation? |
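Review bot: the rewritten trust-configuration sentence keeps two grammar issues from the original line: the stray comma in "users who haven't yet been created in BTP, automatically get an account" and the conditional "If this setting would be disabled"; suggest "users who haven't yet been created in BTP automatically get an account ..." and "If this setting were disabled, only pre-provisioned users would be allowed to sign in."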
active-directory | Security Defaults | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/security-defaults.md | Microsoft is making these preconfigured security settings available to everyone, These basic controls include: -- [Requiring all users to register for multifactor authentication](#require-all-users-to-register-for-azure-ad-multifactor-authentication).-- [Requiring administrators to do multifactor authentication](#require-administrators-to-do-multifactor-authentication).-- [Requiring users to do multifactor authentication when necessary](#require-users-to-do-multifactor-authentication-when-necessary).-- [Blocking legacy authentication protocols](#block-legacy-authentication-protocols).-- [Protecting privileged activities like access to the Azure portal](#protect-privileged-activities-like-access-to-the-azure-portal).+- [Requiring all users to register for multifactor authentication](#require-all-users-to-register-for-azure-ad-multifactor-authentication) +- [Requiring administrators to do multifactor authentication](#require-administrators-to-do-multifactor-authentication) +- [Requiring users to do multifactor authentication when necessary](#require-users-to-do-multifactor-authentication-when-necessary) +- [Blocking legacy authentication protocols](#block-legacy-authentication-protocols) +- [Protecting privileged activities like access to the Azure portal](#protect-privileged-activities-like-access-to-the-azure-portal) ## Who's it for? - Organizations who want to increase their security posture, but don't know how or where to start.-- Organizations using the free tier of Microsoft Entra licensing.+- Organizations using the free tier of Microsoft Entra ID licensing. ### Who should use Conditional Access? 
- If you're an organization with Microsoft Entra ID P1 or P2 licenses, security defaults are probably not right for you.-- If your organization has complex security requirements, you should consider [Conditional Access](../conditional-access/concept-conditional-access-policy-common.md#template-categories)+- If your organization has complex security requirements, you should consider [Conditional Access](../conditional-access/concept-conditional-access-policy-common.md#template-categories). ## Enabling security defaults If your tenant was created on or after October 22, 2019, security defaults may b To help protect organizations, we're always working to improve the security of Microsoft account services. As part of this protection, customers are periodically notified for the automatic enablement of the security defaults if they: -- Haven't enabled Conditional Access policies.-- Don't have premium licenses.-- ArenΓÇÖt actively using legacy authentication clients.+- Haven't enabled Conditional Access policies +- Don't have premium licenses +- ArenΓÇÖt actively using legacy authentication clients After this setting is enabled, all users in the organization will need to register for multifactor authentication. To avoid confusion, refer to the email you received and alternatively you can [disable security defaults](#disabling-security-defaults) after it's enabled. To enable security defaults: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse toΓÇ»**Identity**ΓÇ»> **Overview** > **Properties**.- 1. Select **Manage security defaults**. +1. Select **Manage security defaults**. 1. Set **Security defaults** to **Enabled**. 1. Select **Save**. One common method to improve protection for all users is to require a stronger f To give your users easy access to your cloud apps, we support various authentication protocols, including legacy authentication. 
*Legacy authentication* is a term that refers to an authentication request made by: -- Clients that don't use modern authentication (for example, an Office 2010 client).-- Any client that uses older mail protocols such as IMAP, SMTP, or POP3.+- Clients that don't use modern authentication (for example, an Office 2010 client) +- Any client that uses older mail protocols such as IMAP, SMTP, or POP3 Today, most compromising sign-in attempts come from legacy authentication. Legacy authentication doesn't support multifactor authentication. Even if you have a multifactor authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass multifactor authentication. To disable security defaults in your directory: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse toΓÇ»**Identity**ΓÇ»>ΓÇ»**Overview** > **Properties**.- 1. Select **Manage security defaults**. +1. Select **Manage security defaults**. 1. Set **Security defaults** to **Disabled (not recommended)**. 1. Select **Save**. |
active-directory | Users Reset Password Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-reset-password-azure-portal.md | Administrators can reset a user's password if the password is forgotten, if the After you've reset your user's password, you can perform the following basic processes: - [Add or delete users](./add-users.md)- - [Assign roles to users](./how-subscriptions-associated-directory.md)- - [Add or change profile information](./how-to-manage-user-profile-info.md)- - [Create a basic group and add members](./how-to-manage-groups.md) Or you can perform more complex user scenarios, such as assigning delegates, using policies, and sharing user accounts. For more information about other available actions, see [Microsoft Entra user management documentation](../enterprise-users/index.yml). |
active-directory | Users Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-restore.md | -After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. After that 30-day window passes, the permanent deletion process is automatically started and can't be stopped. During this time, the management of soft-deleted users is blocked. This limitation also applies to restoring a soft-deleted user via a match during Tenant sync cycle for on-premises hybrid scenarios. +After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. ++After that 30-day window passes, the permanent deletion process is automatically started and can't be stopped. During this time, the management of soft-deleted users is blocked. This limitation also applies to restoring a soft-deleted user via a match during Tenant sync cycle for on-premises hybrid scenarios. You can view your restorable users, restore a deleted user, or permanently delete a user using the Microsoft Entra admin center. You can permanently delete a user from your organization without waiting the 30 After you've restored or deleted your users, you can: - [Add or delete users](./add-users.md)- - [Assign roles to users](./how-subscriptions-associated-directory.md)- - [Add or change profile information](./how-to-manage-user-profile-info.md)- - [Add guest users from another organization](../external-identities/what-is-b2b.md) For more information about other available user management tasks, [Microsoft Entra user management documentation](../enterprise-users/index.yml). |
active-directory | What Is Deprecated | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/what-is-deprecated.md | -The lifecycle of functionality, features, and services are governed by policy, support timelines, data, also leadership and engineering team decisions. Lifecycle information allows customers to predictably plan long-term deployment aspects, transition from outdated to new technology, and help improve business outcomes. Use the definitions below to understand the following table with change information about Azure Active Directory (Azure AD) and Microsoft Entra features, services, and functionality. +The lifecycle of functionality, features, and services are governed by policy, support timelines, data, also leadership and engineering team decisions. Lifecycle information allows customers to predictably plan long-term deployment aspects, transition from outdated to new technology, and help improve business outcomes. ++> ![NOTE] +> If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you. Get notified about when to revisit this page for updates by copying and pasting this URL: `https://learn.microsoft.com/api/search/rss?search=%22What's+deprecated+in+Azure+Active+Directory%22&locale=en-us` into your ![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png) feed reader. 
Use the following table to learn about changes including deprecations, retiremen |[Azure AD Graph API](https://aka.ms/aadgraphupdate)|Start of phased retirement|Jul 2023| |[Terms of Use experience](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|Jul 2023| |[Azure AD PowerShell and MSOnline PowerShell](https://aka.ms/aadgraphupdate)|Deprecation|Mar 30, 2024|-|[Azure AD MFA Server](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2024| +|[Azure Multi-Factor Authentication Server](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2024| |[Legacy MFA & SSPR policy](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2025| |['Require approved client app' Conditional Access Grant](https://aka.ms/RetireApprovedClientApp)|Retirement|Mar 31, 2026| Use the following table to learn about changes including deprecations, retiremen |[My Groups experience](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|May 2023| |[My Apps browser extension](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|May 2023| |Microsoft Authenticator app [Number matching](../authentication/how-to-mfa-number-match.md)|Feature change|May 8, 2023|-|[Azure AD Domain Services virtual network deployments](../../active-directory-domain-services/overview.md)|Retirement|Mar 1, 2023| +|[Microsoft Entra Domain Services virtual network 
deployments](../../active-directory-domain-services/overview.md)|Retirement|Mar 1, 2023| |[License management API, PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366)|Retirement|*Mar 31, 2023| \* The legacy license management API and PowerShell cmdlets won't work for **new tenants** created after Nov 1, 2022. Use the definitions in this section help clarify the state, availability, and su [What's new in Microsoft Entra ID?](../../active-directory/fundamentals/whats-new.md) ## Resources-* [Microsoft Entra Change Announcement blog](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-november-2022-train/ba-p/2967452) +* [Microsoft Entra change announcement blog](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-november-2022-train/ba-p/2967452) * Devices: [End-of-life management and recycling](https://www.microsoft.com/legal/compliance/recycling) |
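Review bot: the callout added in the what-is-deprecated hunk is written as `> ![NOTE]`, which Markdown parses as an image with alt text "NOTE" rather than the Docs alert syntax, so it will not render as a note; it should be `> [!NOTE]`. The same added sentence also reads "or are have previously deployed Azure AD in your organizations", which should be "or have previously deployed Azure AD in your organization".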
active-directory | Whatis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whatis.md | -Microsoft Entra ID is a cloud-based identity and access management service. Microsoft Entra ID enables your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see [Quickstart: Create a new tenant in Microsoft Entra ID](./create-new-tenant.md). +Microsoft Entra ID is a cloud-based identity and access management service that enables your employees access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications. -To learn the differences between Active Directory and Microsoft Entra ID, see [Compare Active Directory to Microsoft Entra ID](compare.md). You can also refer [Microsoft Cloud for Enterprise Architects Series](/microsoft-365/solutions/cloud-architecture-models) posters to better understand the core identity services in Azure like Microsoft Entra ID and Microsoft-365. +Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see [Quickstart: Create a new tenant in Microsoft Entra ID](./create-new-tenant.md). ++To learn the differences between Active Directory and Microsoft Entra ID, see [Compare Active Directory to Microsoft Entra ID](compare.md). You can also refer to [Microsoft Cloud for Enterprise Architects Series](/microsoft-365/solutions/cloud-architecture-models) posters to better understand the core identity services in Azure like Microsoft Entra ID and Microsoft-365. <a name='who-uses-azure-ad'></a> |
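Review bot: the rewritten opening sentence in the whatis hunk carries over the original grammatical slip, "enables your employees access external resources"; it needs "to": "that enables your employees to access external resources". In the same hunk, "Microsoft-365" at the end of the last added paragraph should be "Microsoft 365" (no hyphen) to match the product name used earlier in the paragraph.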
active-directory | Whats New Sovereign Clouds Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds-archive.md | Title: Archive for What's new in Sovereign Clouds? + Title: Archive for What's new in Azure Sovereign Clouds? description: The What's new in sovereign cloud release notes in the Overview section of this content set contain six months of activity. After six months, the items are removed from the main article and put into this archive article for the next two years. |
active-directory | Whats New Sovereign Clouds | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds.md | Title: What's new in Sovereign Clouds? Release notes -description: Learn what is new with Azure Active Directory Sovereign Cloud. + Title: What's new in Azure Sovereign Clouds? Release notes +description: Learn what is new with Azure Sovereign Clouds. -# What's new in Azure Active Directory Sovereign Clouds? -+# What's new in Azure Sovereign Clouds? Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about: |
active-directory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md | Title: What's new? Release notes -description: Learn what is new with Azure Active Directory; such as the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes. +description: Learn what is new with Microsoft Entra ID, such as the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes. featureFlags:-# What's new in Azure Active Directory? +# What's new in Microsoft Entra ID? >Get notified about when to revisit this page for updates by copying and pasting this URL: `https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us` into your ![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png) feed reader. -Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about: +Microsoft Entra ID (previously known as Azure AD) receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about: - The latest releases - Known issues Azure AD receives improvements on an ongoing basis. To stay up to date with the - Deprecated functionality - Plans for changes +> ![NOTE] +> If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you. + This page updates monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md). |
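Review bot: the note added in the whats-new hunk has the same two defects as the one in what-is-deprecated: `> ![NOTE]` should be `> [!NOTE]` or it renders as a broken image instead of an alert, and "or are have previously deployed Azure AD in your organizations" should be "or have previously deployed Azure AD in your organization". Separately, the title is renamed to "What's new in Microsoft Entra ID?" but the unchanged RSS line still searches for `Release+notes+-+Azure+Active+Directory`; confirm that query still matches the renamed page, or update it in the same change.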
active-directory | Access Reviews Application Preparation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-application-preparation.md | In order to permit a wide variety of applications and IT requirements to be addr |Pattern|Application integration pattern|Steps to prepare for an access review| |:||--| |A| The application supports federated SSO, Microsoft Entra ID is the only identity provider, and the application doesn't rely upon group or role claims. | In this pattern, you'll configure that the application requires individual application role assignments, and that users are assigned to the application. Then to perform the review, you'll create a single access review for the application, of the users assigned to this application role. When the review completes, if a user was denied, then they will be removed from the application role. Microsoft Entra ID will then no longer issue that user with federation tokens and the user will be unable to sign into that application.|-|B|If the application uses group claims in addition to application role assignments.| An application may use AD or Microsoft Entra group membership, distinct from application roles to express finer-grained access. Here, you can choose based on your business requirements either to have the users who have application role assignments reviewed, or to review the users who have group memberships. If the groups do not provide comprehensive access coverage, in particular if users may have access to the application even if they aren't a member of those groups, then we recommend reviewing the application role assignments, as in pattern A above.| +|B|If the application uses group claims in addition to application role assignments.| An application may use Active Directory or Microsoft Entra group membership, distinct from application roles to express finer-grained access. 
Here, you can choose based on your business requirements either to have the users who have application role assignments reviewed, or to review the users who have group memberships. If the groups do not provide comprehensive access coverage, in particular if users may have access to the application even if they aren't a member of those groups, then we recommend reviewing the application role assignments, as in pattern A above.| |C| If the application doesn't rely solely on Microsoft Entra ID for federated SSO, but does support provisioning via SCIM, via updates to a SQL table of users, has a non-AD LDAP directory, or supports a SOAP or REST provisioning protocol. | In this pattern, you'll configure Microsoft Entra ID to provision the users with application role assignments to the application's database or directory, update the application role assignments in Microsoft Entra ID with a list of the users who currently have access, and then create a single access review of the application role assignments. For more information, see [Governing an application's existing users](identity-governance-applications-existing-users.md) to update the application role assignments in Microsoft Entra ID.| ### Other options Now that you have identified the integration pattern for the application, check * If the application has local user accounts, managed through a MIM connector, configure an application with the [provisioning agent with a custom connector](../app-provisioning/on-premises-custom-connector.md). * If the application is SAP ECC with NetWeaver AS ABAP 7.0 or later, configure an application with the [provisioning agent with a SAP ECC configured web services connector](../app-provisioning/on-premises-sap-connector-configure.md). -1. If provisioning is configured, then click on **Edit Attribute Mappings**, expand the Mapping section and click on **Provision Microsoft Entra Users**. 
Check that in the list of attribute mappings, there is a mapping for `isSoftDeleted` to the attribute in the application's data store that you would like to set to false when a user loses access. If this mapping isn't present, then Microsoft Entra ID will not notify the application when a user has gone out of scope, as described in [how provisioning works](../app-provisioning/how-provisioning-works.md). +1. If provisioning is configured, then click on **Edit Attribute Mappings**, expand the Mapping section and click on **Provision Microsoft Entra users**. Check that in the list of attribute mappings, there is a mapping for `isSoftDeleted` to the attribute in the application's data store that you would like to set to false when a user loses access. If this mapping isn't present, then Microsoft Entra ID will not notify the application when a user has gone out of scope, as described in [how provisioning works](../app-provisioning/how-provisioning-works.md). 1. If the application supports federated SSO, then change to the **Conditional Access** tab. Inspect the enabled policies for this application. If there are policies that are enabled, block access, have users assigned to the policies, but no other conditions, then those users may be already blocked from being able to get federated SSO to the application. 1. Change to the **Users and groups** tab. This list contains all the users who are assigned to the application in Microsoft Entra ID. If the list is empty, then a review of the application will complete immediately, since there isn't any task for the reviewer to perform. |
active-directory | Entitlement Management Logs And Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-logs-and-reporting.md | Use the following procedure to view events: ![View app role assignments](./media/entitlement-management-access-package-incompatible/workbook-ara.png) ## Create custom Azure Monitor queries using the Microsoft Entra admin center-You can create your own queries on Microsoft Entra ID audit events, including entitlement management events. +You can create your own queries on Microsoft Entra audit events, including entitlement management events. 1. In Identity of the Microsoft Entra admin center, select **Logs** under the Monitoring section in the left navigation menu to create a new query page. -1. Your workspace should be shown in the upper left of the query page. If you have multiple Azure Monitor workspaces, and the workspace you're using to store Microsoft Entra ID audit events isn't shown, select **Select Scope**. Then, select the correct subscription and workspace. +1. Your workspace should be shown in the upper left of the query page. If you have multiple Azure Monitor workspaces, and the workspace you're using to store Microsoft Entra audit events isn't shown, select **Select Scope**. Then, select the correct subscription and workspace. 1. Next, in the query text area, delete the string "search *" and replace it with the following query: |
active-directory | How To Lifecycle Workflow Sync Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/how-to-lifecycle-workflow-sync-attributes.md | For more information on attributes, see [Attribute mapping in Microsoft Entra Co ## How to create a custom sync rule in Microsoft Entra Connect for EmployeeHireDate The following example walks you through setting up a custom synchronization rule that synchronizes the Active Directory attribute to the employeeHireDate attribute in Microsoft Entra ID. 1. Open a PowerShell window as administrator and run `Set-ADSyncScheduler -SyncCycleEnabled $false` to disable the scheduler.- 1. Go to Start\Azure AD Connect\ and open the Synchronization Rules Editor + 1. Go to Start\Microsoft Entra Connect\ and open the Synchronization Rules Editor 1. Ensure the direction at the top is set to **Inbound**. 1. Select **Add Rule.** 1. On the **Create Inbound synchronization rule** screen, enter the following information and select **Next**. |
active-directory | Identity Governance Applications Define | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-define.md | Organizations with compliance requirements or risk management plans have sensiti > [!Note] > If you're using an application from the Microsoft Entra application gallery that supports provisioning, then Microsoft Entra ID may import defined roles in the application and automatically update the application manifest with the application's roles automatically, once provisioning is configured. -1. **Select which roles and groups have membership that are to be governed in Azure AD.** Based on compliance and risk management requirements, organizations often prioritize those application roles or groups that give privileged access or access to sensitive information. +1. **Select which roles and groups have membership that are to be governed in Microsoft Entra ID.** Based on compliance and risk management requirements, organizations often prioritize those application roles or groups that give privileged access or access to sensitive information. ## Define the organization's policy with prerequisites and other constraints for access to the application If you already have an organization role definition, then see [how to migrate an 1. **Determine how long a user who has been approved for access, should have access, and when that access should go away.** For many applications, a user might retain access indefinitely, until they're no longer affiliated with the organization. In some situations, access may be tied to particular projects or milestones, so that when the project ends, access is removed automatically. Or, if only a few users are using an application through a policy, you may configure quarterly or yearly reviews of everyone's access through that policy, so that there's regular oversight. -1. 
**If your organization is governing access already with an organizational role model, plan to bring that organizational role model into Azure AD.** You may have an [organizational role](identity-governance-organizational-roles.md) defined which assigns access based on a user's property, such as their position or department. These processes can ensure users lose access eventually when access is no longer needed, even if there isn't a pre-determined project end date. +1. **If your organization is governing access already with an organizational role model, plan to bring that organizational role model into Microsoft Entra ID.** You may have an [organizational role](identity-governance-organizational-roles.md) defined which assigns access based on a user's property, such as their position or department. These processes can ensure users lose access eventually when access is no longer needed, even if there isn't a pre-determined project end date. 1. **Inquire if there are separation of duties constraints.** For example, you may have an application with two app roles, *Western Sales* and *Eastern Sales*, and you want to ensure that a user can only have one sales territory at a time. Include a list of any pairs of app roles that are incompatible for your application, so that if a user has one role, they aren't allowed to request the second role. |
active-directory | Identity Governance Automation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-automation.md | -[Azure Automation](../../automation/overview.md) is an Azure cloud service that allows you to automate common or repetitive systems management and processes. Microsoft Graph is the Microsoft unified API endpoint for Microsoft Entra features that manage users, groups, access packages, access reviews, and other resources in the directory. You can manage Microsoft Entra ID at scale from the PowerShell command line, using the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). You can also include the Microsoft Graph PowerShell cmdlets from a [PowerShell-based runbook in Azure Automation](/azure/automation/automation-intro), so that you can automate Microsoft Entra ID tasks from a simple script. +[Azure Automation](../../automation/overview.md) is an Azure cloud service that allows you to automate common or repetitive systems management and processes. Microsoft Graph is the Microsoft unified API endpoint for Microsoft Entra features that manage users, groups, access packages, access reviews, and other resources in the directory. You can manage Microsoft Entra ID at scale from the PowerShell command line, using the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). You can also include the Microsoft Graph PowerShell cmdlets from a [PowerShell-based runbook in Azure Automation](/azure/automation/automation-intro), so that you can automate Microsoft Entra tasks from a simple script. Azure Automation and the PowerShell Graph SDK supports certificate-based authentication and application permissions, so you can have Azure Automation runbooks authenticate to Microsoft Entra ID without needing a user context. |
active-directory | Identity Governance Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-overview.md | In addition to the features listed above, additional Microsoft Entra features fr |Policy and role management|Admin can define Conditional Access policies for run-time access to applications. Resource owners can define policies for user's access via access packages.|[Conditional Access](../conditional-access/overview.md) and [Entitlement management](entitlement-management-overview.md) policies| |Access certification|Admins can enable recurring access recertification for: SaaS apps, on-premises apps, cloud group memberships, Microsoft Entra ID or Azure Resource role assignments. Automatically remove resource access, block guest access and delete guest accounts.|[Access reviews](access-reviews-overview.md), also surfaced in [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)| |Fulfillment and provisioning|Automatic provisioning and deprovisioning into Microsoft Entra connected apps, including via SCIM, LDAP, SQL and into SharePoint Online sites. |[user provisioning](../app-provisioning/user-provisioning.md)|-|Reporting and analytics|Admins can retrieve audit logs of recent user provisioning and sign on activity. Integration with Azure Monitor and 'who has access' via access packages.|[Microsoft Entra ID reports](../reports-monitoring/overview-reports.md) and [monitoring](../reports-monitoring/overview-monitoring.md)| +|Reporting and analytics|Admins can retrieve audit logs of recent user provisioning and sign on activity. 
Integration with Azure Monitor and 'who has access' via access packages.|[Microsoft Entra reports](../reports-monitoring/overview-reports.md) and [monitoring](../reports-monitoring/overview-monitoring.md)| |Privileged access|Just-in-time and scheduled access, alerting, approval workflows for Microsoft Entra roles (including custom roles) and Azure Resource roles.|[Microsoft Entra PIM](../privileged-identity-management/pim-configure.md)| |Auditing|Admins can be alerted of creation of admin accounts.|[Microsoft Entra PIM alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md)| |
active-directory | Lifecycle Workflow Audits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflow-audits.md | After filtering this information, you're also able to see other information in t - [Lifecycle Workflow History](lifecycle-workflow-history.md) - [Check the status of a workflow](check-status-workflow.md)-- [Microsoft Entra ID audit activity reference](../reports-monitoring/reference-audit-activities.md)+- [Microsoft Entra audit activity reference](../reports-monitoring/reference-audit-activities.md) |
active-directory | Services And Integration Partners | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/services-and-integration-partners.md | The descriptions and linked pages are provided by the partners themselves. You c |[Edgile, a Wipro company](https://aka.ms/EdgileEntraIDGov) |"Edgile, a Wipro company is excited to be a Microsoft Launch Partner for Microsoft Entra ID Governance. Our deep and broad experience in IGA and security will ensure your project is a success. Our project accelerators will reduce your risk and deliver results faster." | |[EY](https://aka.ms/EYEntraIDGov) |"The EY organization, a trusted global leader in professional services, creates a better working world with people at the center, leveraging technology at scale and driving innovation at speed. The EY-Microsoft Alliance collaborates on innovative identity management solutions with Microsoft Entra, transforming the way businesses protect and manage identities, creating a future where trust and safety are paramount." | |[InSpark](https://aka.ms/InSparkEntraIDGov) | "InSpark is a Dutch Microsoft partner helping customers to go from Zero-to-Hero with the full Microsoft cloud portfolio. The Microsoft Entra ID Governance stack is one of our strong focus points as we believe securing and protecting your digital identity and the access it has is crucial in today's world."|-|[Invoke](https://aka.ms/InvokeEntraIDGov) |"Invoke's Identity Solution Journey begins with assessments, building trust by showcasing security & compliance risk mitigation, along with productivity gains. In cost-sensitive markets, they deliver economic assessments, reporting cost savings by transitioning to a Microsoft-centric solution. By partnering with the Microsoft Entra ID team, they jointly empower customers to achieve more." 
| +|[Invoke](https://aka.ms/InvokeEntraIDGov) |"Invoke's Identity Solution Journey begins with assessments, building trust by showcasing security & compliance risk mitigation, along with productivity gains. In cost-sensitive markets, they deliver economic assessments, reporting cost savings by transitioning to a Microsoft-centric solution. By partnering with the Microsoft Entra team, they jointly empower customers to achieve more." | |[KPMG](https://aka.ms/KPMGEntraIDGov) |"KPMG and Microsoft further strengthen their alliance by delivering a comprehensive identity governance proposition. By adeptly navigating the complexities of identity governance, the combination of Microsoft Entra advanced tools with KPMG Powered Enterprise helps drive functional transformation. This synergy can propel accelerated digital capabilities, enhance operational efficiency, fortify security and ensure compliance."| |[Oxford Computer Group](https://aka.ms/OCGEntraIDGov) |"Oxford Computer Group's customer base includes some of the largest and most recognizable companies in the US and beyond. Our solutions include Identity Lifecycle Management, Identity and Access Management, Entitlements, Conditional Access, Separation of Duties, Attestation, SOX, Risk Assessments for IAM, Audit Remediation, External Identities, and Verifiable Credentials - nearly every aspect of Identity Governance. "| |[PwC](https://aka.ms/PwCEntraIDGov) |"Organizations use identity and access management to build trust, and doing so sustainably often requires the right technology and a multi-disciplinary team. Our team can help you implement Microsoft Entra ID Governance from strategy through execution by collaborating with you and our network of professionals by focusing on three key aspects: people, process, and technology."| |
active-directory | How To Inbound Synch Ms Graph | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md | Look under the 'status' section of the return object for relevant details - [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md) - [Transformations](how-to-transformation.md)-- [Azure AD Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)+- [Microsoft Entra Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true) |
active-directory | Reference Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-powershell.md | Disables accidentalDeletionPrevention tenant feature Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId <TenantId> ``` -This cmdlet requires `TenantId` of the Azure AD tenant. It will verify if Accidental Deletion Prevention feature, set on the tenant with Azure AD Connect (ADSync, not Cloud Sync), is enabled and disables it. +This cmdlet requires `TenantId` of the Microsoft Entra tenant. It will verify if Accidental Deletion Prevention feature, set on the tenant with Microsoft Entra Connect (ADSync, not Cloud Sync), is enabled and disables it. #### Example: ``` powershell |
active-directory | Concept Azure Ad Connect Sync Declarative Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning.md | Here is an example: In *Out to AD - User Exchange hybrid* the following flow can be found: `IIF([cloudSOAExchMailbox] = True,[cloudMSExchSafeSendersHash],IgnoreThisFlow)` -This expression should be read as: if the user mailbox is located in Microsoft Entra ID, then flow the attribute from Microsoft Entra ID to AD. If not, do not flow anything back to Active Directory. In this case, it would keep the existing value in AD. +This expression should be read as: if the user mailbox is located in Microsoft Entra ID, then flow the attribute from Microsoft Entra ID to Active Directory. If not, do not flow anything back to Active Directory. In this case, it would keep the existing value in AD. ### ImportedValue |
active-directory | Four Steps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/four-steps.md | To learn more, go read [Monitor AD FS using Microsoft Entra Connect Health](./ho ### Use Azure Monitor to collect data logs for analytics -[Azure Monitor](../../../azure-monitor/overview.md) is a unified monitoring portal for all Microsoft Entra ID logs, which provides deep insights, advanced analytics, and smart machine learning. With Azure Monitor, you can consume metrics and logs within the portal and via APIs to gain more visibility into the state and performance of your resources. It enables a single pane of glass experience within the portal while enabling a wide range of product integrations via APIs and data export options that support traditional third-party SIEM systems. Azure Monitor also gives you the ability to configure alert rules to get notified or to take automated actions on issues impacting your resources. +[Azure Monitor](../../../azure-monitor/overview.md) is a unified monitoring portal for all Microsoft Entra logs, which provides deep insights, advanced analytics, and smart machine learning. With Azure Monitor, you can consume metrics and logs within the portal and via APIs to gain more visibility into the state and performance of your resources. It enables a single pane of glass experience within the portal while enabling a wide range of product integrations via APIs and data export options that support traditional third-party SIEM systems. Azure Monitor also gives you the ability to configure alert rules to get notified or to take automated actions on issues impacting your resources. ![Azure Monitor](./media/four-steps/image1.png) |
active-directory | How To Bypassdirsyncoverrides | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-bypassdirsyncoverrides.md | Get-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -FromAzureAD ### Set _MobilePhone_ and _AlternateMobilePhones_ properties in Microsoft Entra ID: ```powershell-Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD '999888777' -OtherMobileInAD '0987654','1234567' +Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD '999888777' -AlternateMobilePhonesInAAD '0987654','1234567' ``` ### Set _Mobile_ and _otherMobile_ properties in on-premises Active Directory: ```powershell-Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD '999888777' -AlternateMobilePhonesInAAD '0987654','1234567' +Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD '999888777' -OtherMobileInAD '0987654','1234567' ``` <a name='clear-mobilephone-and-alternatemobilephones-properties-in-azure-ad'></a> Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD '99988 ### Clear _MobilePhone_ and _AlternateMobilePhones_ properties in Microsoft Entra ID: ```powershell-Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD -OtherMobileInAD +Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD -AlternateMobilePhonesInAAD ``` ### Clear _Mobile_ and _otherMobile_ properties in on-premises Active Directory: ```powershell-Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD -AlternateMobilePhonesInAAD +Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD -OtherMobileInAD ``` ## Next Steps |
active-directory | How To Connect Fed O365 Certs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-o365-certs.md | -For successful federation between Microsoft Entra ID and Active Directory Federation Services (AD FS), the certificates used by AD FS to sign security tokens to Microsoft Entra ID should match what is configured in Microsoft Entra ID. Any mismatch can lead to broken trust. Microsoft Entra ensures that this information is kept in sync when you deploy AD FS and Web Application Proxy (for extranet access). +For successful federation between Microsoft Entra ID and Active Directory Federation Services (AD FS), the certificates used by AD FS to sign security tokens to Microsoft Entra ID should match what is configured in Microsoft Entra ID. Any mismatch can lead to broken trust. Microsoft Entra ID ensures that this information is kept in sync when you deploy AD FS and Web Application Proxy (for extranet access). > [!NOTE] > This article provides information on manging your federation cerficates. For information on emergency rotation see [Emergency Rotation of the AD FS certificates](how-to-connect-emergency-ad-fs-certificate-rotation.md) |
active-directory | How To Connect Fed Saml Idp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-saml-idp.md | This table shows requirements for specific attributes in the SAML 2.0 message. |Attribute|Description| | -- | -- | |NameID|The value of this assertion must be the same as the Microsoft Entra userΓÇÖs ImmutableID. It can be up to 64 alpha numeric characters. Any non-html safe characters must be encoded, for example a ΓÇ£+ΓÇ¥ character is shown as ΓÇ£.2BΓÇ¥.|-|IDPEmail|The User Principal Name (UPN) is listed in the SAML response as an element with the name IDPEmail The userΓÇÖs UserPrincipalName (UPN) in Azure AD/Microsoft 365. The UPN is in email address format. UPN value in Windows Microsoft 365 (Microsoft Entra ID).| +|IDPEmail|The User Principal Name (UPN) is listed in the SAML response as an element with the name IDPEmail The userΓÇÖs UserPrincipalName (UPN) in Microsoft Entra ID / Microsoft 365. The UPN is in email address format. UPN value in Windows Microsoft 365 (Microsoft Entra ID).| |Issuer|Required to be a URI of the identity provider. Do not reuse the Issuer from the sample messages. If you have multiple top-level domains in your Microsoft Entra tenants the Issuer must match the specified URI setting configured per domain.| >[!IMPORTANT] |
active-directory | How To Connect Group Writeback V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-group-writeback-v2.md | To verify if Active Directory has been prepared for Exchange, see [Prepare Activ ## Meet prerequisites for public preview The following are prerequisites for group writeback: -- A Microsoft Entra ID P1 or P2 1 license +- A Microsoft Entra ID P1 or P2 license - Microsoft Entra Connect version 2.0.89.0 or later An optional prerequisite is Exchange Server 2016 CU15 or later. You need it only for configuring cloud groups with an Exchange hybrid. For more information, seeΓÇ»[Configure Microsoft 365 Groups with on-premises Exchange hybrid](/exchange/hybrid-deployment/set-up-microsoft-365-groups#prerequisites). If you haven't [prepared Active Directory for Exchange](/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019&preserve-view=true), mail-related attributes of groups won't be written back. |
active-directory | How To Connect Health Adfs Risky Ip Workbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-adfs-risky-ip-workbook.md | Additionally, it's possible for a single IP address to attempt multiple logins a 1. Connect Health for AD FS installed and updated to the latest agent. 2. A Log Analytics Workspace with the ΓÇ£ADFSSignInLogsΓÇ¥ stream enabled. 3. Permissions to use the Microsoft Entra ID Monitor Workbooks. To use Workbooks, you need:-- A Microsoft Entra tenant with a premium (P1 or P2) license.+- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 license. - Access to a Log Analytics Workspace and the following roles in Microsoft Entra ID (if accessing Log Analytics through [Microsoft Entra admin center](https://entra.microsoft.com)): Security administrator, Security reader, Reports reader, Global administrator |
active-directory | How To Connect Health Agent Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-agent-install.md | The following table lists requirements for using Microsoft Entra Connect Health: | Requirement | Description | | | |-| You have a Microsoft Entra ID P1 or P2 (P1 or P2) Subscription. |Microsoft Entra Connect Health is a feature of Microsoft Entra ID P1 or P2 (P1 or P2). For more information, see [Sign up for Microsoft Entra ID P1 or P2](../../fundamentals/get-started-premium.md). <br /><br />To start a free 30-day trial, see [Start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). | +| You have a Microsoft Entra ID P1 or P2 subscription. |Microsoft Entra Connect Health is a feature of Microsoft Entra ID P1 or P2. For more information, see [Sign up for Microsoft Entra ID P1 or P2](../../fundamentals/get-started-premium.md). <br /><br />To start a free 30-day trial, see [Start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). | | You're a global administrator in Microsoft Entra ID. |Currently, only Global Administrator accounts can install and configure health agents. For more information, see [Administering your Microsoft Entra directory](../../fundamentals/whatis.md). <br /><br /> By using Azure role-based access control (Azure RBAC), you can allow other users in your organization to access Microsoft Entra Connect Health. For more information, see [Azure RBAC for Microsoft Entra Connect Health](how-to-connect-health-operations.md#manage-access-with-azure-rbac). <br /><br />**Important**: Use a work or school account to install the agents. You can't use a Microsoft account to install the agents. For more information, see [Sign up for Azure as an organization](../../fundamentals/sign-up-organization.md). |-| The Microsoft Entra Connect Health agent is installed on each targeted server. 
| Health agents must be installed and configured on targeted servers so that they can receive data and provide monitoring and analytics capabilities. <br /><br />For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on the AD FS server and on the Web Application Proxy server. Similarly, to get data from your on-premises Microsoft Entra Domain Services (Microsoft Entra DS) infrastructure, you must install the agent on the domain controllers. | +| The Microsoft Entra Connect Health agent is installed on each targeted server. | Health agents must be installed and configured on targeted servers so that they can receive data and provide monitoring and analytics capabilities. <br /><br />For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on the AD FS server and on the Web Application Proxy server. Similarly, to get data from your on-premises Microsoft Entra Domain Services infrastructure, you must install the agent on the domain controllers. | | The Azure service endpoints have outbound connectivity. | During installation and runtime, the agent requires connectivity to Microsoft Entra Connect Health service endpoints. If firewalls block outbound connectivity, add the [outbound connectivity endpoints](how-to-connect-health-agent-install.md#outbound-connectivity-to-azure-service-endpoints) to an allowlist. | |Outbound connectivity is based on IP addresses. | For information about firewall filtering based on IP addresses, see [Azure IP ranges](https://www.microsoft.com/download/details.aspx?id=56519).| | TLS inspection for outbound traffic is filtered or disabled. | The agent registration step or data upload operations might fail if there's TLS inspection or termination for outbound traffic at the network layer. For more information, see [Set up TLS inspection](/previous-versions/tn-archive/ee796230(v=technet.10)). 
| To download and install the Microsoft Entra Connect Health agent: - See the [installation instructions](#install-the-agent-for-ad-fs). - Get started using Microsoft Entra Connect Health for sync: - [Download and install the latest version of Microsoft Entra Connect](https://go.microsoft.com/fwlink/?linkid=615771). The health agent for sync is installed as part of the Microsoft Entra Connect installation (version 1.0.9125.0 or later).-- Get started using Microsoft Entra Connect Health for Microsoft Entra DS:- - [Download the Microsoft Entra Connect Health agent for Microsoft Entra DS](https://go.microsoft.com/fwlink/?LinkID=820540). +- Get started using Microsoft Entra Connect Health for Microsoft Entra Domain + - [Download the Microsoft Entra Connect Health agent for Microsoft Entra Domain Services](https://go.microsoft.com/fwlink/?LinkID=820540). - See the [installation instructions](#install-the-agent-for-azure-ad-ds). ## Install the agent for AD FS To verify that the agent has been installed, look for the following services on :::image type="content" source="media/how-to-connect-health-agent-install/services.png" alt-text="Screenshot that shows the running Microsoft Entra Connect Health for sync services on the server."::: > [!NOTE]-> Remember that you must have Microsoft Entra ID P1 or P2 (P1 or P2) to use Microsoft Entra Connect Health. If you don't have Microsoft Entra ID P1 or P2, you can't complete the configuration in the [Microsoft Entra admin center](https://entra.microsoft.com). For more information, see the [requirements](how-to-connect-health-agent-install.md#requirements). +> Remember that you must have Microsoft Entra ID P1 or P2 to use Microsoft Entra Connect Health. If you don't have Microsoft Entra ID P1 or P2, you can't complete the configuration in the [Microsoft Entra admin center](https://entra.microsoft.com). For more information, see the [requirements](how-to-connect-health-agent-install.md#requirements). 
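Review bot: the rewritten parent bullet "+- Get started using Microsoft Entra Connect Health for Microsoft Entra Domain" loses the "Services:" ending that the removed line's "Microsoft Entra DS:" carried, while its nested link bullet names "Microsoft Entra Domain Services"; the parent bullet should read "for Microsoft Entra Domain Services:" so the list item is complete and matches the link beneath it.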
<a name='manually-register-azure-ad-connect-health-for-sync'></a> When you're prompted for authentication, use the same Global Administrator accou <a name='install-the-agent-for-azure-ad-ds'></a> -## Install the agent for Microsoft Entra DS +<a name='install-the-agent-for-microsoft-entra-ds'></a> ++## Install the agent for Microsoft Entra Domain Services To start the agent installation, double-click the *.exe* file that you downloaded. In the first window, select **Install**. To start the agent installation, double-click the *.exe* file that you downloade When the installation finishes, select **Configure Now**. A Command Prompt window opens. PowerShell runs `Register-AzureADConnectHealthADDSAgent`. When you're prompted, sign in to Azure. After you sign in, PowerShell continues. When it finishes, you can close PowerShell. The configuration is complete. At this point, the services should be started automatically, allowing the agent to monitor and gather data. If you haven't met all the prerequisites outlined in the previous sections, warnings appear in the PowerShell window. Be sure to complete the [requirements](how-to-connect-health-agent-install.md#requirements) before you install the agent. The following screenshot shows an example of these warnings. 
To verify that the agent is installed, look for the following services on the domain controller: Check out the following related articles: - [Microsoft Entra Connect Health operations](how-to-connect-health-operations.md) - [Using Microsoft Entra Connect Health with AD FS](how-to-connect-health-adfs.md) - [Using Microsoft Entra Connect Health for sync](how-to-connect-health-sync.md)-- [Using Microsoft Entra Connect Health with Microsoft Entra DS](how-to-connect-health-adds.md)+- [Using Microsoft Entra Connect Health with Microsoft Entra Domain Services](how-to-connect-health-adds.md) - [Microsoft Entra Connect Health FAQ](reference-connect-health-faq.yml) - [Microsoft Entra Connect Health version history](reference-connect-health-version-history.md) |
active-directory | How To Connect Install Existing Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-existing-tenant.md | The match is only evaluated for new objects coming from Connect. If you change a If Microsoft Entra ID finds an object where the attribute values are the same for an object coming from Connect and that it is already present in Microsoft Entra ID, then the object in Microsoft Entra ID is taken over by Connect. The previously cloud-managed object is flagged as on-premises managed. All attributes in Microsoft Entra ID with a value in on-premises AD are overwritten with the on-premises value. > [!WARNING]-> Since all attributes in Microsoft Entra ID are going to be overwritten by the on-premises value, make sure you have good data on-premises. For example, if you only have managed email address in Microsoft 365 and not kept it updated in on-premises AD DS, then you lose any values in Azure AD/Microsoft 365 not present in AD DS. +> Since all attributes in Microsoft Entra ID are going to be overwritten by the on-premises value, make sure you have good data on-premises. For example, if you only have managed email address in Microsoft 365 and not kept it updated in on-premises AD DS, then you lose any values in Microsoft Entra ID / Microsoft 365 not present in AD DS. > [!IMPORTANT] > If you use password sync, which is always used by express settings, then the password in Microsoft Entra ID is overwritten with the password in on-premises AD. If your users are used to manage different passwords, then you need to inform them that they should use the on-premises password when you have installed Connect. If you matched your objects with a soft-match, then the **sourceAnchor** is adde ### Hard-match vs Soft-match For a new installation of Connect, there is no practical difference between a soft- and a hard-match. The difference is in a disaster recovery situation. 
If you have lost your server with Microsoft Entra Connect, you can reinstall a new instance without losing any data. An object with a sourceAnchor is sent to Connect during initial install. The match can then be evaluated by the client (Microsoft Entra Connect), which is a lot faster than doing the same in Microsoft Entra ID. A hard match is evaluated both by Connect and by Microsoft Entra ID. A soft match is only evaluated by Microsoft Entra ID. - We have added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We advise customers to disable soft matching unless they need it to take over cloud only accounts. This [article](/powershell/module/msonline/set-msoldirsyncfeature) shows how to disable Soft Matching. +We have added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We advise customers to disable soft matching unless they need it to take over cloud only accounts. ++To disable Soft Matching, use the [Update-MgDirectoryOnPremiseSynchronization](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdirectoryonpremisesynchronization) Microsoft Graph PowerShell cmdlet: ++```powershell +Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement ++Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All" +$onPremisesDirectorySynchronizationId = "<TenantID>" +$params = @{ + features = @{ + blockSoftMatchEnabled = $true + } +} +Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $onPremisesDirectorySynchronizationId -BodyParameter $params +``` ++> [!NOTE] +> +> blockSoftMatchEnabled - Use to block soft match for all objects if enabled for the tenant. Customers are encouraged to enable this feature and keep it enabled until soft matching is required again for their tenancy. This flag should be enabled again after any soft matching has been completed and is no longer needed. 
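Review bot: the added PowerShell block imports Microsoft.Graph.Beta.Identity.DirectoryManagement but then calls Update-MgDirectoryOnPremiseSynchronization, which is the v1.0 cmdlet (the beta module's cmdlet carries the MgBeta prefix), and the prose links the v1.0 reference page; import Microsoft.Graph.Identity.DirectoryManagement instead, or switch the call to the beta cmdlet name, so the example runs as written. The surrounding text should also say that `<TenantID>` is a placeholder the reader replaces, since the variable name suggests a synchronization id rather than the tenant id.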
### Other objects than users For mail-enabled groups and contacts, you can soft-match based on proxyAddresses. Hard-match is not applicable since you can only update the sourceAnchor/immutableID (using PowerShell) on Users only. For groups that aren't mail-enabled, there is currently no support for soft-match or hard-match. To prevent untrusted on-premises users from matching with a cloud user that has 3. Trigger a sync. 4. Optionally add the directory roles back to the user object in cloud once the matching has occurred. -- <a name='create-a-new-on-premises-active-directory-from-data-in-azure-ad'></a> ## Create a new on-premises Active Directory from data in Microsoft Entra ID If the only reason why you plan to add on-premises AD is to support LOBs (Line-o ## Next steps Learn more about [Integrating your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md).+ |
active-directory | How To Connect Staged Rollout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-staged-rollout.md | +- You're currently using an on-premises Multi-Factor Authentication Server. - You're using smart cards for authentication. - Your current server offers certain federation-only features. |
active-directory | How To Connect Sync Change The Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-change-the-configuration.md | The inbound synchronization rule permits the attribute value to flow from the so | | | | | adminDescription | NOTSTARTWITH | User\_ | - The scoping filter determines to which on-premises AD objects this inbound synchronization rule is applied. In this example, we use the same scoping filter used in the *In from AD ΓÇô User Common* out-of-box synchronization rule, which prevents the synchronization rule from being applied to User objects created through the Microsoft Entra User writeback feature. You might need to tweak the scoping filter according to your Microsoft Entra Connect deployment. + The scoping filter determines to which on-premises AD objects this inbound synchronization rule is applied. In this example, we use the same scoping filter used in the *In from AD ΓÇô User Common* out-of-box synchronization rule, which prevents the synchronization rule from being applied to User objects created through the Microsoft Entra user writeback feature. You might need to tweak the scoping filter according to your Microsoft Entra Connect deployment. 6. Go to the **Transformation** tab and implement the desired transformation rule. For example, if you have designated an unused on-premises AD attribute (such as extensionAttribute1) as the source attribute for the UserType, you can implement a direct attribute flow: |
active-directory | How To Connect Sync Endpoint Api V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-endpoint-api-v2.md | Microsoft has deployed a new endpoint (API) for Microsoft Entra Connect that imp > It will not be made available in the Azure German cloud ## PrerequisitesΓÇ» -In order to use the new V2 endpoint, you'll need to use Microsoft Entra Connect v2.0. When you deploy AADConnect V2.0, the V2 endpoint will be automatically enabled. +In order to use the new V2 endpoint, you'll need to use Azure AD v2.0. When you deploy AADConnect V2.0, the V2 endpoint will be automatically enabled. There is a known issue where upgrading to the latest 1.6 build resets the group membership limit to 50k. When a server is upgraded to AADConnect 1.6, then the customer should reapply the rule changes that they applied when initially increasing the group membership limit to 250k before they enable sync for the server. ## Frequently asked questionsΓÇ» |
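Review bot: the change in the Prerequisites hunk runs the rename backwards and names the wrong product: "-In order to use the new V2 endpoint, you'll need to use Microsoft Entra Connect v2.0." becomes "+In order to use the new V2 endpoint, you'll need to use Azure AD v2.0.", yet the same sentence continues "When you deploy AADConnect V2.0", so the requirement is the Connect client version, not an Azure AD version; the line should keep "Microsoft Entra Connect v2.0".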
active-directory | How To Connect Sync Service Manager Ui Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-service-manager-ui-connectors.md | Title: Connectors in the Azure AD Synchronization Service Manager UI' + Title: Connectors in the Microsoft Entra Synchronization Service Manager UI' description: Understand the Connectors tab in the Synchronization Service Manager for Microsoft Entra Connect. documentationcenter: '' |
active-directory | Howto Troubleshoot Upn Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/howto-troubleshoot-upn-changes.md | For example, if you add labs.contoso.com and change the user UPNs and email to r >[!IMPORTANT] > If you change the suffix in Active Directory, add and verify a matching custom domain name in Microsoft Entra ID. - > [Add your custom domain name using the Microsoft Entra portal](../../fundamentals/add-custom-domain.md) + > [Add your custom domain name using the Microsoft Entra admin center](../../fundamentals/add-custom-domain.md) ![Screenshot of the Add customer domain option, under Custom domain names.](./media/howto-troubleshoot-upn-changes/custom-domains.png) |
active-directory | Plan Connect User Signin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/plan-connect-user-signin.md | The Microsoft Entra sign-in page lists the UPN suffixes that are defined for on- | State | Description | Action needed | |: |: |: | | Verified |Microsoft Entra Connect found a matching verified domain in Microsoft Entra ID. All users for this domain can sign in by using their on-premises credentials. |No action is needed. |-| Not verified |Microsoft Entra Connect found a matching custom domain in Microsoft Entra ID, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified. | [Verify the custom domain in Azure AD.](../../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) | +| Not verified |Microsoft Entra Connect found a matching custom domain in Microsoft Entra ID, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified. | [Verify the custom domain in Microsoft Entra ID.](../../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) | | Not added |Microsoft Entra Connect didn't find a custom domain that corresponded to the UPN suffix. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix if the domain isn't added and verified in Azure. | [Add and verify a custom domain that corresponds to the UPN suffix.](../../fundamentals/add-custom-domain.md) | The Microsoft Entra sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and the corresponding custom domain in Microsoft Entra ID with the current verification status. In a custom installation, you can now select the attribute for the user principal name on the **Microsoft Entra sign-in** page. 
You can change the user sign-in method from federation, password hash synchroniz On the next page, you're asked to provide the credentials for Microsoft Entra ID. -![Screenshot that shows where you should type the credentials for Azure AD.](./media/plan-connect-user-signin/changeusersignin2.png) +![Screenshot that shows where you should type the credentials for Microsoft Entra ID.](./media/plan-connect-user-signin/changeusersignin2.png) On the **User sign-in** page, select the desired user sign-in. |
active-directory | Reference Connect Adsynctools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-adsynctools.md | Import ImmutableID from Microsoft Entra ID Import-ADSyncToolsSourceAnchor [-Output] <String> [-IncludeSyncUsersFromRecycleBin] [<CommonParameters>] ``` ### DESCRIPTION-Generates a file with all Azure AD Synchronized users containing the ImmutableID value in GUID format +Generates a file with all Microsoft Entra ID synchronized users containing the ImmutableID value in GUID format Requirements: MSOnline PowerShell Module ### EXAMPLES #### EXAMPLE 1 |
active-directory | Reference Connect Health Version History | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-health-version-history.md | Title: Azure AD Connect Health Version History -description: This document describes the releases for Azure AD Connect Health and what has been included in those releases. + Title: Microsoft Entra Connect Health Version History +description: This document describes the releases for Microsoft Entra Connect Health and what has been included in those releases. documentationcenter: '' -# Azure AD Connect Health: Version Release History -The Azure Active Directory team regularly updates Azure AD Connect Health with new features and functionality. This article lists the versions and features that have been released. +# Microsoft Entra Connect Health: Version Release History +The Microsoft Entra team regularly updates Microsoft Entra Connect Health with new features and functionality. This article lists the versions and features that have been released. > [!NOTE]-> Azure AD Connect Health agents are updated automatically when new version is released. +> Microsoft Entra Connect Health agents are updated automatically when new version is released. > -Azure AD Connect Health for Sync is integrated with Azure AD Connect installation. Read more about [Azure AD Connect release history](./reference-connect-version-history.md) +Microsoft Entra Connect Health for Sync is integrated with Microsoft Entra Connect installation. 
Read more about [Microsoft Entra Connect release history](./reference-connect-version-history.md) For feature feedback, vote at [Connect Health User Voice channel](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) ## May / June 2023 **Agent Updates** -Microsoft Azure AD Connect Health ADFS Agents (versions 4.5.x) +Microsoft Entra Connect Health ADFS Agents (versions 4.5.x) -- New version of the Azure AD Connect Health ADFS agent that uses an updated architecture.+- New version of the Microsoft Entra Connect Health ADFS agent that uses an updated architecture. - Updated installer package - Migration to MSAL authentication library - New pre-requisite checks Microsoft Azure AD Connect Health ADFS Agents (versions 4.5.x) ## 27 March 2023 **Agent Update** -Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Download Center Only) +Microsoft Entra Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Download Center Only) - We created a fix for so that the agents would be FIPS compliant - the change was to have the agents use ΓÇÿCloudStorageAccount.UseV1MD5 = falseΓÇÖ so the agent only uses only FIPS compliant cryptography, otherwise Azure blob client causes FIPs exceptions to be thrown. Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl ## 19 January 2023 **Agent Update**-- Azure AD Connect Health agent for Azure AD Connect (version 3.2.2188.23)- - We fixed a bug where, under certain circumstances, Azure AD Connect sync errors were not getting uploaded or shown in the portal. +- Microsoft Entra Connect Health agent for Microsoft Entra Connect (version 3.2.2188.23) + - We fixed a bug where, under certain circumstances, Microsoft Entra Connect Sync errors were not getting uploaded or shown in the portal. 
## September 2021 **Agent Update**-- Azure AD Connect Health agent for AD FS (version 3.1.113.0)+- Microsoft Entra Connect Health agent for AD FS (version 3.1.113.0) - Fix to extract device information such as device compliance and managed status, device OS, and device OS version from AD FS audits in certain device based authentication scenarios. - Fix to populate OAuth Application info in failure cases and categorizing OAuth failures with more specific error codes - Fix for alerts on broken WMI calls on the customer machine. Now such calls the result/status would be set to "notRun". ## May 2021 **Agent Update**-- Azure AD Connect Health agent for AD FS (version 3.1.99.0)+- Microsoft Entra Connect Health agent for AD FS (version 3.1.99.0) - Fix for low unique user count value in AD FS application activity report - Fix for sign-ins with empty or default GUID CorrelationId ## March 2021 **Agent Update** -- Azure AD Connect Health agent for AD FS (version 3.1.95.0)+- Microsoft Entra Connect Health agent for AD FS (version 3.1.95.0) - Fix to resolve NT4 formatted username to a UPN during sign-in events. - Fix to identify incorrect application identifier scenarios with a dedicated error code. - Changes to add a new property for OAuth client identifier.- - Fix to display correct values in the **Protocol** and **Authentication Type** fields in Azure AD sign-in report for certain sign-in scenarios. - - Fix to display IP addresses in Azure AD sign-in report's IP chain field in order of the request. + - Fix to display correct values in the **Protocol** and **Authentication Type** fields in Microsoft Entra sign-in report for certain sign-in scenarios. + - Fix to display IP addresses in Microsoft Entra sign-in report's IP chain field in order of the request. - Changes to introduce a new field to differentiate if secondary authentication was requested during a sign-in.- - Fix for AD FS application identifier property to display in Azure AD sign-in report. 
+ - Fix for AD FS application identifier property to display in Microsoft Entra sign-in report. ## April 2020 **Agent Update** -- Azure AD Connect Health agent for AD FS (version 3.1.77.0)+- Microsoft Entra Connect Health agent for AD FS (version 3.1.77.0) - Bug fix for ΓÇ£Invalid Service Principal Name (SPN) for AD FS serviceΓÇ¥ alert, for which the alert was reporting incorrectly. ## July 2019 **Agent Update**-* Azure AD Connect Health agent for AD FS (version 3.1.59.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.1.59.0) 1. Text change in TestWindowsTransport 2. Changes for AD FS RP upload -* Azure AD Connect Health agent for AD FS (version 3.1.56.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.1.56.0) 1. Add TestWindowsTransport test and remove WsTrust endpoints checks in CheckOffice365Endpoints test 2. Log OS and .NET information 3. Increase RP configuration message upload size to 1MB. 4. Bug fixes -* Azure AD Connect Health agent for AD DS (version 3.1.56.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.1.56.0) 1. Log OS and .NET information 2. Bug fixes ## May 2019 **Agent Update:** -* Azure AD Connect Health agent for AD FS (version 3.1.51.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.1.51.0) 1. Bug fix to distinguish between multiple sign ins that share the same client-request-id. 2. Bug fix to parse bad username/password errors on language localized servers. ## April 2019 **Agent Update:** -* Azure AD Connect Health agent for AD FS (version 3.1.46.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.1.46.0) 1. Fix Check Duplicate SPN alert process for ADFS ## March 2019 **Agent Update:** -* Azure AD Connect Health agent for AD DS (version 3.1.41.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.1.41.0) 1. .NET version collection 2. Improvement of performance counter collection when missing certain categories 3. 
Bug fix on preventing spawning of multiple Monitoring Agent instances -* Azure AD Connect Health agent for AD FS (version 3.1.41.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.1.41.0) 1. Integrate and upgrade of AD FS test scripts using ADFSToolBox 2. Implement .NET version collection 3. Improvement of performance counter collection when missing certain categories Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl ## November 2018 **New GA features:** -* Azure AD Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal +* Microsoft Entra Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal **Agent Update:** -* Azure AD Connect Health agent for AD DS (version 3.1.24.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.1.24.0) 1. Transport Layer Security (TLS) protocol version 1.2 compliance and enforcement 2. Reduce Global Catalog alert noise 3. Health agent registration bug fixes -* Azure AD Connect Health agent for AD FS (version 3.1.24.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.1.24.0) 1. Transport Layer Security (TLS) protocol version 1.2 compliance and enforcement 2. Support of Test-ADFSRequestToken for localized operating system 3. Solved diagnostic agent EventHandler locking issue 4. Health agent registration bug fixes ## August 2018 -* Azure AD Connect Health agent for Sync (version 3.1.7.0) released with Azure AD Connect version 1.1.880.0 +* Microsoft Entra Connect Health agent for Sync (version 3.1.7.0) released with Microsoft Entra Connect version 1.1.880.0 1. 
Hotfix for [high CPU issue of monitoring agent with .NET Framework KB releases](https://support.microsoft.com/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync) ## June 2018 **New preview features:** -* Azure AD Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal +* Microsoft Entra Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal **Agent Update:** -* Azure AD Connect Health agent for AD DS (version 3.1.7.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.1.7.0) 1. Hotfix for [high CPU issue of monitoring agent with .NET Framework KB releases](https://support.microsoft.com/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync) -* Azure AD Connect Health agent for AD FS (version 3.1.7.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.1.7.0) 1. Hotfix for [high CPU issue of monitoring agent with .NET Framework KB releases](https://support.microsoft.com/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync) 2. Test results fixes on ADFS Server 2016 secondary server -* Azure AD Connect Health agent for AD FS (version 3.1.2.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.1.2.0) 1. Hotfix for agent memory management and related alerts specifically for version 3.0.244.0 ## May 2018 **Agent Update:**-* Azure AD Connect Health agent for AD DS (version 3.0.244.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.0.244.0) 1. Agent privacy improvement 2. Bug fixes and general improvements -* Azure AD Connect Health agent for AD FS (version 3.0.244.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.0.244.0) 1. Agent Diagnostics Service and related PowerShell module improvements 2. Agent privacy improvement 3. 
Bug fixes and general improvements -* Azure AD Connect Health agent for Sync (version 3.0.164.0) released with Azure AD Connect version 1.1.819.0 +* Microsoft Entra Connect Health agent for Sync (version 3.0.164.0) released with Microsoft Entra Connect version 1.1.819.0 1. Agent privacy improvement 2. Bug fixes and general improvements ## March 2018 **New preview features:**-* Azure AD Connect Health for AD FS - Risky IP report and alert. +* Microsoft Entra Connect Health for AD FS - Risky IP report and alert. **Agent Update:** -* Azure AD Connect Health agent for AD DS (version 3.0.176.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.0.176.0) 1. Agent availability improvements 2. Bug fixes and general improvements-* Azure AD Connect Health agent for AD FS (version 3.0.176.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.0.176.0) 1. Agent availability improvements 2. Bug fixes and general improvements-* Azure AD Connect Health agent for Sync (version 3.0.129.0) released with Azure AD Connect version 1.1.750.0 +* Microsoft Entra Connect Health agent for Sync (version 3.0.129.0) released with Microsoft Entra Connect version 1.1.750.0 1. Agent availability improvements 2. Bug fixes and general improvements ## December 2017 **Agent Update:** -* Azure AD Connect Health agent for AD DS (version 3.0.145.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.0.145.0) 1. Agent availability improvements 2. Added new agent troubleshooting commands 3. Bug fixes and general improvements-* Azure AD Connect Health agent for AD FS (version 3.0.145.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.0.145.0) 1. Added new agent troubleshooting commands 2. Agent availability improvements 3. 
Bug fixes and general improvements Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl ## October 2017 **Agent Update:** - * Azure AD Connect Health agent for Sync (version 3.0.129.0) released with Azure AD Connect version 1.1.649.0 -<br></br> Fixed a version compatibility issue between Azure AD Connect and Azure AD Connect Health Agent for Sync. This issue affects customers who are performing Azure AD Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about Azure AD Connect Synchronization Service to Azure AD Health Service. With this fix, Health Agent version 3.0.129.0 is installed during Azure AD Connect in-place upgrade. Health Agent version 3.0.129.0 does not have compatibility issue with Azure AD Connect version 1.1.649.0. + * Microsoft Entra Connect Health agent for Sync (version 3.0.129.0) released with Microsoft Entra Connect version 1.1.649.0 +<br></br> Fixed a version compatibility issue between Microsoft Entra Connect and Microsoft Entra Connect Health Agent for Sync. This issue affects customers who are performing Microsoft Entra Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about Microsoft Entra Connect Synchronization Service to Microsoft Entra Health Service. With this fix, Health Agent version 3.0.129.0 is installed during Microsoft Entra Connect in-place upgrade. Health Agent version 3.0.129.0 does not have compatibility issue with Microsoft Entra Connect version 1.1.649.0. ## July 2017 **Agent Update:** -* Azure AD Connect Health agent for AD DS (version 3.0.68.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.0.68.0) 1. Bug fixes and general improvements 2. 
Sovereign cloud support-* Azure AD Connect Health agent for AD FS (version 3.0.68.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.0.68.0) 1. Bug fixes and general improvements 2. Sovereign cloud support-* Azure AD Connect Health agent for Sync (version 3.0.68.0) released with Azure AD Connect version 1.1.614.0 +* Microsoft Entra Connect Health agent for Sync (version 3.0.68.0) released with Microsoft Entra Connect version 1.1.614.0 1. Support for Microsoft Azure Government Cloud and Microsoft Cloud Germany ## April 2017 **Agent Update:** -* Azure AD Connect Health agent for AD FS (version 3.0.12.0) +* Microsoft Entra Connect Health agent for AD FS (version 3.0.12.0) 1. Bug fixes and general improvements-* Azure AD Connect Health agent for AD DS (version 3.0.12.0) +* Microsoft Entra Connect Health agent for AD DS (version 3.0.12.0) 1. Performance counters upload improvements 2. Bug fixes and general improvements ## October 2016 **Agent Update:** -* Azure AD Connect Health agent for AD FS (version 2.6.408.0) +* Microsoft Entra Connect Health agent for AD FS (version 2.6.408.0) * Improvements in detecting client IP addresses in authentication requests * Bug Fixes related to Alerts-* Azure AD Connect Health agent for AD DS (version 2.6.408.0) +* Microsoft Entra Connect Health agent for AD DS (version 2.6.408.0) * Bug fixes related to Alerts.-* Azure AD Connect Health agent for Sync (version 2.6.353.0) released with Azure AD Connect version 1.1.281.0 +* Microsoft Entra Connect Health agent for Sync (version 2.6.353.0) released with Microsoft Entra Connect version 1.1.281.0 * Provide the required data for the Synchronization Error Reports * Bug fixes related to Alerts **New preview features:** -* Synchronization Error Reports for Azure AD Connect +* Synchronization Error Reports for Microsoft Entra Connect **New features:** -* Azure AD Connect Health for AD FS - IP address field is available in the report about top 50 users with bad username/password. 
+* Microsoft Entra Connect Health for AD FS - IP address field is available in the report about top 50 users with bad username/password. ## July 2016 **New preview features:** -* [Azure AD Connect Health for AD DS](how-to-connect-health-adds.md). +* [Microsoft Entra Connect Health for AD DS](how-to-connect-health-adds.md). ## January 2016 **Agent Update:** -* Azure AD Connect Health agent for AD FS (version 2.6.91.1512) +* Microsoft Entra Connect Health agent for AD FS (version 2.6.91.1512) **New features:** -* [Test Connectivity Tool for Azure AD Connect Health Agents](how-to-connect-health-agent-install.md#test-connectivity-to-azure-ad-connect-health-service) +* [Test Connectivity Tool for Microsoft Entra Connect Health Agents](how-to-connect-health-agent-install.md#test-connectivity-to-azure-ad-connect-health-service) ## November 2015 **New features:** Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl **New preview features:** -* [Azure AD Connect Health for sync](how-to-connect-health-sync.md). +* [Microsoft Entra Connect Health for sync](how-to-connect-health-sync.md). **Fixed issues:** Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl * Support to configure Unauthenticated HTTP Proxy * Support to configure agent on Server core * Improvements to Alerts for AD FS-* Improvements in Azure AD Connect Health Agent for AD FS for connectivity and data upload. +* Improvements in Microsoft Entra Connect Health Agent for AD FS for connectivity and data upload. **Fixed issues:** * Bug fixes in Usage Insights for AD FS Error types. ## June 2015-**Initial release of Azure AD Connect Health for AD FS and AD FS Proxy.** +**Initial release of Microsoft Entra Connect Health for AD FS and AD FS Proxy.** **New features:** Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl * Easy access to AD FS topology and patterns in AD FS Performance Counters. 
* Trend in successful token requests on AD FS servers grouped by Applications, Authentication Methods, Request Network Location etc. * Trends in failed request on AD FS servers grouped by Applications, Error Types etc.-* Simpler Agent Deployment using Azure AD Global Administrator credentials. +* Simpler Agent Deployment using Microsoft Entra Global Administrator credentials. ## Next steps Learn more about [Monitor your on-premises identity infrastructure and synchronization services in the cloud](./whatis-azure-ad-connect.md). |
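Review bot: The rewritten NOTE line in the first hunk, "+> Microsoft Entra Connect Health agents are updated automatically when new version is released.", carries over a missing article from the old text; since the line is being rewritten anyway, make it "when a new version is released".

Review bot: The 27 March 2023 hunk leaves an unchanged context line with mojibake and a doubled word: "We created a fix for so that the agents would be FIPS compliant - the change was to have the agents use ΓÇÿCloudStorageAccount.UseV1MD5 = falseΓÇÖ so the agent only uses only FIPS compliant cryptography". The ΓÇÿ/ΓÇÖ sequences are mis-encoded curly quotes around a setting that readers may copy verbatim; while the heading of this section is being touched, replace them with plain quotes or code formatting around `CloudStorageAccount.UseV1MD5 = false`, drop "for" and the second "only", and write "FIPS" consistently (the line also has "FIPs").

Review bot: The April 2020 hunk carries mojibake into the new text: "+ - Bug fix for ΓÇ£Invalid Service Principal Name (SPN) for AD FS serviceΓÇ¥ alert". Use plain double quotes around the alert name so it renders and is searchable.

Review bot: The October 2017 hunk rewrites a long paragraph but keeps two grammar slips in the added line: "customers who are performing Microsoft Entra Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0" should be "but currently have", and "Health Agent version 3.0.129.0 does not have compatibility issue" should be "does not have a compatibility issue". The raw "<br></br>" at the start of that line is also pre-existing and could be replaced by a normal line break.

Review bot: The January 2016 hunk renames the link text but keeps the fragment "how-to-connect-health-agent-install.md#test-connectivity-to-azure-ad-connect-health-service". If the target heading in that file is renamed in the same pass, this fragment will break; verify the heading in the target file and either update the fragment or leave the heading unchanged.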
active-directory | Reference Connect Version History Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history-archive.md | Title: 'Azure AD Connect: Version release history archive' -description: This article lists all archived releases of Azure AD Connect and Azure AD Sync + Title: 'Microsoft Entra Connect: Version release history archive' +description: This article lists all archived releases of Microsoft Entra Connect and Azure AD Sync -# Azure AD Connect: Version release history archive +# Microsoft Entra Connect: Version release history archive -The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and functionality. Not all additions are applicable to all audiences. +The Microsoft Entra team regularly updates Microsoft Entra Connect with new features and functionality. Not all additions are applicable to all audiences. >[!NOTE] -> This article contains version reference information about all archived versions of Azure AD - 1.5.42.0 and older. For current releases, see the [Azure AD Connect Version release history](reference-connect-version-history.md) +> This article contains version reference information about all archived versions of Microsoft Entra ID - 1.5.42.0 and older. For current releases, see the [Microsoft Entra Connect Version release history](reference-connect-version-history.md) ## 1.5.42.0 The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect wi 07/10/2020: Released for download ### Functional changes-Includes a public preview of the functionality to export the configuration of an existing Azure AD Connect server into a .JSON file. This file can be used when installing a new Azure AD Connect server to create a copy of the original server. +Includes a public preview of the functionality to export the configuration of an existing Microsoft Entra Connect server into a .JSON file. 
This file can be used when installing a new Microsoft Entra Connect server to create a copy of the original server. A detailed description of this new feature can be found in [this article](./how-to-connect-import-export-config.md) ### Fixed issues - Fixed a bug where there would be a false warning about the local DB size on the localized builds during upgrade. - Fixed a bug where there would be a false error in the app events for the account name/domain name swap.-- Fixed an error where Azure AD Connect would fail to install on a DC, giving error "member not found".+- Fixed an error where Microsoft Entra Connect would fail to install on a DC, giving error "member not found". ## 1.5.30.0 This hotfix build fixes an issue where unselected domains were getting incorrect >[!NOTE]->This version includes the new Azure AD Connect sync V2 endpoint API. This new V2 endpoint is currently in public preview. This version or later is required to use the new V2 endpoint API. However, simply installing this version does not enable the V2 endpoint. You will continue to use the V1 endpoint unless you enable the V2 endpoint. You need to follow the steps under [Azure AD Connect sync V2 endpoint API (public preview)](how-to-connect-sync-endpoint-api-v2.md) in order to enable it and opt-in to the public preview. +>This version includes the new Microsoft Entra Connect Sync V2 endpoint API. This new V2 endpoint is currently in public preview. This version or later is required to use the new V2 endpoint API. However, simply installing this version does not enable the V2 endpoint. You will continue to use the V1 endpoint unless you enable the V2 endpoint. You need to follow the steps under [Microsoft Entra Connect Sync V2 endpoint API (public preview)](how-to-connect-sync-endpoint-api-v2.md) in order to enable it and opt-in to the public preview. 
## 1.5.29.0 This hotfix build fixes an issue in build 1.5.20.0 if you've cloned the **In fro ### Functional changes ADSyncAutoUpgrade -- Added support for the mS-DS-ConsistencyGuid feature for group objects. Allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed. For more information, see [Moving groups between forests](how-to-connect-migrate-groups.md).+- Added support for the mS-DS-ConsistencyGuid feature for group objects. Allows you to move groups between forests or reconnect groups in AD to Microsoft Entra ID where the AD group objectID has changed. For more information, see [Moving groups between forests](how-to-connect-migrate-groups.md). - The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you don't have to do anything to enable this feature. - Removed the Get-ADSyncRunProfile because it's no longer in use. - Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context. This hotfix build fixes an issue in build 1.5.20.0 if you've cloned the **In fro ### Fixed issues -- Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature. +- Fixed a bug in the group writeback forest/OU selector on rerunning the Microsoft Entra Connect wizard after disabling the feature. - Introduced a new error page that will be displayed if the required DCOM registry values are missing with a new help link. Information is also written to log files. -- Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account hasn't propagated across all service replicas before attempted use. 
+- Fixed an issue with the creation of the Microsoft Entra synchronization account where enabling Directory Extensions or PHS may fail because the account hasn't propagated across all service replicas before attempted use. - Fixed a bug in the sync errors compression utility that wasn't handling surrogate characters correctly. - Fixed a bug in the auto upgrade that left the server in the scheduler suspended state. This hotfix build fixes an issue in build 1.5.20.0 if you've cloned the **In fro ### Release status 12/9/2019: Release for download. Not available through auto-upgrade. ### New features and improvements-- We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos hashes. Provides a performance improvement during password synchronization from Azure AD to Azure AD Domain Services.+- We updated Password Hash Sync for Microsoft Entra Domain Services to properly account for padding in Kerberos hashes. Provides a performance improvement during password synchronization from Microsoft Entra ID to Microsoft Entra Domain Services. - We added support for reliable sessions between the authentication agent and service bus. - We added a DNS cache for websocket connections between authentication agent and cloud services. - We added the ability to target specific agent from cloud to test for agent connectivity. ### Fixed issues-- Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the login Windows credentials instead of the admin credentials provided while running ps. As a result of which it wasn't possible to enable DSSO in multiple forest through the Azure AD Connect user interface. -- A fix was made to enable DSSO simultaneously in all forest through the Azure AD Connect user interface+- Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the login Windows credentials instead of the admin credentials provided while running ps. 
As a result of which it wasn't possible to enable DSSO in multiple forest through the Microsoft Entra Connect user interface. +- A fix was made to enable DSSO simultaneously in all forest through the Microsoft Entra Connect user interface ## 1.4.32.0 ### Release status 11/08/2019: Released for download. Not available through auto-upgrade. >[!IMPORTANT]->Due to an internal schema change in this release of Azure AD Connect, if you manage AD FS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher +>Due to an internal schema change in this release of Microsoft Entra Connect, if you manage AD FS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher ### Fixed issues -This version fixes an issue with existing Hybrid Azure AD joined devices. This release contains a new device sync rule that corrects this issue. -This rule change may cause deletion of obsolete devices from Azure AD. These device objects aren't used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it's advised to allow the deletions to go through. [How to allow deletes to flow when they exceed the deletion threshold](how-to-connect-sync-feature-prevent-accidental-deletes.md) +This version fixes an issue with existing Microsoft Entra hybrid joined devices. This release contains a new device sync rule that corrects this issue. +This rule change may cause deletion of obsolete devices from Microsoft Entra ID. These device objects aren't used by Microsoft Entra ID during Conditional Access authorization. 
For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Microsoft Entra exceeding the Export Deletion Threshold, it's advised to allow the deletions to go through. [How to allow deletes to flow when they exceed the deletion threshold](how-to-connect-sync-feature-prevent-accidental-deletes.md) ## 1.4.25.0 We fixed a bug in the sync errors compression utility that wasn't handling surro ## 1.4.18.0 >[!WARNING]->We are investigating an incident where some customers are experiencing an issue with existing Hybrid Azure AD joined devices after upgrading to this version of Azure AD Connect. We advise customers who have deployed Hybrid Azure AD join to postpone upgrading to this version until the root cause of these issues are fully understood and mitigated. More information will be provided as soon as possible. +>We are investigating an incident where some customers are experiencing an issue with existing Microsoft Entra hybrid joined devices after upgrading to this version of Microsoft Entra Connect. We advise customers who have deployed Microsoft Entra hybrid join to postpone upgrading to this version until the root cause of these issues are fully understood and mitigated. More information will be provided as soon as possible. >[!IMPORTANT]->With this version of Azure AD Connect some customers may see some or all of their Windows devices disappear from Azure AD. These device identities aren't used by Azure AD during Conditional Access authorization. For more information, see [Understanding Azure AD Connect 1.4.xx.x device disappearance](/troubleshoot/azure/active-directory/reference-connect-device-disappearance) +>With this version of Microsoft Entra Connect some customers may see some or all of their Windows devices disappear from Microsoft Entra ID. These device identities aren't used by Microsoft Entra ID during Conditional Access authorization. 
For more information, see [Understanding Microsoft Entra Connect 1.4.xx.x device disappearance](/troubleshoot/azure/active-directory/reference-connect-device-disappearance) ### Release status We fixed a bug in the sync errors compression utility that wasn't handling surro ### New features and improvements - New troubleshooting tooling helps troubleshoot "user not syncing", "group not syncing" or "group member not syncing" scenarios.-- Add support for national clouds in Azure AD Connect troubleshooting script.+- Add support for national clouds in Microsoft Entra Connect troubleshooting script. - Customers should be informed that the deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via PS cmdlets. - Security improvement by resetting constrained delegation on AZUREADSSOACC object. - When adding/editing a sync rule, if there are any attributes used in the rule that are in the connector schema, but not added to the connector, the attributes will automatically be added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next sync cycle.-- Using an Enterprise or Domain admin as the connector account is no longer supported in new Azure AD Connect Deployments. Current Azure AD Connect deployments using an Enterprise or Domain admin as the connector account will not be affected by this release.+- Using an Enterprise or Domain admin as the connector account is no longer supported in new Microsoft Entra Connect Deployments. Current Microsoft Entra Connect deployments using an Enterprise or Domain admin as the connector account will not be affected by this release. - In the Synchronization Manager, a full sync is run on rule creation/edit/deletion. A pop-up will appear on any rule change notifying the user if full import or full sync is going to be run. 
- Added mitigation steps for password errors to 'connectors > properties > connectivity' page.-- Added a deprecation warning for the sync service manager on the connector properties page. This warning notifies the user that changes should be made through the Azure AD Connect wizard.+- Added a deprecation warning for the sync service manager on the connector properties page. This warning notifies the user that changes should be made through the Microsoft Entra Connect wizard. - Added new error for issues with a user's password policy. - Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain/OU of the entered group is already filtered out. Group filtering will keep the user from moving forward until the issue is resolved. - Users can no longer create a connector for Active Directory Domain Services or Windows Azure Active Directory in the Synchronization Service Manager UI. - Fixed accessibility of custom UI controls in the Synchronization Service Manager.-- Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the "Update AD FS TLS/SSL certificate" task was available for all sign-ins.)-- Added a warning when changing the sign-in method from federation to PHS or PTA that all Azure AD domains and users will be converted to managed authentication.-- Removed token-signing certificates from the "Reset Azure AD and AD FS trust" task and added a separate sub-task to update these certificates.+- Enabled six federation management tasks for all sign-in methods in Microsoft Entra Connect. (Previously, only the "Update AD FS TLS/SSL certificate" task was available for all sign-ins.) +- Added a warning when changing the sign-in method from federation to PHS or PTA that all Microsoft Entra domains and users will be converted to managed authentication. 
+- Removed token-signing certificates from the "Reset Microsoft Entra ID and AD FS trust" task and added a separate sub-task to update these certificates. - Added a new federation management task called "Manage certificates" which has sub-tasks to update the TLS or token-signing certificates for the AD FS farm. - Added a new federation management sub-task called "Specify primary server" which allows administrators to specify a new primary server for the AD FS farm. - Added a new federation management task called "Manage servers" which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify primary server. We fixed a bug in the sync errors compression utility that wasn't handling surro - For Auto upgrade, if any conflicting app is running from 6 hours, kill it and continue with upgrade. - Limit the number of attributes a customer can select to 100 per object when selecting directory extensions. This limit will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes per object. - Fixed a bug to make the AD Connectivity script more robust.-- Fixed a bug to make Azure AD Connect install on a machine using an existing Named Pipes WCF service more robust.+- Fixed a bug to make Microsoft Entra Connect install on a machine using an existing Named Pipes WCF service more robust. - Improved diagnostics and troubleshooting around group policies that don't allow the ADSync service to start when initially installed. - Fixed a bug where display name for a Windows computer was written incorrectly. - Fix a bug where OS type for a Windows computer was written incorrectly.-- Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. 
This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.+- Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Microsoft Entra domain join, which only works for Windows-10 devices. - Added several new (internal) cmdlets to the ADSync PowerShell module. ## 1.3.21.0 >[!IMPORTANT]->There is a known issue with upgrading Azure AD Connect from an earlier version to 1.3.21.0 where the Microsoft 365 portal does not reflect the updated version even though Azure AD Connect upgraded successfully. +>There is a known issue with upgrading Microsoft Entra Connect from an earlier version to 1.3.21.0 where the Microsoft 365 portal does not reflect the updated version even though Microsoft Entra Connect upgraded successfully. >-> To resolve this issue, you need to import the **AdSync** module and then run the `Set-ADSyncDirSyncConfiguration` PowerShell cmdlet on the Azure AD Connect server. You can use the following steps: +> To resolve this issue, you need to import the **AdSync** module and then run the `Set-ADSyncDirSyncConfiguration` PowerShell cmdlet on the Microsoft Entra Connect server. You can use the following steps: > >1. Open PowerShell in administrator mode. >2. Run `Import-Module "ADSync"`. We fixed a bug in the sync errors compression utility that wasn't handling surro ### Fixed issues -- Fixed an elevation of privilege vulnerability that exists in Microsoft Azure Active Directory Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. 
For more information, see [security update](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1000).+- Fixed an elevation of privilege vulnerability that exists in Microsoft Entra Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information, see [security update](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1000). ## 1.3.20.0 We fixed a bug in the sync errors compression utility that wasn't handling surro - Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances - Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud - needed for claims - Modified Default Sync Rule Handling – read more [here](how-to-connect-fix-default-rules.md).-- Added a new agent running as a Windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent, see [What is the Azure AD Connect Admin Agent?](whatis-aadc-admin-agent.md). +- Added a new agent running as a Windows service. This agent, named “Admin Agent”, enables deeper remote diagnostics of the Microsoft Entra Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent, see [What is the Microsoft Entra Connect Admin Agent?](whatis-aadc-admin-agent.md). - Updated the End User License Agreement (EULA) -- Added auto upgrade support for deployments that use AD FS as their login type. 
This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process. -- Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust. -- Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates). +- Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Microsoft Entra ID Relying Party Trust as part of the upgrade process. +- Added a Microsoft Entra ID trust management task that provides two options: analyze/update trust and reset trust. +- Changed the AD FS Microsoft Entra ID Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Microsoft Entra domain updates). - Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate. - Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation. We fixed a bug in the sync errors compression utility that wasn't handling surro - Fix PS Permissions script to refine GWB permissions - Fix VSS Errors with LocalDB - Fix misleading error message when object type is not in scope -- Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect. +- Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Microsoft Entra Connect. - Fixed PHS bug on Staging Server when Connector Credentials are updated in the Synchronization Service Manager UI. 
- Fixed some memory leaks - Miscellaneous Autoupgrade fixes We fixed a bug in the sync errors compression utility that wasn't handling surro ### Fixed issues -This build updates the non-standard connectors (for example, Generic LDAP Connector and Generic SQL Connector) shipped with Azure AD Connect. For more information on applicable connectors, see version 1.1.911.0 in [Connector Version Release History](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history). +This build updates the non-standard connectors (for example, Generic LDAP Connector and Generic SQL Connector) shipped with Microsoft Entra Connect. For more information on applicable connectors, see version 1.1.911.0 in [Connector Version Release History](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history). ## 1.2.69.0 This hotfix build fixes a regression in the previous build where Password Writeb ### New features and improvements -- Changed the functionality of attribute write-back to ensure hosted voice-mail is working as expected. Under certain scenarios, Azure AD was overwriting the msExchUcVoicemailSettings attribute during write-back with a null value. Azure AD will now no longer clear the on-premises value of this attribute if the cloud value is not set.-- Added diagnostics in the Azure AD Connect wizard to investigate and identify Connectivity issues to Azure AD. These same diagnostics can also be run directly through PowerShell using the Test- AdSyncAzureServiceConnectivity Cmdlet. -- Added diagnostics in the Azure AD Connect wizard to investigate and identify Connectivity issues to AD. These same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in the ADConnectivityTools PowerShell module. 
For more information, see [What is the ADConnectivityTool PowerShell Module?](how-to-connect-adconnectivitytools.md)-- Added an AD schema version pre-check for Hybrid Azure Active Directory Join and device write-back +- Changed the functionality of attribute write-back to ensure hosted voice-mail is working as expected. Under certain scenarios, Microsoft Entra ID was overwriting the msExchUcVoicemailSettings attribute during write-back with a null value. Microsoft Entra ID will now no longer clear the on-premises value of this attribute if the cloud value is not set. +- Added diagnostics in the Microsoft Entra Connect wizard to investigate and identify Connectivity issues to Microsoft Entra ID. These same diagnostics can also be run directly through PowerShell using the Test- AdSyncAzureServiceConnectivity Cmdlet. +- Added diagnostics in the Microsoft Entra Connect wizard to investigate and identify Connectivity issues to AD. These same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in the ADConnectivityTools PowerShell module. For more information, see [What is the ADConnectivityTool PowerShell Module?](how-to-connect-adconnectivitytools.md) +- Added an AD schema version pre-check for Microsoft Entra hybrid join and device write-back - Changed the Directory Extension page attribute search to be non-case sensitive.-- Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Azure AD Connect is installed. For more information, see [TLS 1.2 enforcement for Azure AD Connect](reference-connect-tls-enforcement.md)+- Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Microsoft Entra Connect is installed. 
For more information, see [TLS 1.2 enforcement for Microsoft Entra Connect](reference-connect-tls-enforcement.md) ### Fixed issues -- Fixed a bug where Azure AD Connect Upgrade would fail if SQL Always On was being used. +- Fixed a bug where Microsoft Entra Connect Upgrade would fail if SQL Always On was being used. - Fixed a bug to correctly parse OU names that contain a forward slash. - Fixed an issue where Pass-Through Authentication would be disabled for a clean install in staging mode. - Fixed a bug that prevented the PowerShell module to be loaded when running the Troubleshooting tools - Fixed a bug that would block customers from using numeric values in the first character of a host name. -- Fixed a bug where Azure AD Connect would allow invalid partitions and container selection +- Fixed a bug where Microsoft Entra Connect would allow invalid partitions and container selection - Fixed the “Invalid Password” error message when Desktop SSO is enabled. - Various Bug fixes for AD FS Trust Management - When configuring Device Writeback - fixed the schema check to look for the msDs-DeviceContainer object class (introduced on WS2012 R2) This hotfix build fixes a regression in the previous build where Password Writeb ### Fixed issues -Azure AD Connect Upgrade fails if SQL Always On Availability is configured for the ADSync DB. This hotfix addresses this issue and allows Upgrade to succeed. +Microsoft Entra Connect Upgrade fails if SQL Always On Availability is configured for the ADSync DB. This hotfix addresses this issue and allows Upgrade to succeed. ## 1.1.880.0 Azure AD Connect Upgrade fails if SQL Always On Availability is configured for t ### New features and improvements -- The Ping Federate integration in Azure AD Connect is now available for General Availability. 
[Learn more about how to federated Azure AD with Ping Federate](./plan-connect-user-signin.md#federation-with-pingfederate)-- Azure AD Connect now creates the backup of Azure AD trust in AD FS every time an update is made and stores it in a separate file for easy restore if required. [Learn more about the new functionality and Azure AD trust management in Azure AD Connect](./how-to-connect-azure-ad-trust.md).+- The Ping Federate integration in Microsoft Entra Connect is now available for General Availability. [Learn more about how to federated Microsoft Entra ID with Ping Federate](./plan-connect-user-signin.md#federation-with-pingfederate) +- Microsoft Entra Connect now creates the backup of Microsoft Entra ID trust in AD FS every time an update is made and stores it in a separate file for easy restore if required. [Learn more about the new functionality and Microsoft Entra ID trust management in Microsoft Entra Connect](./how-to-connect-azure-ad-trust.md). - New troubleshooting tooling helps troubleshoot changing primary email address and hiding account from global address list-- Azure AD Connect was updated to include the latest SQL Server 2012 Native Client+- Microsoft Entra Connect was updated to include the latest SQL Server 2012 Native Client - When you switch user sign-in to Password Hash Synchronization or Pass-through Authentication in the "Change user sign-in" task, the Seamless Single Sign-On checkbox is enabled by default. - Added support for Windows Server Essentials 2019-- The Azure AD Connect Health agent was updated to the latest version 3.1.7.0+- The Microsoft Entra Connect Health agent was updated to the latest version 3.1.7.0 - During an upgrade, if the installer detects changes to the default sync rules, the admin is prompted with a warning before overwriting the modified rules. This will allow the user to take corrective actions and resume later. 
Old Behavior: If there was any modified out-of-box rule then manual upgrade was overwriting those rules without giving any warning to the user and sync scheduler was disabled without informing user. New Behavior: User will be prompted with warning before overwriting the modified out-of-box sync rules. User will have choice to stop the upgrade process and resume later after taking corrective action. - Provide a better handling of a FIPS compliance issue, providing an error message for MD5 hash generation in a FIPS compliant environment and a link to documentation that provides a work around for this issue. - UI update to improve federation tasks in the wizard, which are now under a separate sub group for federation. Azure AD Connect Upgrade fails if SQL Always On Availability is configured for t ### Fixed issues -- Fixed a bug where the Azure AD Connect server would show high CPU usage after upgrading to .NET 4.7.2+- Fixed a bug where the Microsoft Entra Connect server would show high CPU usage after upgrading to .NET 4.7.2 - Fixed a bug that would intermittently produce an error message for an auto-resolved SQL deadlock issue - Fixed several accessibility issues for the Sync Rules Editor and the Sync Service Manager -- Fixed a bug where Azure AD Connect can not get registry setting information+- Fixed a bug where Microsoft Entra Connect can not get registry setting information - Fixed a bug that created issues when the user goes forward/back in the wizard - Fixed a bug to prevent an error happening due to incorrect multi-thread handing in the wizard-- When Group Sync Filtering page encounters an LDAP error when resolving security groups, Azure AD Connect now returns the exception with full fidelity. The root cause for the referral exception is still unknown and will be addressed by a different bug.+- When Group Sync Filtering page encounters an LDAP error when resolving security groups, Microsoft Entra Connect now returns the exception with full fidelity. 
The root cause for the referral exception is still unknown and will be addressed by a different bug. - Fixed a bug where permissions for STK and NGC keys (ms-DS-KeyCredentialLink attribute on User/Device objects for WHfB) were not correctly set. - Fixed a bug where 'Set-ADSyncRestrictedPermissions’ wasn't called correctly - Adding support for permission granting on Group Writeback in Azure ADConnect's installation wizard Azure AD Connect Upgrade fails if SQL Always On Availability is configured for t New features and improvements -- This release includes the public preview of the integration of PingFederate in Azure AD Connect. With this release, customers can easily, and reliably configure their Azure Active Directory environment to leverage PingFederate as their federation provider. To learn more about how to use this new feature, please visit our [online documentation](plan-connect-user-signin.md#federation-with-pingfederate). -- Updated the Azure AD Connect Wizard Troubleshooting Utility, where it now analyzes more error scenario’s, such as Linked Mailboxes and AD Dynamic Groups. Read more about the troubleshooting utility [here](tshoot-connect-objectsync.md).-- Device Writeback configuration is now managed solely within the Azure AD Connect Wizard.+- This release includes the public preview of the integration of PingFederate in Microsoft Entra Connect. With this release, customers can easily, and reliably configure their Microsoft Entra environment to leverage PingFederate as their federation provider. To learn more about how to use this new feature, please visit our [online documentation](plan-connect-user-signin.md#federation-with-pingfederate). +- Updated the Microsoft Entra Connect Wizard Troubleshooting Utility, where it now analyzes more error scenario’s, such as Linked Mailboxes and AD Dynamic Groups. Read more about the troubleshooting utility [here](tshoot-connect-objectsync.md). 
+- Device Writeback configuration is now managed solely within the Microsoft Entra Connect Wizard. - A new PowerShell Module called ADSyncTools.psm1 is added that can be used to troubleshoot SQL Connectivity issues and various other troubleshooting utilities. Read more about the ADSyncTools module [here](tshoot-connect-tshoot-sql-connectivity.md). - A new additional task “Configure device options” has been added. You can use the task to configure the following two operations: - - **Hybrid Azure AD join**: If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. + - **Microsoft Entra hybrid join**: If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These are devices that are both, joined to your on-premises Active Directory and your Microsoft Entra ID. - **Device writeback**: Device writeback is used to enable Conditional Access based on devices to AD FS (2012 R2 or higher) protected devices >[!NOTE] New features and improvements - This release updates the SQL Server Express installation to SQL Server 2012 SP4, which, among others, provides fixes for several security vulnerabilities. Please see [here](https://support.microsoft.com/help/4018073/sql-server-2012-service-pack-4-release-information) for more information about SQL Server 2012 SP4. 
- Sync Rule Processing: outbound Join sync rules with no Join Condition should be de-applied if the parent sync rule is no longer applicable - Several accessibility fixes have been applied to the Synchronization Service Manager UI and the Sync Rules Editor-- Azure AD Connect Wizard: Error creating AD Connector account when Azure AD Connect is in a workgroup-- Azure AD Connect Wizard: On the Azure AD Sign-in page display the verification checkbox whenever there is any mismatch in AD domains and Azure AD Verified domains+- Microsoft Entra Connect Wizard: Error creating AD Connector account when Microsoft Entra Connect is in a workgroup +- Microsoft Entra Connect Wizard: On the Microsoft Entra Sign-in page display the verification checkbox whenever there is any mismatch in AD domains and Microsoft Entra ID Verified domains - Auto-upgrade PowerShell fix to set auto upgrade state correctly in certain cases after auto upgrade attempted.-- Azure AD Connect Wizard: Updated telemetry to capture previously missing information-- Azure AD Connect Wizard: The following changes have been made when you use the **Change user sign-in** task to switch from AD FS to Pass-through Authentication:- - The Pass-through Authentication Agent is installed on the Azure AD Connect server and the Pass-through Authentication feature is enabled, before we convert domain(s) from federated to managed. +- Microsoft Entra Connect Wizard: Updated telemetry to capture previously missing information +- Microsoft Entra Connect Wizard: The following changes have been made when you use the **Change user sign-in** task to switch from AD FS to Pass-through Authentication: + - The Pass-through Authentication Agent is installed on the Microsoft Entra Connect server and the Pass-through Authentication feature is enabled, before we convert domain(s) from federated to managed. - Users are no longer converted from federated to managed. 
Only domain(s) are converted.-- Azure AD Connect Wizard: AD FS Multi Domain Regex is not correct when user UPN has ' special character Regex update to support special characters-- Azure AD Connect Wizard: Remove spurious "Configure source anchor attribute" message when no change -- Azure AD Connect Wizard: AD FS support for the dual federation scenario-- Azure AD Connect Wizard: AD FS Claims aren't updated for added domain when converting a managed domain to federated-- Azure AD Connect Wizard: During detection of installed packages, we find stale Dirsync/Azure AD Sync/Azure AD Connect related products. We will now attempt to uninstall the stale products.-- Azure AD Connect Wizard: Correct Error Message Mapping when installation of passthrough authentication agent fails-- Azure AD Connect Wizard: Removed "Configuration" container from Domain OU Filtering page+- Microsoft Entra Connect Wizard: AD FS Multi Domain Regex is not correct when user UPN has ' special character Regex update to support special characters +- Microsoft Entra Connect Wizard: Remove spurious "Configure source anchor attribute" message when no change +- Microsoft Entra Connect Wizard: AD FS support for the dual federation scenario +- Microsoft Entra Connect Wizard: AD FS Claims aren't updated for added domain when converting a managed domain to federated +- Microsoft Entra Connect Wizard: During detection of installed packages, we find stale Dirsync/Azure AD Sync/Azure AD Connect related products. We will now attempt to uninstall the stale products. 
+- Microsoft Entra Connect Wizard: Correct Error Message Mapping when installation of passthrough authentication agent fails +- Microsoft Entra Connect Wizard: Removed "Configuration" container from Domain OU Filtering page - Sync Engine install: remove unnecessary legacy logic that occasionally failed from Sync Engine install msi-- Azure AD Connect Wizard: Fix pop-up help text on Optional Features page for Password Hash Sync+- Microsoft Entra Connect Wizard: Fix pop-up help text on Optional Features page for Password Hash Sync - Sync Engine runtime: Fix the scenario where a CS object has an imported delete and Sync Rules attempt to re-provision the object. - Sync Engine runtime: Add help link for Online connectivity troubleshooting guide to the event log for an Import Error - Sync Engine runtime: Reduced memory usage of Sync Scheduler when enumerating Connectors-- Azure AD Connect Wizard: Fix an issue resolving a custom Sync Service Account which has no AD Read privileges-- Azure AD Connect Wizard: Improve logging of Domain and OU filtering selections-- Azure AD Connect Wizard: AD FS Add default claims to federation trust created for MFA scenario-- Azure AD Connect Wizard: AD FS Deploy WAP: Adding server fails to use new certificate-- Azure AD Connect Wizard: DSSO exception when onPremCredentials aren't initialized for a domain +- Microsoft Entra Connect Wizard: Fix an issue resolving a custom Sync Service Account which has no AD Read privileges +- Microsoft Entra Connect Wizard: Improve logging of Domain and OU filtering selections +- Microsoft Entra Connect Wizard: AD FS Add default claims to federation trust created for MFA scenario +- Microsoft Entra Connect Wizard: AD FS Deploy WAP: Adding server fails to use new certificate +- Microsoft Entra Connect Wizard: DSSO exception when onPremCredentials aren't initialized for a domain - Preferentially flow the AD distinguishedName attribute from the Active User object. 
- Fixed a cosmetic bug were the Precedence of the first OOB Sync Rule was set to 99 instead of 100 New features and improvements Status 4/12/2018: Released for download only >[!NOTE]->This release is a hotfix for Azure AD Connect -### Azure AD Connect sync +>This release is a hotfix for Microsoft Entra Connect +<a name='azure-ad-connect-sync'></a> ++### Microsoft Entra Connect Sync #### Fixed issues Corrected an issue were automatic Azure instance discovery for China tenants was occasionally failing. There was a problem in the configuration retry logic that would result in an Arg ## 1.1.750.0 Status 3/22/2018: Released for auto-upgrade and download. >[!NOTE]->When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so. +>When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Microsoft Entra connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Microsoft Entra Connect environment, make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so. >[!NOTE]->“AutoUpgrade functionality was incorrectly disabled for some tenants who deployed builds later than 1.1.524.0. To ensure that your Azure AD Connect instance is still eligible for AutoUpgrade, run the following PowerShell cmdlet: +>“AutoUpgrade functionality was incorrectly disabled for some tenants who deployed builds later than 1.1.524.0. 
To ensure that your Microsoft Entra Connect instance is still eligible for AutoUpgrade, run the following PowerShell cmdlet: “Set-ADSyncAutoUpgrade -AutoupGradeState Enabled” -### Azure AD Connect +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect #### Fixed issues * Set-ADSyncAutoUpgrade cmdlet would previously block Autoupgrade if auto-upgrade state is set to Suspended. This functionality has now changed so it does not block AutoUpgrade of future builds.-* Changed the **User Sign-in** page option "Password Synchronization" to "Password Hash Synchronization". Azure AD Connect synchronizes password hashes, not passwords, so this aligns with what is actually occurring. For more information, see [Implement password hash synchronization with Azure AD Connect sync](how-to-connect-password-hash-synchronization.md) +* Changed the **User Sign-in** page option "Password Synchronization" to "Password Hash Synchronization". Microsoft Entra Connect synchronizes password hashes, not passwords, so this aligns with what is actually occurring. For more information, see [Implement password hash synchronization with Microsoft Entra Connect Sync](how-to-connect-password-hash-synchronization.md) ## 1.1.749.0 Status: Released to select customers >[!NOTE]->When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, please make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so. -### Azure AD Connect +>When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Microsoft Entra connector and a full sync for the AD connector. 
Since this may take some time, depending on the size of your Microsoft Entra Connect environment, please make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so. +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect #### Fixed issues * Fix timing window on background tasks for Partition Filtering page when switching to next page. Status: Released to select customers * Fixed a bug where certificates with SAN wildcards failed a prerequisite check. -* Fixed a bug which causes miiserver.exe to crash during an Azure AD connector export. +* Fixed a bug which causes miiserver.exe to crash during a Microsoft Entra connector export. -* Fixed a bug which bad password attempt logged on DC when running the Azure AD Connect wizard to change configuration. +* Fixed a bug which bad password attempt logged on DC when running the Microsoft Entra Connect wizard to change configuration. #### New features and improvements Status: Released to select customers * application telemetry - admin can switch this class of data on/off at will -* Azure AD Health data - admin must visit the health portal to control their health settings. +* Microsoft Entra Health data - admin must visit the health portal to control their health settings. Once the service policy has been changed, the agents will read and enforce it. * Added device write-back configuration actions and a progress bar for page initialization Status: Released to select customers The changes will take care of following: 1. Express Installations 2. Custom Installations with Auto-Create account-3. Changed the installer so it doesn't require SA privilege on clean install of Azure AD Connect +3. Changed the installer so it doesn't require SA privilege on clean install of Microsoft Entra Connect -* Added a new utility to troubleshoot synchronization issues for a specific object. 
It is available under 'Troubleshoot Object Synchronization' option of Azure AD Connect Wizard Troubleshoot Additional Task. Currently, the utility checks for the following: +* Added a new utility to troubleshoot synchronization issues for a specific object. It is available under 'Troubleshoot Object Synchronization' option of Microsoft Entra Connect Wizard Troubleshoot Additional Task. Currently, the utility checks for the following: - * UserPrincipalName mismatch between synchronized user object and the user account in Azure AD Tenant. + * UserPrincipalName mismatch between synchronized user object and the user account in Microsoft Entra tenant. * If the object is filtered from synchronization due to domain filtering * If the object is filtered from synchronization due to organizational unit (OU) filtering * Added a new utility to synchronize the current password hash stored in the on-premises Active Directory for a specific user account. -The utility does not require a password change. It is available under 'Troubleshoot Password Hash Synchronization' option of Azure AD Connect Wizard Troubleshoot Additional Task. +The utility does not require a password change. It is available under 'Troubleshoot Password Hash Synchronization' option of Microsoft Entra Connect Wizard Troubleshoot Additional Task. The utility does not require a password change. It is available under 'Troublesh Status: December 12th, 2017 >[!NOTE]->This release is a security related hotfix for Azure AD Connect -### Azure AD Connect -An improvement has been added to Azure AD Connect version 1.1.654.0 (and after) to ensure that the recommended permission changes described under section [Lock down access to the AD DS account](#lock) are automatically applied when Azure AD Connect creates the AD DS account. 
+>This release is a security related hotfix for Microsoft Entra Connect +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect +An improvement has been added to Microsoft Entra Connect version 1.1.654.0 (and after) to ensure that the recommended permission changes described under section [Lock down access to the AD DS account](#lock) are automatically applied when Microsoft Entra Connect creates the AD DS account. -- When setting up Azure AD Connect, the installing administrator can either provide an existing AD DS account, or let Azure AD Connect automatically create the account. The permission changes are automatically applied to the AD DS account that is created by Azure AD Connect during setup. They aren't applied to existing AD DS account provided by the installing administrator.-- For customers who have upgraded from an older version of Azure AD Connect to 1.1.654.0 (or after), the permission changes will not be retroactively applied to existing AD DS accounts created prior to the upgrade. They will only be applied to new AD DS accounts created after the upgrade. This occurs when you are adding new AD forests to be synchronized to Azure AD.+- When setting up Microsoft Entra Connect, the installing administrator can either provide an existing AD DS account, or let Microsoft Entra Connect automatically create the account. The permission changes are automatically applied to the AD DS account that is created by Microsoft Entra Connect during setup. They aren't applied to existing AD DS account provided by the installing administrator. +- For customers who have upgraded from an older version of Microsoft Entra Connect to 1.1.654.0 (or after), the permission changes will not be retroactively applied to existing AD DS accounts created prior to the upgrade. They will only be applied to new AD DS accounts created after the upgrade. This occurs when you are adding new AD forests to be synchronized to Microsoft Entra ID. 
>[!NOTE]->This release only removes the vulnerability for new installations of Azure AD Connect where the service account is created by the installation process. For existing installations, or in cases where you provide the account yourself, you should ensure that this vulnerability does not exist. +>This release only removes the vulnerability for new installations of Microsoft Entra Connect where the service account is created by the installation process. For existing installations, or in cases where you provide the account yourself, you should ensure that this vulnerability does not exist. #### <a name="lock"></a> Lock down access to the AD DS account Lock down access to the AD DS account by implementing the following permission changes in the on-premises AD: Allow | Authenticated Users | Read Permissions | This object | #### PowerShell script to tighten a pre-existing service account -To use the PowerShell script, to apply these settings, to a pre-existing AD DS account, (ether provided by your organization or created by a previous installation of Azure AD Connect, please download the script from the provided link above. +To use the PowerShell script, to apply these settings, to a pre-existing AD DS account, (ether provided by your organization or created by a previous installation of Microsoft Entra Connect, please download the script from the provided link above. ##### Usage: Set-ADSyncRestrictedPermissions -ObjectDN "CN=TestAccount1,CN=Users,DC=bvtadwbac ``` ### Was this vulnerability used to gain unauthorized access? -To see if this vulnerability was used to compromise your Azure AD Connect configuration you should verify the last password reset date of the service account. If the timestamp in unexpected, further investigation, via the event log, for that password reset event, should be undertaken. 
+To see if this vulnerability was used to compromise your Microsoft Entra Connect configuration you should verify the last password reset date of the service account. If the timestamp in unexpected, further investigation, via the event log, for that password reset event, should be undertaken. For more information, see [Microsoft Security Advisory 4056318](/security-updates/securityadvisories/2017/4056318) For more information, see [Microsoft Security Advisory 4056318](/security-update Status: October 27 2017 >[!NOTE]->This build is not available to customers through the Azure AD Connect Auto Upgrade feature. -### Azure AD Connect +>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature. +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect #### Fixed issue-* Fixed a version compatibility issue between Azure AD Connect and Azure AD Connect Health Agent (for sync). This issue affects customers who are performing Azure AD Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about Azure AD Connect Synchronization Service to Azure AD Health Service. With this fix, Health Agent version 3.0.129.0 is installed during Azure AD Connect in-place upgrade. Health Agent version 3.0.129.0 does not have compatibility issue with Azure AD Connect version 1.1.649.0. +* Fixed a version compatibility issue between Microsoft Entra Connect and Microsoft Entra Connect Health Agent (for sync). This issue affects customers who are performing Microsoft Entra Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about Microsoft Entra Connect Synchronization Service to Microsoft Entra Health Service. With this fix, Health Agent version 3.0.129.0 is installed during Microsoft Entra Connect in-place upgrade. 
Health Agent version 3.0.129.0 does not have compatibility issue with Microsoft Entra Connect version 1.1.649.0. ## 1.1.647.0 Status: October 19 2017 > [!IMPORTANT]-> There is a known compatibility issue between Azure AD Connect version 1.1.647.0 and Azure AD Connect Health Agent (for sync) version 3.0.127.0. This issue prevents the Health Agent from sending health data about the Azure AD Connect Synchronization Service (including object synchronization errors and run history data) to Azure AD Health Service. Before manually upgrading your Azure AD Connect deployment to version 1.1.647.0, please verify the current version of Azure AD Connect Health Agent installed on your Azure AD Connect server. You can do so by going to *Control Panel → Add Remove Programs* and look for application *Microsoft Azure AD Connect Health Agent for Sync*. If its version is 3.0.127.0, it's recommended that you wait for the next Azure AD Connect version to be available before upgrade. If the Health Agent version isn't 3.0.127.0, it's fine to proceed with the manual, in-place upgrade. This issue does not affect swing upgrade or customers who are performing new installation of Azure AD Connect. +> There is a known compatibility issue between Microsoft Entra Connect version 1.1.647.0 and Microsoft Entra Connect Health Agent (for sync) version 3.0.127.0. This issue prevents the Health Agent from sending health data about the Microsoft Entra Connect Synchronization Service (including object synchronization errors and run history data) to Microsoft Entra Health Service. Before manually upgrading your Microsoft Entra Connect deployment to version 1.1.647.0, please verify the current version of Microsoft Entra Connect Health Agent installed on your Microsoft Entra Connect server. You can do so by going to *Control Panel → Add Remove Programs* and look for application *Microsoft Entra Connect Health Agent for Sync*. 
If its version is 3.0.127.0, it's recommended that you wait for the next Microsoft Entra Connect version to be available before upgrade. If the Health Agent version isn't 3.0.127.0, it's fine to proceed with the manual, in-place upgrade. This issue does not affect swing upgrade or customers who are performing new installation of Microsoft Entra Connect. > >-### Azure AD Connect +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect #### Fixed issues-* Fixed an issue with the *Change user sign-in* task in Azure AD Connect wizard: +* Fixed an issue with the *Change user sign-in* task in Microsoft Entra Connect wizard: - * The issue occurs when you've an existing Azure AD Connect deployment with Password Synchronization **enabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt. + * The issue occurs when you've an existing Microsoft Entra Connect deployment with Password Synchronization **enabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt. * By design, the wizard does not disable Password Synchronization when you update the user sign-in method using the *Change user sign-in* task. This is to avoid disruption to customers who want to keep Password Synchronization, even though they are enabling Pass-through Authentication or federation as their primary user sign-in method. 
* If you wish to disable Password Synchronization after updating the user sign-in method, you must execute the *Customize Synchronization Configuration* task in the wizard. When you navigate to the *Optional features* page, uncheck the *Password Synchronization* option. - * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Azure AD Connect deployment with Password Synchronization enabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt. + * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Microsoft Entra Connect deployment with Password Synchronization enabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt. 
-* Fixed an issue with the *Change user sign-in* task in Azure AD Connect wizard: +* Fixed an issue with the *Change user sign-in* task in Microsoft Entra Connect wizard: - * The issue occurs when you've an existing Azure AD Connect deployment with Password Synchronization **disabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. When the change is applied, the wizard enables both Pass-through Authentication and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization. + * The issue occurs when you've an existing Microsoft Entra Connect deployment with Password Synchronization **disabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. When the change is applied, the wizard enables both Pass-through Authentication and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization. - * Previously, Password Synchronization was a pre-requisite for enabling Pass-through Authentication. When you set the user sign-in method as *Pass-through Authentication*, the wizard would enable both Pass-through Authentication and Password Synchronization. Recently, Password Synchronization was removed as a pre-requisite. As part of Azure AD Connect version 1.1.557.0, a change was made to Azure AD Connect to not enable Password Synchronization when you set the user sign-in method as *Pass-through Authentication*. However, the change was only applied to Azure AD Connect installation. With this fix, the same change is also applied to the *Change user sign-in* task. + * Previously, Password Synchronization was a pre-requisite for enabling Pass-through Authentication. When you set the user sign-in method as *Pass-through Authentication*, the wizard would enable both Pass-through Authentication and Password Synchronization. Recently, Password Synchronization was removed as a pre-requisite. 
As part of Microsoft Entra Connect version 1.1.557.0, a change was made to Microsoft Entra Connect to not enable Password Synchronization when you set the user sign-in method as *Pass-through Authentication*. However, the change was only applied to Microsoft Entra Connect installation. With this fix, the same change is also applied to the *Change user sign-in* task. - * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Azure AD Connect deployment with Password Synchronization disabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". When the change is applied, the wizard enables Password Synchronization. With this fix, the wizard no longer enables Password Synchronization. + * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Microsoft Entra Connect deployment with Password Synchronization disabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". When the change is applied, the wizard enables Password Synchronization. With this fix, the wizard no longer enables Password Synchronization. -* Fixed an issue that caused Azure AD Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". 
The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Azure AD Connect. With this fix, Azure AD Connect only requires the administrator to have db_owner privilege to the ADSync database during upgrade. +* Fixed an issue that caused Microsoft Entra Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Microsoft Entra Connect. With this fix, Microsoft Entra Connect only requires the administrator to have db_owner privilege to the ADSync database during upgrade. -* Fixed an Azure AD Connect Upgrade issue that affected customers who have enabled [Seamless Single Sign-On](./how-to-connect-sso.md). After Azure AD Connect is upgraded, Seamless Single Sign-On incorrectly appears as disabled in Azure AD Connect wizard, even though the feature remains enabled and fully functional. With this fix, the feature now appears correctly as enabled in the wizard. +* Fixed a Microsoft Entra Connect Upgrade issue that affected customers who have enabled [Seamless Single Sign-On](./how-to-connect-sso.md). After Microsoft Entra Connect is upgraded, Seamless Single Sign-On incorrectly appears as disabled in Microsoft Entra Connect wizard, even though the feature remains enabled and fully functional. With this fix, the feature now appears correctly as enabled in the wizard. -* Fixed an issue that caused Azure AD Connect wizard to always show the “*Configure Source Anchor*” prompt on the *Ready to Configure* page, even if no changes related to Source Anchor were made. 
+* Fixed an issue that caused Microsoft Entra Connect wizard to always show the “*Configure Source Anchor*” prompt on the *Ready to Configure* page, even if no changes related to Source Anchor were made. -* When performing manual in-place upgrade of Azure AD Connect, the customer is required to provide the Global Administrator credentials of the corresponding Azure AD tenant. Previously, upgrade could proceed even though the Global Administrator's credentials belonged to a different Azure AD tenant. While upgrade appears to complete successfully, certain configurations aren't correctly persisted with the upgrade. With this change, the wizard prevents the upgrade from proceeding if the credentials provided don't match the Azure AD tenant. +* When performing manual in-place upgrade of Microsoft Entra Connect, the customer is required to provide the Global Administrator credentials of the corresponding Microsoft Entra tenant. Previously, upgrade could proceed even though the Global Administrator's credentials belonged to a different Microsoft Entra tenant. While upgrade appears to complete successfully, certain configurations aren't correctly persisted with the upgrade. With this change, the wizard prevents the upgrade from proceeding if the credentials provided don't match the Microsoft Entra tenant. -* Removed redundant logic that unnecessarily restarted Azure AD Connect Health service at the beginning of a manual upgrade. +* Removed redundant logic that unnecessarily restarted Microsoft Entra Connect Health service at the beginning of a manual upgrade. #### New features and improvements-* Added logic to simplify the steps required to set up Azure AD Connect with Microsoft Germany Cloud. Previously, you are required to update specific registry keys on the Azure AD Connect server for it to work correctly with Microsoft Germany Cloud, as described in this article. 
Now, Azure AD Connect can automatically detect if your tenant is in Microsoft Germany Cloud based on the Hybrid Identity Administrator credentials provided during setup. +* Added logic to simplify the steps required to set up Microsoft Entra Connect with Microsoft Germany Cloud. Previously, you are required to update specific registry keys on the Microsoft Entra Connect server for it to work correctly with Microsoft Germany Cloud, as described in this article. Now, Microsoft Entra Connect can automatically detect if your tenant is in Microsoft Germany Cloud based on the Hybrid Identity Administrator credentials provided during setup. ++<a name='azure-ad-connect-sync'></a> -### Azure AD Connect Sync +### Microsoft Entra Connect Sync > [!NOTE]-> Note: The Synchronization Service has a WMI interface that lets you develop your own custom scheduler. This interface is now deprecated and will be removed from future versions of Azure AD Connect shipped after June 30, 2018. Customers who want to customize synchronization schedule should use the [built-in scheduler](./how-to-connect-sync-feature-scheduler.md). +> Note: The Synchronization Service has a WMI interface that lets you develop your own custom scheduler. This interface is now deprecated and will be removed from future versions of Microsoft Entra Connect shipped after June 30, 2018. Customers who want to customize synchronization schedule should use the [built-in scheduler](./how-to-connect-sync-feature-scheduler.md). #### Fixed issues-* When Azure AD Connect wizard creates the AD Connector account required to synchronize changes from on-premises Active Directory, it does not correctly assign the account the permission required to read PublicFolder objects. This issue affects both Express installation and Custom installation. This change fixes the issue. 
+* When Microsoft Entra Connect wizard creates the AD Connector account required to synchronize changes from on-premises Active Directory, it does not correctly assign the account the permission required to read PublicFolder objects. This issue affects both Express installation and Custom installation. This change fixes the issue. -* Fixed an issue that caused the Azure AD Connect Wizard troubleshooting page to not render correctly for administrators running from Windows Server 2016. +* Fixed an issue that caused the Microsoft Entra Connect Wizard troubleshooting page to not render correctly for administrators running from Windows Server 2016. #### New features and improvements-* When troubleshooting Password Synchronization using the Azure AD Connect wizard troubleshooting page, the troubleshooting page now returns domain-specific status. +* When troubleshooting Password Synchronization using the Microsoft Entra Connect wizard troubleshooting page, the troubleshooting page now returns domain-specific status. -* Previously, if you tried to enable Password Hash Synchronization, Azure AD Connect does not verify whether the AD Connector account has required permissions to synchronize password hashes from on-premises AD. Now, Azure AD Connect wizard will verify and warn you if the AD Connector account does not have sufficient permissions. +* Previously, if you tried to enable Password Hash Synchronization, Microsoft Entra Connect does not verify whether the AD Connector account has required permissions to synchronize password hashes from on-premises AD. Now, Microsoft Entra Connect wizard will verify and warn you if the AD Connector account does not have sufficient permissions. ### AD FS Management #### Fixed issue-* Fixed an issue related to the use of [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. 
This issue affects customers who have configured *Federation with AD FS* as the user sign-in method. When you execute *Configure Source Anchor* task in the wizard, Azure AD Connect switches to using *ms-DS-ConsistencyGuid as source attribute for immutableId. As part of this change, Azure AD Connect attempts to update the claim rules for ImmutableId in AD FS. However, this step failed because Azure AD Connect didn't have the administrator credentials required to configure AD FS. With this fix, Azure AD Connect now prompts you to enter the administrator credentials for AD FS when you execute the *Configure Source Anchor* task. +* Fixed an issue related to the use of [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. This issue affects customers who have configured *Federation with AD FS* as the user sign-in method. When you execute *Configure Source Anchor* task in the wizard, Microsoft Entra Connect switches to using *ms-DS-ConsistencyGuid as source attribute for immutableId. As part of this change, Microsoft Entra Connect attempts to update the claim rules for ImmutableId in AD FS. However, this step failed because Microsoft Entra Connect didn't have the administrator credentials required to configure AD FS. With this fix, Microsoft Entra Connect now prompts you to enter the administrator credentials for AD FS when you execute the *Configure Source Anchor* task. ## 1.1.614.0 Status: September 05 2017 -### Azure AD Connect +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect #### Known issues-* There is a known issue that is causing Azure AD Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". 
The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Azure AD Connect. Dbo permissions aren't sufficient. +* There is a known issue that is causing Microsoft Entra Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Microsoft Entra Connect. Dbo permissions aren't sufficient. -* There is a known issue with Azure AD Connect Upgrade that is affecting customers who have enabled [Seamless Single Sign-On](how-to-connect-sso.md). After Azure AD Connect is upgraded, the feature appears as disabled in the wizard, even though the feature remains enabled. A fix for this issue will be provided in future release. Customers who are concerned about this display issue can manually fix it by enabling Seamless Single Sign-On in the wizard. +* There is a known issue with Microsoft Entra Connect Upgrade that is affecting customers who have enabled [Seamless Single Sign-On](how-to-connect-sso.md). After Microsoft Entra Connect is upgraded, the feature appears as disabled in the wizard, even though the feature remains enabled. A fix for this issue will be provided in future release. Customers who are concerned about this display issue can manually fix it by enabling Seamless Single Sign-On in the wizard. #### Fixed issues-* Fixed an issue that prevented Azure AD Connect from updating the claims rules in on-premises AD FS while enabling the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. 
The issue occurs if you try to enable the feature for an existing Azure AD Connect deployment that has AD FS configured as the sign-in method. The issue occurs because the wizard does not prompt for ADFS credentials before trying to update the claims rules in AD FS. -* Fixed an issue that caused Azure AD Connect to fail installation if the on-premises AD forest has NTLM disabled. The issue is due to Azure AD Connect wizard not providing fully qualified credentials when creating the security contexts required for Kerberos authentication. This causes Kerberos authentication to fail and Azure AD Connect wizard to fall back to using NTLM. +* Fixed an issue that prevented Microsoft Entra Connect from updating the claims rules in on-premises AD FS while enabling the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. The issue occurs if you try to enable the feature for an existing Microsoft Entra Connect deployment that has AD FS configured as the sign-in method. The issue occurs because the wizard does not prompt for ADFS credentials before trying to update the claims rules in AD FS. +* Fixed an issue that caused Microsoft Entra Connect to fail installation if the on-premises AD forest has NTLM disabled. The issue is due to Microsoft Entra Connect wizard not providing fully qualified credentials when creating the security contexts required for Kerberos authentication. This causes Kerberos authentication to fail and Microsoft Entra Connect wizard to fall back to using NTLM. ++<a name='azure-ad-connect-sync'></a> -### Azure AD Connect Sync +### Microsoft Entra Connect Sync #### Fixed issues * Fixed an issue where new synchronization rule cannot be created if the Tag attribute isn’t populated.-* Fixed an issue that caused Azure AD Connect to connect to on-premises AD for Password Synchronization using NTLM, even though Kerberos is available. 
This issue occurs if the on-premises AD topology has one or more domain controllers that were restored from a backup. +* Fixed an issue that caused Microsoft Entra Connect to connect to on-premises AD for Password Synchronization using NTLM, even though Kerberos is available. This issue occurs if the on-premises AD topology has one or more domain controllers that were restored from a backup. * Fixed an issue that caused full synchronization steps to occur unnecessarily after upgrade. In general, running full synchronization steps is required after upgrade if there are changes to out-of-box synchronization rules. The issue was due to an error in the change detection logic that incorrectly detected a change when encountering synchronization rule expression with newline characters. Newline characters are inserted into sync rule expression to improve readability.-* Fixed an issue that can cause the Azure AD Connect server to not work correctly after Automatic Upgrade. This issue affects Azure AD Connect servers with version 1.1.443.0 (or earlier). For details about the issue, refer to article [Azure AD Connect is not working correctly after an automatic upgrade](https://support.microsoft.com/help/4038479/azure-ad-connect-is-not-working-correctly-after-an-automatic-upgrade). +* Fixed an issue that can cause the Microsoft Entra Connect server to not work correctly after Automatic Upgrade. This issue affects Microsoft Entra Connect servers with version 1.1.443.0 (or earlier). For details about the issue, refer to article [Microsoft Entra Connect is not working correctly after an automatic upgrade](https://support.microsoft.com/help/4038479/azure-ad-connect-is-not-working-correctly-after-an-automatic-upgrade). * Fixed an issue that can cause Automatic Upgrade to be retried every 5 minutes when errors are encountered. With the fix, Automatic Upgrade retries with exponential back-off when errors are encountered. 
* Fixed an issue where password synchronization event 611 is incorrectly shown in Windows Application Event logs as **informational** instead of **error**. Event 611 is generated whenever password synchronization encounters an issue. -* Fixed an issue in the Azure AD Connect wizard that allows Group writeback feature to be enabled without selecting an OU required for Group writeback. +* Fixed an issue in the Microsoft Entra Connect wizard that allows Group writeback feature to be enabled without selecting an OU required for Group writeback. #### New features and improvements-* Added a Troubleshoot task to Azure AD Connect wizard under Additional Tasks. Customers can leverage this task to troubleshoot issues related to password synchronization and collect general diagnostics. In the future, the Troubleshoot task will be extended to include other directory synchronization-related issues. -* Azure AD Connect now supports a new installation mode called **Use Existing Database**. This installation mode allows customers to install Azure AD Connect that specifies an existing ADSync database. For more information about this feature, refer to article [Use an existing database](how-to-connect-install-existing-database.md). -* For improved security, Azure AD Connect now defaults to using TLS1.2 to connect to Azure AD for directory synchronization. Previously, the default was TLS1.0. -* When Azure AD Connect Password Synchronization Agent starts up, it tries to connect to Azure AD well-known endpoint for password synchronization. Upon successful connection, it's redirected to a region-specific endpoint. Previously, the Password Synchronization Agent caches the region-specific endpoint until it's restarted. Now, the agent clears the cache and retries with the well-known endpoint if it encounters connection issue with the region-specific endpoint. 
This change ensures that password synchronization can failover to a different region-specific endpoint when the cached region-specific endpoint is no longer available. -* To synchronize changes from an on-premises AD forest, an AD DS account is required. You can either (i) create the AD DS account yourself and provide its credential to Azure AD Connect, or (ii) provide an Enterprise Admin's credentials and let Azure AD Connect create the AD DS account for you. Previously, (i) is the default option in the Azure AD Connect wizard. Now, (ii) is the default option. +* Added a Troubleshoot task to Microsoft Entra Connect wizard under Additional Tasks. Customers can leverage this task to troubleshoot issues related to password synchronization and collect general diagnostics. In the future, the Troubleshoot task will be extended to include other directory synchronization-related issues. +* Microsoft Entra Connect now supports a new installation mode called **Use Existing Database**. This installation mode allows customers to install Microsoft Entra Connect that specifies an existing ADSync database. For more information about this feature, refer to article [Use an existing database](how-to-connect-install-existing-database.md). +* For improved security, Microsoft Entra Connect now defaults to using TLS1.2 to connect to Microsoft Entra ID for directory synchronization. Previously, the default was TLS1.0. +* When Microsoft Entra Connect Password Synchronization Agent starts up, it tries to connect to Microsoft Entra well-known endpoint for password synchronization. Upon successful connection, it's redirected to a region-specific endpoint. Previously, the Password Synchronization Agent caches the region-specific endpoint until it's restarted. Now, the agent clears the cache and retries with the well-known endpoint if it encounters connection issue with the region-specific endpoint. 
This change ensures that password synchronization can failover to a different region-specific endpoint when the cached region-specific endpoint is no longer available. +* To synchronize changes from an on-premises AD forest, an AD DS account is required. You can either (i) create the AD DS account yourself and provide its credential to Microsoft Entra Connect, or (ii) provide an Enterprise Admin's credentials and let Microsoft Entra Connect create the AD DS account for you. Previously, (i) is the default option in the Microsoft Entra Connect wizard. Now, (ii) is the default option. -### Azure AD Connect Health +<a name='azure-ad-connect-health'></a> ++### Microsoft Entra Connect Health #### New features and improvements * Added support for Microsoft Azure Government Cloud and Microsoft Cloud Germany. Status: September 05 2017 * The Initialize-ADSyncNGCKeysWriteBack cmdlet in the AD prep PowerShell module was incorrectly applying ACLs to the device registration container and would therefore only inherit existing permissions. This was updated so that the sync service account has the correct permissions. #### New features and improvements-* The Azure AD Connect Verify ADFS Login task was updated so that it verifies logins against Microsoft Online and not just token retrieval from ADFS. -* When setting up a new ADFS farm using Azure AD Connect, the page asking for ADFS credentials was moved so that it now occurs before the user is asked to provide ADFS and WAP servers. This allows Azure AD Connect to check that the account specified has the correct permissions. -* During Azure AD Connect upgrade, we will no longer fail an upgrade if the ADFS Azure AD Trust fails to update. If that happens, the user will be shown an appropriate warning message and should proceed to reset the trust via the Azure AD Connect additional task. 
+* The Microsoft Entra Connect Verify ADFS Login task was updated so that it verifies logins against Microsoft Online and not just token retrieval from ADFS. +* When setting up a new ADFS farm using Microsoft Entra Connect, the page asking for ADFS credentials was moved so that it now occurs before the user is asked to provide ADFS and WAP servers. This allows Microsoft Entra Connect to check that the account specified has the correct permissions. +* During Microsoft Entra Connect upgrade, we will no longer fail an upgrade if the ADFS Microsoft Entra ID Trust fails to update. If that happens, the user will be shown an appropriate warning message and should proceed to reset the trust via the Microsoft Entra Connect additional task. ### Seamless Single Sign-On #### Fixed issues-* Fixed an issue that caused Azure AD Connect wizard to return an error if you try to enable [Seamless Single Sign-On](how-to-connect-sso.md). The error message is *“Configuration of Microsoft Azure AD Connect Authentication Agent failed.”* This issue affects existing customers who had manually upgraded the preview version of the Authentication Agents for [Pass-through Authentication](how-to-connect-sso.md) based on the steps described in this [article](how-to-connect-pta-upgrade-preview-authentication-agents.md). +* Fixed an issue that caused Microsoft Entra Connect wizard to return an error if you try to enable [Seamless Single Sign-On](how-to-connect-sso.md). The error message is *“Configuration of Microsoft Entra Connect Authentication Agent failed.”* This issue affects existing customers who had manually upgraded the preview version of the Authentication Agents for [Pass-through Authentication](how-to-connect-sso.md) based on the steps described in this [article](how-to-connect-pta-upgrade-preview-authentication-agents.md). 
## 1.1.561.0 Status: July 23 2017 -### Azure AD Connect +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect #### Fixed issue * Fixed an issue that caused the out-of-box synchronization rule “Out to AD - User ImmutableId” to be removed: - * The issue occurs when Azure AD Connect is upgraded, or when the task option *Update Synchronization Configuration* in the Azure AD Connect wizard is used to update Azure AD Connect synchronization configuration. + * The issue occurs when Microsoft Entra Connect is upgraded, or when the task option *Update Synchronization Configuration* in the Microsoft Entra Connect wizard is used to update Microsoft Entra Connect synchronization configuration. - * This synchronization rule is applicable to customers who have enabled the [ms-DS-ConsistencyGuid as Source Anchor feature](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor). This feature was introduced in version 1.1.524.0 and after. When the synchronization rule is removed, Azure AD Connect can no longer populate on-premises AD ms-DS-ConsistencyGuid attribute with the ObjectGuid attribute value. It does not prevent new users from being provisioned into Azure AD. + * This synchronization rule is applicable to customers who have enabled the [ms-DS-ConsistencyGuid as Source Anchor feature](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor). This feature was introduced in version 1.1.524.0 and after. When the synchronization rule is removed, Microsoft Entra Connect can no longer populate on-premises AD ms-DS-ConsistencyGuid attribute with the ObjectGuid attribute value. It does not prevent new users from being provisioned into Microsoft Entra ID. - * The fix ensures that the synchronization rule will no longer be removed during upgrade, or during configuration change, as long as the feature is enabled. 
For existing customers who have been affected by this issue, the fix also ensures that the synchronization rule is added back after upgrading to this version of Azure AD Connect. + * The fix ensures that the synchronization rule will no longer be removed during upgrade, or during configuration change, as long as the feature is enabled. For existing customers who have been affected by this issue, the fix also ensures that the synchronization rule is added back after upgrading to this version of Microsoft Entra Connect. * Fixed an issue that causes out-of-box synchronization rules to have precedence value that is less than 100: Status: July 23 2017 * The fix prevents the issue from occurring during upgrade. However, it does not restore the precedence values for existing customers who have been affected by the issue. A separate fix will be provided in the future to help with the restoration. -* Fixed an issue where the [Domain and OU Filtering screen](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Azure AD Connect wizard is showing *Sync all domains and OUs* option as selected, even though OU-based filtering is enabled. +* Fixed an issue where the [Domain and OU Filtering screen](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Microsoft Entra Connect wizard is showing *Sync all domains and OUs* option as selected, even though OU-based filtering is enabled. -* Fixed an issue that caused the [Configure Directory Partitions screen](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) in the Synchronization Service Manager to return an error if the *Refresh* button is clicked. 
The error message is *“An error was encountered while refreshing domains: Unable to cast object of type ‘System.Collections.ArrayList’ to type ‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.”* The error occurs when new AD domain has been added to an existing AD forest and you are trying to update Azure AD Connect using the Refresh button. +* Fixed an issue that caused the [Configure Directory Partitions screen](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) in the Synchronization Service Manager to return an error if the *Refresh* button is clicked. The error message is *“An error was encountered while refreshing domains: Unable to cast object of type ‘System.Collections.ArrayList’ to type ‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.”* The error occurs when new AD domain has been added to an existing AD forest and you are trying to update Microsoft Entra Connect using the Refresh button. #### New features and improvements Status: July 23 2017 * You've enabled the user writeback feature. >[!NOTE]- >The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and after. If you don't want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet on your Azure AD Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md). + >The scope expansion of the Automatic Upgrade feature affects customers with Microsoft Entra Connect build 1.1.105.0 and after. If you don't want your Microsoft Entra Connect server to be automatically upgraded, you must run following cmdlet on your Microsoft Entra Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. 
For more information about enabling/disabling Automatic Upgrade, refer to article [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md). ## 1.1.558.0 Status: Will not be released. Changes in this build are included in version 1.1.561.0. -### Azure AD Connect +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect #### Fixed issue * Fixed an issue that caused the out-of-box synchronization rule “Out to AD - User ImmutableId” to be removed when OU-based filtering configuration is updated. This synchronization rule is required for the [ms-DS-ConsistencyGuid as Source Anchor feature](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor). -* Fixed an issue where the [Domain and OU Filtering screen](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Azure AD Connect wizard is showing *Sync all domains and OUs* option as selected, even though OU-based filtering is enabled. +* Fixed an issue where the [Domain and OU Filtering screen](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Microsoft Entra Connect wizard is showing *Sync all domains and OUs* option as selected, even though OU-based filtering is enabled. -* Fixed an issue that caused the [Configure Directory Partitions screen](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) in the Synchronization Service Manager to return an error if the *Refresh* button is clicked. The error message is *“An error was encountered while refreshing domains: Unable to cast object of type ‘System.Collections.ArrayList’ to type ‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.”* The error occurs when new AD domain has been added to an existing AD forest and you are trying to update Azure AD Connect using the Refresh button. 
+* Fixed an issue that caused the [Configure Directory Partitions screen](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) in the Synchronization Service Manager to return an error if the *Refresh* button is clicked. The error message is *“An error was encountered while refreshing domains: Unable to cast object of type ‘System.Collections.ArrayList’ to type ‘Microsoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.”* The error occurs when new AD domain has been added to an existing AD forest and you are trying to update Microsoft Entra Connect using the Refresh button. #### New features and improvements Status: Will not be released. Changes in this build are included in version 1.1. * You've enabled the user writeback feature. >[!NOTE]- >The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and after. If you don't want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet on your Azure AD Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md). + >The scope expansion of the Automatic Upgrade feature affects customers with Microsoft Entra Connect build 1.1.105.0 and after. If you don't want your Microsoft Entra Connect server to be automatically upgraded, you must run following cmdlet on your Microsoft Entra Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md). ## 1.1.557.0 Status: July 2017 >[!NOTE]->This build is not available to customers through the Azure AD Connect Auto Upgrade feature. 
-### Azure AD Connect +>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature. +<a name='azure-ad-connect'></a> ++### Microsoft Entra Connect #### Fixed issue-* Fixed an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain configured on the existing service connection point object to be changed even if it's still a valid domain. This issue occurs when your Azure AD tenant has more than one verified domains that can be used for configuring the service connection point. +* Fixed an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain configured on the existing service connection point object to be changed even if it's still a valid domain. This issue occurs when your Microsoft Entra tenant has more than one verified domains that can be used for configuring the service connection point. #### New features and improvements-* Password writeback is now available for preview with Microsoft Azure Government cloud and Microsoft Cloud Germany. For more information about Azure AD Connect support for the different service instances, refer to article [Azure AD Connect: Special considerations for instances](reference-connect-instances.md). +* Password writeback is now available for preview with Microsoft Azure Government cloud and Microsoft Cloud Germany. For more information about Microsoft Entra Connect support for the different service instances, refer to article [Microsoft Entra Connect: Special considerations for instances](reference-connect-instances.md). * The Initialize-ADSyncDomainJoinedComputerSync cmdlet now has a new optional parameter named AzureADDomain. This parameter lets you specify which verified domain to be used for configuring the service connection point. 
### Pass-through Authentication #### New features and improvements-* The name of the agent required for Pass-through Authentication has been changed from *Microsoft Azure AD Application Proxy Connector* to *Microsoft Azure AD Connect Authentication Agent*. +* The name of the agent required for Pass-through Authentication has been changed from *Microsoft Entra application proxy Connector* to *Microsoft Entra Connect Authentication Agent*. * Enabling Pass-through Authentication no longer enables Password Hash Synchronization by default. Status: July 2017 Status: June 2017 > [!IMPORTANT]-> There are schema and sync rule changes introduced in this build. Azure AD Connect Synchronization Service will trigger Full Import and Full Synchronization steps after upgrade. Details of the changes are described below. To temporarily defer Full Import and Full Synchronization steps after upgrade, refer to article [How to defer full synchronization after upgrade](how-to-upgrade-previous-version.md#how-to-defer-full-synchronization-after-upgrade). +> There are schema and sync rule changes introduced in this build. Microsoft Entra Connect Synchronization Service will trigger Full Import and Full Synchronization steps after upgrade. Details of the changes are described below. To temporarily defer Full Import and Full Synchronization steps after upgrade, refer to article [How to defer full synchronization after upgrade](how-to-upgrade-previous-version.md#how-to-defer-full-synchronization-after-upgrade). > >-### Azure AD Connect Sync +<a name='azure-ad-connect-sync'></a> ++### Microsoft Entra Connect Sync #### Known issue-* There is an issue that affects customers who are using [OU-based filtering](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) with Azure AD Connect sync. 
When you navigate to the [Domain and OU Filtering page](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Azure AD Connect wizard, the following behavior is expected: +* There is an issue that affects customers who are using [OU-based filtering](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) with Microsoft Entra Connect Sync. When you navigate to the [Domain and OU Filtering page](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Microsoft Entra Connect wizard, the following behavior is expected: * If OU-based filtering is enabled, the **Sync selected domains and OUs** option is selected. * Otherwise, the **Sync all domains and OUs** option is selected. -The issue that arises is that the **Sync all domains and OUs option** is always selected when you run the Wizard. This occurs even if OU-based filtering was previously configured. Before saving any Azure AD Connect configuration changes, make sure the **Sync selected domains and OUs option is selected** and confirm that all OUs that need to synchronize are enabled again. Otherwise, OU-based filtering will be disabled. +The issue that arises is that the **Sync all domains and OUs option** is always selected when you run the Wizard. This occurs even if OU-based filtering was previously configured. Before saving any Microsoft Entra Connect configuration changes, make sure the **Sync selected domains and OUs option is selected** and confirm that all OUs that need to synchronize are enabled again. Otherwise, OU-based filtering will be disabled. #### Fixed issues -* Fixed an issue with Password writeback that allows an Azure AD Administrator to reset the password of an on-premises AD privileged user account. The issue occurs when Azure AD Connect is granted the Reset Password permission over the privileged account. 
The issue is addressed in this version of Azure AD Connect by not allowing an Azure AD Administrator to reset the password of an arbitrary on-premises AD privileged user account unless the administrator is the owner of that account. For more information, refer to [Security Advisory 4033453](/security-updates/SecurityAdvisories/2017/4033453). +* Fixed an issue with Password writeback that allows a Microsoft Entra Administrator to reset the password of an on-premises AD privileged user account. The issue occurs when Microsoft Entra Connect is granted the Reset Password permission over the privileged account. The issue is addressed in this version of Microsoft Entra Connect by not allowing a Microsoft Entra Administrator to reset the password of an arbitrary on-premises AD privileged user account unless the administrator is the owner of that account. For more information, refer to [Security Advisory 4033453](/security-updates/SecurityAdvisories/2017/4033453). -* Fixed an issue related to the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature where Azure AD Connect does not writeback to on-premises AD ms-DS-ConsistencyGuid attribute. The issue occurs when there are multiple on-premises AD forests added to Azure AD Connect and the *User identities exist across multiple directories option* is selected. When such configuration is used, the resultant synchronization rules don't populate the sourceAnchorBinary attribute in the Metaverse. The sourceAnchorBinary attribute is used as the source attribute for ms-DS-ConsistencyGuid attribute. As a result, writeback to the ms-DSConsistencyGuid attribute does not occur. 
To fix the issue, following sync rules have been updated to ensure that the sourceAnchorBinary attribute in the Metaverse is always populated: +* Fixed an issue related to the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature where Microsoft Entra Connect does not writeback to on-premises AD ms-DS-ConsistencyGuid attribute. The issue occurs when there are multiple on-premises AD forests added to Microsoft Entra Connect and the *User identities exist across multiple directories option* is selected. When such configuration is used, the resultant synchronization rules don't populate the sourceAnchorBinary attribute in the Metaverse. The sourceAnchorBinary attribute is used as the source attribute for ms-DS-ConsistencyGuid attribute. As a result, writeback to the ms-DSConsistencyGuid attribute does not occur. To fix the issue, following sync rules have been updated to ensure that the sourceAnchorBinary attribute in the Metaverse is always populated: * In from AD - InetOrgPerson AccountEnabled.xml * In from AD - InetOrgPerson Common.xml * In from AD - User AccountEnabled.xml * In from AD - User Common.xml * In from AD - User Join SOAInAAD.xml -* Previously, even if the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature isn’t enabled, the “Out to AD – User ImmutableId” synchronization rule is still added to Azure AD Connect. The effect is benign and does not cause writeback of ms-DS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled. +* Previously, even if the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature isn’t enabled, the “Out to AD – User ImmutableId” synchronization rule is still added to Microsoft Entra Connect. 
The effect is benign and does not cause writeback of ms-DS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled. * Fixed an issue that caused password hash synchronization to fail with error event 611. This issue occurs after one or more domain controllers have been removed from on-premises AD. At the end of each password synchronization cycle, the synchronization cookie issued by on-premises AD contains Invocation IDs of the removed domain controllers with USN (Update Sequence Number) value of 0. The Password Synchronization Manager is unable to persist synchronization cookie containing USN value of 0 and fails with error event 611. During the next synchronization cycle, the Password Synchronization Manager reuses the last persisted synchronization cookie that does not contain USN value of 0. This causes the same password changes to be resynchronized. With this fix, the Password Synchronization Manager persists the synchronization cookie correctly. -* Previously, even if Automatic Upgrade has been disabled using the Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continues to check for upgrade periodically, and relies on the downloaded installer to honor disablement. With this fix, the Automatic Upgrade process no longer checks for upgrade periodically. The fix is automatically applied when upgrade installer for this Azure AD Connect version is executed once. +* Previously, even if Automatic Upgrade has been disabled using the Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continues to check for upgrade periodically, and relies on the downloaded installer to honor disablement. With this fix, the Automatic Upgrade process no longer checks for upgrade periodically. The fix is automatically applied when upgrade installer for this Microsoft Entra Connect version is executed once. 
#### New features and improvements * Previously, the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature was available to new deployments only. Now, it's available to existing deployments. More specifically:- * To access the feature, start the Azure AD Connect wizard and choose the *Update Source Anchor* option. + * To access the feature, start the Microsoft Entra Connect wizard and choose the *Update Source Anchor* option. * This option is only visible to existing deployments that are using objectGuid as sourceAnchor attribute. * When configuring the option, the wizard validates the state of the ms-DS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute isn't configured on any user object in the directory, the wizard uses the ms-DS-ConsistencyGuid as the sourceAnchor attribute. If the attribute is configured on one or more user objects in the directory, the wizard concludes the attribute is being used by other applications and is not suitable as sourceAnchor attribute and does not permit the Source Anchor change to proceed. If you are certain that the attribute isn't used by existing applications, you need to contact Support for information on how to suppress the error. -* Specific to **userCertificate** attribute on Device objects, Azure AD Connect now looks for certificates values required for [Connecting domain-joined devices to Azure AD for Windows 10 experience](../../devices/hybrid-join-plan.md) and filters out the rest before synchronizing to Azure AD. To enable this behavior, the out-of-box sync rule “Out to AAD - Device Join SOAInAD” has been updated. 
+* Specific to **userCertificate** attribute on Device objects, Microsoft Entra Connect now looks for certificates values required for [Connecting domain-joined devices to Microsoft Entra ID for Windows 10 experience](../../devices/hybrid-join-plan.md) and filters out the rest before synchronizing to Microsoft Entra ID. To enable this behavior, the out-of-box sync rule “Out to Microsoft Entra ID - Device Join SOAInAD” has been updated. -* Azure AD Connect now supports writeback of Exchange Online **cloudPublicDelegates** attribute to on-premises AD **publicDelegates** attribute. This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailbox. To support this feature, a new out-of-box sync rule “Out to AD – User Exchange Hybrid PublicDelegates writeback” has been added. This sync rule is only added to Azure AD Connect when Exchange Hybrid feature is enabled. +* Microsoft Entra Connect now supports writeback of Exchange Online **cloudPublicDelegates** attribute to on-premises AD **publicDelegates** attribute. This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailbox. To support this feature, a new out-of-box sync rule “Out to AD – User Exchange Hybrid PublicDelegates writeback” has been added. This sync rule is only added to Microsoft Entra Connect when Exchange Hybrid feature is enabled. -* Azure AD Connect now supports synchronizing the **altRecipient** attribute from Azure AD. To support this change, following out-of-box sync rules have been updated to include the required attribute flow: +* Microsoft Entra Connect now supports synchronizing the **altRecipient** attribute from Microsoft Entra ID. 
To support this change, following out-of-box sync rules have been updated to include the required attribute flow: * In from AD – User Exchange- * Out to AAD – User ExchangeOnline + * Out to Microsoft Entra ID – User ExchangeOnline -* The **cloudSOAExchMailbox** attribute in the Metaverse indicates whether a given user has Exchange Online mailbox or not. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes as such Equipment and Conference Room mailboxes. To enable this change, the definition of the cloudSOAExchMailbox attribute, which is found under out-of-box sync rule “In from AAD – User Exchange Hybrid”, has been updated from: +* The **cloudSOAExchMailbox** attribute in the Metaverse indicates whether a given user has Exchange Online mailbox or not. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes as such Equipment and Conference Room mailboxes. To enable this change, the definition of the cloudSOAExchMailbox attribute, which is found under out-of-box sync rule “In from Microsoft Entra ID – User Exchange Hybrid”, has been updated from: ``` CBool(IIF(IsNullOrEmpty([cloudMSExchRecipientDisplayType]),NULL,BitAnd([cloudMSExchRecipientDisplayType],&HFF) = 0)) The issue that arises is that the **Sync all domains and OUs option** is always * Group: domainFQDN * Person: distinguishedName - * Following attributes have been added to Azure AD Connector schema: + * Following attributes have been added to Microsoft Entra Connector schema: * Group: OnPremisesSamAccountName * Group: NetBiosName * Group: DnsDomainName * User: OnPremisesDistinguishedName -* The ADSyncDomainJoinedComputerSync cmdlet script now has a new optional parameter named AzureEnvironment. The parameter is used to specify which region the corresponding Azure Active Directory tenant is hosted in. Valid values include: +* The ADSyncDomainJoinedComputerSync cmdlet script now has a new optional parameter named AzureEnvironment. 
The parameter is used to specify which region the corresponding Microsoft Entra tenant is hosted in. Valid values include: * AzureCloud (default) * AzureChinaCloud * AzureGermanyCloud The issue that arises is that the **Sync all domains and OUs option** is always #### Issues fixed -* Following URLs are new WS-Federation endpoints introduced by Azure AD to improve resiliency against authentication outage and will be added to on-premises AD FS replying party trust configuration: +* Following URLs are new WS-Federation endpoints introduced by Microsoft Entra ID to improve resiliency against authentication outage and will be added to on-premises AD FS replying party trust configuration: * https:\//ests.login.microsoftonline.com/login.srf * https:\//stamp2.login.microsoftonline.com/login.srf * https://ccs.login.microsoftonline.com/login.srf * https://ccs-sdf.login.microsoftonline.com/login.srf -* Fixed an issue that caused AD FS to generate incorrect claim value for IssuerID. The issue occurs if there are multiple verified domains in the Azure AD tenant and the domain suffix of the userPrincipalName attribute used to generate the IssuerID claim is at least 3-levels deep (for example, johndoe@us.contoso.com). The issue is resolved by updating the regex used by the claim rules. +* Fixed an issue that caused AD FS to generate incorrect claim value for IssuerID. The issue occurs if there are multiple verified domains in the Microsoft Entra tenant and the domain suffix of the userPrincipalName attribute used to generate the IssuerID claim is at least 3-levels deep (for example, johndoe@us.contoso.com). The issue is resolved by updating the regex used by the claim rules. #### New features and improvements-* Previously, the ADFS Certificate Management feature provided by Azure AD Connect can only be used with ADFS farms managed through Azure AD Connect. Now, you can use the feature with ADFS farms that aren't managed using Azure AD Connect. 
+* Previously, the ADFS Certificate Management feature provided by Microsoft Entra Connect can only be used with ADFS farms managed through Microsoft Entra Connect. Now, you can use the feature with ADFS farms that aren't managed using Microsoft Entra Connect. ## 1.1.524.0 Released: May 2017 > [!IMPORTANT]-> There are schema and sync rule changes introduced in this build. Azure AD Connect Synchronization Service will trigger Full Import and Full Sync steps after upgrade. Details of the changes are described below. +> There are schema and sync rule changes introduced in this build. Microsoft Entra Connect Synchronization Service will trigger Full Import and Full Sync steps after upgrade. Details of the changes are described below. > > **Fixed issues:** -Azure AD Connect sync +Microsoft Entra Connect Sync -* Fixed an issue that causes Automatic Upgrade to occur on the Azure AD Connect server even if customer has disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on the server still checks for upgrade periodically, but the downloaded installer honors the Automatic Upgrade configuration. -* During DirSync in-place upgrade, Azure AD Connect creates an Azure AD service account to be used by the Azure AD connector for synchronizing with Azure AD. After the account is created, Azure AD Connect authenticates with Azure AD using the account. Sometimes, authentication fails because of transient issues, which in turn causes DirSync in-place upgrade to fail with error *“An error has occurred executing Configure AAD Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.onmicrosoft.com directory.”* To improve the resiliency of DirSync upgrade, Azure AD Connect now retries the authentication step. -* There was an issue with build 443 that causes DirSync in-place upgrade to succeed but run profiles required for directory synchronization aren't created. 
Healing logic is included in this build of Azure AD Connect. When customer upgrades to this build, Azure AD Connect detects missing run profiles and creates them. +* Fixed an issue that causes Automatic Upgrade to occur on the Microsoft Entra Connect server even if customer has disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on the server still checks for upgrade periodically, but the downloaded installer honors the Automatic Upgrade configuration. +* During DirSync in-place upgrade, Microsoft Entra Connect creates a Microsoft Entra service account to be used by the Microsoft Entra connector for synchronizing with Microsoft Entra ID. After the account is created, Microsoft Entra Connect authenticates with Microsoft Entra ID using the account. Sometimes, authentication fails because of transient issues, which in turn causes DirSync in-place upgrade to fail with error *“An error has occurred executing Configure Azure AD Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.onmicrosoft.com directory.”* To improve the resiliency of DirSync upgrade, Microsoft Entra Connect now retries the authentication step. +* There was an issue with build 443 that causes DirSync in-place upgrade to succeed but run profiles required for directory synchronization aren't created. Healing logic is included in this build of Microsoft Entra Connect. When customer upgrades to this build, Microsoft Entra Connect detects missing run profiles and creates them. * Fixed an issue that causes Password Synchronization process to fail to start with Event ID 6900 and error *“An item with the same key has already been added”*. This issue occurs if you update OU filtering configuration to include AD configuration partition. To fix this issue, Password Synchronization process now synchronizes password changes from AD domain partitions only. 
Non-domain partitions such as configuration partition are skipped.-* During Express installation, Azure AD Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account is created with the PASSWD_NOTREQD flag set on the user-Account-Control attribute and a random password is set on the account. Now, Azure AD Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account. +* During Express installation, Microsoft Entra Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account is created with the PASSWD_NOTREQD flag set on the user-Account-Control attribute and a random password is set on the account. Now, Microsoft Entra Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account. * Fixed an issue that causes DirSync upgrade to fail with error *“a deadlock occurred in sql server which trying to acquire an application lock”* when the mailNickname attribute is found in the on-premises AD schema, but is not bounded to the AD User object class.-* Fixed an issue that causes Device writeback feature to automatically be disabled when an administrator is updating Azure AD Connect sync configuration using Azure AD Connect wizard. This issue is caused by the wizard performing a pre-requisite check for the existing Device writeback configuration in on-premises AD and the check fails. The fix is to skip the check if Device writeback is already enabled previously. -* To configure OU filtering, you can either use the Azure AD Connect wizard or the Synchronization Service Manager. Previously, if you use the Azure AD Connect wizard to configure OU filtering, new OUs created afterwards are included for directory synchronization. If you don't want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. 
Now, you can achieve the same behavior using Azure AD Connect wizard. -* Fixed an issue that causes stored procedures required by Azure AD Connect to be created under the schema of the installing admin, instead of under the dbo schema. -* Fixed an issue that causes the TrackingId attribute returned by Azure AD to be omitted in the Azure AD Connect Server Event Logs. The issue occurs if Azure AD Connect receives a redirection message from Azure AD and Azure AD Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting. -* When Azure AD Connect receives LargeObject error from Azure AD, Azure AD Connect generates an event with EventID 6941 and message *“The provisioned object is too large. Trim the number of attribute values on this object.”* At the same time, Azure AD Connect also generates a misleading event with EventID 6900 and message *“Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service.”* To minimize confusion, Azure AD Connect no longer generates the latter event when LargeObject error is received. +* Fixed an issue that causes Device writeback feature to automatically be disabled when an administrator is updating Microsoft Entra Connect sync configuration using Microsoft Entra Connect wizard. This issue is caused by the wizard performing a pre-requisite check for the existing Device writeback configuration in on-premises AD and the check fails. The fix is to skip the check if Device writeback is already enabled previously. +* To configure OU filtering, you can either use the Microsoft Entra Connect wizard or the Synchronization Service Manager. Previously, if you use the Microsoft Entra Connect wizard to configure OU filtering, new OUs created afterwards are included for directory synchronization. 
If you don't want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior using Microsoft Entra Connect wizard. +* Fixed an issue that causes stored procedures required by Microsoft Entra Connect to be created under the schema of the installing admin, instead of under the dbo schema. +* Fixed an issue that causes the TrackingId attribute returned by Microsoft Entra ID to be omitted in the Microsoft Entra Connect Server Event Logs. The issue occurs if Microsoft Entra Connect receives a redirection message from Microsoft Entra ID and Microsoft Entra Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting. +* When Microsoft Entra Connect receives LargeObject error from Microsoft Entra ID, Microsoft Entra Connect generates an event with EventID 6941 and message *“The provisioned object is too large. Trim the number of attribute values on this object.”* At the same time, Microsoft Entra Connect also generates a misleading event with EventID 6900 and message *“Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service.”* To minimize confusion, Microsoft Entra Connect no longer generates the latter event when LargeObject error is received. * Fixed an issue that causes the Synchronization Service Manager to become unresponsive when trying to update the configuration for Generic LDAP connector. **New features/improvements:** -Azure AD Connect sync +Microsoft Entra Connect Sync * Sync Rule Changes – The following sync rule changes have been implemented: * Updated default sync rule set to not export attributes **userCertificate** and **userSMIMECertificate** if the attributes have more than 15 values. * AD attributes **employeeID** and **msExchBypassModerationLink** are now included in the default sync rule set. 
* AD attribute **photo** has been removed from default sync rule set.- * Added **preferredDataLocation** to the Metaverse schema and Azure AD Connector schema. Customers who want to update either attributes in Azure AD can implement custom sync rules to do so. - * Added **userType** to the Metaverse schema and Azure AD Connector schema. Customers who want to update either attributes in Azure AD can implement custom sync rules to do so. --* Azure AD Connect now automatically enables the use of ConsistencyGuid attribute as the Source Anchor attribute for on-premises AD objects. Further, Azure AD Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it's empty. This feature is applicable to new deployment only. To find out more about this feature, refer to article section [Azure AD Connect: Design concepts - Using ms-DS-ConsistencyGuid as sourceAnchor](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor). -* New troubleshooting cmdlet Invoke-ADSyncDiagnostics has been added to help diagnose Password Hash Synchronization related issues. For information about using the cmdlet, refer to article [Troubleshoot password hash synchronization with Azure AD Connect sync](tshoot-connect-password-hash-synchronization.md). -* Azure AD Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to Azure AD. You can enable the feature using Azure AD Connect wizard under Optional Features. To find out more about this feature, refer to article [Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders](https://techcommunity.microsoft.com/t5/exchange/office-365-directory-based-edge-blocking-support-for-on-premises/m-p/74218). -* Azure AD Connect requires an AD DS account to synchronize from on-premises AD. 
Previously, if you installed Azure AD Connect using the Express mode, you could provide the credentials of an Enterprise Admin account and Azure AD Connect would create the AD DS account required. However, for a custom installation and adding forests to an existing deployment, you were required to provide the AD DS account instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during a custom installation and let Azure AD Connect create the AD DS account required. -* Azure AD Connect now supports SQL AOA. You must enable SQL AOA before installing Azure AD Connect. During installation, Azure AD Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Azure AD Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication. When setting up the Availability Group Listener, it's recommended that you set the RegisterAllProvidersIP property to 0. This recommendation is because Azure AD Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of MultiSubNetFailover property. -* If you are using LocalDB as the database for your Azure AD Connect server and has reached its 10-GB size limit, the Synchronization Service no longer starts. Previously, you need to perform ShrinkDatabase operation on the LocalDB to reclaim enough DB space for the Synchronization Service to start. After which, you can use the Synchronization Service Manager to delete run history to reclaim more DB space. Now, you can use Start-ADSyncPurgeRunHistory cmdlet to purge run history data from LocalDB to reclaim DB space. Further, this cmdlet supports an offline mode (by specifying the -offline parameter) which can be used when the Synchronization Service is not running. Note: The offline mode can only be used if the Synchronization Service is not running and the database used is LocalDB. 
-* To reduce the amount of storage space required, Azure AD Connect now compresses sync error details before storing them in LocalDB/SQL databases. When upgrading from an older version of Azure AD Connect to this version, Azure AD Connect performs a one-time compression on existing sync error details. -* Previously, after updating OU filtering configuration, you must manually run Full import to ensure existing objects are properly included/excluded from directory synchronization. Now, Azure AD Connect automatically triggers Full import during the next sync cycle. Further, Full import is only be applied to the AD connectors affected by the update. Note: this improvement is applicable to OU filtering updates made using the Azure AD Connect wizard only. It is not applicable to OU filtering update made using the Synchronization Service Manager. + * Added **preferredDataLocation** to the Metaverse schema and Microsoft Entra Connector schema. Customers who want to update either attributes in Microsoft Entra ID can implement custom sync rules to do so. + * Added **userType** to the Metaverse schema and Microsoft Entra Connector schema. Customers who want to update either attributes in Microsoft Entra ID can implement custom sync rules to do so. ++* Microsoft Entra Connect now automatically enables the use of ConsistencyGuid attribute as the Source Anchor attribute for on-premises AD objects. Further, Microsoft Entra Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it's empty. This feature is applicable to new deployment only. To find out more about this feature, refer to article section [Microsoft Entra Connect: Design concepts - Using ms-DS-ConsistencyGuid as sourceAnchor](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor). +* New troubleshooting cmdlet Invoke-ADSyncDiagnostics has been added to help diagnose Password Hash Synchronization related issues. 
For information about using the cmdlet, refer to article [Troubleshoot password hash synchronization with Microsoft Entra Connect Sync](tshoot-connect-password-hash-synchronization.md). +* Microsoft Entra Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to Microsoft Entra ID. You can enable the feature using Microsoft Entra Connect wizard under Optional Features. To find out more about this feature, refer to article [Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders](https://techcommunity.microsoft.com/t5/exchange/office-365-directory-based-edge-blocking-support-for-on-premises/m-p/74218). +* Microsoft Entra Connect requires an AD DS account to synchronize from on-premises AD. Previously, if you installed Microsoft Entra Connect using the Express mode, you could provide the credentials of an Enterprise Admin account and Microsoft Entra Connect would create the AD DS account required. However, for a custom installation and adding forests to an existing deployment, you were required to provide the AD DS account instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during a custom installation and let Microsoft Entra Connect create the AD DS account required. +* Microsoft Entra Connect now supports SQL AOA. You must enable SQL AOA before installing Microsoft Entra Connect. During installation, Microsoft Entra Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Microsoft Entra Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication. When setting up the Availability Group Listener, it's recommended that you set the RegisterAllProvidersIP property to 0. This recommendation is because Microsoft Entra Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of MultiSubNetFailover property. 
+* If you are using LocalDB as the database for your Microsoft Entra Connect server and has reached its 10-GB size limit, the Synchronization Service no longer starts. Previously, you need to perform ShrinkDatabase operation on the LocalDB to reclaim enough DB space for the Synchronization Service to start. After which, you can use the Synchronization Service Manager to delete run history to reclaim more DB space. Now, you can use Start-ADSyncPurgeRunHistory cmdlet to purge run history data from LocalDB to reclaim DB space. Further, this cmdlet supports an offline mode (by specifying the -offline parameter) which can be used when the Synchronization Service is not running. Note: The offline mode can only be used if the Synchronization Service is not running and the database used is LocalDB. +* To reduce the amount of storage space required, Microsoft Entra Connect now compresses sync error details before storing them in LocalDB/SQL databases. When upgrading from an older version of Microsoft Entra Connect to this version, Microsoft Entra Connect performs a one-time compression on existing sync error details. +* Previously, after updating OU filtering configuration, you must manually run Full import to ensure existing objects are properly included/excluded from directory synchronization. Now, Microsoft Entra Connect automatically triggers Full import during the next sync cycle. Further, Full import is only be applied to the AD connectors affected by the update. Note: this improvement is applicable to OU filtering updates made using the Microsoft Entra Connect wizard only. It is not applicable to OU filtering update made using the Synchronization Service Manager. * Previously, Group-based filtering supports Users, Groups, and Contact objects only. Now, Group-based filtering also supports Computer objects.-* Previously, you can delete Connector Space data without disabling Azure AD Connect sync scheduler. 
Now, the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the scheduler is enabled. Further, a warning is returned to inform customers about potential data loss if the Connector space data is deleted. -* Previously, you must disable PowerShell transcription for Azure AD Connect wizard to run correctly. This issue is partially resolved. You can enable PowerShell transcription if you are using Azure AD Connect wizard to manage sync configuration. You must disable PowerShell transcription if you are using Azure AD Connect wizard to manage ADFS configuration. +* Previously, you can delete Connector Space data without disabling Microsoft Entra Connect Sync scheduler. Now, the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the scheduler is enabled. Further, a warning is returned to inform customers about potential data loss if the Connector space data is deleted. +* Previously, you must disable PowerShell transcription for Microsoft Entra Connect wizard to run correctly. This issue is partially resolved. You can enable PowerShell transcription if you are using Microsoft Entra Connect wizard to manage sync configuration. You must disable PowerShell transcription if you are using Microsoft Entra Connect wizard to manage ADFS configuration. Azure AD Connect sync Released: April 2017 **Fixed issues:**-* Fixed the issue where Azure AD Connect will not install successfully on localized version of Windows Server. +* Fixed the issue where Microsoft Entra Connect will not install successfully on localized version of Windows Server. ## 1.1.484.0 Released: April 2017 **Known issues:** -* This version of Azure AD Connect will not install successfully if the following conditions are all true: - 1. You are performing either DirSync in-place upgrade or fresh installation of Azure AD Connect. 
+* This version of Microsoft Entra Connect will not install successfully if the following conditions are all true: + 1. You are performing either DirSync in-place upgrade or fresh installation of Microsoft Entra Connect. 2. You are using a localized version of Windows Server where the name of built-in Administrator group on the server isn't "Administrators".- 3. You are using the default SQL Server 2012 Express LocalDB installed with Azure AD Connect instead of providing your own full SQL. + 3. You are using the default SQL Server 2012 Express LocalDB installed with Microsoft Entra Connect instead of providing your own full SQL. **Fixed issues:** -Azure AD Connect sync +Microsoft Entra Connect Sync * Fixed an issue where the sync scheduler skips the entire sync step if one or more connectors are missing run profile for that sync step. For example, you manually added a connector using the Synchronization Service Manager without creating a Delta Import run profile for it. This fix ensures that the sync scheduler continues to run Delta Import for other connectors. * Fixed an issue where the Synchronization Service immediately stops processing a run profile when it's encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run step and continues to process the rest. For example, you've a Delta Import run profile for your AD connector with multiple run steps (one for each on-premises AD domain). The Synchronization Service will run Delta Import with the other AD domains even if one of them has network connectivity issues.-* Fixed an issue that causes the Azure AD Connector update to be skipped during Automatic Upgrade. -* Fixed an issue that causes Azure AD Connect to incorrectly determine whether the server is a domain controller during setup, which in turn causes DirSync upgrade to fail. -* Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Azure AD Connector. 
+* Fixed an issue that causes the Microsoft Entra Connector update to be skipped during Automatic Upgrade. +* Fixed an issue that causes Microsoft Entra Connect to incorrectly determine whether the server is a domain controller during setup, which in turn causes DirSync upgrade to fail. +* Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Microsoft Entra Connector. * Fixed an issue where the Synchronization Service Manager user interface becomes unresponsive when trying to configure Generic LDAP Connector. AD FS management-* Fixed an issue where the Azure AD Connect wizard fails if the AD FS primary node has been moved to another server. +* Fixed an issue where the Microsoft Entra Connect wizard fails if the AD FS primary node has been moved to another server. Desktop SSO-* Fixed an issue in the Azure AD Connect wizard where the Sign-In screen does not let you enable Desktop SSO feature if you chose Password Synchronization as your Sign-In option during new installation. +* Fixed an issue in the Microsoft Entra Connect wizard where the Sign-In screen does not let you enable Desktop SSO feature if you chose Password Synchronization as your Sign-In option during new installation. **New features/improvements:** -Azure AD Connect sync -* Azure AD Connect Sync now supports the use of Virtual Service Account, Managed Service Account and Group Managed Service Account as its service account. This applies to new installation of Azure AD Connect only. When installing Azure AD Connect: - * By default, Azure AD Connect wizard will create a Virtual Service Account and uses it as its service account. - * If you are installing on a domain controller, Azure AD Connect falls back to previous behavior where it will create a domain user account and uses it as its service account instead. 
+Microsoft Entra Connect Sync +* Microsoft Entra Connect Sync now supports the use of Virtual Service Account, Managed Service Account and Group Managed Service Account as its service account. This applies to new installation of Microsoft Entra Connect only. When installing Microsoft Entra Connect: + * By default, Microsoft Entra Connect wizard will create a Virtual Service Account and uses it as its service account. + * If you are installing on a domain controller, Microsoft Entra Connect falls back to previous behavior where it will create a domain user account and uses it as its service account instead. * You can override the default behavior by providing one of the following: * A Group Managed Service Account * A Managed Service Account * A domain user account * A local user account-* Previously, if you upgrade to a new build of Azure AD Connect containing connectors update or sync rule changes, Azure AD Connect will trigger a full sync cycle. Now, Azure AD Connect selectively triggers Full Import step only for connectors with update, and Full Synchronization step only for connectors with sync rule changes. +* Previously, if you upgrade to a new build of Microsoft Entra Connect containing connectors update or sync rule changes, Microsoft Entra Connect will trigger a full sync cycle. Now, Microsoft Entra Connect selectively triggers Full Import step only for connectors with update, and Full Synchronization step only for connectors with sync rule changes. * Previously, the Export Deletion Threshold only applies to exports which are triggered through the sync scheduler. Now, the feature is extended to include exports manually triggered by the customer using the Synchronization Service Manager.-* On your Azure AD tenant, there is a service configuration which indicates whether Password Synchronization feature is enabled for your tenant or not. 
Previously, it's easy for the service configuration to be incorrectly configured by Azure AD Connect when you've an active and a staging server. Now, Azure AD Connect will attempt to keep the service configuration consistent with your active Azure AD Connect server only. -* Azure AD Connect wizard now detects and returns a warning if on-premises AD does not have AD Recycle Bin enabled. -* Previously, Export to Azure AD times out and fails if the combined size of the objects in the batch exceeds certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller batches if the issue is encountered. -* The Synchronization Service Key Management application has been removed from Windows Start Menu. Management of encryption key will continue to be supported through command-line interface using miiskmu.exe. For information about managing encryption key, refer to article [Abandoning the Azure AD Connect Sync encryption key](./how-to-connect-sync-change-serviceacct-pass.md#abandoning-the-adsync-service-account-encryption-key). -* Previously, if you change the Azure AD Connect sync service account password, the Synchronization Service will not be able start correctly until you've abandoned the encryption key and reinitialized the Azure AD Connect sync service account password. Now, this process is no longer required. +* On your Microsoft Entra tenant, there is a service configuration which indicates whether Password Synchronization feature is enabled for your tenant or not. Previously, it's easy for the service configuration to be incorrectly configured by Microsoft Entra Connect when you've an active and a staging server. Now, Microsoft Entra Connect will attempt to keep the service configuration consistent with your active Microsoft Entra Connect server only. +* Microsoft Entra Connect wizard now detects and returns a warning if on-premises AD does not have AD Recycle Bin enabled. 
+* Previously, Export to Microsoft Entra ID times out and fails if the combined size of the objects in the batch exceeds certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller batches if the issue is encountered. +* The Synchronization Service Key Management application has been removed from Windows Start Menu. Management of encryption key will continue to be supported through command-line interface using miiskmu.exe. For information about managing encryption key, refer to article [Abandoning the Microsoft Entra Connect Sync encryption key](./how-to-connect-sync-change-serviceacct-pass.md#abandoning-the-adsync-service-account-encryption-key). +* Previously, if you change the Microsoft Entra Connect Sync service account password, the Synchronization Service will not be able start correctly until you've abandoned the encryption key and reinitialized the Microsoft Entra Connect Sync service account password. Now, this process is no longer required. Desktop SSO -* Azure AD Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required. +* Microsoft Entra Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required. ## 1.1.443.0 Released: March 2017 **Fixed issues:** -Azure AD Connect sync -* Fixed an issue which causes Azure AD Connect wizard to fail if the display name of the Azure AD Connector does not contain the initial onmicrosoft.com domain assigned to the Azure AD tenant. -* Fixed an issue which causes Azure AD Connect wizard to fail while making connection to SQL database when the password of the Sync Service Account contains special characters such as apostrophe, colon and space. 
-* Fixed an issue which causes the error “The dimage has an anchor that is different than the image” to occur on an Azure AD Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing. -* Fixed an issue which causes the error “The object located by DN is a phantom” to occur on an Azure AD Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing. +Microsoft Entra Connect Sync +* Fixed an issue which causes Microsoft Entra Connect wizard to fail if the display name of the Microsoft Entra Connector does not contain the initial onmicrosoft.com domain assigned to the Microsoft Entra tenant. +* Fixed an issue which causes Microsoft Entra Connect wizard to fail while making connection to SQL database when the password of the Sync Service Account contains special characters such as apostrophe, colon and space. +* Fixed an issue which causes the error “The dimage has an anchor that is different than the image” to occur on a Microsoft Entra Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing. +* Fixed an issue which causes the error “The object located by DN is a phantom” to occur on a Microsoft Entra Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing. AD FS management-* Fixed an issue where Azure AD Connect wizard does not update AD FS configuration and set the right claims on the relying party trust after Alternate Login ID is configured. -* Fixed an issue where Azure AD Connect wizard is unable to correctly handle AD FS servers whose service accounts are configured using userPrincipalName format instead of sAMAccountName format. 
+* Fixed an issue where Microsoft Entra Connect wizard does not update AD FS configuration and set the right claims on the relying party trust after Alternate Login ID is configured. +* Fixed an issue where Microsoft Entra Connect wizard is unable to correctly handle AD FS servers whose service accounts are configured using userPrincipalName format instead of sAMAccountName format. Pass-through Authentication-* Fixed an issue which causes Azure AD Connect wizard to fail if Pass Through Authentication is selected but registration of its connector fails. -* Fixed an issue which causes Azure AD Connect wizard to bypass validation checks on sign-in method selected when Desktop SSO feature is enabled. +* Fixed an issue which causes Microsoft Entra Connect wizard to fail if Pass Through Authentication is selected but registration of its connector fails. +* Fixed an issue which causes Microsoft Entra Connect wizard to bypass validation checks on sign-in method selected when Desktop SSO feature is enabled. Password Reset-* Fixed an issue which may cause the Azure Azure AD Connect server to not attempt to re-connect if the connection was killed by a firewall or proxy. +* Fixed an issue which may cause the Azure Microsoft Entra Connect server to not attempt to re-connect if the connection was killed by a firewall or proxy. **New features/improvements:** -Azure AD Connect sync +Microsoft Entra Connect Sync * Get-ADSyncScheduler cmdlet now returns a new Boolean property named SyncCycleInProgress. If the returned value is true, it means that there is a scheduled synchronization cycle in progress.-* Destination folder for storing Azure AD Connect installation and setup logs has been moved from %localappdata%\AADConnect to %programdata%\AADConnect to improve accessibility to the log files. 
+* Destination folder for storing Microsoft Entra Connect installation and setup logs has been moved from %localappdata%\AADConnect to %programdata%\AADConnect to improve accessibility to the log files. AD FS management * Added support for updating AD FS Farm TLS/SSL Certificate. * Added support for managing AD FS 2016. * You can now specify existing gMSA (Group Managed Service Account) during AD FS installation.-* You can now configure SHA-256 as the signature hash algorithm for Azure AD relying party trust. +* You can now configure SHA-256 as the signature hash algorithm for Microsoft Entra ID relying party trust. Password Reset * Introduced improvements to allow the product to function in environments with more stringent firewall rules. Released: December 2016 * Fixed the issue where the issuerid claim rule for Active Directory Federation Services (AD FS) is missing in this build. >[!NOTE]->This build is not available to customers through the Azure AD Connect Auto Upgrade feature. +>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature. ## 1.1.371.0 Released: December 2016 **Known issue:** -* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure Active Directory (Azure AD). If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after the installation/upgrade. For details on adding the issuerid claim rule, refer to this article on [Multiple domain support for federating with Azure AD](how-to-connect-install-multiple-domains.md). +* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Microsoft Entra ID. 
If you are using Microsoft Entra Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after the installation/upgrade. For details on adding the issuerid claim rule, refer to this article on [Multiple domain support for federating with Microsoft Entra ID](how-to-connect-install-multiple-domains.md). **Fixed issue:** -* If Port 9090 is not opened for the outbound connection, the Azure AD Connect installation or upgrade fails. +* If Port 9090 is not opened for the outbound connection, the Microsoft Entra Connect installation or upgrade fails. >[!NOTE]->This build is not available to customers through the Azure AD Connect Auto Upgrade feature. +>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature. ## 1.1.370.0 Released: December 2016 **Known issues:** -* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure AD. If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding issuerid claim rule, refer to this article on [Multiple domain support for federating with Azure AD](how-to-connect-install-multiple-domains.md). +* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Microsoft Entra ID. If you are using Microsoft Entra Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. 
For details on adding issuerid claim rule, refer to this article on [Multiple domain support for federating with Microsoft Entra ID](how-to-connect-install-multiple-domains.md). * Port 9090 must be open outbound to complete installation. **New features:** Released: December 2016 * Pass-through Authentication (Preview). >[!NOTE]->This build is not available to customers through the Azure AD Connect Auto Upgrade feature. +>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature. ## 1.1.343.0 Released: November 2016 **Known issue:** -* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure AD. If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding issuerid claim rule, refer to this article on [Multiple domain support for federating with Azure AD](how-to-connect-install-multiple-domains.md). +* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Microsoft Entra ID. If you are using Microsoft Entra Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding issuerid claim rule, refer to this article on [Multiple domain support for federating with Microsoft Entra ID](how-to-connect-install-multiple-domains.md). **Fixed issues:** -* Sometimes, installing Azure AD Connect fails because it's unable to create a local service account whose password meets the level of complexity specified by the organization's password policy. 
+* Sometimes, installing Microsoft Entra Connect fails because it's unable to create a local service account whose password meets the level of complexity specified by the organization's password policy. * Fixed an issue where join rules aren't reevaluated when an object in the connector space simultaneously becomes out-of-scope for one join rule and become in-scope for another. This can happen if you've two or more join rules whose join conditions are mutually exclusive.-* Fixed an issue where inbound synchronization rules (from Azure AD), which don't contain join rules, aren't processed if they have lower precedence values than those containing join rules. +* Fixed an issue where inbound synchronization rules (from Microsoft Entra ID), which don't contain join rules, aren't processed if they have lower precedence values than those containing join rules. **Improvements:** -* Added support for installing Azure AD Connect on Windows Server 2016 Standard or higher. -* Added support for using SQL Server 2016 as the remote database for Azure AD Connect. +* Added support for installing Microsoft Entra Connect on Windows Server 2016 Standard or higher. +* Added support for using SQL Server 2016 as the remote database for Microsoft Entra Connect. ## 1.1.281.0 Released: August 2016 Released: August 2016 **Fixed issues:** * Changes to sync interval don't take place until after the next sync cycle is complete.-* Azure AD Connect wizard does not accept an Azure AD account whose username starts with an underscore (\_). -* Azure AD Connect wizard fails to authenticate the Azure AD account if the account password contains too many special characters. Error message "Unable to validate credentials. An unexpected error has occurred." is returned. -* Uninstalling staging server disables password synchronization in Azure AD tenant and causes password synchronization to fail with active server. 
+* Microsoft Entra Connect wizard does not accept a Microsoft Entra account whose username starts with an underscore (\_). +* Microsoft Entra Connect wizard fails to authenticate the Microsoft Entra account if the account password contains too many special characters. Error message "Unable to validate credentials. An unexpected error has occurred." is returned. +* Uninstalling staging server disables password synchronization in Microsoft Entra tenant and causes password synchronization to fail with active server. * Password synchronization fails in uncommon cases when there is no password hash stored on the user.-* When Azure AD Connect server is enabled for staging mode, password writeback is not temporarily disabled. -* Azure AD Connect wizard does not show the actual password synchronization and password writeback configuration when server is in staging mode. It always shows them as disabled. -* Configuration changes to password synchronization and password writeback aren't persisted by Azure AD Connect wizard when server is in staging mode. +* When Microsoft Entra Connect server is enabled for staging mode, password writeback is not temporarily disabled. +* Microsoft Entra Connect wizard does not show the actual password synchronization and password writeback configuration when server is in staging mode. It always shows them as disabled. +* Configuration changes to password synchronization and password writeback aren't persisted by Microsoft Entra Connect wizard when server is in staging mode. **Improvements:** * Updated the Start-ADSyncSyncCycle cmdlet to indicate whether it's able to successfully start a new sync cycle or not. * Added the Stop-ADSyncSyncCycle cmdlet to terminate sync cycle and operation, which are currently in progress. 
* Updated the Stop-ADSyncScheduler cmdlet to terminate sync cycle and operation, which are currently in progress.-* When configuring [Directory extensions](how-to-connect-sync-feature-directory-extensions.md) in Azure AD Connect wizard, the Azure AD attribute of type "Teletex string" can now be selected. +* When configuring [Directory extensions](how-to-connect-sync-feature-directory-extensions.md) in Microsoft Entra Connect wizard, the Microsoft Entra attribute of type "Teletex string" can now be selected. ## 1.1.189.0 Released: June 2016 **Fixed issues and improvements:** -* Azure AD Connect can now be installed on a FIPS-compliant server. +* Microsoft Entra Connect can now be installed on a FIPS-compliant server. * For password synchronization, see [Password hash sync and FIPS](how-to-connect-password-hash-synchronization.md#password-hash-synchronization-and-fips). * Fixed an issue where a NetBIOS name could not be resolved to the FQDN in the Active Directory Connector. Released: May 2016 **New features:** -* Warns and helps you verify domains if you didn’t do it before running Azure AD Connect. +* Warns and helps you verify domains if you didn’t do it before running Microsoft Entra Connect. * Added support for [Microsoft Cloud Germany](reference-connect-instances.md#microsoft-cloud-germany). * Added support for the latest [Microsoft Azure Government cloud](reference-connect-instances.md#microsoft-azure-government) infrastructure with new URL requirements. Released: February 2016 * Upgrade from earlier releases does not work if the installation is not in the default C:\Program Files folder. * If you install and clear **Start the synchronization process** at the end of the installation wizard, running the installation wizard a second time will not enable the scheduler. * The scheduler doesn't work as expected on servers where the US-en date/time format is not used. 
It will also block `Get-ADSyncScheduler` to return correct times.-* If you installed an earlier release of Azure AD Connect with AD FS as the sign-in option and upgrade, you cannot run the installation wizard again. +* If you installed an earlier release of Microsoft Entra Connect with AD FS as the sign-in option and upgrade, you cannot run the installation wizard again. ## 1.1.105.0 Released: February 2016 Released: February 2016 **New features:** * [Automatic upgrade](how-to-connect-install-automatic-upgrade.md) feature for Express settings customers.-* Support for the Hybrid Identity Administrator by using Azure AD Multi-Factor Authentication and Privileged Identity Management in the installation wizard. - * You need to allow your proxy to also allow traffic to ```https://secure.aadcdn.microsoftonline-p.com``` if you use Multi-Factor Authentication. - * You need to add ```https://secure.aadcdn.microsoftonline-p.com``` to your trusted sites list for Multi-Factor Authentication to properly work. +* Support for the Hybrid Identity Administrator by using Microsoft Entra multifactor Authentication and Privileged Identity Management in the installation wizard. + * You need to allow your proxy to also allow traffic to ```https://secure.aadcdn.microsoftonline-p.com``` if you use multifactor authentication. + * You need to add ```https://secure.aadcdn.microsoftonline-p.com``` to your trusted sites list for multifactor authentication to properly work. * Allow changing the user's sign-in method after initial installation. * Allow [Domain and OU filtering](how-to-connect-install-custom.md#domain-and-ou-filtering) in the installation wizard. This also allows connecting to forests where not all domains are available. * [Scheduler](how-to-connect-sync-feature-scheduler.md) is built in to the sync engine. 
Released: December 2015 **Fixed issues:** * Password sync might not work when you change passwords in Active Directory Domain Services (AD DS), but works when you do set a password.-* When you've a proxy server, authentication to Azure AD might fail during installation, or if an upgrade is canceled on the configuration page. -* Updating from a previous release of Azure AD Connect with a full SQL Server instance fails if you aren't a SQL Server system administrator (SA). -* Updating from a previous release of Azure AD Connect with a remote SQL Server shows the “Unable to access the ADSync SQL database” error. +* When you've a proxy server, authentication to Microsoft Entra ID might fail during installation, or if an upgrade is canceled on the configuration page. +* Updating from a previous release of Microsoft Entra Connect with a full SQL Server instance fails if you aren't a SQL Server system administrator (SA). +* Updating from a previous release of Microsoft Entra Connect with a remote SQL Server shows the “Unable to access the ADSync SQL database” error. ## 1.0.9125.0 Released: November 2015 **New features:** -* Can reconfigure AD FS to Azure AD trust. +* Can reconfigure AD FS to Microsoft Entra ID trust. * Can refresh the Active Directory schema and regenerate sync rules. * Can disable a sync rule. * Can define "AuthoritativeNull" as a new literal in a sync rule. **New preview features:** -* [Azure AD Connect Health for sync](how-to-connect-health-sync.md). -* Support for [Azure AD Domain Services](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e) password synchronization. +* [Microsoft Entra Connect Health for sync](how-to-connect-health-sync.md). +* Support for [Microsoft Entra Domain Services](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e) password synchronization. 
**New supported scenario:** Released: November 2015 * The password retry queue is infinite and the previous limit of 5,000 objects to be retired has been removed. * Not able to connect to Active Directory with Windows Server 2016 forest-functional level. * Not able to change the group that is used for group filtering after the initial installation.-* No longer creates a new user profile on the Azure AD Connect server for every user doing a password change with password writeback enabled. +* No longer creates a new user profile on the Microsoft Entra Connect server for every user doing a password change with password writeback enabled. * Not able to use Long Integer values in sync rules scopes. * The check box "device writeback" remains disabled if there are unreachable domain controllers. Released: August 2015 **New features:** -* The Azure AD Connect installation wizard is now localized to all Windows Server languages. -* Added support for account unlock when using Azure AD password management. +* The Microsoft Entra Connect installation wizard is now localized to all Windows Server languages. +* Added support for account unlock when using Microsoft Entra password management. **Fixed issues:** -* Azure AD Connect installation wizard crashes if another user continues installation rather than the person who first started the installation. -* If a previous uninstallation of Azure AD Connect fails to uninstall Azure AD Connect sync cleanly, it's not possible to reinstall. -* Cannot install Azure AD Connect using Express installation if the user is not in the root domain of the forest or if a non-English version of Active Directory is used. +* Microsoft Entra Connect installation wizard crashes if another user continues installation rather than the person who first started the installation. +* If a previous uninstallation of Microsoft Entra Connect fails to uninstall Microsoft Entra Connect Sync cleanly, it's not possible to reinstall. 
+* Cannot install Microsoft Entra Connect using Express installation if the user is not in the root domain of the forest or if a non-English version of Active Directory is used. * If the FQDN of the Active Directory user account cannot be resolved, a misleading error message “Failed to commit the schema” is shown. * If the account used on the Active Directory Connector is changed outside the wizard, the wizard fails on subsequent runs.-* Azure AD Connect sometimes fails to install on a domain controller. +* Microsoft Entra Connect sometimes fails to install on a domain controller. * Cannot enable and disable “Staging mode” if extension attributes have been added. * Password writeback fails in some configurations because of a bad password on the Active Directory Connector. * DirSync cannot be upgraded if a distinguished name (DN) is used in attribute filtering. Released: August 2015 ## 1.0.8641.0 Released: June 2015 -**Initial release of Azure AD Connect.** +**Initial release of Microsoft Entra Connect.** -Changed name from Azure AD Sync to Azure AD Connect. +Changed name from Azure AD Sync to Microsoft Entra Connect. **New features:** Released: May 2015 **Fixed issues:** -* Password writeback from Azure AD is failing with an Azure Service Bus connectivity error. +* Password writeback from Microsoft Entra ID is failing with an Azure Service Bus connectivity error. ## 1.0.491.0413 Released: April 2015 Released: April 2015 **Fixed issues and improvements:** * The Active Directory Connector does not process deletes correctly if the recycle bin is enabled and there are multiple domains in the forest.-* The performance of import operations has been improved for the Azure Active Directory Connector. -* When a group has exceeded the membership limit (by default, the limit's set to 50,000 objects), the group was deleted in Azure Active Directory. With the new behavior, the group is not deleted, an error is thrown, and new membership changes aren't exported. 
+* The performance of import operations has been improved for the Microsoft Entra Connector. +* When a group has exceeded the membership limit (by default, the limit's set to 50,000 objects), the group was deleted in Microsoft Entra ID. With the new behavior, the group is not deleted, an error is thrown, and new membership changes aren't exported. * A new object cannot be provisioned if a staged delete with the same DN is already present in the connector space. * Some objects are marked for synchronization during a delta sync even though there's no change staged on the object. * Forcing a password sync also removes the preferred DC list. Released: February 2015 * Password Sync honors the cloudFiltered attribute that is used by attribute filtering. Filtered objects are no longer in scope for password synchronization. * In rare situations where the topology had many domain controllers, password sync doesn’t work.-* “Stopped-server” when importing from the Azure AD Connector after device management has been enabled in Azure AD/Intune. +* “Stopped-server” when importing from the Microsoft Entra Connector after device management has been enabled in Azure AD/Intune. * Joining Foreign Security Principals (FSPs) from multiple domains in same forest causes an ambiguous-join error. ## 1.0.475.1202 Released: October 2014 **New features:** -* Password synchronization from multiple on-premises Active Directory to Azure AD. +* Password synchronization from multiple on-premises Active Directory to Microsoft Entra ID. * Localized installation UI to all Windows Server languages. **Upgrading from AADSync 1.0 GA** Released: September 2014 **Initial release of Azure AD Sync.** ## Next steps-Learn more about [Integrating your on-premises identities with Azure Active Directory](../whatis-hybrid-identity.md). +Learn more about [Integrating your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md). |
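Review bot: the rename left a stray word in the Password Reset bullet of the first hunk, `+* Fixed an issue which may cause the Azure Microsoft Entra Connect server to not attempt to re-connect if the connection was killed by a firewall or proxy.` The source line already doubled the word ("Azure Azure AD Connect"), and replacing only "Azure AD Connect" kept the leading "Azure"; the line should read "may cause the Microsoft Entra Connect server to not attempt to re-connect".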
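Review bot: the rename is incomplete in the February 2015 fixed-issues bullet, `+* “Stopped-server” when importing from the Microsoft Entra Connector after device management has been enabled in Azure AD/Intune.` The connector name was updated but "Azure AD/Intune" in the same sentence was not; for consistency with the rest of this file it should become "Microsoft Entra ID/Intune". Leaving "Azure AD Sync" and "AADSync 1.0 GA" untouched in the October 2014 and September 2014 entries is correct, since those are the historical product names.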
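Review bot: a typo sits in an unchanged context line next to lines this change edits, `* The password retry queue is infinite and the previous limit of 5,000 objects to be retired has been removed.` It should read "retried" (the sentence is about the password retry queue); since the November 2015 list is already being touched, it is worth fixing in the same commit.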
active-directory | Reference Connect Version History | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history.md | Title: 'Azure AD Connect: Version release history' -description: This article lists all releases of Azure AD Connect and Azure AD Sync. + Title: 'Microsoft Entra Connect: Version release history' +description: This article lists all releases of Microsoft Entra Connect and Azure AD Sync. ms.assetid: ef2797d7-d440-4a9a-a648-db32ad137494 -# Azure AD Connect: Version release history +# Microsoft Entra Connect: Version release history -The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and functionality. Not all additions apply to all audiences. +The Microsoft Entra team regularly updates Microsoft Entra Connect with new features and functionality. Not all additions apply to all audiences. This article helps you keep track of the versions that have been released and understand what the changes are in the latest version. ## Looking for the latest versions? -You can upgrade your Azure AD Connect server from all supported versions with the latest versions: +You can upgrade your Microsoft Entra Connect server from all supported versions with the latest versions: -You can download the latest version of Azure AD Connect 2.0 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594). See the [release notes for the latest V2.0 release](reference-connect-version-history.md#21200).\ +You can download the latest version of Microsoft Entra Connect 2.0 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594). 
See the [release notes for the latest V2.0 release](reference-connect-version-history.md#21200).\ Get notified about when to revisit this page for updates by copying and pasting this URL: `https://aka.ms/aadconnectrss` into your ![RSS feed reader icon](media/reference-connect-version-history/feed-icon-16x16.png) feed reader. The following table lists related topics: Topic | Details | |-Steps to upgrade from Azure AD Connect | Different methods to [upgrade from a previous version to the latest](how-to-upgrade-previous-version.md) Azure AD Connect release. -Required permissions | For permissions required to apply an update, see [Azure AD Connect: Accounts and permissions](reference-connect-accounts-permissions.md#upgrade). +Steps to upgrade from Microsoft Entra Connect | Different methods to [upgrade from a previous version to the latest](how-to-upgrade-previous-version.md) Microsoft Entra Connect release. +Required permissions | For permissions required to apply an update, see [Microsoft Entra Connect: Accounts and permissions](reference-connect-accounts-permissions.md#upgrade). -## Retiring Azure AD Connect 1.x versions +<a name='retiring-azure-ad-connect-1x-versions'></a> ++## Retiring Microsoft Entra Connect 1.x versions > [!IMPORTANT]-> Action required: Synchronization will stop working on October 1, 2023, for any customers still running Azure AD Connect Sync V1. Customers using cloud sync or Azure AD Connect V2 will remain fully operational with no action required. For more information and next step guidance, see [Decommission Azure AD Connect V1](https://aka.ms/DecommissionAADConnectV1) if an upgrade is required. +> Action required: Synchronization will stop working on October 1, 2023, for any customers still running Microsoft Entra Connect Sync V1. Customers using cloud sync or Microsoft Entra Connect V2 will remain fully operational with no action required. 
For more information and next step guidance, see [Decommission Azure AD Connect V1](https://aka.ms/DecommissionAADConnectV1) if an upgrade is required. ++<a name='retiring-azure-ad-connect-2x-versions'></a> -## Retiring Azure AD Connect 2.x versions +## Retiring Microsoft Entra Connect 2.x versions > [!IMPORTANT]-> We will begin retiring past versions of Azure AD Connect Sync 2.x 12 months from the date they are superseded by a newer version. +> We will begin retiring past versions of Microsoft Entra Connect Sync 2.x 12 months from the date they are superseded by a newer version. > This policy will go into effect on 15 March 2023, when we will retire all versions that are superseded by a newer version on 15 March 2022. > > Currently only builds 2.1.16.0 (release August 8th 2022) or later are supported. > -> If you are not already using the latest release version of Azure AD Connect Sync, you should upgrade your Azure AD Connect Sync software before that date. +> If you are not already using the latest release version of Microsoft Entra Connect Sync, you should upgrade your Microsoft Entra Connect Sync software before that date. -If you run a retired version of Azure AD Connect, it might unexpectedly stop working. You also might not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools, and service enhancements. If you require support, we might not be able to provide you with the level of service your organization needs. +If you run a retired version of Microsoft Entra Connect, it might unexpectedly stop working. You also might not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools, and service enhancements. If you require support, we might not be able to provide you with the level of service your organization needs. -To learn more about what has changed in V2.0 and how this change affects you, see [Azure AD Connect V2.0](whatis-azure-ad-connect-v2.md). 
+To learn more about what has changed in V2.0 and how this change affects you, see [Microsoft Entra Connect V2.0](whatis-azure-ad-connect-v2.md). -To learn more about how to upgrade Azure AD Connect to the latest version, see [Azure AD Connect: Upgrade from a previous version to the latest](./how-to-upgrade-previous-version.md). +To learn more about how to upgrade Microsoft Entra Connect to the latest version, see [Microsoft Entra Connect: Upgrade from a previous version to the latest](./how-to-upgrade-previous-version.md). -For version history information on retired versions, see [Azure AD Connect: Version release history archive](reference-connect-version-history-archive.md). +For version history information on retired versions, see [Microsoft Entra Connect: Version release history archive](reference-connect-version-history-archive.md). > [!NOTE]-> Releasing a new version of Azure AD Connect requires several quality-control steps to ensure the operation functionality of the service. While we go through this process, the version number of a new release and the release status are updated to reflect the most recent state. +> Releasing a new version of Microsoft Entra Connect requires several quality-control steps to ensure the operation functionality of the service. While we go through this process, the version number of a new release and the release status are updated to reflect the most recent state. -Not all releases of Azure AD Connect are made available for autoupgrade. The release status indicates whether a release is made available for autoupgrade or for download only. If autoupgrade was enabled on your Azure AD Connect server, that server automatically upgrades to the latest version of Azure AD Connect that's released for autoupgrade. Not all Azure AD Connect configurations are eligible for autoupgrade. +Not all releases of Microsoft Entra Connect are made available for autoupgrade. 
The release status indicates whether a release is made available for autoupgrade or for download only. If autoupgrade was enabled on your Microsoft Entra Connect server, that server automatically upgrades to the latest version of Microsoft Entra Connect that's released for autoupgrade. Not all Microsoft Entra Connect configurations are eligible for autoupgrade. Auto-upgrade is meant to push all important updates and critical fixes to you. It isn't necessarily the latest version because not all versions will require or include a fix to a critical security issue. (This example is just one of many.) Critical issues are usually addressed with a new version provided via autoupgrade. If there are no such issues, there are no updates pushed out by using autoupgrade. In general, if you're using the latest autoupgrade version, you should be good. If you want all the latest features and updates, check this page and install what you need. -To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md). +To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md). ## 2.2.1.0 To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to ### Functional Changes - We have enabled Auto Upgrade for tenants with custom synchronization rules. Note that deleted (not disabled) default rules will be re-created and enabled upon Auto Upgrade.+ - We have added Microsoft Entra Connect Agent Updater service to the install. This new service will be used for future auto upgrades. - We have removed the Synchronization Service WebService Connector Config program from the install. - Default sync rule ΓÇ£In from AD ΓÇô User CommonΓÇ¥ was updated to flow the employeeType attribute. 
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to ### Bug fixes + - We fixed a bug where the new employeeLeaveDateTime attribute wasn't syncing correctly in version 2.1.19.0. Note that if the incorrect attribute was already used in a rule, then the rule must be updated with the new attribute and any objects in the Microsoft Entra connector space that have the incorrect attribute must be removed with the "Remove-ADSyncCSObject" cmdlet, and then a full sync cycle must be run. ## 2.1.19.0 To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to ### Functional changes + - We added a new attribute 'employeeLeaveDateTime' for syncing to Microsoft Entra ID. To learn more about how to use this attribute to manage your users' life cycles, please refer to [this article](../../governance/how-to-lifecycle-workflow-sync-attributes.md) ### Bug fixes + - we fixed a bug where Microsoft Entra Connect Password writeback stopped with error code "SSPR_0029 ERROR_ACCESS_DENIED" ## 2.1.18.0 To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to ### Bug fixes - we fixed a bug where upgrade from version 1.6 to version 2.1 got stuck in a loop due to IsMemberOfLocalGroup enumeration.+ - we fixed a bug where the Microsoft Entra Connect Configuration Wizard was sending incorrect credentials (username format) while validating if Enterprise Admin. ## 2.1.16.0 To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to 7/6/2022: Released for download, will be made available for autoupgrade soon. > [!IMPORTANT] -> We have discovered a security vulnerability in the Azure AD Connect Admin Agent. If you have installed the Admin Agent previously it is important that you update your Azure AD Connect server(s) to this version to mitigate the vulnerability. +> We have discovered a security vulnerability in the Microsoft Entra Connect Admin Agent. 
If you have installed the Admin Agent previously it is important that you update your Microsoft Entra Connect server(s) to this version to mitigate the vulnerability. ### Functional changes+ - We have removed the public preview functionality for the Admin Agent from Microsoft Entra Connect. We won't provide this functionality going forward. - We added support for two new attributes: employeeOrgDataCostCenter and employeeOrgDataDivision.+ - We added CertificateUserIds attribute to Microsoft Entra Connector static schema. + - The Microsoft Entra Connect wizard will now abort if write event logs permission is missing. - We updated the AADConnect health endpoints to support the US government clouds. - We added new cmdlets ΓÇ£Get-ADSyncToolsDuplicateUsersSourceAnchor and Set-ADSyncToolsDuplicateUsersSourceAnchorΓÇ£ to fix bulk "source anchor has changed" errors. When a new forest is added to AADConnect with duplicate user objects, the objects are running into bulk "source anchor has changed" errors. This is happening due to the mismatch between msDsConsistencyGuid & ImmutableId. More information about this module and the new cmdlets can be found in [this article](./reference-connect-adsynctools.md). To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to - We fixed a bug to prevent database corruption when using localDB. - We added timeout and size limit errors to the connection log. - We fixed a bug where, if child domain has a user with same name as parent domain user that happens to be an enterprise admin, the group membership failed.+ - We updated the expressions used in the "In from Microsoft Entra ID - Group SOAInAAD" rule to limit the description attribute to 448 characters. - We made a change to set extended rights for "Unexpire Password" for Password Reset. - We modified the AD connector upgrade to refresh the schema ΓÇô we no longer show constructed and non-replicated attributes in the Wizard during upgrade. 
- We fixed a bug in ADSyncConfig functions ConvertFQDNtoDN and ConvertDNtoFQDN - If a user decides to set variables called '$dn' or '$fqdn', these variables will no longer be used inside the script scope. To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to ### Functional changes -- We updated the Azure AD Connect Health component in this release from version 3.1.110.0 to version 3.2.1823.12. This new version provides compliance of the Azure AD Connect Health component with the [Federal Information Processing Standards (FIPS)](https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips) requirements. +- We updated the Microsoft Entra Connect Health component in this release from version 3.1.110.0 to version 3.2.1823.12. This new version provides compliance of the Microsoft Entra Connect Health component with the [Federal Information Processing Standards (FIPS)](https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips) requirements. ## 2.0.89.0 To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to ### Bug fixes - We fixed a bug in version 2.0.88.0 where, under certain conditions, linked mailboxes of disabled users and mailboxes of certain resource objects, were getting deleted.-- We fixed an issue which causes upgrade to Azure AD Connect version 2.x to fail, when using SQL localdb along with a VSA service account for ADSync.+- We fixed an issue which causes upgrade to Microsoft Entra Connect version 2.x to fail, when using SQL localdb along with a VSA service account for ADSync. ## 2.0.88.0 > [!NOTE]-> This release requires Windows Server 2016 or newer. It fixes a vulnerability that's present in version 2.0 of Azure AD Connect and other bug fixes and minor feature updates. +> This release requires Windows Server 2016 or newer. 
It fixes a vulnerability that's present in version 2.0 of Microsoft Entra Connect and other bug fixes and minor feature updates. ### Release status To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to - We upgraded the version of Microsoft.Data.OData from 5.8.1 to 5.8.4 to fix a vulnerability. - Accessibility fixes:- - We made the Azure AD Connect wizard resizable to account for different zoom levels and screen resolutions. + - We made the Microsoft Entra Connect wizard resizable to account for different zoom levels and screen resolutions. - We named elements to satisfy accessibility requirements. - We fixed a bug where miisserver failed because of a null reference.-- We fixed a bug to ensure the desktop SSO value persists after upgrading Azure AD Connect to a newer version.+- We fixed a bug to ensure the desktop SSO value persists after upgrading Microsoft Entra Connect to a newer version. - We modified the inetorgperson sync rules to fix an issue with account/resource forests. - We fixed a radio button test to display a **Link More** link. To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to - We made a change so that group writeback DN is now configurable with the display name of the synced group. - We removed the hard requirement for exchange schema when you enable group writeback.-- Azure AD Kerberos changes:+- Microsoft Entra Kerberos changes: - We extended the PowerShell command to support custom top-level names for trusted object creation.- - We made a change to set an official brand name for the Azure AD Kerberos feature. + - We made a change to set an official brand name for the Microsoft Entra Kerberos feature. ## 1.6.16.0 > [!NOTE]-> This release is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. 
You can't use this version to update an Azure AD Connect V2.0 server. +> This release is an update release of Microsoft Entra Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update a Microsoft Entra Connect V2.0 server. >-> Don't install this release on Windows Server 2016 or newer. This release includes SQL Server 2012 components and will be retired on August 31, 2022. Upgrade your Server OS and Azure AD Connect version before that date. +> Don't install this release on Windows Server 2016 or newer. This release includes SQL Server 2012 components and will be retired on August 31, 2022. Upgrade your Server OS and Microsoft Entra Connect version before that date. > > When you upgrade to this V1.6 build or any newer builds, the group membership limit resets to 50,000. When a server is upgraded to this build, or any newer 1.6 builds, reapply the rule changes you applied when you initially increased the group membership limit to 250,000 before you enable sync for the server. To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to ### Bug fixes -- We fixed a bug where the autoupgrade process attempted to upgrade Azure AD Connect servers that are running older Windows OS version 2008 or 2008 R2 and failed. These versions of Windows Server are no longer supported. In this release, we only attempt autoupgrade on machines that run Windows Server 2012 or newer.+- We fixed a bug where the autoupgrade process attempted to upgrade Microsoft Entra Connect servers that are running older Windows OS version 2008 or 2008 R2 and failed. These versions of Windows Server are no longer supported. In this release, we only attempt autoupgrade on machines that run Windows Server 2012 or newer. 
- We fixed an issue where, under certain conditions, miisserver failed because of an access violation exception. ### Known issues When you upgrade to this V1.6 build or any newer builds, the group membership li ## 2.0.28.0 > [!NOTE]-> This release is a maintenance update release of Azure AD Connect. It requires Windows Server 2016 or newer. +> This release is a maintenance update release of Microsoft Entra Connect. It requires Windows Server 2016 or newer. ### Release status A change was made that allows a user to deselect objects and attributes from the ## 1.6.14.2 > [!NOTE]-> This release is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update an Azure AD Connect V2.0 server. +> This release is an update release of Microsoft Entra Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update a Microsoft Entra Connect V2.0 server. We'll begin auto-upgrading eligible tenants when this version is available for download. Auto-upgrade will take a few weeks to complete. When you upgrade to this V1.6 build or any newer builds, the group membership li ### Functional changes - We added the latest versions of Microsoft Identity Manager (MIM) Connectors (1.1.1610.0). For more information, see the [release history page of the MIM Connectors](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#1116100-september-2021).-- We added a configuration option to disable the Soft Matching feature in Azure AD Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. 
To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).+- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant). ### Bug fixes When you upgrade to this V1.6 build or any newer builds, the group membership li ## 2.0.25.1 > [!NOTE]-> This release is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer. It fixes a security issue that's present in version 2.0 of Azure AD Connect and includes other bug fixes. +> This release is a hotfix update release of Microsoft Entra Connect. This release requires Windows Server 2016 or newer. It fixes a security issue that's present in version 2.0 of Microsoft Entra Connect and includes other bug fixes. ### Release status When you upgrade to this V1.6 build or any newer builds, the group membership li ### Bug fixes -- We fixed a security issue where an unquoted path was used to point to the Azure AD Connect service. This path is now a quoted path.-- We fixed an import configuration issue with writeback enabled when you use the existing Azure AD Connector account.+- We fixed a security issue where an unquoted path was used to point to the Microsoft Entra Connect service. This path is now a quoted path. +- We fixed an import configuration issue with writeback enabled when you use the existing Microsoft Entra Connector account. - We fixed an issue in Set-ADSyncExchangeHybridPermissions and other related cmdlets, which were broken from V1.6 because of an invalid inheritance type.-- We fixed an issue with the cmdlet we published in a previous release to set the TLS version. 
The cmdlet overwrote the keys, which destroyed any values that were in them. Now a new key is created only if one doesn't already exist. We added a warning to let users know the TLS registry changes aren't exclusive to Azure AD Connect and might affect other applications on the same server.+- We fixed an issue with the cmdlet we published in a previous release to set the TLS version. The cmdlet overwrote the keys, which destroyed any values that were in them. Now a new key is created only if one doesn't already exist. We added a warning to let users know the TLS registry changes aren't exclusive to Microsoft Entra Connect and might affect other applications on the same server. - We added a check to enforce autoupgrade for V2.0 to require Windows Server 2016 or newer. - We added the Replicating Directory Changes permission in the Set-ADSyncBasicReadPermissions cmdlet. - We made a change to prevent UseExistingDatabase and import configuration from being used together because they could contain conflicting configuration settings. - We made a change to allow a user with the Application Admin role to change the App Proxy service configuration. - We removed the (Preview) label from the labels of **Import/Export** settings. This functionality is generally available. - We changed some labels that still referred to Company Administrator. We now use the role name Global Administrator.-- We created new Azure AD Kerberos PowerShell cmdlets (\*-AADKerberosServer) to add a Claims Transform rule to the Azure AD Service Principal.+- We created new Microsoft Entra Kerberos PowerShell cmdlets (\*-AADKerberosServer) to add a Claims Transform rule to the Microsoft Entra service principal. ### Functional changes - We added the latest versions of MIM Connectors (1.1.1610.0). 
For more information, see the [release history page of the MIM Connectors](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#1116100-september-2021).-- We added a configuration option to disable the Soft Matching feature in Azure AD Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).+- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant). ## 2.0.10.0 When you upgrade to this V1.6 build or any newer builds, the group membership li 8/19/2021: Released for download only, not available for autoupgrade > [!NOTE]-> This is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer. This hotfix addresses an issue that's present in version 2.0 and in Azure AD Connect version 1.6. If you're running Azure AD Connect on an older Windows server, install the [1.6.13.0](#16130) build instead. +> This is a hotfix update release of Microsoft Entra Connect. This release requires Windows Server 2016 or newer. This hotfix addresses an issue that's present in version 2.0 and in Microsoft Entra Connect version 1.6. If you're running Microsoft Entra Connect on an older Windows server, install the [1.6.13.0](#16130) build instead. ### Release status When you upgrade to this V1.6 build or any newer builds, the group membership li ### Known issues -Under certain circumstances, the installer for this version displays an error that states TLS 1.2 isn't enabled and stops the installation. 
This issue occurs because of an error in the code that verifies the registry setting for TLS 1.2. We'll correct this issue in a future release. If you see this issue, follow the instructions to enable TLS 1.2 in [TLS 1.2 enforcement for Azure AD Connect](reference-connect-tls-enforcement.md). +Under certain circumstances, the installer for this version displays an error that states TLS 1.2 isn't enabled and stops the installation. This issue occurs because of an error in the code that verifies the registry setting for TLS 1.2. We'll correct this issue in a future release. If you see this issue, follow the instructions to enable TLS 1.2 in [TLS 1.2 enforcement for Microsoft Entra Connect](reference-connect-tls-enforcement.md). ### Bug fixes We fixed a bug that occurred when a domain was renamed and Password Hash Sync fa ## 1.6.13.0 > [!NOTE]-> This release is a hotfix update release of Azure AD Connect. It's intended to be used by customers who are running Azure AD Connect on a server with Windows Server 2012 or 2012 R2. +> This release is a hotfix update release of Microsoft Entra Connect. It's intended to be used by customers who are running Microsoft Entra Connect on a server with Windows Server 2012 or 2012 R2. 8/19/2021: Released for download only, not available for autoupgrade There are no functional changes in this release. ### Bug fixes > [!NOTE]-> This release is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer. It addresses an issue that's present in version 2.0.8.0. This issue isn't present in Azure AD Connect version 1.6. +> This release is a hotfix update release of Microsoft Entra Connect. This release requires Windows Server 2016 or newer. It addresses an issue that's present in version 2.0.8.0. This issue isn't present in Microsoft Entra Connect version 1.6. 
We fixed a bug that occurred when you synced a large number of Password Hash Sync transactions and the Event log entry length exceeded the maximum-allowed length for a Password Hash Sync event entry. We now split the lengthy log entry into multiple entries. ## 2.0.8.0 > [!NOTE]-> This release is a security update release of Azure AD Connect. This release requires Windows Server 2016 or newer. If you're using an older version of Windows Server, use [version 1.6.11.3](#16113). +> This release is a security update release of Microsoft Entra Connect. This release requires Windows Server 2016 or newer. If you're using an older version of Windows Server, use [version 1.6.11.3](#16113). This release addresses a vulnerability as documented in [this CVE](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36949). For more information about this vulnerability, see the CVE. -To download the latest version of Azure AD Connect 2.0, see the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594). +To download the latest version of Microsoft Entra Connect 2.0, see the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594). ### Release status There are no functional changes in this release. ## 1.6.11.3 > [!NOTE]-> This release is a security update release of Azure AD Connect. It's intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update an Azure AD Connect V2.0 server. +> This release is a security update release of Microsoft Entra Connect. It's intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update a Microsoft Entra Connect V2.0 server. 
This release addresses a vulnerability as documented in [this CVE](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36949). For more information about this vulnerability, see the CVE. There are no functional changes in this release. ## 2.0.3.0 > [!NOTE]-> This release is a major release of Azure AD Connect. For more information, see [Introduction to Azure AD Connect V2.0](whatis-azure-ad-connect-v2.md). +> This release is a major release of Microsoft Entra Connect. For more information, see [Introduction to Microsoft Entra Connect V2.0](whatis-azure-ad-connect-v2.md). ### Release status There are no functional changes in this release. ### Functional changes - We upgraded the LocalDB components of SQL Server to SQL 2019.-- This release requires Windows Server 2016 or newer because of the requirements of SQL Server 2019. An in-place upgrade of Windows Server on an Azure AD Connect server isn't supported. For this reason, you might need to use a [swing migration](how-to-upgrade-previous-version.md#swing-migration).-- We enforce the use of TLS 1.2 in this release. If you enabled your Windows Server for TLS 1.2, Azure AD Connect uses this protocol. If TLS 1.2 isn't enabled on the server, you'll see an error message when you attempt to install Azure AD Connect. The installation won't continue until you've enabled TLS 1.2. You can use the new Set-ADSyncToolsTls12 cmdlets to enable TLS 1.2 on your server.-- We made a change so that with this release, you can use the Hybrid Identity Administrator role to authenticate when you install Azure AD Connect. You no longer need to use the Global Administrator role.+- This release requires Windows Server 2016 or newer because of the requirements of SQL Server 2019. An in-place upgrade of Windows Server on a Microsoft Entra Connect server isn't supported. For this reason, you might need to use a [swing migration](how-to-upgrade-previous-version.md#swing-migration). +- We enforce the use of TLS 1.2 in this release. 
If you enabled your Windows Server for TLS 1.2, Microsoft Entra Connect uses this protocol. If TLS 1.2 isn't enabled on the server, you'll see an error message when you attempt to install Microsoft Entra Connect. The installation won't continue until you've enabled TLS 1.2. You can use the new Set-ADSyncToolsTls12 cmdlets to enable TLS 1.2 on your server. +- We made a change so that with this release, you can use the Hybrid Identity Administrator role to authenticate when you install Microsoft Entra Connect. You no longer need to use the Global Administrator role. - We upgraded the Visual C++ runtime library to version 14 as a prerequisite for SQL Server 2019. - We updated this release to use the Microsoft Authentication Library for authentication. We removed the older Azure AD Authentication Library, which will be retired in 2022. - We no longer apply permissions on AdminSDHolders following Windows security guidance. We changed the parameter SkipAdminSdHolders to IncludeAdminSdHolders in the ADSyncConfig.psm1 module.-- We made a change so that passwords are now reevaluated when an expired password is "unexpired," no matter if the password itself is changed. If the password is set to "Must change password at next logon" for a user, and this flag is cleared (which "unexpires" the password), the unexpired status and the password hash are synced to Azure AD. In Azure AD, when the user attempts to sign in, they can use the unexpired password.-To sync an expired password from Active Directory to Azure AD, use the feature in Azure AD Connect to [synchronize temporary passwords](how-to-connect-password-hash-synchronization.md#synchronizing-temporary-passwords-and-force-password-change-on-next-logon). Enable password writeback to use this feature so that the password the user updates is written back to Active Directory. +- We made a change so that passwords are now reevaluated when an expired password is "unexpired," no matter if the password itself is changed. 
If the password is set to "Must change password at next logon" for a user, and this flag is cleared (which "unexpires" the password), the unexpired status and the password hash are synced to Microsoft Entra ID. In Microsoft Entra ID, when the user attempts to sign in, they can use the unexpired password. +To sync an expired password from Active Directory to Microsoft Entra ID, use the feature in Microsoft Entra Connect to [synchronize temporary passwords](how-to-connect-password-hash-synchronization.md#synchronizing-temporary-passwords-and-force-password-change-on-next-logon). Enable password writeback to use this feature so that the password the user updates is written back to Active Directory. - We added two new cmdlets to the ADSyncTools module to enable or retrieve TLS 1.2 settings from the Windows Server: - Get-ADSyncToolsTls12 - Set-ADSyncToolsTls12 -You can use these cmdlets to retrieve the TLS 1.2 enablement status or set it as needed. TLS 1.2 must be enabled on the server for the installation or Azure AD Connect to succeed. +You can use these cmdlets to retrieve the TLS 1.2 enablement status or set it as needed. TLS 1.2 must be enabled on the server for the installation or Microsoft Entra Connect to succeed. - We revamped ADSyncTools with several new and improved cmdlets. The [ADSyncTools article](reference-connect-adsynctools.md) has more details about these cmdlets. The following cmdlets have been added or updated: You can use these cmdlets to retrieve the TLS 1.2 enablement status or set it as - Set-ADSyncToolsMsDsConsistencyGuid - Trace-ADSyncToolsADImport - Trace-ADSyncToolsLdapQuery-- We now use the V2 endpoint for import and export. We fixed an issue in the Get-ADSyncAADConnectorExportApiVersion cmdlet. 
To learn more about the V2 endpoint, see [Azure AD Connect sync V2 endpoint](how-to-connect-sync-endpoint-api-v2.md).-- We added the following new user properties to sync from on-premises Active Directory to Azure AD:+- We now use the V2 endpoint for import and export. We fixed an issue in the Get-ADSyncAADConnectorExportApiVersion cmdlet. To learn more about the V2 endpoint, see [Microsoft Entra Connect Sync V2 endpoint](how-to-connect-sync-endpoint-api-v2.md). +- We added the following new user properties to sync from on-premises Active Directory to Microsoft Entra ID: - employeeType - employeeHireDate >[!NOTE] You can use these cmdlets to retrieve the TLS 1.2 enablement status or set it as - We updated the Generic LDAP Connector and the Generic SQL Connector to the latest versions. To learn more about these connectors, see the reference documentation for: - [Generic LDAP Connector](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap) - [Generic SQL Connector](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql)-- In the Microsoft 365 admin center, we now report the Azure AD Connect client version whenever there's export activity to Azure AD. This reporting ensures that the Microsoft 365 admin center always has the most up-to-date Azure AD Connect client version, and that it can detect when you're using an outdated version.+- In the Microsoft 365 admin center, we now report the Microsoft Entra Connect client version whenever there's export activity to Microsoft Entra ID. This reporting ensures that the Microsoft 365 admin center always has the most up-to-date Microsoft Entra Connect client version, and that it can detect when you're using an outdated version. ### Bug fixes - We fixed an accessibility bug where the screen reader announced an incorrect role of the **Learn More** link. 
- We fixed a bug where sync rules with large precedence values (for example, 387163089) caused an upgrade to fail. We updated the sproc mms_UpdateSyncRulePrecedence to cast the precedence number as an integer prior to incrementing the value. - We fixed a bug where group writeback permissions weren't set on the sync account if a group writeback configuration was imported. We now set the group writeback permissions if group writeback is enabled on the imported configuration.-- We updated the Azure AD Connect Health agent version to 3.1.110.0 to fix an installation failure.-- We're seeing an issue with nondefault attributes from exported configurations where directory extension attributes are configured. In the process of importing these configurations to a new server or installation, the attribute inclusion list is overridden by the directory extension configuration step. As a result, after import, only default and directory extension attributes are selected in the sync service manager. Nondefault attributes aren't included in the installation, so the user must manually reenable them from the sync service manager if they want their imported sync rules to work. We now refresh the Azure AD Connector before configuring the directory extension to keep existing attributes from the attribute inclusion list.+- We updated the Microsoft Entra Connect Health agent version to 3.1.110.0 to fix an installation failure. +- We're seeing an issue with nondefault attributes from exported configurations where directory extension attributes are configured. In the process of importing these configurations to a new server or installation, the attribute inclusion list is overridden by the directory extension configuration step. As a result, after import, only default and directory extension attributes are selected in the sync service manager. 
Nondefault attributes aren't included in the installation, so the user must manually reenable them from the sync service manager if they want their imported sync rules to work. We now refresh the Microsoft Entra Connector before configuring the directory extension to keep existing attributes from the attribute inclusion list. - We fixed an accessibility issue where the page header's font weight was set as Light. Font weight is now set to Bold for the page title, which applies to the header of all pages. - We renamed the function Get-AdObject in ADSyncSingleObjectSync.ps1 to Get-AdDirectoryObject to prevent ambiguity with the Active Directory cmdlet. - We removed the condition that allowed duplicate rule precedence. The SQL function mms_CheckSynchronizationRuleHasUniquePrecedence had allowed duplicates precedence on outbound sync rules on different connectors. - We fixed a bug where the Single Object Sync cmdlet fails if the attribute flow data is null. An example is on exporting a delete operation. - We fixed a bug where the installation fails because the ADSync bootstrap service can't be started. We now add Sync Service Account to the Local Builtin User Group before starting the bootstrap service.-- We fixed an accessibility issue where the active tab on Azure AD Connect wizard wasn't showing the correct color on High Contrast theme. The selected color code was being overwritten because of a missing condition in the normal color code configuration.+- We fixed an accessibility issue where the active tab on Microsoft Entra Connect wizard wasn't showing the correct color on High Contrast theme. The selected color code was being overwritten because of a missing condition in the normal color code configuration. - We addressed an issue where you were allowed to deselect objects and attributes used in sync rules by using the UI and PowerShell. 
We now show friendly error messages if you try to deselect any attribute or object that's used in any sync rules.-- We made some updates to the "migrate settings code" to check and fix backward compatibility issues when the script runs on an older version of Azure AD Connect.+- We made some updates to the "migrate settings code" to check and fix backward compatibility issues when the script runs on an older version of Microsoft Entra Connect. - We fixed a bug that occurred when PHS tried to look up an incomplete object. It didn't use the same algorithm to resolve the DC as it used originally to fetch the passwords. In particular, it ignored affinitized DC information. The Incomplete object lookup should use the same logic to locate the DC in both instances.-- We fixed a bug where Azure AD Connect can't read Application Proxy items by using Microsoft Graph because of a permissions issue with calling Microsoft Graph directly based on the Azure AD Connect client identifier. To fix this issue, we removed the dependency on Microsoft Graph and instead use Azure AD PowerShell to work with the App Proxy Application objects.+- We fixed a bug where Microsoft Entra Connect can't read Application Proxy items by using Microsoft Graph because of a permissions issue with calling Microsoft Graph directly based on the Microsoft Entra Connect client identifier. To fix this issue, we removed the dependency on Microsoft Graph and instead use Azure AD PowerShell to work with the App Proxy Application objects. - We removed the writeback member limit from the Out to AD - Group SOAInAAD Exchange sync rule. - We fixed a bug that occurred when you changed connector account permissions. If an object came in scope that hadn't changed since the last delta import, a delta import wouldn't import it. We now display a warning to alert you of the issue. - We fixed an accessibility issue where the screen reader wasn't reading the radio button position. 
We added positional text to the radio button accessibility text field. - We updated the Pass-Thru Authentication Agent bundle. The older bundle didn't have the correct reply URL for the HIP's first-party application in US Government.-- We fixed a bug where a stopped-extension-dll-exception error on Azure AD Connector exported after clean installing the Azure AD Connect version 1.6.X.X, which defaulted to using DirSyncWebServices API V2, by using an existing database. Previously, the setting export version to V2 was only being done for upgrades. We changed it so that it's set on clean install.+- We fixed a bug where a stopped-extension-dll-exception error on Microsoft Entra Connector exported after clean installing the Microsoft Entra Connect version 1.6.X.X, which defaulted to using DirSyncWebServices API V2, by using an existing database. Previously, the setting export version to V2 was only being done for upgrades. We changed it so that it's set on clean install. - We removed the ADSyncPrep.psm1 module from the installation because it's no longer used. ### Known issues -- The Azure AD Connect wizard shows the **Import Synchronization Settings** option as **Preview**, although this feature is generally available.+- The Microsoft Entra Connect wizard shows the **Import Synchronization Settings** option as **Preview**, although this feature is generally available. - Some Active Directory connectors might be installed in a different order when you use the output of the migrate settings script to install the product.-- The **User Sign In** options page in the Azure AD Connect wizard mentions Company Administrator. This term is no longer used and needs to be replaced by Global Administrator.+- The **User Sign In** options page in the Microsoft Entra Connect wizard mentions Company Administrator. This term is no longer used and needs to be replaced by Global Administrator. 
- The **Export settings** option is broken when the **Sign In** option has been configured to use PingFederate.-- While Azure AD Connect can now be deployed by using the Hybrid Identity Administrator role, configuring Self-Service Password Reset, Passthru Authentication, or single sign-on still requires a user with the Global Administrator role.-- When you import the Azure AD Connect configuration while you deploy to connect with a different tenant than the original Azure AD Connect configuration, directory extension attributes aren't configured correctly.+- While Microsoft Entra Connect can now be deployed by using the Hybrid Identity Administrator role, configuring Self-Service Password Reset, Passthru Authentication, or single sign-on still requires a user with the Global Administrator role. +- When you import the Microsoft Entra Connect configuration while you deploy to connect with a different tenant than the original Microsoft Entra Connect configuration, directory extension attributes aren't configured correctly. ## 1.6.4.0 > [!NOTE]-> The Azure AD Connect sync V2 endpoint API is now available in these Azure environments: +> The Microsoft Entra Connect Sync V2 endpoint API is now available in these Azure environments: > > - Azure Commercial > - Microsoft Azure operated by 21Vianet You can use these cmdlets to retrieve the TLS 1.2 enablement status or set it as ### Bug fixes -This release fixes a bug that occurred in version 1.6.2.4. After upgrade to that release, the Azure AD Connect Health feature wasn't registered correctly and didn't work. If you deployed build 1.6.2.4, update your Azure AD Connect server with this build to register the Health feature correctly. +This release fixes a bug that occurred in version 1.6.2.4. After upgrade to that release, the Microsoft Entra Connect Health feature wasn't registered correctly and didn't work. 
If you deployed build 1.6.2.4, update your Microsoft Entra Connect server with this build to register the Health feature correctly. ## 1.6.2.4 > [!IMPORTANT] > Update per March 30, 2021: We've discovered an issue in this build. After installation of this build, the Health services aren't registered. We recommend that you not install this build. We'll release a hotfix shortly.-> If you already installed this build, you can manually register the Health services by using the cmdlet, as shown in [Azure AD Connect Health agent installation](./how-to-connect-health-agent-install.md#manually-register-azure-ad-connect-health-for-sync). +> If you already installed this build, you can manually register the Health services by using the cmdlet, as shown in [Microsoft Entra Connect Health agent installation](./how-to-connect-health-agent-install.md#manually-register-azure-ad-connect-health-for-sync). - This release will be made available for download only. - The upgrade to this release will require a full synchronization because of sync rule changes.-- This release defaults the Azure AD Connect server to the new V2 endpoint.+- This release defaults the Microsoft Entra Connect server to the new V2 endpoint. ### Release status This release fixes a bug that occurred in version 1.6.2.4. After upgrade to that ### Functional changes - We updated default sync rules to limit membership in writeback groups to 50,000 members.- - We added new default sync rules for limiting the membership count in group writeback (Out to AD - Group Writeback Member Limit) and group sync to Azure AD (Out to AAD - Group Writeup Member Limit) groups. + - We added new default sync rules for limiting the membership count in group writeback (Out to AD - Group Writeback Member Limit) and group sync to Microsoft Entra ID (Out to Microsoft Entra ID - Group Writeup Member Limit) groups. - We added a member attribute to the Out to AD - Group SOAInAAD - Exchange rule to limit members in writeback groups to 50,000. 
- We updated sync rules to support group writeback V2:- - If the In from AAD - Group SOAInAAD rule is cloned and Azure AD Connect is upgraded: + - If the In from Microsoft Entra ID - Group SOAInAAD rule is cloned and Microsoft Entra Connect is upgraded: - The updated rule will be disabled by default, so targetWritebackType will be null.- - Azure AD Connect will write back all Cloud Groups (including Azure AD Security Groups enabled for writeback) as Distribution Groups. - - If the Out to AD - Group SOAInAAD rule is cloned and Azure AD Connect is upgraded: + - Microsoft Entra Connect will write back all Cloud Groups (including Microsoft Entra Security Groups enabled for writeback) as Distribution Groups. + - If the Out to AD - Group SOAInAAD rule is cloned and Microsoft Entra Connect is upgraded: - The updated rule will be disabled by default. A new sync rule, Out to AD - Group SOAInAAD - Exchange, which is added will be enabled.- - Depending on the Cloned Custom Sync Rule's precedence, Azure AD Connect will flow the Mail and Exchange attributes. + - Depending on the Cloned Custom Sync Rule's precedence, Microsoft Entra Connect will flow the Mail and Exchange attributes. - If the Cloned Custom Sync Rule doesn't flow some Mail and Exchange attributes, the new Exchange Sync Rule will add those attributes. - We added support for [Selective Password Hash Synchronization](./how-to-connect-selective-password-hash-synchronization.md).-- We added the new [Single Object Sync cmdlet](./how-to-connect-single-object-sync.md). Use this cmdlet to troubleshoot your Azure AD Connect sync configuration.-- Azure AD Connect now supports the Hybrid Identity Administrator role for configuring the service.-- We updated the Azure AD ConnectHealth agent to 3.1.83.0.+- We added the new [Single Object Sync cmdlet](./how-to-connect-single-object-sync.md). Use this cmdlet to troubleshoot your Microsoft Entra Connect Sync configuration. 
+- Microsoft Entra Connect now supports the Hybrid Identity Administrator role for configuring the service. +- We updated the Microsoft Entra Connect Health agent to 3.1.83.0. - We introduced a new version of the [ADSyncTools PowerShell module](./reference-connect-adsynctools.md), which has several new or improved cmdlets: - Clear-ADSyncToolsMsDsConsistencyGuid - ConvertFrom-ADSyncToolsAadDistinguishedName This release fixes a bug that occurred in version 1.6.2.4. After upgrade to that - We removed the **Explicit** column from the **CS Search** page in the old sync UI. - We added to the UI for the group writeback flow to prompt users for credentials or to configure their own permissions by using the ADSyncConfig module if credentials weren't already provided in an earlier step. - We added the ability to autocreate a managed service account for an ADSync service account on a DC.-- We added the ability to set and get the Azure AD DirSync feature group writeback V2 in the existing cmdlets:+- We added the ability to set and get the Microsoft Entra DirSync feature group writeback V2 in the existing cmdlets: - Set-ADSyncAADCompanyFeature - Get-ADSyncAADCompanyFeature This release fixes a bug that occurred in version 1.6.2.4. After upgrade to that - We increased granularity for Set-ADSyncPasswordHashSyncPermissions cmdlet. - We updated the PHS permissions script (Set-ADSyncPasswordHashSyncPermissions) to include an optional ADobjectDN parameter. - We made an accessibility bug fix. The screen reader now describes the UX element that holds the list of forests as **Forests list** instead of **Forest List list**.-- We updated screen reader output for some items in the Azure AD Connect wizard. We updated the button hover color to satisfy contrast requirements. 
We updated Synchronization Service Manager title color to satisfy contrast requirements.-- We fixed an issue with installing Azure AD Connect from exported configuration having custom extension attributes.+- We updated screen reader output for some items in the Microsoft Entra Connect wizard. We updated the button hover color to satisfy contrast requirements. We updated Synchronization Service Manager title color to satisfy contrast requirements. +- We fixed an issue with installing Microsoft Entra Connect from exported configuration having custom extension attributes. - We added a condition to skip checking for extension attributes in the target schema while applying the sync rule. - We added appropriate permissions on installation if the group writeback feature is enabled. - We fixed duplicate default sync rule precedence on import. This release fixes a bug that occurred in version 1.6.2.4. After upgrade to that - We modified policy import and export to fail if custom rule has duplicate precedence. - We fixed a bug in the domain selection logic. - We fixed an issue with build 1.5.18.0 if you use mS-DS-ConsistencyGuid as the source anchor and have cloned the In from AD - Group Join rule.-- Fresh Azure AD Connect installations will use the Export Deletion Threshold stored in the cloud if there's one available and if there isn't a different one passed in.-- We fixed an issue where Azure AD Connect wouldn't read Active Directory displayName changes of hybrid-joined devices.+- Fresh Microsoft Entra Connect installations will use the Export Deletion Threshold stored in the cloud if there's one available and if there isn't a different one passed in. +- We fixed an issue where Microsoft Entra Connect wouldn't read Active Directory displayName changes of hybrid-joined devices. ## 1.5.45.0 This is a bug fix release. There are no functional changes in this release. 
## Next steps -Learn more about how to [integrate your on-premises identities with Azure AD](../whatis-hybrid-identity.md). +Learn more about how to [integrate your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md). |
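Review bot: the renamed sync rule names in the 1.6.2.4 functional-changes hunk ("In from AAD - Group SOAInAAD" to "In from Microsoft Entra ID - Group SOAInAAD", "Out to AAD - Group Writeup Member Limit" to "Out to Microsoft Entra ID - Group Writeup Member Limit") are literal rule identifiers as displayed in the Synchronization Rules Editor, and the same hunk leaves "Out to AD - Group SOAInAAD - Exchange" and cmdlet names such as Set-ADSyncAADCompanyFeature untouched, so the branding rename should not be applied to them; keep the literal names, ideally in code formatting, so an admin searching the editor finds the rule. Separately, "Passthru Authentication" in the known-issues hunk and "Pass-Thru Authentication Agent" earlier in the row should both use the product name Pass-through Authentication.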
active-directory | Tshoot Connect Sync Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-sync-errors.md | -# Understanding errors during Azure AD synchronization +# Understanding errors during Microsoft Entra synchronization Errors can occur when identity data is synced from Windows Server Active Directory to Microsoft Entra ID. This article provides an overview of different types of sync errors, some of the possible scenarios that cause those errors, and potential ways to fix the errors. This article includes common error types and might not cover all possible errors. |
active-directory | Whatis Azure Ad Connect V2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect-v2.md | -# Introduction to Microsoft Entra Connect V2.0 +# Introduction to Microsoft Entra Connect V2.0 Microsoft Entra Connect was released several years ago. Since this time, several of the components that Microsoft Entra Connect uses have been scheduled for deprecation and updated to newer versions. Attempting to update all of these components individually would take time and planning. |
active-directory | Howto Identity Protection Graph Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-graph-api.md | Microsoft Graph is the Microsoft unified API endpoint and the home of [Microsoft To successfully complete this tutorial, make sure you have the required prerequisites: - Microsoft Graph PowerShell SDK is installed. For more information, see the article [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true).-- Identity Protection is available in the beta version of Microsoft Graph PowerShell. Run the following command to set your profile to beta.-- ```powershell - # Connect to Graph beta Endpoint - Select-MgProfile -Name 'beta' - ``` --- Microsoft Graph PowerShell using a global administrator role and the appropriate permissions. The IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All Or IdentityRiskyUser.ReadWrite.All delegated permissions are required. To set the permissions to IdentityRiskEvent.Read.All and IdentityRiskyUser.ReadWrite.All, run:+- Microsoft Graph PowerShell using a [Security Administrator](../roles/permissions-reference.md#security-administrator) role. The IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All Or IdentityRiskyUser.ReadWrite.All delegated permissions are required. To set the permissions to IdentityRiskEvent.Read.All and IdentityRiskyUser.ReadWrite.All, run: ```powershell Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All","IdentityRiskyUser.ReadWrite.All" |
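Review bot: IdentityRiskyUser.ReadWrite.All is listed twice in the required-permissions sentence that the hunk carries over ("IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All Or IdentityRiskyUser.ReadWrite.All"), and "Or" is capitalized mid-sentence; the Connect-MgGraph call that follows requests only the first two scopes, so drop the duplicate or name the permission actually intended. The move from Global Administrator to Security Administrator is the right least-privilege direction, but the hunk also removes the Select-MgProfile -Name 'beta' prerequisite without saying how the Identity Protection cmdlets, which the removed text describes as beta-only, are reached now; one sentence on that would close the gap.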
active-directory | Howto Identity Protection Remediate Unblock | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md | After completing your [investigation](howto-identity-protection-investigate-risk All active risk detections contribute to the calculation of the user's risk level. The user risk level is an indicator (low, medium, high) of the probability that the user's account has been compromised. As an administrator, after thorough investigation of the risky users and the corresponding risky sign-ins and detections, you want to remediate the risky users so that they're no longer at risk and won't be blocked. -Identity Protection marks some risk detections and the corresponding risky sign-ins as dismissed with risk state "Dismissed" and risk detail "Microsoft Entra ID Protection assessed sign-in safe". It takes this action, because those events were no longer determined to be risky. +Microsoft Entra ID Protection marks some risk detections and the corresponding risky sign-ins as dismissed with risk state **Dismissed** and risk detail **Azure AD Identity Protection assessed sign-in safe**. It takes this action, because those events were no longer determined to be risky. Administrators have the following options to remediate: Administrators have the following options to remediate: ### Self-remediation with risk-based policy -You can allow users to self-remediate their sign-in risks and user risks by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). If users pass the required access control, such as Microsoft Entra multifactor authentication or secure password change, then their risks are automatically remediated. The corresponding risk detections, risky sign-ins, and risky users are reported with the risk state "Remediated" instead of "At risk". 
+You can allow users to self-remediate their sign-in risks and user risks by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). If users pass the required access control, such as multifactor authentication or secure password change, then their risks are automatically remediated. The corresponding risk detections, risky sign-ins, and risky users are reported with the risk state **Remediated** instead of **At risk**. -Here are the prerequisites on users before risk-based policies can be applied to them to allow self-remediation of risks: +The prerequisites for users before risk-based policies can be applied to allow self-remediation of risks are: - To perform MFA to self-remediate a sign-in risk: - The user must have registered for Microsoft Entra multifactor authentication. - To perform secure password change to self-remediate a user risk: - The user must have registered for Microsoft Entra multifactor authentication.- - For hybrid users that are synced from on-premises to cloud, password writeback must have been enabled on them. + - For hybrid users that are synced from on-premises to cloud, password writeback must be enabled. If a risk-based policy is applied to a user during sign-in before the above prerequisites are met, then the user is blocked. This block action is because they aren't able to perform the required access control, and admin intervention is required to unblock the user. -Risk-based policies are configured based on risk levels and only apply if the risk level of the sign-in or user matches the configured level. Some detections may not raise risk to the level where the policy applies, and administrators need to handle those risky users manually. Administrators may determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies. 
+Risk-based policies are configured based on risk levels and only apply if the risk level of the sign-in or user matches the configured level. Some detections might not raise risk to the level where the policy applies, and administrators need to handle those risky users manually. Administrators can determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies. ### Self-remediation with self-service password reset -If a user has registered for self-service password reset (SSPR), then they can also remediate their own user risk by performing a self-service password reset. +If a user has registered for self-service password reset (SSPR), then they can remediate their own user risk by performing a self-service password reset. ### Manual password reset -If requiring a password reset using a user risk policy isn't an option, administrators can remediate a risky user by requiring a password reset. +If requiring a password reset using a user risk policy isn't an option, or time is of the essence, administrators can remediate a risky user by requiring a password reset. -Administrators are given two options when resetting a password for their users: +Administrators have options they can choose from: - **Generate a temporary password** - By generating a temporary password, you can immediately bring an identity back into a safe state. This method requires contacting the affected users because they need to know what the temporary password is. Because the password is temporary, the user is prompted to change the password to something new during the next sign-in.+ - They can generate passwords for cloud and hybrid users in the Microsoft Entra admin center. 
+ - They can generate passwords for hybrid users from an on-premises directory when password hash synchronization and the [Allow on-premises password change to reset user risk](#allow-on-premises-password-reset-to-remediate-user-risks-preview) setting is enabled. -- **Require the user to reset password** - Requiring the users to reset passwords enables self-recovery without contacting help desk or an administrator. This method only applies to users that are registered for Microsoft Entra multifactor authentication and SSPR. For users that haven't been registered, this option isn't available.+ > [!WARNING] + > Don't select the option **User must change password at next logon**. This is unsupported. ++- **Require the user to reset password** - Requiring the users to reset passwords enables self-recovery without contacting help desk or an administrator. + - Cloud and hybrid users can complete a secure password change. This method only applies to users that can perform MFA already. For users that haven't registered, this option isn't available. + - Hybrid users can complete a password change by pressing Ctrl+Alt+Del and changing their password from an on-premises or hybrid joined Windows device, when password hash synchronization and the [Allow on-premises password change to reset user risk](#allow-on-premises-password-reset-to-remediate-user-risks-preview) setting is enabled. ++#### Allow on-premises password reset to remediate user risks (Preview) ++Organizations who have enabled [password hash synchronization](../hybrid/connect/whatis-phs.md) can allow password changes on-premises to remediate user risk. ++This configuration provides organizations two new capabilities: ++- Risky hybrid users can self-remediate without administrators intervention. When a password is changed on-premises, user risk is now automatically remediated within Entra ID Protection, bringing the user to a safe state. 
+- Organizations can proactively deploy [user risk policies that require password changes](howto-identity-protection-configure-risk-policies.md#user-risk-policy-in-conditional-access) to confidently protect their hybrid users. This option strengthens your organization's security posture and simplifies security management by ensuring that user risks are promptly addressed, even in complex hybrid environments. +++To configure this setting ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Operator](../roles/permissions-reference.md#security-operator). +1. Browse to **Protection** > **Identity Protection** > **Settings**. +1. Check the box to **Allow on-premises password change to reset user risk**. +1. Select **Save**. ### Dismiss user risk To Dismiss user risk in the [Microsoft Entra admin center](https://entra.microso When you select **Dismiss user risk**, the user is no longer at risk, and all the risky sign-ins of this user and corresponding risk detections are dismissed as well. -Because this method doesn't have an impact on the user's existing password, it doesn't bring their identity back into a safe state. +Because this method doesn't affect the user's existing password, it doesn't bring their identity back into a safe state. #### Risk state and detail based on dismissal of risk It isn't possible for administrators to dismiss risk for users who have been del ## Unblocking users -An administrator may choose to block a sign-in based on their risk policy or investigations. A block may occur based on either sign-in or user risk. +An administrator can choose to block a sign-in based on their risk policy or investigations. A block can occur based on either sign-in or user risk. ### Unblocking based on user risk To unblock an account based on sign-in risk, administrators have the following o Using the Microsoft Graph PowerShell SDK Preview module, organizations can manage risk using PowerShell. 
The preview modules and sample code can be found in the [Microsoft Entra GitHub repo](https://github.com/AzureAD/IdentityProtectionTools). -The `Invoke-AzureADIPDismissRiskyUser.ps1` script included in the repo allows organizations to dismiss all risky users in their directory. +The `Invoke-AzureADIPDismissRiskyUser.ps1` script included in the repository allows organizations to dismiss all risky users in their directory. ## Next steps -To get an overview of Microsoft Entra ID Protection, see the [Microsoft Entra ID Protection overview](overview-identity-protection.md). +[Simulate a high user risk](howto-identity-protection-graph-api.md#confirm-users-compromised-using-powershell) |
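Review bot: three wording problems in the new "Allow on-premises password reset" section: "without administrators intervention" should read "without administrator intervention", "within Entra ID Protection" should use the full product name "Microsoft Entra ID Protection" as the rest of the page does, and "To configure this setting" needs a colon before the numbered steps. The warning against **User must change password at next logon** would help readers more with one sentence on why it is unsupported; as written it is an unexplained prohibition. Also, the earlier hunk in this row changes the risk detail string back to **Azure AD Identity Protection assessed sign-in safe**, which is right only if that is the literal string the portal shows; if so, a short note that the UI string has not been rebranded would stop the next rename pass from reverting it again.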
active-directory | Howto Identity Protection Risk Feedback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-risk-feedback.md | An Identity Protection detection is an indicator of suspicious activity from an ## Why should I give risk feedback to Microsoft Entra IDΓÇÖs risk assessments? -There are several reasons why you should give Microsoft Entra ID risk feedback: +There are several reasons why you should give Microsoft Entra risk feedback: - **You found Microsoft Entra IDΓÇÖs user or sign-in risk assessment incorrect**. For example, a sign-in shown in ΓÇÿRisky sign-insΓÇÖ report was benign and all the detections on that sign-in were false positives. - **You validated that Microsoft Entra IDΓÇÖs user or sign-in risk assessment was correct**. For example, a sign-in shown in ΓÇÿRisky sign-insΓÇÖ report was indeed malicious and you want Microsoft Entra ID to know that all the detections on that sign-in were true positives. |
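Review bot: the sequences ΓÇÖ and ΓÇÿ in the heading and in both bullets ("Microsoft Entra IDΓÇÖs", "ΓÇÿRisky sign-insΓÇÖ") are mis-encoded curly quotes, which means the source file is being read in the wrong encoding; save it as UTF-8 and prefer plain ASCII apostrophes and quotes so the problem cannot recur.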
active-directory | Application Sign In Unexpected User Consent Prompt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt.md | Determining whether an individual user can consent to an application can be conf ## Next steps -- [Apps, permissions, and consent in Microsoft Entra ID (v1.0 endpoint)](../develop/quickstart-register-app.md)+- [Apps, permissions, and consent in Azure Active Directory (v1.0 endpoint)](../develop/quickstart-register-app.md) -- [Scopes, permissions, and consent in the Microsoft Entra ID (v2.0 endpoint)](../develop/permissions-consent-overview.md)+- [Scopes, permissions, and consent in the Microsoft identity platform (v2.0 endpoint)](../develop/permissions-consent-overview.md) - [Unexpected error when performing consent to an application](application-sign-in-unexpected-user-consent-error.md) |
active-directory | Cloudflare Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloudflare-integration.md | Integrate Cloudflare Zero Trust account with an instance of Microsoft Entra ID. ![Screenshot of the Login methods option on Authentication.](./media/cloudflare-integration/login-methods.png) -5. Under **Select an identity provider**, select **Azure AD.** +5. Under **Select an identity provider**, select **Microsoft Entra ID**. ![Screenshot of the Microsoft Entra option under Select an identity provider.](./media/cloudflare-integration/idp.png) 6. The **Add Azure ID** dialog appears. 7. Enter Microsoft Entra instance credentials and make needed selections. - ![Screenshot of options and selections for Add Azure AD.](./media/cloudflare-integration/add-idp.png) + ![Screenshot of options and selections for Add Microsoft Entra ID.](./media/cloudflare-integration/add-idp.png) 8. Select **Save**. |
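Review bot: step 5 renames the Cloudflare option to **Microsoft Entra ID**, but step 6 still reads "The **Add Azure ID** dialog appears", which looks like a typo for "Add Azure AD" and is now inconsistent with step 5. Both labels belong to Cloudflare's dashboard, not to Microsoft, so the doc should use whatever Cloudflare currently displays; if the Cloudflare UI still says "Azure AD", keep that literal label in step 5 as well rather than renaming it.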
active-directory | F5 Big Ip Header Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-header-advanced.md | A virtual server is a BIG-IP data plane object represented by a virtual IP addre Use the BIG-IPs session management setting to define the conditions for user session termination or continuation. Create policy with **Access Policy** > **Access Profiles**. Select an application from the list. -Regarding SLO functionality, a SLO URI in Microsoft Entra ensures an IdP-initiated sign-out from the MyApps portal terminates the session between the client and the BIG-IP APM. The imported application federation metadata.xml provides the APM with the Microsoft Entra SAML sign-out endpoint, for SP initiated sign-out. Therefore, enable the APM to know when a user signs out. +Regarding SLO functionality, a SLO URI in Microsoft Entra ID ensures an IdP-initiated sign-out from the MyApps portal terminates the session between the client and the BIG-IP APM. The imported application federation metadata.xml provides the APM with the Microsoft Entra SAML sign-out endpoint, for SP initiated sign-out. Therefore, enable the APM to know when a user signs out. If there's no BIG-IP web portal, the user can't instruct the APM to sign out. If the user signs out of the application, the BIG-IP is oblivious to the action. The application session can be reinstated through SSO. Therefore, SP-initiated sign out needs careful consideration. |
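Review bot: "a SLO URI" in the rewritten sentence should be "an SLO URI" (SLO is read letter by letter), and the closing "Therefore, enable the APM to know when a user signs out" does not follow from the sentence before it; say which APM setting achieves that, or drop the sentence.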
active-directory | F5 Big Ip Kerberos Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-kerberos-easy-button.md | Prior BIG-IP experience isn't necessary, but you need: ## BIG-IP configuration methods -This tutorial covers the latest Guided Configuration 16.1 with an Easy Button template. With the Easy Button, Admins don't go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The deployment and policy management is handled by the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, reducing administrative overhead. +This tutorial covers the latest Guided Configuration 16.1 with an Easy Button template. With the Easy Button, Admins don't go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The deployment and policy management is handled by the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ID ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, reducing administrative overhead. >[!NOTE] > Replace example strings or values in this article with those for your environment. Before a client or service can access Microsoft Graph, it must be trusted by the Initiate the APM Guided Configuration to launch the Easy Button template. -1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**. +1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Microsoft Entra Application**. 
- ![Screenshot of the Azure A D Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png) + ![Screenshot of the Microsoft Entra Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png) 2. Review the configuration steps and select **Next** |
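Review bot: the menu item under **Access > Guided Configuration > Microsoft Integration** is an F5 BIG-IP UI label, so renaming it in the step and in the screenshot alt text to **Microsoft Entra Application** is only correct if Guided Configuration 16.1 actually shows that text; if the BIG-IP UI still reads "Azure AD Application", the literal label has to stay (the screenshot file easy-button-template.png was not changed either). Minor: "Admins" in the rewritten paragraph should be lowercase, and "The deployment and policy management is handled" should be "are handled".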
active-directory | F5 Big Ip Ldap Header Easybutton | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-ldap-header-easybutton.md | Prior BIG-IP experience isn't necessary, but you need: ## BIG-IP configuration -This tutorial uses Guided Configuration 16.1 with an Easy Button template. With the Easy Button, admins don't go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The deployment and policy management is handled between the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, reducing administrative overhead. +This tutorial uses Guided Configuration 16.1 with an Easy Button template. With the Easy Button, admins don't go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The deployment and policy management is handled between the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ID ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, reducing administrative overhead. >[!NOTE] >Replace example strings or values in this guide with those for your environment. This first step creates a tenant app registration to authorize the **Easy Button Initiate the APM **Guided Configuration** to launch the **Easy Button** template. -1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**. +1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Microsoft Entra Application**. 
- ![Screenshot of the Azure A D Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png) + ![Screenshot of the Microsoft Entra Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png) 2. Review the list of steps and select **Next** |
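Review bot: step 1's bolded `select **Microsoft Entra Application**` renames a menu item inside F5's BIG-IP APM Guided Configuration, which a Microsoft docs edit cannot change; unless F5 has shipped a template with that label, the admin following this step will not find it. Keep the UI label as it appears in the product (**Azure AD Application**), optionally with "(Microsoft Entra ID)" in parentheses, and apply the rename only to the surrounding prose. The screenshot alt text on the next line has the same problem, since the image file is unchanged.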
active-directory | F5 Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-integration.md | Advanced configuration tutorials: The BIG-IP version 13.1 Guided Configuration wizard, minimizes time and effort to implement common BIG-IP publishing scenarios. Its workflow framework provides an intuitive deployment experience, for specific access topologies. -Guided Configuration version 16.x has the Easy Button feature: admins no longer go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The end-to-end deployment and policy management is handled by the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, without the management overhead of doing so for each app. +Guided Configuration version 16.x has the Easy Button feature: admins no longer go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The end-to-end deployment and policy management is handled by the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ID ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, without the management overhead of doing so for each app. Tutorials for using Easy Button templates, *F5 BIG-IP Easy Button for SSO to*: |
active-directory | Hide Application From User Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/hide-application-from-user-portal.md | Title: Hide an Enterprise application -description: How to hide an Enterprise application from user's experience in Microsoft Entra access portals or Microsoft 365 launchers. +description: How to hide an Enterprise application from user's experience in Microsoft Entra ID access portals or Microsoft 365 launchers. |
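Review bot: the rewritten description still has the grammatical slip "from user's experience"; since the sentence is being touched anyway, make it "from users' experience" or "from the user experience in Microsoft Entra ID access portals or Microsoft 365 launchers".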
active-directory | Manage Self Service Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-self-service-access.md | To enable self-service application access, you need: - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.-- A Microsoft Entra ID P1 or P2 (P1 or P2) license is required for users to request to join a self-service app and for owners to approve or deny requests. Without a Microsoft Entra ID P1 or P2 license, users can't add self-service apps.+- A Microsoft Entra ID P1 or P2 license is required for users to request to join a self-service app and for owners to approve or deny requests. Without a Microsoft Entra ID P1 or P2 license, users can't add self-service apps. ## Enable self-service application access to allow users to find their own applications |
active-directory | Migrate Adfs Plan Management Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-plan-management-insights.md | Microsoft Entra ID provides a centralized access location to manage your migrate You can also use the [Microsoft Entra admin center](https://entra.microsoft.com) to audit all your apps from a centralized location, -- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Microsoft Entra ID Reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) to integrate into your favorite tools.+- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Microsoft Entra reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) to integrate into your favorite tools. - **View the permissions for an app** using **Enterprise Applications, Permissions** for apps using OAuth/OpenID Connect.-- **Get sign-in insights** using **Enterprise Applications, Sign-Ins**. Access the same information from the [Microsoft Entra ID Reporting API.](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md)+- **Get sign-in insights** using **Enterprise Applications, Sign-Ins**. Access the same information from the [Microsoft Entra reporting API.](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) - **Visualize your appΓÇÖs usage** from the [Microsoft Entra ID Power BI content pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md) ## Exit criteria |
active-directory | Migrate Adfs Represent Security Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-represent-security-policies.md | This maps to Microsoft Entra ID in one of the following ways: 1. In the **Users and groups tab**, assign your application to the **All Users** automatic group. You must [enable Dynamic Groups](../enterprise-users/groups-create-rule.md) in your Microsoft Entra tenant for the default **All Users** group to be available. - :::image type="content" source="media/migrate-adfs-represent-security-policies/permit-access-to-all-users-3.png" alt-text="Screenshot shows My SaaS Apps in Azure AD."::: + :::image type="content" source="media/migrate-adfs-represent-security-policies/permit-access-to-all-users-3.png" alt-text="Screenshot shows My SaaS Apps in Microsoft Entra ID."::: ### Example 2: Allow a group explicitly |
active-directory | Migrate Okta Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-federation.md | For this tutorial, you configure password hash synchronization and seamless SSO. 1. On the Microsoft Entra Connect server, open the **Microsoft Entra Connect** app. 2. Select **Configure**. - ![Screenshot of the Microsoft Entra icon and the Configure button in the Microsoft Entra Connect app.](media/migrate-okta-federation/configure.png) + ![Screenshot of the Microsoft Entra ID icon and the Configure button in the Microsoft Entra Connect app.](media/migrate-okta-federation/configure.png) 3. Select **Change user sign-in**. 4. Select **Next**. |
active-directory | Migrate Okta Sign On Policies Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sign-on-policies-conditional-access.md | See the following two sections for licensing and credentials prerequisites. There are licensing requirements if you switch from Okta sign-on to Conditional Access. The process requires a Microsoft Entra ID P1 license to enable registration for Microsoft Entra multifactor authentication. -Learn more: [Assign or remove licenses in the Microsoft Entra portal](/azure/active-directory/fundamentals/license-users-groups) +Learn more: [Assign or remove licenses in the Microsoft Entra admin center](/azure/active-directory/fundamentals/license-users-groups) ### Enterprise Administrator credentials |
active-directory | Plan Sso Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/plan-sso-deployment.md | Implement your communication plan. Make sure you're letting your users know that Ensure the application is covered by the following licensing requirements: -- **Microsoft Entra licensing** - SSO for pre-integrated enterprise applications is free. However, the number of objects in your directory and the features you wish to deploy may require more licenses. For a full list of license requirements, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).+- **Microsoft Entra ID licensing** - SSO for pre-integrated enterprise applications is free. However, the number of objects in your directory and the features you wish to deploy may require more licenses. For a full list of license requirements, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). - **Application licensing** - You'll need the appropriate licenses for your applications to meet your business needs. Work with the application owner to determine whether the users assigned to the application have the appropriate licenses for their roles within the application. If Microsoft Entra ID manages the automatic provisioning based on roles, the roles assigned in Microsoft Entra ID must align with the number of licenses owned within the application. Improper number of licenses owned in the application may lead to errors during the provisioning or updating of a user account. |
active-directory | Secure Hybrid Access Integrations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access-integrations.md | Title: Secure hybrid access with Microsoft Entra ID integration + Title: Secure hybrid access with Microsoft Entra integration description: Help customers discover and migrate SaaS applications into Microsoft Entra ID and connect apps that use legacy authentication methods with Microsoft Entra ID. -# Secure hybrid access with Microsoft Entra partner integrations +# Secure hybrid access with Microsoft Entra integration Microsoft Entra ID supports modern authentication protocols that help keep applications secure. However, many business applications work in a protected corporate network, and some use legacy authentication methods. As companies build Zero Trust strategies and support hybrid and cloud environments, there are solutions that connect apps to Microsoft Entra ID and provide authentication for legacy applications. The following diagram illustrates the user authentication flow: ### Users sign in to the applications -When users sign in to applications, they use OIDC or SAML. If the applications need to interact with Microsoft Graph or Microsoft Entra ID-protected API, we recommend you configure them to use OICD. This configuration ensures the JWT is applied to interact with Microsoft Graph. If there's no need for applications to interact with Microsoft Graph, or Microsoft Entra protected APIs, then use SAML. +When users sign in to applications, they use OIDC or SAML. If the applications need to interact with Microsoft Graph or Microsoft Entra protected API, we recommend you configure them to use OICD. This configuration ensures the JWT is applied to interact with Microsoft Graph. If there's no need for applications to interact with Microsoft Graph, or Microsoft Entra protected APIs, then use SAML. The following diagram shows user authentication flow: |
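Review bot: the H1 change from "Secure hybrid access with Microsoft Entra partner integrations" to "Secure hybrid access with Microsoft Entra integration" drops "partner", which is the subject of the article (it catalogs third-party solutions, and secure-hybrid-access.md links to it under a "partner integrations" heading); suggest "Secure hybrid access with Microsoft Entra partner integrations" for both the Title and the H1. Two defects also survive on the changed line in "Users sign in to the applications": "OICD" should be "OIDC", and removing "ID" from "Microsoft Entra ID-protected API" also dropped the hyphen, so it should read "Microsoft Entra-protected API" (the same phrase later in the sentence has the same issue).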
active-directory | Secure Hybrid Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access.md | Microsoft partners with various companies that deliver pre-built solutions for o <a name='secure-hybrid-access-through-azure-ad-partner-integrations'></a> -### Secure hybrid access through Microsoft Entra partner integrations +<a name='secure-hybrid-access-through-microsoft-entra-partner-integrations'></a> ++### Secure hybrid access through Microsoft Entra ID partner integrations The following partners offer solutions to support [Conditional Access policies per application](secure-hybrid-access-integrations.md#apply-conditional-access-policies). Use the tables in the following sections to learn about the partners and Microsoft Entra integration documentation. |
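Review bot: the heading now says "Microsoft Entra ID partner integrations" while the article it points to (secure-hybrid-access-integrations.md) is being retitled "Microsoft Entra integration" in the same batch; the two should use one form. Adding the explicit anchor `<a name='secure-hybrid-access-through-microsoft-entra-partner-integrations'>` is the right call, because the renamed heading generates a different slug (with "-id-") and existing deep links to the old slug would otherwise break; keep the older `azure-ad` anchor for the same reason.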
active-directory | Tenant Restrictions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tenant-restrictions.md | The following configuration is required to enable tenant restrictions through yo - Clients must trust the certificate chain presented by the proxy for TLS communications. For example, if certificates from an internal public key infrastructure (PKI) are used, the internal issuing root certificate authority certificate must be trusted. -- Microsoft Entra ID P1 or P2 1 licenses are required for use of tenant restrictions.+- Microsoft Entra ID P1 or P2 licenses are required for use of tenant restrictions. #### Configuration |
active-directory | V2 Howto App Gallery Listing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/v2-howto-app-gallery-listing.md | To publish your application in the gallery, you must first read and agree to spe - For password SSO, make sure that your application supports form authentication so that password vaulting can be used. - For federated applications (SAML/WS-Fed), the application should preferably support [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/) but it is not mandatory and it can be an on-premises application as well. Enterprise gallery applications must support multiple user configurations and not any specific user. - - For OpenID Connect, the application should be multitenant and [Microsoft Entra ID consent framework](../develop/application-consent-experience.md) must be correctly implemented. Refer to [this](../develop/howto-convert-app-to-be-multi-tenant.md) link to convert the application into multitenant. -- Provisioning is optional yet highly recommended. To learn more about Microsoft Entra SCIM, see [build a SCIM endpoint and configure user provisioning with Azure AD](../app-provisioning/use-scim-to-provision-users-and-groups.md).+ - For OpenID Connect, the application should be multitenant and [Microsoft Entra consent framework](../develop/application-consent-experience.md) must be correctly implemented. Refer to [this](../develop/howto-convert-app-to-be-multi-tenant.md) link to convert the application into multitenant. +- Provisioning is optional yet highly recommended. To learn more about Microsoft Entra SCIM, see [build a SCIM endpoint and configure user provisioning with Microsoft Entra ID](../app-provisioning/use-scim-to-provision-users-and-groups.md). You can sign up for a free, test Development account. It's free for 90 days and you get all of the premium Microsoft Entra features with it. 
You can also extend the account if you use it for development work: [Join the Microsoft 365 Developer Program](/office/developer-program/microsoft-365-developer-program). |
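Review bot: the OpenID Connect bullet changed for "Microsoft Entra consent framework" still ends with `Refer to [this](../develop/howto-convert-app-to-be-multi-tenant.md) link`, which is non-descriptive link text; while the line is being edited, use link text that names the target (for example "see how to convert the application to multitenant"). Note also that the same bullet spells it "multitenant" while the link path says "multi-tenant"; the prose form is fine, just be consistent within the article.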
active-directory | Groups Assign Member Owner | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-assign-member-owner.md | -In Microsoft Entra ID, formerly known as Microsoft Entra ID, you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group. +In Azure Active Directory, formerly known as Microsoft Entra ID, you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group. When a membership or ownership is assigned, the assignment: |
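Review bot: the replacement line inverts the rename. Azure Active Directory is the former name and Microsoft Entra ID the current one, so "In Azure Active Directory, formerly known as Microsoft Entra ID" is backwards. The removed line was also wrong (it named the same product twice), which is probably what prompted the edit. The sentence should read "In Microsoft Entra ID, formerly known as Azure Active Directory, you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group."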
active-directory | Concept Diagnostic Settings Logs Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-diagnostic-settings-logs-options.md | The `NetworkAccessTrafficLogs` logs are associated with Microsoft Entra Internet ## Next steps -- [Learn about the sign-ins logs](concept-all-sign-ins.md)+- [Learn about the sign-in logs](concept-all-sign-ins.md) - [Explore how to access the activity logs](howto-access-activity-logs.md) |
active-directory | Concept Log Monitoring Integration Options Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-log-monitoring-integration-options-considerations.md | There's a cost for sending data to a Log Analytics workspace, archiving data in Because the size and cost for sending logs to an endpoint is difficult to predict, the most accurate way to determine your expected costs is to route your logs to an endpoint for day or two. With this snapshot, you can get an accurate prediction for your expected costs. You can also get an estimate of your costs by downloading a sample of your logs and multiplying accordingly to get an estimate for one day. -Other considerations for sending Microsoft Entra ID logs to Azure Monitor logs are covered in the following Azure Monitor cost details articles: +Other considerations for sending Microsoft Entra logs to Azure Monitor logs are covered in the following Azure Monitor cost details articles: - [Azure Monitor logs cost calculations and options](../../azure-monitor/logs/cost-logs.md) - [Azure Monitor cost and usage](../../azure-monitor/usage-estimated-costs.md) |
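Review bot: the "Microsoft Entra ID logs" to "Microsoft Entra logs" change on the intro line is fine (it is a noun phrase there), but the unchanged context just above it reads "route your logs to an endpoint for day or two", missing the article; make it "for a day or two" while in the file.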
active-directory | Concept Sign In Log Activity Details | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-sign-in-log-activity-details.md | -Microsoft Entra ID logs all sign-ins into an Azure tenant for compliance purposes. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly. +Microsoft Entra logs all sign-ins into an Azure tenant for compliance purposes. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly. - [Learn about the sign-in logs](concept-sign-ins.md). - [Customize and filter the sign-in logs](howto-customize-filter-logs.md) -This article explains the values on the Basic info tab of the sign-ins log. +This article explains the values on the Basic info tab of the sign-in log. ## [Basic info](#tab/basic-info) |
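Review bot: in "Microsoft Entra ID logs all sign-ins into an Azure tenant" the word "logs" is a verb and "Microsoft Entra ID" (the service) is its subject, so the new "Microsoft Entra logs all sign-ins" reads as the noun phrase "Microsoft Entra logs" and is ambiguous; this looks like a blanket substitution of "Microsoft Entra ID logs" meant for the noun, and should be reverted on this line. The "sign-ins log" to "sign-in log" change on the second line is correct.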
active-directory | Concept Sign Ins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-sign-ins.md | -Microsoft Entra ID logs all sign-ins into an Azure tenant, which includes your internal apps and resources. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly. +Microsoft Entra logs all sign-ins into an Azure tenant, which includes your internal apps and resources. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly. Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services. The sign-in logs provided by Microsoft Entra ID are a powerful type of [activity log](overview-reports.md) that you can analyze. This article explains how to access and utilize the sign-in logs. The classic sign-in logs only include interactive user sign-ins. Interactive sign-ins are performed *by* a user. They provide an authentication factor to Microsoft Entra ID. That authentication factor could also interact with a helper app, such as the Microsoft Authenticator app. Users can provide passwords, responses to MFA challenges, biometric factors, or QR codes to Microsoft Entra ID or to a helper app. This log also includes federated sign-ins from identity providers that are federated to Microsoft Entra ID. **Report size:** small </br> **Examples:** You may identify Microsoft Graph events that don't correlate to a service princi Non-interactive sign-ins are done *on behalf of a* user. These delegated sign-ins were performed by a client app or OS components on behalf of a user and don't require the user to provide an authentication factor. Instead, Microsoft Entra ID recognizes when the user's token needs to be refreshed and does so behind the scenes, without interrupting the user's session. 
In general, the user perceives these sign-ins as happening in the background. -![Screenshot of the non-interactive user sign-ins log.](media/concept-sign-ins/sign-in-logs-user-noninteractive.png) +![Screenshot of the non-interactive user sign-in log.](media/concept-sign-ins/sign-in-logs-user-noninteractive.png) **Report size:** Large </br> **Examples:** To make it easier to digest the data, non-interactive sign-in events are grouped :::image type="content" source="media/concept-sign-ins/aggregate-sign-in.png" alt-text="Screenshot of an aggregate sign-in expanded to show all rows." lightbox="media/concept-sign-ins/aggregate-sign-in-expanded.png"::: -When Microsoft Entra ID logs multiple sign-ins that are identical other than time and date, those sign-ins are from the same entity and are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) has a value greater than one in the *# sign-ins* column. These aggregated sign-ins may also appear to have the same time stamps. The **Time aggregate** filter can set to 1 hour, 6 hours, or 24 hours. You can expand the row to see all the different sign-ins and their different time stamps. +When Microsoft Entra logs multiple sign-ins that are identical other than time and date, those sign-ins are from the same entity and are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) has a value greater than one in the *# sign-ins* column. These aggregated sign-ins may also appear to have the same time stamps. The **Time aggregate** filter can set to 1 hour, 6 hours, or 24 hours. You can expand the row to see all the different sign-ins and their different time stamps. Sign-ins are aggregated in the non-interactive users when the following data matches: Sign-ins are aggregated in the non-interactive users when the following data mat Unlike interactive and non-interactive user sign-ins, service principal sign-ins don't involve a user. 
Instead, they're sign-ins by any nonuser account, such as apps or service principals (except managed identity sign-in, which are in included only in the managed identity sign-in log). In these sign-ins, the app or service provides its own credential, such as a certificate or app secret to authenticate or access resources. -![Screenshot of the service principal sign-ins log.](media/concept-sign-ins/sign-in-logs-service-principal.png) +![Screenshot of the service principal sign-in log.](media/concept-sign-ins/sign-in-logs-service-principal.png) **Report size:** Large </br> **Examples:** To make it easier to digest the data in the service principal sign-in logs, serv Managed identities for Azure resources sign-ins are sign-ins that were performed by resources that have their secrets managed by Azure to simplify credential management. A VM with managed credentials uses Microsoft Entra ID to get an Access Token. -![Screenshot of the managed identity sign-ins log.](media/concept-sign-ins/sign-in-logs-managed-identity.png) +![Screenshot of the managed identity sign-in log.](media/concept-sign-ins/sign-in-logs-managed-identity.png) **Report size:** Small </br> **Examples:** |
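Review bot: two of the changed sentences use "logs" as a verb, "Microsoft Entra ID logs all sign-ins into an Azure tenant" and "When Microsoft Entra ID logs multiple sign-ins that are identical", and dropping "ID" turns the subject into the noun phrase "Microsoft Entra logs"; keep "Microsoft Entra ID" as the subject in both. The three screenshot alt-text changes ("sign-ins log" to "sign-in log") are fine. In the unchanged context beside the service principal screenshot, "(except managed identity sign-in, which are in included only in the managed identity sign-in log)" has a stray "in" and a number disagreement; "(except managed identity sign-ins, which are included only in the managed identity sign-in log)".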
active-directory | Concept Usage Insights Report | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-usage-insights-report.md | With the Microsoft Entra **Usage and insights** reports, you can get an applicat To access the data from Usage and insights you must have: * A Microsoft Entra tenant-* A Microsoft Entra ID P1 or P2 (P1/P2) license to view the sign-in data +* A Microsoft Entra ID P1 or P2 license to view the sign-in data * A user in the Reports Reader, Security Reader, Security Administrator, or Global Administrator role. ## Access Usage and insights |
active-directory | Howto Access Activity Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-access-activity-logs.md | The required roles and licenses may vary based on the report. Global Administrat |--|--|--| | Audit | Reports Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID | | Sign-ins | Reports Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID |-| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1/P2 | -| Usage and insights | Security Reader<br>Reports Reader<br> Security Administrator | Premium P1/P2 | -| Identity Protection* | Security Administrator<br>Security Operator<br>Security Reader<br>Global Reader | Microsoft Entra ID Free/Microsoft 365 Apps<br>Microsoft Entra ID P1/P2 | +| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1 or P2 | +| Usage and insights | Security Reader<br>Reports Reader<br> Security Administrator | Premium P1 or P2 | +| Identity Protection* | Security Administrator<br>Security Operator<br>Security Reader<br>Global Reader | Microsoft Entra ID Free/Microsoft 365 Apps<br>Microsoft Entra ID P1 or P2 | *The level of access and capabilities for Identity Protection vary with the role and license. For more information, see the [license requirements for Identity Protection](../identity-protection/overview-identity-protection.md#license-requirements). -Audit logs are available for features that you've licensed. To access the sign-ins logs using the Microsoft Graph API, your tenant must have a Microsoft Entra ID P1 or P2 license associated with it. 
+Audit logs are available for features that you've licensed. To access the sign-in logs using the Microsoft Graph API, your tenant must have a Microsoft Entra ID P1 or P2 license associated with it. ## Stream logs to an event hub to integrate with SIEM tools |
active-directory | Howto Analyze Provisioning Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-analyze-provisioning-logs.md | -This article describes the options for downloading the provisioning logs from the Microsoft Entra portal as well as how to analyze the logs. Error codes and special considerations are also included. +This article describes the options for downloading the provisioning logs from the Microsoft Entra admin center as well as how to analyze the logs. Error codes and special considerations are also included. ## Prerequisites |
active-directory | Howto Configure Prerequisites For Reporting Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md | Programmatic access APIs: - GET `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits` - GET `https://graph.microsoft.com/v1.0/auditLogs/signIns` -**Error: Neither tenant is B2C or tenant doesn't have premium license**: Accessing sign-in reports requires a Microsoft Entra ID P1 or P2 1 (P1) license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with a Microsoft Entra ID P1 license. +**Error: Neither tenant is B2C or tenant doesn't have premium license**: Accessing sign-in reports requires a Microsoft Entra ID P1 or P2 license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with a Microsoft Entra ID P1 license. **Error: User isn't in the allowed roles**: If you see this error message while trying to access audit logs or sign-ins using the API, make sure that your account is part of the **Security Reader** or **Reports Reader** role in your Microsoft Entra tenant. |
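Review bot: the first sentence of the changed line was widened to "requires a Microsoft Entra ID P1 or P2 license" but the second still says "make sure that your tenant is licensed with a Microsoft Entra ID P1 license"; make both "P1 or P2" so the remedy matches the requirement. The quoted error text "Neither tenant is B2C or tenant doesn't have premium license" is API output and should stay verbatim, as it is here.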
active-directory | Howto Customize Filter Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-customize-filter-logs.md | The required roles and licenses may vary based on the report. Global Administrat |--|--|--| | Audit | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID | | Sign-ins | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID |-| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1/P2 | -| Conditional Access data in the sign-in logs | Company Administrator<br>Global Reader<br>Security Administrator<br>Security Reader<br>Conditional Access Administrator | Premium P1/P2 | +| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1 or P2 | +| Conditional Access data in the sign-in logs | Company Administrator<br>Global Reader<br>Security Administrator<br>Security Reader<br>Conditional Access Administrator | Premium P1 or P2 | ## How to access the activity logs in the Microsoft Entra admin center |
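Review bot: the changed Conditional Access row lists "Company Administrator", the legacy directory-role name, while the surrounding text of the same table uses "Global Administrator" for that role; use "Global Administrator" so the two rows agree. The license wording "Premium P1 or P2" is also worth aligning with the sibling table in howto-download-logs.md, which the same batch changes to plain "P1 or P2".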
active-directory | Howto Download Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-download-logs.md | The required roles and licenses may vary based on the report. Global Administrat |--|--|--| | Audit | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID | | Sign-ins | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID |-| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1/P2 | +| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | P1 or P2 | ## Log download details |
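Review bot: this row's license cell becomes "P1 or P2" while the identical Provisioning row in howto-access-activity-logs.md and howto-customize-filter-logs.md becomes "Premium P1 or P2" in the same batch; the three tables have the same columns and should use the same string ("Microsoft Entra ID P1 or P2" would match the Audit and Sign-ins rows' "All editions of Microsoft Entra ID" phrasing).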
active-directory | Howto Stream Logs To Event Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-stream-logs-to-event-hub.md | To use this feature, you need the [Splunk Add-on for Microsoft Cloud Services](h <a name='integrate-azure-ad-logs-with-splunk'></a> -### Integrate Microsoft Entra ID logs with Splunk +<a name='integrate-microsoft-entra-id-logs-with-splunk'></a> ++### Integrate Microsoft Entra logs with Splunk 1. Open your Splunk instance and select **Data Summary**. To use this feature, you need a SumoLogic single sign-on enabled subscription. <a name='integrate-azure-ad-logs-with-sumologic-'></a> -### Integrate Microsoft Entra ID logs with SumoLogic +<a name='integrate-microsoft-entra-id-logs-with-sumologic'></a> ++### Integrate Microsoft Entra logs with SumoLogic 1. Configure your SumoLogic instance to [collect logs for Microsoft Entra ID](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#collecting-logs-for-azure-active-directory). Download and open the [configuration guide for ArcSight SmartConnector for Azure <a name='integrate-azure-ad-logs-with-arcsight'></a> -## Integrate Microsoft Entra ID logs with ArcSight +<a name='integrate-microsoft-entra-id-logs-with-arcsight'></a> ++## Integrate Microsoft Entra logs with ArcSight 1. Complete the steps in the **Prerequisites** section of the ArcSight configuration guide. This section includes the following steps: * Set user permissions in Azure to ensure there's a user with the **owner** role to deploy and configure the connector. |
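Review bot: the ArcSight section is a `##` heading ("## Integrate Microsoft Entra logs with ArcSight") while the Splunk and SumoLogic sections are `###`; since all three are integration subsections, the level should be the same. Adding the `integrate-microsoft-entra-id-logs-with-*` anchors above each renamed heading is correct, as the new headings generate slugs without "-id-" and existing links would otherwise break; keep the pre-existing `integrate-azure-ad-logs-with-sumologic-` anchor as well, trailing hyphen included, because links to it may exist.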
active-directory | Howto Troubleshoot Sign In Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-troubleshoot-sign-in-errors.md | The Microsoft Entra sign-in logs enable you to find answers to questions around - How many users have users signed in over a week? - WhatΓÇÖs the status of these sign-ins? -In addition, the sign-ins logs can also help you troubleshoot sign-in failures for users in your organization. In this guide, you learn how to isolate a sign-in failure in the sign-ins report, and use it to understand the root cause of the failure. Some common sign-in errors are also described. +In addition, the sign-in logs can also help you troubleshoot sign-in failures for users in your organization. In this guide, you learn how to isolate a sign-in failure in the sign-ins report, and use it to understand the root cause of the failure. Some common sign-in errors are also described. ## Prerequisites You need: -* A Microsoft Entra tenant with a Premium P1/P2 license. +* A Microsoft Entra tenant with a P1 or P2 license. * A user with the **Reports Reader**, **Security Reader**, **Security Administrator**, or **Global Administrator** role for the tenant. * In addition, any user can access their own sign-ins from https://mysignins.microsoft.com. |
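Review bot: the changed line fixes "sign-ins logs" to "sign-in logs" but the same sentence still says "isolate a sign-in failure in the sign-ins report"; change that to "sign-in report" too. In the unchanged context above it, "How many users have users signed in over a week?" has a duplicated "users", and "WhatΓÇÖs" shows a curly apostrophe being read under the wrong code page; replacing it with a plain ASCII apostrophe avoids the mojibake regardless of which tool introduced it.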
active-directory | Howto Use Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-recommendations.md | +- Help you identify opportunities to implement best practices for Microsoft Entra related features. - Improve the state of your Microsoft Entra tenant. - Optimize the configurations for your scenarios. |
active-directory | Howto Use Sign In Diagnostics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-sign-in-diagnostics.md | You can start the Sign-in diagnostic from a specific sign-in event in the Sign-i - You can filter your list to make it easier to find specific sign-in events. 1. From the Activity Details window that opens, select the **Launch the Sign-in diagnostic** link. - ![Screenshot showing how to launch sign-in diagnostics from Azure AD.](./media/overview-sign-in-diagnostics/sign-in-logs-link.png) + ![Screenshot showing how to launch sign-in diagnostics from Microsoft Entra ID.](./media/overview-sign-in-diagnostics/sign-in-logs-link.png) 1. Explore the results and take action as necessary. ### From a support request |
active-directory | Overview Flagged Sign Ins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-flagged-sign-ins.md | -As an IT admin, when a user failed to sign-in, you want to resolve the issue as soon as possible to unblock your user. Due to the amount of available data in the sign-ins log, locating the right information can be a challenge. +As an IT admin, when a user failed to sign-in, you want to resolve the issue as soon as possible to unblock your user. Due to the amount of available data in the sign-in log, locating the right information can be a challenge. This article gives you an overview of a feature that significantly improves the time it takes to resolve user sign-in problems by making the related problems easy to find. Microsoft Entra sign-in events are critical to understanding what went right or Flagged Sign-ins is a feature intended to increase the signal to noise ratio for user sign-ins requiring help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. Admins and help desk workers also benefit from finding the right events more efficiently. Flagged Sign-in events contain the same information as other sign-in events contain with one addition: they also indicate that a user flagged the event for review by admins. -Flagged sign-ins give the user the ability to enable flagging when an error is seen on a sign-in page and then reproduce that error. The error event then appears as ΓÇ£Flagged for ReviewΓÇ¥ in the Microsoft Entra sign-ins log. +Flagged sign-ins give the user the ability to enable flagging when an error is seen on a sign-in page and then reproduce that error. The error event then appears as ΓÇ£Flagged for ReviewΓÇ¥ in the Microsoft Entra sign-in log. In summary, you can use flagged sign-ins to: |
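
Review bot: the replacement line keeps "when a user failed to sign-in", which uses the hyphenated noun as a verb and mixes tenses with the rest of the sentence; as the line is being rewritten anyway, suggest "when a user fails to sign in, you want to resolve the issue as soon as possible".
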
active-directory | Overview Monitoring Health | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-monitoring-health.md | Audit logs provide you with records of system activities for compliance. This da ### Sign-in logs -The sign-ins logs enable you to find answers to questions such as: +The sign-in logs enable you to find answers to questions such as: - What is the sign-in pattern of a user? - How many users have users signed in over a week? Monitoring Microsoft Entra activity logs requires routing the log data to a moni For an overview of how to access, store, and analyze activity logs, see [How to access activity logs](howto-access-activity-logs.md).- |
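
Review bot: the context line "How many users have users signed in over a week?" directly under the renamed "sign-in logs" sentence has a duplicated "users"; suggest "How many users have signed in over a week?" so the list matches the corrected wording in the troubleshooting article.
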
active-directory | Overview Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-recommendations.md | Microsoft Entra recommendations now include *identity secure score* recommendati All these Microsoft Entra recommendations provide you with personalized insights with actionable guidance to: -- Help you identify opportunities to implement best practices for Microsoft Entra ID-related features.+- Help you identify opportunities to implement best practices for Microsoft Entra related features. - Improve the state of your Microsoft Entra tenant. - Optimize the configurations for your scenarios. |
active-directory | Quickstart Access Log With Graph Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/quickstart-access-log-with-graph-api.md | Title: Analyze Microsoft Entra sign-in logs with the Microsoft Graph API -description: Learn how to access the sign-ins log and analyze a single sign-in attempt using the Microsoft Graph API. +description: Learn how to access the sign-in log and analyze a single sign-in attempt using the Microsoft Graph API. -With the information in the Microsoft Entra sign-in logs, you can figure out what happened if a sign-in of a user failed. This quickstart shows you how to access the sign-ins log using the Microsoft Graph API. +With the information in the Microsoft Entra sign-in logs, you can figure out what happened if a sign-in of a user failed. This quickstart shows you how to access the sign-in log using the Microsoft Graph API. ## Prerequisites To complete the scenario in this quickstart, you need: [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-ins log. +The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-in log. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as Isabella Simonsen using an incorrect password. -2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-ins log. +2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-in log. ## Find the failed sign-in |
active-directory | Quickstart Analyze Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/quickstart-analyze-sign-in.md | Title: Quickstart guide to analyze a failed Microsoft Entra sign-in -description: In this quickstart, you learn how you can use the sign-ins log to determine the reason for a failed sign-in to Microsoft Entra ID. +description: In this quickstart, you learn how you can use the sign-in log to determine the reason for a failed sign-in to Microsoft Entra ID. -#Customer intent: As an IT admin, you need to know how to use the sign-ins log so that you can fix sign-in issues. +#Customer intent: As an IT admin, you need to know how to use the sign-in log so that you can fix sign-in issues. -# Quickstart: Analyze sign-ins with the Microsoft Entra sign-ins log +# Quickstart: Analyze sign-ins with the Microsoft Entra sign-in log -With the information in the Microsoft Entra sign-ins log, you can figure out what happened if a sign-in of a user failed. This quickstart shows how to you can locate failed sign-in using the sign-ins log. +With the information in the Microsoft Entra sign-in log, you can figure out what happened if a sign-in of a user failed. This quickstart shows how to you can locate failed sign-in using the sign-in log. ## Prerequisites To complete the scenario in this quickstart, you need: ## Perform a failed sign-in -The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-ins log. +The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-in log. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as Isabella Simonsen using an incorrect password. -2. Wait for 5 minutes to ensure that you can find the event in the sign-ins log. +2. Wait for 5 minutes to ensure that you can find the event in the sign-in log. 
## Find the failed sign-in -This section provides you with the steps to analyze a failed sign-in. Filter the sign-ins log to remove all records that aren't relevant to your analysis. For example, set a filter to display only the records of a specific user. Then you can review the error details. The log details provide helpful information. You can also look up the error using the [sign-in error lookup tool](https://login.microsoftonline.com/error). This tool might provide you with information to troubleshoot a sign-in error. +This section provides you with the steps to analyze a failed sign-in. Filter the sign-in log to remove all records that aren't relevant to your analysis. For example, set a filter to display only the records of a specific user. Then you can review the error details. The log details provide helpful information. You can also look up the error using the [sign-in error lookup tool](https://login.microsoftonline.com/error). This tool might provide you with information to troubleshoot a sign-in error. [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] |
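
Review bot: the added line "This quickstart shows how to you can locate failed sign-in using the sign-in log." carries the grammar error over from the removed line; suggest "This quickstart shows how you can locate a failed sign-in using the sign-in log."
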
active-directory | Recommendation Remove Unused Credential From Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-remove-unused-credential-from-apps.md | Applications that the recommendation identified appear in the list of **Impacted 1. Navigate to the **Certificates & Secrets** section of the app registration. - ![Screenshot of the Certificates and secrets section of Azure AD.](media/recommendation-remove-unused-credential-from-apps/app-certificates-secrets.png) + ![Screenshot of the Certificates and secrets section of Microsoft Entra ID.](media/recommendation-remove-unused-credential-from-apps/app-certificates-secrets.png) 1. Locate the unused credential and remove it. |
active-directory | Recommendation Renew Expiring Application Credential | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-renew-expiring-application-credential.md | Applications that the recommendation identified appear in the list of **Impacted 1. Navigate to the **Certificates & Secrets** section of the app registration. 1. Pick the credential type that you want to rotate and navigate to either **Certificates** or **Client Secret** tab and follow the prompts. - ![Screenshot of the Certificates and secrets section of Azure AD.](media/recommendation-renew-expiring-application-credential/app-certificates-secrets.png) + ![Screenshot of the Certificates and secrets section of Microsoft Entra ID.](media/recommendation-renew-expiring-application-credential/app-certificates-secrets.png) 1. Once the certificate or secret is successfully added, update the service code to ensure it works with the new credential and doesn't negatively affect customers. 1. Use the Microsoft Entra sign-in logs to validate that the Key ID of the credential matches the one that was recently added. |
active-directory | Reference Audit Activities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-audit-activities.md | The Self-service password management logs provide insight into changes made to p - [Microsoft Entra monitoring and health overview](overview-monitoring-health.md). - [Audit logs report](concept-audit-logs.md). -- [Programmatic access to Microsoft Entra ID reports](./howto-configure-prerequisites-for-reporting-api.md)+- [Programmatic access to Microsoft Entra reports](./howto-configure-prerequisites-for-reporting-api.md) |
active-directory | Reference Azure Monitor Sign Ins Log Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md | This article describes the Microsoft Entra sign-in log schema in Azure Monitor. | ResultDescription | N/A or blank | Provides the error description for the sign-in operation. | | riskDetail | riskDetail | Provides the 'reason' behind a specific state of a risky user, sign-in or a risk detection. The possible values are: `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `unknownFutureValue`. The value `none` means that no action has been performed on the user or sign-in so far. <br>**Note:** Details for this property require a Microsoft Entra ID P2 license. Other licenses return the value `hidden`. | | riskEventTypes | riskEventTypes | Risk detection types associated with the sign-in. The possible values are: `unlikelyTravel`, `anonymizedIPAddress`, `maliciousIPAddress`, `unfamiliarFeatures`, `malwareInfectedIPAddress`, `suspiciousIPAddress`, `leakedCredentials`, `investigationsThreatIntelligence`, `generic`, and `unknownFutureValue`. |-| authProcessingDetails | Azure Active Directory authentication library | Contains Family, Library, and Platform information in format: "Family: Microsoft Authentication Library: ADAL.JS 1.0.0 Platform: JS" | +| authProcessingDetails | Azure Active Directory Authentication Library | Contains Family, Library, and Platform information in format: "Family: Microsoft Authentication Library: ADAL.JS 1.0.0 Platform: JS" | | authProcessingDetails | IsCAEToken | Values are True or False | | riskLevelAggregated | riskLevel | Aggregated risk level. 
The possible values are: `none`, `low`, `medium`, `high`, `hidden`, and `unknownFutureValue`. The value `hidden` means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. **Note:** Details for this property are only available for Microsoft Entra ID P2 customers. All other customers will be returned `hidden`. | | riskLevelDuringSignIn | riskLevel | Risk level during sign-in. The possible values are: `none`, `low`, `medium`, `high`, `hidden`, and `unknownFutureValue`. The value `hidden` means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. **Note:** Details for this property are only available for Microsoft Entra ID P2 customers. All other customers will be returned `hidden`. | |
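
Review bot: the riskLevelAggregated and riskLevelDuringSignIn rows' context text "All other customers will be returned `hidden`" reads awkwardly and differs from the riskDetail row in the same table, which says "Other licenses return the value `hidden`"; suggest aligning the two rows on the riskDetail wording.
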
active-directory | Reference Powershell Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-powershell-reporting.md | Install-module AzureADPreview For more information on how to connect to Microsoft Entra ID using PowerShell, see the article [Azure AD PowerShell for Graph](/powershell/azure/active-directory/install-adv2). -With Microsoft Entra ID reports, you can get details on activities around all the write operations in your direction (audit logs) and authentication data (sign-in logs). Although the information is available by using the MS Graph API, now you can retrieve the same data by using the Azure AD PowerShell cmdlets for reporting. +With Microsoft Entra reports, you can get details on activities around all the write operations in your direction (audit logs) and authentication data (sign-in logs). Although the information is available by using the MS Graph API, now you can retrieve the same data by using the Azure AD PowerShell cmdlets for reporting. This article gives you an overview of the PowerShell cmdlets to use for audit logs and sign-in logs. You get access to the audit logs using the `Get-AzureADAuditDirectoryLogs` cmdle The following image shows an example for this command. -![Screenshot shows the result of the `Get Azure A D Audit Directory Logs command.](./media/reference-powershell-reporting/get-azureadauditdirectorylogs.png) +![Screenshot shows the result of the `Get Azure AD Audit Directory Logs` command.](./media/reference-powershell-reporting/get-azureadauditdirectorylogs.png) The following image shows an example for this command. The [sign-ins](concept-sign-ins.md) logs provide information about the usage of managed applications and user sign-in activities. -You get access to the sign-in logs using the `Get-AzureADAuditSignInLogs cmdlet. +You get access to the sign-in logs using the `Get-AzureADAuditSignInLogs` cmdlet. 
| Scenario | PowerShell command | You get access to the sign-in logs using the `Get-AzureADAuditSignInLogs cmdlet. The following image shows an example for this command. -![Screenshot shows the result of the Get Azure A D Audit Sign In Logs command.](./media/reference-powershell-reporting/get-azureadauditsigninlogs.png) +![Screenshot shows the result of the `Get Azure A D Audit Sign In Logs` command.](./media/reference-powershell-reporting/get-azureadauditsigninlogs.png) ## Next steps -- [Microsoft Entra ID reports overview](overview-reports.md).+- [Microsoft Entra reports overview](overview-reports.md). - [Audit logs report](concept-audit-logs.md). -- [Programmatic access to Microsoft Entra ID reports](./howto-configure-prerequisites-for-reporting-api.md)+- [Programmatic access to Microsoft Entra reports](./howto-configure-prerequisites-for-reporting-api.md) |
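
Review bot: the added line "write operations in your direction (audit logs)" keeps a typo from the removed line; it should read "write operations in your directory (audit logs)". Separately, the two alt-text fixes are inconsistent: the audit screenshot is changed to `Get Azure AD Audit Directory Logs`, but the sign-in screenshot keeps `Get Azure A D Audit Sign In Logs`; suggest `Get Azure AD Audit Sign In Logs` (or simply the cmdlet names `Get-AzureADAuditDirectoryLogs` and `Get-AzureADAuditSignInLogs`) so both match.
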
active-directory | Reference Sla Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-sla-performance.md | To access your tenant-level SLA performance: * [Microsoft Entra monitoring and health overview](overview-monitoring-health.md) * [Programmatic access to Microsoft Entra reports](./howto-configure-prerequisites-for-reporting-api.md)-* [Microsoft Entra ID risk detections](../identity-protection/overview-identity-protection.md) -+* [Microsoft Entra risk detections](../identity-protection/overview-identity-protection.md) |
active-directory | Tutorial Configure Log Analytics Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/tutorial-configure-log-analytics-workspace.md | Title: Configure a log analytics workspace in Microsoft Entra ID -description: Learn how to configure a Microsoft Entra Log Analytics workspace and run Kusto queries on your identity data. +description: Learn how to configure a log analytics workspace in Microsoft Entra ID and run Kusto queries on your identity data. |
active-directory | Admin Units Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-manage.md | You can create a new administrative unit by using either the Microsoft Entra adm 1. Browse to **Identity** > **Roles & admins** > **Admin units**. - ![Screenshot of the Administrative units page in Azure AD.](./media/admin-units-manage/nav-to-admin-units.png) + ![Screenshot of the Administrative units page.](./media/admin-units-manage/nav-to-admin-units.png) 1. Select **Add**. |
active-directory | Permissions Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/permissions-reference.md | This article lists the Microsoft Entra built-in roles you can assign to allow ma > | [Partner Tier1 Support](#partner-tier1-support) | Do not use - not intended for general use.<br/>[![Privileged label icon.](./medi) | 4ba39ca4-527c-499a-b93d-d9b492c50246 | > | [Partner Tier2 Support](#partner-tier2-support) | Do not use - not intended for general use.<br/>[![Privileged label icon.](./medi) | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 | > | [Password Administrator](#password-administrator) | Can reset passwords for non-administrators and Password Administrators.<br/>[![Privileged label icon.](./medi) | 966707d0-3269-4727-9be2-8c3a10f19b9d |-> | [Permissions Management Administrator](#permissions-management-administrator) | Manage all aspects of Entra Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5 | +> | [Permissions Management Administrator](#permissions-management-administrator) | Manage all aspects of Microsoft Entra Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5 | > | [Power Platform Administrator](#power-platform-administrator) | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc | > | [Printer Administrator](#printer-administrator) | Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f | > | [Printer Technician](#printer-technician) | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 | This is a [privileged role](privileged-roles-permissions.md). Users with this ro > | microsoft.commerce.billing/purchases/standard/read | Read purchase services in M365 Admin Center. 
| > | microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365 | > | microsoft.edge/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Edge |-> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Entra Network Access | +> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Network Access | > | microsoft.flow/allEntities/allTasks | Manage all aspects of Microsoft Power Automate | > | microsoft.hardware.support/shippingAddress/allProperties/allTasks | Create, read, update, and delete shipping addresses for Microsoft hardware warranty claims, including shipping addresses created by others | > | microsoft.hardware.support/shippingStatus/allProperties/read | Read shipping status for open Microsoft hardware warranty claims | This is a [privileged role](privileged-roles-permissions.md). Users with this ro > | microsoft.office365.userCommunication/allEntities/allTasks | Read and update what's new messages visibility | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center | > | microsoft.office365.yammer/allEntities/allProperties/allTasks | Manage all aspects of Yammer |-> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management | +> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Permissions Management | > | microsoft.powerApps/allEntities/allTasks | Manage all aspects of Power Apps | > | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Fabric and Power BI | > | microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams | Users with this role **cannot** do the following: > | microsoft.commerce.billing/allEntities/allProperties/read | Read all resources of Office 365 billing | > | 
microsoft.commerce.billing/purchases/standard/read | Read purchase services in M365 Admin Center. | > | microsoft.edge/allEntities/allProperties/read | Read all aspects of Microsoft Edge |-> | microsoft.networkAccess/allEntities/allProperties/read | Read all aspects of Entra Network Access | +> | microsoft.networkAccess/allEntities/allProperties/read | Read all aspects of Microsoft Entra Network Access | > | microsoft.hardware.support/shippingAddress/allProperties/read | Read shipping addresses for Microsoft hardware warranty claims, including existing shipping addresses created by others | > | microsoft.hardware.support/shippingStatus/allProperties/read | Read shipping status for open Microsoft hardware warranty claims | > | microsoft.hardware.support/warrantyClaims/allProperties/read | Read Microsoft hardware warranty claims | Users with this role **cannot** do the following: > | microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center | > | microsoft.office365.yammer/allEntities/allProperties/read | Read all aspects of Yammer |-> | microsoft.permissionsManagement/allEntities/allProperties/read | Read all aspects of Entra Permissions Management | +> | microsoft.permissionsManagement/allEntities/allProperties/read | Read all aspects of Microsoft Entra Permissions Management | > | microsoft.teams/allEntities/allProperties/read | Read all properties of Microsoft Teams | > | microsoft.virtualVisits/allEntities/allProperties/read | Read all aspects of Virtual Visits | > | microsoft.viva.goals/allEntities/allProperties/read | Read all aspects of Microsoft Viva Goals | Users with this role **cannot** do the following: > | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy | > | microsoft.directory/namedLocations/standard/read | Read 
basic properties of custom rules that define network locations | > | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |-> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Entra Network Access | +> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Network Access | > | microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages | > | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center | > | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests | Users with this role **cannot** do the following: Assign the Permissions Management Administrator role to users who need to do the following tasks: -- Manage all aspects of Entra Permissions Management, when the service is present+- Manage all aspects of Microsoft Entra Permissions Management, when the service is present Learn more about Permissions Management roles and polices at [View information about roles/policies](../cloud-infrastructure-entitlement-management/how-to-view-role-policy.md). 
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |-> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management | +> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Permissions Management | ## Power Platform Administrator Azure Advanced Threat Protection | Monitor and respond to suspicious security ac > | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties | > | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health | > | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |-> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Entra Network Access | +> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Network Access | > | microsoft.office365.protectionCenter/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers | > | microsoft.office365.protectionCenter/allEntities/basic/update | Update basic properties of all resources in the Security and Compliance centers | > | microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator | In | Can do > | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs | > | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties | > | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |-> | microsoft.networkAccess/allEntities/allProperties/read | Read all aspects of Entra Network Access | +> | microsoft.networkAccess/allEntities/allProperties/read | Read all aspects of Microsoft 
Entra Network Access | > | microsoft.office365.protectionCenter/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers | > | microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/read | Read all properties of attack payloads in Attack Simulator | > | microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation, responses, and associated training | |
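
Review bot: the context line immediately after the renamed "Manage all aspects of Microsoft Entra Permissions Management, when the service is present" bullet reads "Learn more about Permissions Management roles and polices"; "polices" should be "policies", and since the neighbouring line is already in the hunk it can be fixed here.
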
active-directory | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/prerequisites.md | You must have the Microsoft Graph PowerShell SDK installed: ## Azure AD PowerShell module + To use PowerShell commands to do the following: - List role assignments To use PowerShell commands to do the following: You must have the following module installed: -- [Microsoft Entra ID](https://www.powershellgallery.com/packages/AzureAD) (current version)-+- [Azure AD PowerShell module](https://www.powershellgallery.com/packages/AzureAD) (current version) <a name='check-azuread-version'></a> To use Azure AD PowerShell, follow these steps to make sure it is imported into ## AzureADPreview module + To use PowerShell commands to do the following: - Assign roles to users or groups |
active-directory | Privileged Roles Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/privileged-roles-permissions.md | For example: | | | | namespace | Product or service that exposes the task and is prepended with `microsoft`. For example, all tasks in Microsoft Entra ID use the `microsoft.directory` namespace. | | entity | Logical feature or component exposed by the service in Microsoft Graph. For example, Microsoft Entra ID exposes User and Groups, OneNote exposes Notes, and Exchange exposes Mailboxes and Calendars. There is a special `allEntities` keyword for specifying all entities in a namespace. This is often used in roles that grant access to an entire product. |-| propertySet | Specific properties or aspects of the entity for which access is being granted. For example, `microsoft.directory/applications/authentication/read` grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Azure AD.<ul><li>`allProperties` designates all properties of the entity, including privileged properties.</li><li>`standard` designates common properties, but excludes privileged ones related to `read` action. For example, `microsoft.directory/user/standard/read` includes the ability to read standard properties like public phone number and email address, but not the private secondary phone number or email address used for multifactor authentication.</li><li>`basic` designates common properties, but excludes privileged ones related to the `update` action. The set of properties that you can read may be different from what you can update. ThatΓÇÖs why there are `standard` and `basic` keywords to reflect that.</li></ul> | +| propertySet | Specific properties or aspects of the entity for which access is being granted. 
For example, `microsoft.directory/applications/authentication/read` grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Microsoft Entra ID.<ul><li>`allProperties` designates all properties of the entity, including privileged properties.</li><li>`standard` designates common properties, but excludes privileged ones related to `read` action. For example, `microsoft.directory/user/standard/read` includes the ability to read standard properties like public phone number and email address, but not the private secondary phone number or email address used for multifactor authentication.</li><li>`basic` designates common properties, but excludes privileged ones related to the `update` action. The set of properties that you can read may be different from what you can update. ThatΓÇÖs why there are `standard` and `basic` keywords to reflect that.</li></ul> | | action | Operation being granted, most typically create, read, update, or delete (CRUD). There is a special `allTasks` keyword for specifying all of the above abilities (create, read, update, and delete). | ## Compare authentication roles |
active-directory | Akamai Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/akamai-tutorial.md | Click Save and to go Deployment. ### Kerberos Authentication -In the below example we will publish an Internal web server <code>http://frp-app1.superdemo.live</code> and enable SSO using KCD. +In the below example we will publish an internal web server at `http://frp-app1.superdemo.live` and enable SSO using KCD. #### General Tab |
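Review bot: style only. The new line `In the below example we will publish an internal web server at `http://frp-app1.superdemo.live` and enable SSO using KCD.` keeps the awkward `In the below example we will` opening; `The following example publishes an internal web server at `http://frp-app1.superdemo.live` and enables SSO using KCD.` reads cleaner and matches the voice of the surrounding steps. Replacing the `<code>` element with backticks is the right fix.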
active-directory | Alibaba Cloud Service Role Based Sso Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md | the **Note** field, click **Upload** to upload the federation metadata file you 6. In the **RAM Role Name** field enter `AADrole`, select `AAD` from the **Select IdP** drop-down list and click OK. - >[!NOTE] - >You can grant permission to the role as needed. After creating the IdP and the corresponding role, we recommend that you save the ARNs of the IdP and the role for subsequent use. You can obtain the ARNs on the IdP information page and the role information page. + >[!NOTE] + >You can grant permission to the role as needed. After creating the IdP and the corresponding role, we recommend that you save the ARNs of the IdP and the role for subsequent use. You can obtain the ARNs on the IdP information page and the role information page. 7. Associate the Alibaba Cloud RAM role (AADrole) with the Microsoft Entra user (u2):-To associate the RAM role with the Microsoft Entra user, you must create a role in Microsoft Entra ID by following these steps: - a. Sign on to the [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). + To associate the RAM role with the Microsoft Entra user, you must create a role in Microsoft Entra ID by following these steps: - b. Click **modify permissions** to obtain required permissions for creating a role. + 1. Sign in to the [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). - ![Graph config1](./media/alibaba-cloud-service-role-based-sso-tutorial/graph01.png) + 1. Click **modify permissions** to obtain required permissions for creating a role. - c. Select the following permissions from the list and click **Modify Permissions**, as shown in the following figure. 
+ ![Graph config1](./media/alibaba-cloud-service-role-based-sso-tutorial/graph01.png) - ![Graph config2](./media/alibaba-cloud-service-role-based-sso-tutorial/graph02.png) + 1. Select the following permissions from the list and click **Modify Permissions**, as shown in the following figure. - >[!NOTE] - >After permissions are granted, log on to the Graph Explorer again. + ![Graph config2](./media/alibaba-cloud-service-role-based-sso-tutorial/graph02.png) - d. On the Graph Explorer page, select **GET** from the first drop-down list and **beta** from the second drop-down list. Then enter `https://graph.microsoft.com/beta/servicePrincipals` in the field next to the drop-down lists, and click **Run Query**. + > [!NOTE] + > After permissions are granted, sign in to the Graph Explorer again. - ![Graph config3](./media/alibaba-cloud-service-role-based-sso-tutorial/graph03.png) + 1. On the Graph Explorer page, select **GET** from the first drop-down list and **beta** from the second drop-down list. Then enter `https://graph.microsoft.com/beta/servicePrincipals` in the field next to the drop-down lists, and click **Run Query**. - >[!NOTE] - >If you are using multiple directories, you can enter `https://graph.microsoft.com/beta/contoso.com/servicePrincipals` in the field of the query. + ![Graph config3](./media/alibaba-cloud-service-role-based-sso-tutorial/graph03.png) - e. In the **Response Preview** section, extract the appRoles property from the 'Service Principal' for subsequent use. + > [!NOTE] + > If you are using multiple directories, you can enter `https://graph.microsoft.com/beta/contoso.com/servicePrincipals` in the field of the query. - ![Graph config4](./media/alibaba-cloud-service-role-based-sso-tutorial/graph05.png) + 1. In the **Response Preview** section, extract the appRoles property from the 'Service Principal' for subsequent use. 
- >[!NOTE] - >You can locate the appRoles property by entering `https://graph.microsoft.com/beta/servicePrincipals/<objectID>` in the field of the query. Note that the `objectID` is the object ID you have copied from the Microsoft Entra ID **Properties** page. -- f. Go back to the Graph Explorer, change the method from **GET** to **PATCH**, paste the following content into the **Request Body** section, and click **Run Query**: - ``` - { - "appRoles": [ - { - "allowedMemberTypes":[ - "User" - ], - "description": "msiam_access", - "displayName": "msiam_access", - "id": "41be2db8-48d9-4277-8e86-f6d22d35****", - "isEnabled": true, - "origin": "Application", - "value": null - }, - { "allowedMemberTypes": [ - "User" - ], - "description": "Admin,AzureADProd", - "displayName": "Admin,AzureADProd", - "id": "68adae10-8b6b-47e6-9142-6476078cdbce", - "isEnabled": true, - "origin": "ServicePrincipal", - "value": "acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD" - } - ] - } - ``` - > [!NOTE] - > The `value` is the ARNs of the IdP and the role you created in the RAM console. Here, you can add multiple roles as needed. Microsoft Entra ID will send the value of these roles as the claim value in SAML response. However, you can only add new roles after the `msiam_access` part for the patch operation. To smooth the creation process, we recommend that you use an ID generator, such as GUID Generator, to generate IDs in real time. -- g. After the 'Service Principal' is patched with the required role, attach the role with the Microsoft Entra user (u2) by following the steps of **Assign the Microsoft Entra test user** section of the tutorial. + ![Graph config4](./media/alibaba-cloud-service-role-based-sso-tutorial/graph05.png) ++ > [!NOTE] + > You can locate the appRoles property by entering `https://graph.microsoft.com/beta/servicePrincipals/<objectID>` in the field of the query. 
Note that the `objectID` is the object ID you have copied from the Microsoft Entra ID **Properties** page. ++ 1. Go back to the Graph Explorer, change the method from **GET** to **PATCH**, paste the following content into the **Request Body** section, and click **Run Query**: ++ ```json + { + "appRoles": [ + { + "allowedMemberTypes": [ + "User" + ], + "description": "msiam_access", + "displayName": "msiam_access", + "id": "41be2db8-48d9-4277-8e86-f6d22d35****", + "isEnabled": true, + "origin": "Application", + "value": null + }, + { + "allowedMemberTypes": [ + "User" + ], + "description": "Admin,AzureADProd", + "displayName": "Admin,AzureADProd", + "id": "68adae10-8b6b-47e6-9142-6476078cdbce", + "isEnabled": true, + "origin": "ServicePrincipal", + "value": "acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD" + } + ] + } + ``` ++ > [!NOTE] + > The `value` is the ARNs of the IdP and the role you created in the RAM console. Here, you can add multiple roles as needed. Microsoft Entra ID will send the value of these roles as the claim value in SAML response. However, you can only add new roles after the `msiam_access` part for the patch operation. To smooth the creation process, we recommend that you use an ID generator, such as GUID Generator, to generate IDs in real time. ++ 1. After the 'Service Principal' is patched with the required role, attach the role with the Microsoft Entra user (u2) by following the steps of **Assign the Microsoft Entra test user** section of the tutorial. ### Configure Alibaba Cloud Service (Role-based SSO) SSO |
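Review bot: the PATCH body in the new ```json block is the complete `appRoles` collection (which is why the following note says new roles may only be added after the `msiam_access` part), yet the sample gives that existing entry a masked id (`"id": "41be2db8-48d9-4277-8e86-f6d22d35****"`) and masks the account in the ARN (`acs:ram::187125022722****:role/aadrole`). Add a sentence before the block telling the reader to copy the existing `msiam_access` object verbatim, with its real `id`, from the GET response in the previous step and to substitute their own RAM account id in `value`; otherwise a pasted placeholder replaces the existing role rather than preserving it. Scope the GUID-generator advice in the note to the newly added role entries only. The conversion to `1.` list items and the fenced `json` block are otherwise fine.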
active-directory | Arcgisenterprise Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/arcgisenterprise-tutorial.md | In this section, you'll enable B.Simon to use single sign-on by granting access ## Configure ArcGIS Enterprise SSO --- 1. In a different web browser window, sign in to your ArcGIS Enterprise company site as an administrator --1. Select **Organization >EDIT SETTINGS**. +1. Select **Organization** > **Edit Settings**. ![Screenshot shows the ArcGIS Enterprise Organization tab with Edit settings called out.](./media/arcgisenterprise-tutorial/configure-1.png) |
active-directory | Aws Multi Accounts Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/aws-multi-accounts-tutorial.md | In this section, you enable Microsoft Entra SSO in the Azure portal and configur ![Screenshot showing where the account ID is displayed on the "Identity and Access Management" pane.](./media/aws-multi-accounts-tutorial/aws-accountid.png) -1. Sign in to the Azure portal, and then go to **Groups**. +1. Sign in to the [Azure portal](https://portal.azure.com/), and then browse to **Groups**. 1. Create new groups with the same name as that of the IAM roles you created earlier, and then note the value in the **Object Id** box of each of these new groups. |
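Review bot: consistency with the rest of this batch. The new line `1. Sign in to the [Azure portal](https://portal.azure.com/), and then browse to **Groups**.` still sends the reader to portal.azure.com, while the Brivo, Corptax, HighGear and Druva rows in the same set were moved to `Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a ...` with a named least-privilege role. Match that here and name the role needed to create the groups, so readers are not nudged toward a Global Administrator account for a group-creation step.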
active-directory | Brightidea Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/brightidea-tutorial.md | In this section, you'll enable B.Simon to use single sign-on by granting access ![Screenshot shows the Brightidea Identity Provider Setting where you enter information.](./media/brightidea-tutorial/metadata.png) - * Enter the **SAML Profile Name** like e.g `Azure Ad SSO` + * Enter the **SAML Profile Name**, such as `Microsoft Entra SSO`. * For **Upload Metadata**, click choose file and upload the downloaded metadata file. |
active-directory | Brivo Onair Identity Connector Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/brivo-onair-identity-connector-provisioning-tutorial.md | Before configuring Brivo Onair Identity Connector for automatic user provisionin **To add Brivo Onair Identity Connector from the Microsoft Entra application gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Microsoft Entra ID**. -- ![The Microsoft Entra button](common/select-azuread.png) --2. Go to **Enterprise applications**, and then select **All applications**. -- ![The Enterprise applications blade](common/enterprise-applications.png) --3. To add a new application, select the **New application** button at the top of the pane. -- ![The New application button](common/add-new-app.png) --4. In the search box, enter **Brivo Onair Identity Connector**, select **Brivo Onair Identity Connector** in the search box. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Brivo Onair Identity Connector** in the search box. 1. Select **Brivo Onair Identity Connector** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.- ![Brivo Onair Identity Connector in the results list](common/search-new-app.png) ## Configuring automatic user provisioning to Brivo Onair Identity Connector |
active-directory | Check Point Remote Access Vpn Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/check-point-remote-access-vpn-tutorial.md | For example: ![screenshot for to Add a new object.](./media/check-point-remote-access-vpn-tutorial/add-new-object.png) 1. Enter a name and a display name, and add/edit an authentication method:- In case the Login Option will be use on GWs who participate in MEP, in order to allow smooth user experience the Name should start with ΓÇ£SAMLVPN_ΓÇ¥ prefix. + In case the Login Option will be use on GWs who participate in MEP, in order to allow smooth user experience the Name should start with `SAMLVPN_` prefix. ![screenshot about Login Option.](./media/check-point-remote-access-vpn-tutorial/login-option.png) There are two options: 4. In the top right pane, select the **Security Gateway object**. - 5. In the bottom pane, go to **realms_for_blades > vpn**. + 5. In the bottom pane, go to **realms_for_blades** > **vpn**. 6. If you do not want to use an on-premises Active Directory (LDAP), set **do_ldap_fetch** to **false** and **do_generic_fetch** to **true**. Then click **OK**. If you do want to use an on-premises Active Directory (LDAP), set **do_ldap_fetch** to **true** and **do_generic_fetch** to **false**. Then click **OK**. |
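Review bot: the rewritten line `In case the Login Option will be use on GWs who participate in MEP, in order to allow smooth user experience the Name should start with `SAMLVPN_` prefix.` fixes the smart quotes but keeps the grammar error (`will be use`) and the unexpanded `GWs`/`MEP` abbreviations; suggest `If the login option is used on gateways that participate in MEP, the name must start with the `SAMLVPN_` prefix so that users get a smooth experience.`, expanding MEP on first use. The `**realms_for_blades** > **vpn**` change is fine.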
active-directory | Cisco Anyconnect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cisco-anyconnect.md | To configure the integration of Cisco AnyConnect into Microsoft Entra ID, you ne 1. In the **Add from the gallery** section, type **Cisco AnyConnect** in the search box. 1. Select **Cisco AnyConnect** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) --Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true). +Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) <a name='configure-and-test-azure-ad-sso-for-cisco-anyconnect'></a> |
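Review bot: good removal of the duplicated paragraph, but the surviving `+Alternatively, you can also use the [Enterprise App Configuration Wizard]...` line still doubles up on `as well as walk through the SSO configuration as well` (and `Alternatively, you can also`); trim to `Alternatively, you can use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration.`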
active-directory | Corptax Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/corptax-tutorial.md | To configure the integration of Corptax into Microsoft Entra ID, you need to add **To add Corptax from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Microsoft Entra ID** icon. -- ![The Microsoft Entra button](common/select_azuread.png) --2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -- ![The Enterprise applications blade](common/enterprise_applications.png) --3. To add new application, click **New application** button on the top of dialog. -- ![The New application button](common/add_new_app.png) --4. In the search box, type **Corptax**, select **Corptax** from result panel then click **Add** button to add the application. -- ![Corptax in the results list](common/search_new_app.png) +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Corptax** in the search box. +1. Select **Corptax** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. <a name='configure-and-test-azure-ad-single-sign-on'></a> |
active-directory | Directory Services Protector Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/directory-services-protector-tutorial.md | In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by 1. In Step **3 - User Attributes & Claims**, we don't need this information now, so we can skip to Step 4. -1. In Step **4 ΓÇô Data received from the SAML identity provider**, DSP supports both importing from a metadata URL and importing of a metadata XML provided by Entra ID. +1. In Step **4 ΓÇô Data received from the SAML identity provider**, DSP supports both importing from a metadata URL and importing of a metadata XML provided by Microsoft Entra ID. - 1. Select **App federation metadata URL** radio button, and paste the **Metadata URL** in the field from Entra ID, and then select **IMPORT**. + 1. Select **App federation metadata URL** radio button, and paste the **Metadata URL** in the field from Microsoft Entra ID, and then select **IMPORT**. ![Screenshot shows settings of the app metadata URL.](./media/directory-services-protector-tutorial/field.png "Application") |
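Review bot: the `+1. In Step **4 ΓÇô Data received from the SAML identity provider**` line still contains the mis-encoded dash `ΓÇô`; the `Entra ID` to `Microsoft Entra ID` rename touches this line anyway, so repair the encoding in the same commit and match the plain hyphen used in `Step **3 - User Attributes & Claims**` just above. The two rename replacements themselves are correct.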
active-directory | Druva Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/druva-provisioning-tutorial.md | Before configuring and enabling automatic user provisioning, you should decide w Before configuring Druva for automatic user provisioning with Microsoft Entra ID, you will need to enable SCIM provisioning on Druva. -1. Sign in to your [Druva Admin Console](https://console.druva.com). Navigate to **Druva > inSync**. +1. Sign in to your [Druva Admin Console](https://console.druva.com). Navigate to **Druva** > **inSync**. - ![Druva Admin Console](media/druva-provisioning-tutorial/menubar.png) + ![Druva Admin Console](media/druva-provisioning-tutorial/menubar.png) 2. Navigate to **Manage** > **Deployments** > **Users**. - :::image type="content" source="media/druva-provisioning-tutorial/manage.png" alt-text="Screenshot of the Druva admin console. Manage is highlighted, and the Manage menu is visible. In that menu, under Deployments, Users is highlighted." border="false"::: + :::image type="content" source="media/druva-provisioning-tutorial/manage.png" alt-text="Screenshot of the Druva admin console. Manage is highlighted, and the Manage menu is visible. In that menu, under Deployments, Users is highlighted." border="false"::: -3. Navigate to **Settings**. Click **Generate Token**. +3. Navigate to **Settings**. Click **Generate Token**. - :::image type="content" source="media/druva-provisioning-tutorial/settings.png" alt-text="Screenshot of a page in the Druva admin console. Settings is highlighted, and the Settings tab is open. The Generate token button is highlighted." border="false"::: + :::image type="content" source="media/druva-provisioning-tutorial/settings.png" alt-text="Screenshot of a page in the Druva admin console. Settings is highlighted, and the Settings tab is open. The Generate token button is highlighted." border="false"::: -4. Copy the **Auth token** value. 
This value will be entered in the **Secret Token** field in the Provisioning tab of your Druva application. - - :::image type="content" source="media/druva-provisioning-tutorial/auth.png" alt-text="Screenshot of the Create token page in the Druva admin console. A link labeled Copy Token is available for copying the Auth token value." border="false"::: +4. Copy the **Auth token** value. This value will be entered in the **Secret Token** field in the Provisioning tab of your Druva application. ++ :::image type="content" source="media/druva-provisioning-tutorial/auth.png" alt-text="Screenshot of the Create token page in the Druva admin console. A link labeled Copy Token is available for copying the Auth token value." border="false"::: ## Add Druva from the gallery To configure Druva for automatic user provisioning with Microsoft Entra ID, you 1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. 1. In the **Add from the gallery** section, type **Druva**, select **Druva** in the search box. 1. Select **Druva** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.- ![Druva in the results list](common/search-new-app.png) + ![Druva in the results list](common/search-new-app.png) ## Configuring automatic user provisioning to Druva This section guides you through the steps to configure the Microsoft Entra provi 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications** - ![Enterprise applications blade](common/enterprise-applications.png) + ![Enterprise applications blade](common/enterprise-applications.png) 1. In the applications list, select **Druva**. 
- ![The Druva link in the Applications list](common/all-applications.png) + ![The Druva link in the Applications list](common/all-applications.png) 3. Select the **Provisioning** tab. - ![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png) + ![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png) 4. Set the **Provisioning Mode** to **Automatic**. - ![Screenshot of the Provisioning Mode dropdown list with the Automatic option called out.](common/provisioning-automatic.png) + ![Screenshot of the Provisioning Mode dropdown list with the Automatic option called out.](common/provisioning-automatic.png) -5. Under the Admin Credentials section, input `https://apis.druva.com/insync/scim` in **Tenant URL**. Input the **Auth token** value in **Secret Token**. Click **Test Connection** to ensure Microsoft Entra ID can connect to Druva. If the connection fails, ensure your Druva account has Admin permissions and try again. +5. Under the Admin Credentials section, input `https://apis.druva.com/insync/scim` in **Tenant URL**. Input the **Auth token** value in **Secret Token**. Click **Test Connection** to ensure Microsoft Entra ID can connect to Druva. If the connection fails, ensure your Druva account has Admin permissions and try again. - ![Tenant URL + Token](common/provisioning-testconnection-tenanturltoken.png) + ![Tenant URL + Token](common/provisioning-testconnection-tenanturltoken.png) 6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications, and select **Send an email notification when a failure occurs**. - ![Notification Email](common/provisioning-notification-email.png) + ![Notification Email](common/provisioning-notification-email.png) 7. Click **Save**. 8. Under the **Mappings** section, select **Synchronize Microsoft Entra users to Druva**. 
- ![Druva User Mappings](media/druva-provisioning-tutorial/usermapping.png) + ![Druva User Mappings](media/druva-provisioning-tutorial/usermapping.png) 9. Review the user attributes that are synchronized from Microsoft Entra ID to Druva in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Druva for update operations. Select the **Save** button to commit any changes. - ![Druva User Attributes](media/druva-provisioning-tutorial/userattribute.png) + ![Druva User Attributes](media/druva-provisioning-tutorial/userattribute.png) 10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 11. To enable the Microsoft Entra provisioning service for Druva, change the **Provisioning Status** to **On** in the **Settings** section. - ![Provisioning Status Toggled On](common/provisioning-toggle-on.png) + ![Provisioning Status Toggled On](common/provisioning-toggle-on.png) 12. Define the users and/or groups that you would like to provision to Druva by choosing the desired values in **Scope** in the **Settings** section. - ![Provisioning Scope](common/provisioning-scope.png) + ![Provisioning Scope](common/provisioning-scope.png) 13. When you are ready to provision, click **Save**. - ![Saving Provisioning Configuration](common/provisioning-configuration-save.png) + ![Saving Provisioning Configuration](common/provisioning-configuration-save.png) ++ This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running. 
You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Microsoft Entra provisioning service on Druva. - This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Microsoft Entra provisioning service on Druva. + For more information on how to read the Microsoft Entra provisioning logs, see [Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md). - For more information on how to read the Microsoft Entra provisioning logs, see [Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md). - ## Connector limitations * Druva requires **email** as a mandatory attribute. |
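Review bot: missing documentation rather than a logic problem. Step 4 (`Copy the **Auth token** value. This value will be entered in the **Secret Token** field...`) and step 5 (`Input the **Auth token** value in **Secret Token**`) hand the reader a long-lived bearer credential without saying what happens when it is regenerated in the Druva console: presumably provisioning fails until the Secret Token in the Entra provisioning tab is updated, and the **Notification Email** configured in step 6 is then the only signal. A one-line note after step 5 on token rotation, and a mention that the **Test Connection** failure text `ensure your Druva account has Admin permissions` also applies to a revoked or regenerated token, would close the gap. The re-indented images and the relocated sync-cadence paragraph look correct.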
active-directory | F5 Big Ip Headers Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-headers-easy-button.md | Before a client or service can access Microsoft Graph, it must be trusted by the This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Microsoft Entra ID as the SAML IdP. 1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights.+ 2. From the left navigation pane, select the **Microsoft Entra ID** service.-3. Under Manage, select **App registrations > New registration**. -4. Enter a display name for your application. For example, `F5 BIG-IP Easy Button`. ++3. Under Manage, select **App registrations** > **New registration**. ++4. Enter a display name for your application, such as `F5 BIG-IP Easy Button`. + 5. Specify who can use the application > **Accounts in this organizational directory only**.+ 6. Select **Register** to complete the initial app registration.+ 7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**: * Application.Read.All |
active-directory | F5 Big Ip Oracle Enterprise Business Suite Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-oracle-enterprise-business-suite-easy-button.md | Before a client or service can access Microsoft Graph, it must be trusted by the This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Microsoft Entra ID as the SAML IdP. -1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights +1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights. -2. From the left navigation pane, select the **Microsoft Entra ID** service +2. From the left navigation pane, select the **Microsoft Entra ID** service. -3. Under Manage, select **App registrations > New registration** +3. Under Manage, select **App registrations** > **New registration**. -4. Enter a display name for your application. For example, F5 BIG-IP Easy Button +4. Enter a display name for your application, such as `F5 BIG-IP Easy Button`. -5. Specify who can use the application > **Accounts in this organizational directory only** +5. Specify who can use the application > **Accounts in this organizational directory only**. -6. Select **Register** to complete the initial app registration +6. Select **Register** to complete the initial app registration. 7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**: |
active-directory | F5 Big Ip Oracle Jd Edwards Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-oracle-jd-edwards-easy-button.md | Before a client or service can access Microsoft Graph, it must be trusted by the This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Microsoft Entra ID as the SAML IdP. -1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights +1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights. -2. From the left navigation pane, select the **Microsoft Entra ID** service +2. From the left navigation pane, select the **Microsoft Entra ID** service. -3. Under Manage, select **App registrations > New registration** +3. Under Manage, select **App registrations** > **New registration**. -4. Enter a display name for your application. For example, F5 BIG-IP Easy Button +4. Enter a display name for your application, such as `F5 BIG-IP Easy Button`. -5. Specify who can use the application > **Accounts in this organizational directory only** +5. Specify who can use the application > **Accounts in this organizational directory only**. -6. Select **Register** to complete the initial app registration +6. Select **Register** to complete the initial app registration. 7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**: |
active-directory | F5 Big Ip Sap Erp Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-sap-erp-easy-button.md | Before a client or service can access Microsoft Graph, it must be trusted by the The Easy Button client must also be registered in Microsoft Entra ID, before it is allowed to establish a trust between each SAML SP instance of a BIG-IP published application, and Microsoft Entra ID as the SAML IdP. -1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights +1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights. -2. From the left navigation pane, select the **Microsoft Entra ID** service +2. From the left navigation pane, select the **Microsoft Entra ID** service. -3. Under Manage, select **App registrations > New registration** +3. Under Manage, select **App registrations** > **New registration**. -4. Enter a display name for your application. For example, *F5 BIG-IP Easy Button* +4. Enter a display name for your application, such as `F5 BIG-IP Easy Button`. -5. Specify who can use the application > **Accounts in this organizational directory only** +5. Specify who can use the application > **Accounts in this organizational directory only**. -6. Select **Register** to complete the initial app registration +6. Select **Register** to complete the initial app registration. 7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**: |
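Review bot: across this row and the three preceding Easy Button rows (headers, Oracle E-Business Suite, JD Edwards), step 1 now reads `Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights.`; the tenant role is named Application Administrator, so say `... using an account that holds the Application Administrator role` and consider the admin-center link used elsewhere in this batch. For step 7 (`authorize the following Microsoft Graph **Application permissions**`, starting with `Application.Read.All`), add a sentence that these are app-only permissions, so the BIG-IP calls Graph without a signed-in user and the registration's credentials need admin-grade protection. The punctuation and backtick fixes are fine.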
active-directory | Fortigate Ssl Vpn Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fortigate-ssl-vpn-tutorial.md | In this section, you'll enable B.Simon to use single sign-on by granting that us In this section, you'll create a security group in Microsoft Entra ID for the test user. FortiGate will use this security group to grant the user network access via the VPN. -1. In the left pane of the Azure portal, select **Microsoft Entra ID**. Then select **Groups**. -1. Select **New group** at the top of the screen. +1. In the Microsoft Entra admin center, navigate to **Identity** > **Groups** > **New group**. 1. In the **New Group** properties, complete these steps: 1. In the **Group type** list, select **Security**. 1. In the **Group name** box, enter **FortiGateAccess**. |
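Review bot: the merged step drops the sign-in line, so this section never says which account can create the group; add a first step such as "Sign in to the Microsoft Entra admin center as at least a Groups Administrator", matching the pattern the other tutorials in this batch use. Because FortiGate grants VPN network access on membership of this group, the steps should also tell the reader to leave Membership type as Assigned and to restrict the group's owners: anyone who can add members to FortiGateAccess can grant network access.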
active-directory | Highgear Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/highgear-tutorial.md | To configure the integration of HighGear into Microsoft Entra ID, you need to ad **To add HighGear from the gallery, perform the following steps:** -1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Microsoft Entra ID** icon. -- ![The Microsoft Entra button](common/select-azuread.png) --2. Navigate to **Enterprise Applications** and then select the **All Applications** option. -- ![The Enterprise applications blade](common/enterprise-applications.png) --3. To add a new application, click the **New application** button on the top of the dialog. -- ![The New application button](common/add-new-app.png) --4. In the search box, type **HighGear**, select **HighGear** from result panel, and then click the **Add** button to add the application. -- ![HighGear in the results list](common/search-new-app.png) +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **HighGear** in the search box. +1. Select **HighGear** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. <a name='configure-and-test-azure-ad-single-sign-on'></a> |
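Review bot: step 4 of the new list reads "Select HighGear from results panel"; it should be "from the results panel". The new step 1, which names Cloud Application Administrator as the least role and links the permissions reference, is the right pattern; the Easy Button tutorials in this batch that still say "Application Administrative rights" should be brought in line with it.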
active-directory | Insperityexpensable Tutorial |