Updates from: 10/13/2022 02:36:38
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Add Password Reset Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/add-password-reset-policy.md
Previously updated : 08/24/2021 Last updated : 10/07/2022
Declare your claims in the [claims schema](claimsschema.md). Open the extensions
[Page layout version](contentdefinitions.md#migrating-to-page-layout) 2.1.2 is required to enable the self-service password reset flow in the sign-up or sign-in journey. To upgrade the page layout version:
+1. Open the base file of your policy, for example, *SocialAndLocalAccounts/TrustFrameworkBase.xml*.
1. Search for the [BuildingBlocks](buildingblocks.md) element. If the element doesn't exist, add it. 1. Locate the [ContentDefinitions](contentdefinitions.md) element. If the element doesn't exist, add it. 1. Modify the **DataURI** element within the **ContentDefinition** element to have the ID `api.signuporsignin`:
``` ### Add the technical profiles
-A claims transformation technical profile accesses the `isForgotPassword` claim. The technical profile is referenced later. When it's invoked, it sets the value of the `isForgotPassword` claim to `true`. Find the **ClaimsProviders** element (if the element doesn't exist, create it), and then add the following claims provider:
+A claims transformation technical profile accesses the `isForgotPassword` claim. The technical profile is referenced later. When it's invoked, it sets the value of the `isForgotPassword` claim to `true`.
+
+1. Open the extensions file of your policy, for example, in *SocialAndLocalAccounts/TrustFrameworkExtensions.xml*.
+1. Find the **ClaimsProviders** element (if the element doesn't exist, create it), and then add the following claims provider:
```xml <!--
The user can now sign in, sign up, and perform password reset in your user journ
The sub journey is called from the user journey and performs the specific steps that deliver the password reset experience to the user. Use the `Call` type sub journey so that when the sub journey is finished, control is returned to the orchestration step that initiated the sub journey.
-Find the **SubJourneys** element. If the element doesn't exist, add it after the **User Journeys** element. Then, add the following sub journey:
+1. Open the extensions file of your policy, such as *SocialAndLocalAccounts/TrustFrameworkExtensions.xml*.
+1. Find the **SubJourneys** element. If the element doesn't exist, add it after the **User Journeys** element. Then, add the following sub journey:
```xml <!--
Next, connect the **Forgot your password?** link to the Forgot Password sub jour
If you don't have your own custom user journey that has a **CombinedSignInAndSignUp** step, complete the following steps to duplicate an existing sign-up or sign-in user journey. Otherwise, continue to the next section.
-1. In the starter pack, open the *TrustFrameworkBase.xml* file.
+1. In the starter pack, open the *TrustFrameworkBase.xml* file such as *SocialAndLocalAccounts/TrustFrameworkBase.xml*.
1. Find and copy the entire contents of the **UserJourney** element that includes `Id="SignUpOrSignIn"`.
-1. Open *TrustFrameworkExtensions.xml* and find the **UserJourneys** element. If the element doesn't exist, add one.
+1. Open *TrustFrameworkExtensions.xml* file, such as *SocialAndLocalAccounts/TrustFrameworkExtensions.xml*, and find the **UserJourneys** element. If the element doesn't exist, create it.
1. Create a child element of the **UserJourneys** element by pasting the entire contents of the **UserJourney** element you copied in step 2. 1. Rename the ID of the user journey. For example, `Id="CustomSignUpSignIn"`. ### Connect the Forgot Password link to the Forgot Password sub journey
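Review bot: Grammar in the two reworded step lines: "open the *TrustFrameworkBase.xml* file such as *SocialAndLocalAccounts/TrustFrameworkBase.xml*" needs a comma before "such as", and "Open *TrustFrameworkExtensions.xml* file, such as" is missing "the" before the file name. Suggest "open the *TrustFrameworkBase.xml* file, such as *SocialAndLocalAccounts/TrustFrameworkBase.xml*" and "Open the *TrustFrameworkExtensions.xml* file, such as *SocialAndLocalAccounts/TrustFrameworkExtensions.xml*", which matches the wording already used in the later "Open the *TrustFrameworkExtensions.xml* file, such as" step.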
-In your user journey, you can represent the Forgot Password sub journey as a **ClaimsProviderSelection**. Adding this element connects the **Forgot your password?** link to the Forgot Password sub journey.
+In your user journey, you can represent the Forgot Password sub journey as a **ClaimsProviderSelection**. By adding this element, you connect the **Forgot your password?** link to the Forgot Password sub journey.
+
+1. Open the *TrustFrameworkExtensions.xml* file, such as *SocialAndLocalAccounts/TrustFrameworkExtensions.xml*.
1. In the user journey, find the orchestration step element that includes `Type="CombinedSignInAndSignUp"` or `Type="ClaimsProviderSelection"`. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers that a user can use to sign in. Add the following line:
In your user journey, you can represent the Forgot Password sub journey as a **C
<ClaimsProviderSelection TargetClaimsExchangeId="ForgotPasswordExchange" /> ```
-1. In the next orchestration step, add a **ClaimsExchange** element. Add the following line:
+1. In the next orchestration step, add a **ClaimsExchange** element by adding the following line:
```xml <ClaimsExchange Id="ForgotPasswordExchange" TechnicalProfileReferenceId="ForgotPassword" />
### Set the user journey to be executed
-Now that you've modified or created a user journey, in the **Relying Party** section, specify the journey that Azure AD B2C will execute for this custom policy. In the [RelyingParty](relyingparty.md) element, find the **DefaultUserJourney** element. Update the **DefaultUserJourney ReferenceId** to match the ID of the user journey in which you added the **ClaimsProviderSelections**.
+Now that you've modified or created a user journey, in the **Relying Party** section, specify the journey that Azure AD B2C will execute for this custom policy.
+
+1. Open the file that has the **Relying Party** element, such as *SocialAndLocalAccounts/SignUpOrSignin.xml*.
+
+1. In the [RelyingParty](relyingparty.md) element, find the **DefaultUserJourney** element.
+
+1. Update the **DefaultUserJourney ReferenceId** to match the ID of the user journey in which you added the **ClaimsProviderSelections**.
```xml <RelyingParty>
Your application might need to detect whether the user signed in by using the Fo
1. In the Azure portal, search for and select **Azure AD B2C**. 1. In the menu under **Policies**, select **Identity Experience Framework**. 1. Select **Upload custom policy**. In the following order, upload the two policy files that you changed:
- 1. The extension policy, for example, *TrustFrameworkExtensions.xml*.
- 1. The relying party policy, for example, *SignUpSignIn.xml*.
+ 1. The extension policy, for example, *SocialAndLocalAccounts/TrustFrameworkExtensions.xml*.
+ 1. The relying party policy, for example, *SocialAndLocalAccounts/SignUpOrSignin.xml*.
::: zone-end
active-directory-b2c Application Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/application-types.md
Previously updated : 08/10/2022 Last updated : 10/11/2022
These steps can differ slightly based on the type of application you're building
## Web applications
-For web applications (including .NET, PHP, Java, Ruby, Python, and Node.js) that are hosted on a server and accessed through a browser, Azure AD B2C supports [OpenID Connect](protocols-overview.md) for all user experiences. In the Azure AD B2C implementation of OpenID Connect, your web application initiates user experiences by issuing authentication requests to Azure AD. The result of the request is an `id_token`. This security token represents the user's identity. It also provides information about the user in the form of claims:
+For web applications (including .NET, PHP, Java, Ruby, Python, and Node.js) that are hosted on a web server and accessed through a browser, Azure AD B2C supports [OpenID Connect](protocols-overview.md) for all user experiences. In the Azure AD B2C implementation of OpenID Connect, your web application initiates user experiences by issuing authentication requests to Azure AD. The result of the request is an `id_token`. This security token represents the user's identity. It also provides information about the user in the form of claims:
```json // Partial raw id_token
Validation of the `id_token` by using a public signing key that is received from
To see this scenario in action, try one of the web application sign-in code samples in our [Getting started section](overview.md).
-In addition to facilitating simple sign in, a web server application might also need to access a back-end web service. In this case, the web application can perform a slightly different [OpenID Connect flow](openid-connect.md) and acquire tokens by using authorization codes and refresh tokens. This scenario is depicted in the following [Web APIs section](#web-apis).
+In addition to facilitating simple sign in, a web application might also need to access a back-end web service. In this case, the web application can perform a slightly different [OpenID Connect flow](openid-connect.md) and acquire tokens by using authorization codes and refresh tokens. This scenario is depicted in the following [Web APIs section](#web-apis).
## Single-page applications
active-directory-b2c Configure Authentication Sample React Spa App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-authentication-sample-react-spa-app.md
export const msalConfig: Configuration = {
export const protectedResources = { todoListApi: { endpoint: "http://localhost:5000/hello",
- scopes: ["https://your-tenant-namee.onmicrosoft.com/tasks-api/tasks.read"],
+ scopes: ["https://your-tenant-name.onmicrosoft.com/tasks-api/tasks.read"],
}, } ```
active-directory-b2c Custom Email Mailjet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-email-mailjet.md
Previously updated : 06/22/2022 Last updated : 10/06/2022 zone_pivot_groups: b2c-policy-type
With a Mailjet account created and the Mailjet API key stored in an Azure AD B2C
<td valign="top" width="50%"></td> </tr> </table>
- <img src="https://mucp.api.account.microsoft.com/m/v2/v?d=AIAACWEPFYXYIUTJIJVV4ST7XLBHVI5MLLYBKJAVXHBDTBHUM5VBSVVPTTVRWDFIXJ5JQTHYOH5TUYIPO4ZAFRFK52UAMIS3UNIPPI7ZJNDZPRXD5VEJBN4H6RO3SPTBS6AJEEAJOUYL4APQX5RJUJOWGPKUABY&amp;i=AIAACL23GD2PFRFEY5YVM2XQLM5YYWMHFDZOCDXUI2B4LM7ETZQO473CVF22PT6WPGR5IIE6TCS6VGEKO5OZIONJWCDMRKWQQVNP5VBYAINF3S7STKYOVDJ4JF2XEW4QQVNHMAPQNHFV3KMR3V3BA4I36B6BO7L4VQUHQOI64EOWPLMG5RB3SIMEDEHPILXTF73ZYD3JT6MYOLAZJG7PJJCAXCZCQOEFVH5VCW2KBQOKRYISWQLRWAT7IINZ3EFGQI2CY2EMK3FQOXM7UI3R7CZ6D73IKDI" width="1" height="1"></body>
+ </body>
</html> ```
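Review bot: Removing the 1x1 `<img>` beacon pointing at `mucp.api.account.microsoft.com` is the right fix for a verification/password-reset email sample: an open-tracking pixel tells a third-party host when and from what client address the recipient opened the message, which has no place in an authentication mail. The replacement `</body>` line keeps the template well-formed since the original `</body>` was fused onto the removed `<img>` line.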
active-directory-b2c Custom Email Sendgrid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-email-sendgrid.md
Previously updated : 04/25/2022 Last updated : 10/06/2022 zone_pivot_groups: b2c-policy-type
With a SendGrid account created and SendGrid API key stored in an Azure AD B2C p
<td valign="top" width="50%"></td> </tr> </table>
- <img src="https://mucp.api.account.microsoft.com/m/v2/v?d=AIAACWEPFYXYIUTJIJVV4ST7XLBHVI5MLLYBKJAVXHBDTBHUM5VBSVVPTTVRWDFIXJ5JQTHYOH5TUYIPO4ZAFRFK52UAMIS3UNIPPI7ZJNDZPRXD5VEJBN4H6RO3SPTBS6AJEEAJOUYL4APQX5RJUJOWGPKUABY&amp;i=AIAACL23GD2PFRFEY5YVM2XQLM5YYWMHFDZOCDXUI2B4LM7ETZQO473CVF22PT6WPGR5IIE6TCS6VGEKO5OZIONJWCDMRKWQQVNP5VBYAINF3S7STKYOVDJ4JF2XEW4QQVNHMAPQNHFV3KMR3V3BA4I36B6BO7L4VQUHQOI64EOWPLMG5RB3SIMEDEHPILXTF73ZYD3JT6MYOLAZJG7PJJCAXCZCQOEFVH5VCW2KBQOKRYISWQLRWAT7IINZ3EFGQI2CY2EMK3FQOXM7UI3R7CZ6D73IKDI" width="1" height="1"></body>
+ </body>
</html> ```
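Review bot: Same beacon removal as in the Mailjet template, and the resulting `</body>`/`</html>` nesting is correct. Because the SendGrid and Mailjet samples carried the identical `<img>` line, consider moving the shared HTML template into one include so a fix like this only has to be made once.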
active-directory-b2c Enable Authentication Android App Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/enable-authentication-android-app-options.md
Previously updated : 11/11/2021 Last updated : 10/06/2022
b2cApp.acquireToken(parameters);
#### [Kotlin](#tab/kotlin) ```kotlin
-val extraQueryParameters: MutableList<Pair<String, String>> = ArrayList()
-extraQueryParameters.add(Pair("ui_locales", "en-us"))
+val extraQueryParameters: MutableList<Map.Entry<String, String>> = ArrayList()
+
+val mapEntry = object : Map.Entry<String, String> {
+ override val key: String = "ui_locales"
+ override val value: String = "en-us"
+ }
+
+extraQueryParameters.add(mapEntry )
val parameters = AcquireTokenParameters.Builder() .startAuthorizationFromActivity(activity)
val parameters = AcquireTokenParameters.Builder()
b2cApp!!.acquireToken(parameters) ```- #### [Java](#tab/java) ```java
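Review bot: Two style points in the Kotlin hunk: `extraQueryParameters.add(mapEntry )` has a stray space before the closing parenthesis, and the closing brace of the `object : Map.Entry<String, String>` literal is indented one level deeper than the `val mapEntry` it belongs to. Switching the element type from `Pair` to `Map.Entry` is the substantive change here, since a Kotlin `Pair` does not implement `Map.Entry`; if the list is meant to hold several query parameters, `mapOf("ui_locales" to "en-us").entries` would produce the same `Map.Entry` values with less boilerplate than an anonymous object per parameter.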
active-directory-b2c Identity Provider Azure Ad Single Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-azure-ad-single-tenant.md
Previously updated : 06/08/2022 Last updated : 10/11/2022
As of November 2020, new application registrations show up as unverified in the
To enable sign-in for users with an Azure AD account from a specific Azure AD organization, in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). 1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Make sure you're using the directory that contains your organizational Azure AD tenant (for example, Contoso). Select the **Directories + subscriptions** icon in the portal toolbar.
-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**.
-1. Under **Azure services**, select **App registrations** or search for and select **App registrations**.
-1. Select **New registration**.
+1. Make sure you're using the directory that contains your organizational Azure AD tenant (for example, Contoso):
+ 1. Select the **Directories + subscriptions** icon in the portal toolbar.
+ 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**.
+1. In the Azure portal, search for and select **Azure Active Directory**.
+1. In the left menu, under **Manage**, select **App registrations**.
+1. Select **+ New registration**.
1. Enter a **Name** for your application. For example, `Azure AD B2C App`. 1. Accept the default selection of **Accounts in this organizational directory only (Default Directory only - Single tenant)** for this application. 1. For the **Redirect URI**, accept the value of **Web**, and enter the following URL in all lowercase letters, where `your-B2C-tenant-name` is replaced with the name of your Azure AD B2C tenant.
To enable sign-in for users with an Azure AD account from a specific Azure AD or
If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/active-directory-optional-claims.md).
-1. Sign in to the [Azure portal](https://portal.azure.com) using your organizational Azure AD tenant. Search for and select **Azure Active Directory**.
-1. From the **Manage** section, select **App registrations**.
-1. Select the application you want to configure optional claims for in the list.
+1. Sign in to the [Azure portal](https://portal.azure.com) using your organizational Azure AD tenant. Or if you're already signed in, make sure you're using the directory that contains your organizational Azure AD tenant (for example, Contoso):
+ 1. Select the **Directories + subscriptions** icon in the portal toolbar.
+ 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**.
+1. In the Azure portal, search for and select **Azure Active Directory**.
+1. In the left menu, under **Manage**, select **App registrations**.
+1. Select the application you want to configure optional claims for in the list, such as `Azure AD B2C App`.
1. From the **Manage** section, select **Token configuration**. 1. Select **Add optional claim**. 1. For the **Token type**, select **ID**.
active-directory-b2c Json Transformations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/json-transformations.md
Previously updated : 08/10/2022 Last updated : 09/07/2022
The following claims transformation outputs a JSON string claim that will be the
} ```
+The **GenerateJson** claims transformation accepts plain strings. If an input claim contains a JSON string, that string will be escaped. In the following example, if you use email output from [CreateJsonArray above](json-transformations.md#example-of-createjsonarray), that is ["someone@contoso.com"], as an input parameter, the email will look like as shown in the following JSON claim:
+
+- Output claim:
+ - **requestBody**:
+
+ ```json
+ {
+ "customerEntity":{
+ "email":"[\"someone@contoso.com\"]",
+ "userObjectId":"01234567-89ab-cdef-0123-456789abcdef",
+ "firstName":"John",
+ "lastName":"Smith",
+ "role":{
+ "name":"Administrator",
+ "id": 1
+ }
+ }
+ }
+ ```
+ ## GetClaimFromJson Get a specified element from a JSON data. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json#getclaimfromjson) of this claims transformation.
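Review bot: Grammar in the new GenerateJson paragraph: "the email will look like as shown in the following JSON claim" should be "the email will appear as shown in the following JSON claim". The literal `["someone@contoso.com"]` in the same sentence should be in backticks so the brackets and quotes are not interpreted as Markdown. The escaped `"email":"[\"someone@contoso.com\"]"` in the sample output is correct and is the point worth keeping, since it shows that a JSON-valued input claim is embedded as an escaped string rather than parsed.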
active-directory-b2c Partner Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-gallery.md
Microsoft partners with the following ISVs for Web Application Firewall (WAF).
| ![Screenshot of Azure WAF logo](./medi) provides centralized protection of your web applications from common exploits and vulnerabilities. | ![Screenshot of Cloudflare logo](./medi) is a WAF provider that helps organizations protect against malicious attacks that aim to exploit vulnerabilities such as SQLi, and XSS. |
+## Identity verification tools
+
+Microsoft partners with the following ISVs for tools that can help with implementation of your authentication solution.
+
+| ISV partner | Description and integration walkthroughs |
+|:-|:--|
+| ![Screenshot of a grit ief editor logo.](./medi) is a tool that saves time during authentication deployment. It supports multiple languages without the need to write code. It also has a no code debugger for user journeys.|
## Additional information
active-directory-b2c Partner Grit Editor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-grit-editor.md
+
+ Title: Edit identity experience framework XML with Grit Visual Identity Experience Framework (IEF) Editor
+
+description: Learn how Grit Visual IEF Editor enables fast authentication deployments in Azure AD B2C
++++++ Last updated : 10/10/2022++++++
+# Edit Azure Active Directory B2C Identity Experience Framework (IEF) XML with Grit Visual IEF Editor
+
+[Grit Software Systems Visual Identity Experience Framework (IEF) Editor](https://www.gritiam.com/iefeditor), is a tool that saves time during Azure Active Directory B2C (Azure AD B2C) authentication deployment. It supports multiple languages without the need to write code. It also has a no code debugger for user journeys.
+
+Use the Visual IEF Editor to:
+
+- Create Azure AD B2C IEF XML, HTML/CSS/JS, and .NET API to deploy Azure AD B2C.
+- Load your Azure AD B2C IEF XML.
+- Visualize and modify your current code, check it in, and run it through a continuous integration/continuous delivery (CI/CD) pipeline.
+
+## Prerequisites
+
+To get started with the IEF Editor, ensure the following prerequisites are met:
+
+- An Azure AD subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/).
+- An Azure AD B2C tenant linked to the Azure subscription. Learn more at [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md).
+- [Visual IEF Editor](https://www.gritiefedit.com) is free and works only with Google Chrome browser.
+- Review and download policies from [Azure AD B2C customer policies starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack)
+- Install Google Chrome browser
+
+## Sample code development workflow
+
+The following illustration shows a sample code-development workflow from XML files to production.
+
+![Screenshot shows the sample code-development workflow.](./media/partner-grit-editor/sample-code-development-workflow.png)
+
+| Step | Description |
+|:--|:|
+| 1. | Go to https://www.gritiefedit.com and upload the policies from [Azure AD B2C customer policies starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack) using the upload policy button in the user interface.|
+| 2. | Using the Visual IEF editor tool, select and edit any user journey and self asserted profile that needs update/modification.|
+|3. | Once the files are updated, select the download button. All the policies will be downloaded to the local machine.|
+|4. | Check in the files in GitHub or CI/CD pipeline. |
+|5. | Use the files in the lower environment for testing the Azure AD B2C policies.|
+|6. | Deploy the policies in Azure AD B2C production environment. |
+
+Learn more about [IEF Editor](https://app.archbee.com/doc/uwPRnuvZNjyEaJ8odNOEC/WmcXf6fTZjAHpx7-rAlac).
+
+## Scenario descriptions
+
+The following sections describe two Visual IEF Editor scenarios for *Contoso* and *Fabrikam* to consider when you plan your Azure AD B2C deployment using this tool.
+
+### Case 1 - Contoso: IEF logic, make changes, and enable features
+
+The *Contoso* enterprise uses Azure AD B2C, and has an extensive IEF deployment. Current challenges for *Contoso* are:
+
+- Teaching IEF logic to new-hire developers.
+- Making changes to IEF.
+- Enabling features such as, fraud protection, identity protection, and biometrics.
+
+When IEF files are loaded into Visual IEF Editor, a list of user journeys appears with a flow chart for each journey. The user journey elements contain useful data and functionalities. Search eases the process of tracing through IEF logic, and enables needed features. The modified files can be:
+
+- Downloaded to a local machine.
+- Uploaded to GitHub.
+- Run through CI/CD.
+- Deployed to a lower environment for testing.
+
+### Case 2 - Fabrikam: Fast implementation
+
+*Fabrikam* is a large enterprise, which has decided to use Azure AD B2C. Their goals are:
+
+- Implement Azure AD B2C quickly
+- Discover functionalities without learning IEF
+
+>[!NOTE]
+>This scenario is in private preview. For access, or questions, contact [Grit IAM Solutions support](https://www.gritiam.com/).
+
+Fabrikam has a set of pre-built templates with intuitive charts that show user flows. Use Visual IEF Editor to modify templates and then deploy them into a lower environment, or upload them to GitHub for CI/CD.
+
+After the IEF is modified, download, and upload the files to Azure AD B2C to see them in action.
+
+## Next steps
+
+For additional information, review the following articles:
+
+- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](custom-policy-get-started.md?tabs=applications)
+
+- [IEF Editor](https://app.archbee.com/doc/uwPRnuvZNjyEaJ8odNOEC/WmcXf6fTZjAHpx7-rAlac) documentation
+
+- [Grit IAM B2B2C](partner-grit-iam.md)
+
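Review bot: The alignment row of the workflow table is malformed: `|:--|:|` has a second cell of just `:`, which is not a valid column delimiter; it should be `|:--|:--|` as in the table on the partner gallery page. In the prerequisites list the "Review and download policies" and "Install Google Chrome browser" items lack trailing periods while the others have them, and the Chrome requirement is stated twice (once in the Visual IEF Editor item, once as its own item); one mention is enough.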
active-directory-b2c User Profile Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-profile-attributes.md
Previously updated : 09/24/2021 Last updated : 10/11/2021 + # User profile attributes
The table below lists the [user resource type](/graph/api/resources/user) attrib
|creationType |String|If the user account was created as a local account for an Azure Active Directory B2C tenant, the value is LocalAccount or nameCoexistence. Read only.|No|No|Persisted, Output| |dateOfBirth |Date|Date of birth.|No|No|Persisted, Output| |department |String|The name for the department in which the user works. Max length 64.|Yes|No|Persisted, Output|
-|displayName |String|The display name for the user. Max length 256.|Yes|Yes|Persisted, Output|
+|displayName |String|The display name for the user. Max length 256. \< \> characters aren't allowed. | Yes|Yes|Persisted, Output|
|facsimileTelephoneNumber<sup>1</sup>|String|The telephone number of the user's business fax machine.|Yes|No|Persisted, Output| |givenName |String|The given name (first name) of the user. Max length 64.|Yes|Yes|Persisted, Output| |jobTitle |String|The user's job title. Max length 128.|Yes|Yes|Persisted, Output|
In user migration scenarios, if the accounts you want to migrate have weaker pas
## MFA phone number attribute
-When using a phone for multi-factor authentication (MFA), the mobile phone is used to verify the user identity. To [add](/graph/api/authentication-post-phonemethods) a new phone number programmatically, [update](/graph/api/b2cauthenticationmethodspolicy-update), [get](/graph/api/b2cauthenticationmethodspolicy-get), or [delete](/graph/api/phoneauthenticationmethod-delete) the phone number, use MS Graph API [phone authentication method](/graph/api/resources/phoneauthenticationmethod).
+When using a phone for multi-factor authentication (MFA), the mobile phone is used to verify the user identity. To [add](/graph/api/authentication-post-phonemethods) a new phone number programmatically, [update](/graph/api/phoneauthenticationmethod-update), [get](/graph/api/phoneauthenticationmethod-get), or [delete](/graph/api/phoneauthenticationmethod-delete) the phone number, use MS Graph API [phone authentication method](/graph/api/resources/phoneauthenticationmethod).
In Azure AD B2C [custom policies](custom-policy-overview.md), the phone number is available through `strongAuthenticationPhoneNumber` claim type.
active-directory Accidental Deletions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/accidental-deletions.md
Previously updated : 09/30/2022 Last updated : 10/06/2022
active-directory Application Provisioning Config Problem No Users Provisioned https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned.md
Previously updated : 05/11/2021 Last updated : 10/06/2022
active-directory Application Provisioning Config Problem Scim Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md
Previously updated : 05/25/2022 Last updated : 10/06/2022
active-directory Application Provisioning Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem.md
Previously updated : 05/11/2021 Last updated : 10/06/2022
active-directory Application Provisioning Configuration Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-configuration-api.md
Previously updated : 06/03/2021 Last updated : 10/06/2022
active-directory Application Provisioning Log Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-log-analytics.md
Previously updated : 05/11/2021 Last updated : 10/06/2022
active-directory Application Provisioning Quarantine Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-quarantine-status.md
Previously updated : 05/11/2021 Last updated : 10/06/2022
active-directory Application Provisioning When Will Provisioning Finish Specific User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md
Previously updated : 05/11/2021 Last updated : 10/06/2022
active-directory Configure Automatic User Provisioning Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md
Previously updated : 05/11/2021 Last updated : 10/06/2022
active-directory Customize Application Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md
Previously updated : 11/15/2021 Last updated : 10/06/2022
active-directory What Is Application Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/what-is-application-proxy.md
Last updated 08/29/2022 -+ # Using Azure AD Application Proxy to publish on-premises apps for remote users
The following diagram illustrates in general how Azure AD authentication service
|**Component**|**Description**| |:-|:-|
-|Endpoint|The endpoint is a URL or an [user portal](../manage-apps/end-user-experiences.md). Users can reach applications while outside of your network by accessing an external URL. Users within your network can access the application through a URL or an user portal. When users go to one of these endpoints, they authenticate in Azure AD and then are routed through the connector to the on-premises application.|
+|Endpoint|The endpoint is a URL or an [user portal](../manage-apps/end-user-experiences.md). Users can reach applications while outside of your network by accessing an external URL. Users within your network can access the application through a URL or a user portal. When users go to one of these endpoints, they authenticate in Azure AD and then are routed through the connector to the on-premises application.|
|Azure AD|Azure AD performs the authentication using the tenant directory stored in the cloud.| |Application Proxy service|This Application Proxy service runs in the cloud as part of Azure AD. It passes the sign-on token from the user to the Application Proxy Connector. Application Proxy forwards any accessible headers on the request and sets the headers as per its protocol, to the client IP address. If the incoming request to the proxy already has that header, the client IP address is added to the end of the comma-separated list that is the value of the header.| |Application Proxy connector|The connector is a lightweight agent that runs on a Windows Server inside your network. The connector manages communication between the Application Proxy service in the cloud and the on-premises application. The connector only uses outbound connections, so you don't have to open any inbound ports or put anything in the DMZ. The connectors are stateless and pull information from the cloud as necessary. For more information about connectors, like how they load-balance and authenticate, see [Understand Azure AD Application Proxy connectors](./application-proxy-connectors.md).|
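Review bot: The article fix changed "through a URL or an user portal" to "a user portal" but left the first occurrence in the same cell unchanged: "The endpoint is a URL or an [user portal](../manage-apps/end-user-experiences.md)" still reads "an user portal". Suggest "a [user portal](...)" there as well.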
active-directory Active Directory Certificate Based Authentication Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/active-directory-certificate-based-authentication-android.md
Title: Android certificate-based authentication - Azure Active Directory
+ Title: Android certificate-based authentication with federation - Azure Active Directory
description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication in solutions with Android devices Previously updated : 02/16/2022 Last updated : 09/30/2022
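Review bot: The title and H1 now say "certificate-based authentication with federation", but the unchanged `description:` front-matter line still reads "configuring certificate-based authentication in solutions with Android devices" without the federation qualifier. Suggest updating the description to match, so search results and link previews reflect the narrowed scope.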
-# Azure Active Directory certificate-based authentication on Android
+# Azure Active Directory certificate-based authentication with federation on Android
Android devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory using a client certificate on their device when connecting to:
The device OS version must be Android 5.0 (Lollipop) and above.
A federation server must be configured.
-For Azure Active Directory to revoke a client certificate, the ADFS token must have the following claims:
+For Azure Active Directory to revoke a client certificate, the AD FS token must have the following claims:
* `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` (The serial number of the client certificate) * `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` (The string for the issuer of the client certificate)
-Azure Active Directory adds these claims to the refresh token if they are available in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
+Azure Active Directory adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
-As a best practice, you should update your organization's ADFS error pages with the following information:
+As a best practice, you should update your organization's AD FS error pages with the following information:
* The requirement for installing the Microsoft Authenticator on Android. * Instructions on how to get a user certificate. For more information, see [Customizing the AD FS Sign-in Pages](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn280950(v=ws.11)).
-Some Office apps (with modern authentication enabled) send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to ADFS as '*wauth=usernamepassworduri*' (asks ADFS to do U/P Auth) and '*wfresh=0*' (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
+Office apps with modern authentication enabled send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task:
-`Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled`
+```powershell
+Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled
+```
## Exchange ActiveSync clients support
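Review bot: the rewrite at "+Office apps with modern authentication enabled send '*prompt=login*'" drops the qualifier "Some", turning a statement about a subset of Office apps into one about all of them, while the iOS counterpart in this same update keeps "Some Office apps"; either keep "Some" here or change both articles together. Separately, in the claims list the angle brackets in `.../claims/<serialnumber>` and `.../field/<issuer>` read as placeholders to substitute, yet the parenthetical describes the claim's value rather than a substitution; state whether those segments are the literal claim-type names AD FS must emit.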
active-directory Active Directory Certificate Based Authentication Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/active-directory-certificate-based-authentication-ios.md
Title: Certificate-based authentication on iOS - Azure Active Directory
+ Title: Certificate-based authentication with federation on iOS - Azure Active Directory
description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication for Azure Active Directory in solutions with iOS devices Previously updated : 05/04/2022 Last updated : 09/30/2022
-# Azure Active Directory certificate-based authentication on iOS
+# Azure Active Directory certificate-based authentication with federation on iOS
To improve security, iOS devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory (Azure AD) using a client certificate on their device when connecting to the following applications or
To use CBA with iOS, the following requirements and considerations apply:
* The device OS version must be iOS 9 or above. * Microsoft Authenticator is required for Office applications on iOS.
-* An identity preference must be created in the macOS Keychain that include the authentication URL of the ADFS server. For more information, see [Create an identity preference in Keychain Access on Mac](https://support.apple.com/guide/keychain-access/create-an-identity-preference-kyca6343b6c9/mac).
+* An identity preference must be created in the macOS Keychain that includes the authentication URL of the AD FS server. For more information, see [Create an identity preference in Keychain Access on Mac](https://support.apple.com/guide/keychain-access/create-an-identity-preference-kyca6343b6c9/mac).
-The following Active Directory Federation Services (ADFS) requirements and considerations apply:
+The following Active Directory Federation Services (AD FS) requirements and considerations apply:
-* The ADFS server must be enabled for certificate authentication and use federated authentication.
+* The AD FS server must be enabled for certificate authentication and use federated authentication.
* The certificate needs to have to use Enhanced Key Usage (EKU) and contain the UPN of the user in the *Subject Alternative Name (NT Principal Name)*.
-## Configure ADFS
+## Configure AD FS
-For Azure AD to revoke a client certificate, the ADFS token must have the following claims. Azure AD adds these claims to the refresh token if they're available in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
+For Azure AD to revoke a client certificate, the AD FS token must have the following claims. Azure AD adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
* `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` - add the serial number of your client certificate * `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` - add the string for the issuer of your client certificate
-As a best practice, you also should update your organization's ADFS error pages with the following information:
+As a best practice, you also should update your organization's AD FS error pages with the following information:
* The requirement for installing the Microsoft Authenticator on iOS. * Instructions on how to get a user certificate.
For more information, see [Customizing the AD FS sign in page](/previous-version
## Use modern authentication with Office apps
-Some Office apps with modern authentication enabled send `prompt=login` to Azure AD in their request. By default, Azure AD translates `prompt=login` in the request to ADFS as `wauth=usernamepassworduri` (asks ADFS to do U/P Auth) and `wfresh=0` (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Azure AD behavior.
+Some Office apps with modern authentication enabled send `prompt=login` to Azure AD in their request. By default, Azure AD translates `prompt=login` in the request to AD FS as `wauth=usernamepassworduri` (asks AD FS to do U/P Auth) and `wfresh=0` (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Azure AD behavior.
To update the default behavior, set the '*PromptLoginBehavior*' in your federated domain settings to *Disabled*. You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task, as shown in the following example:
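Review bot: the AD FS requirement "The certificate needs to have to use Enhanced Key Usage (EKU)" is ungrammatical and does not say which EKU is required, so a reader cannot issue a compliant certificate from this line; name the required key usage (for example "must include the <purpose> EKU") next to the existing Subject Alternative Name requirement. Also, if the command following "as shown in the following example:" is still an inline backtick command, convert it to the same fenced `powershell` block the Android article gained in this update so the two articles stay in step.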
active-directory Concept Authentication Strengths https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-strengths.md
+
+ Title: Overview of Azure Active Directory authentication strength (preview)
+description: Learn how admins can use Azure AD Conditional Access to distinguish which authentication methods can be used based on relevant security factors.
+++++ Last updated : 10/04/2022++++++++
+# Conditional Access authentication strength (preview)
+
+Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a nonsensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.
+
+Authentication strength is based on the [Authentication methods policy](concept-authentication-methods.md), where administrators can scope authentication methods for specific users and groups to be used across Azure Active Directory (Azure AD) federated applications. Authentication strength allows further control over the usage of these methods based upon specific scenarios such as sensitive resource access, user risk, location, and more.
+
+Administrators can specify an authentication strength to access a resource by creating a Conditional Access policy with the **Require authentication strength** control. They can choose from three built-in authentication strengths: **Multifactor authentication strength**, **Passwordless MFA strength**, and **Phishing-resistant MFA strength**. They can also create a custom authentication strength based on the authentication method combinations they want to allow.
++
+## Scenarios for authentication strengths
+
+Authentication strengths can help customers address scenarios, such as:
+
+- Require specific authentication methods to access a sensitive resource.
+- Require a specific authentication method when a user takes a sensitive action within an application (in combination with Conditional Access authentication context).
+- Require users to use a specific authentication method when they access sensitive applications outside of the corporate network.
+- Require more secure authentication methods for users at high risk.
+- Require specific authentication methods from guest users who access a resource tenant (in combination with cross-tenant settings). <!-- Namrata - Add / review external users scenario here -->
+
+## Authentication strengths
+
+An authentication strength can include a combination of authentication methods. Users can satisfy the strength requirements by authenticating with any of the allowed combinations. For example, the built-in **Phishing-resistant MFA strength** allows the following combinations:
+
+- Windows Hello for Business
+
+ Or
+
+- FIDO2 security key
+
+ Or
+
+- Azure AD Certificate-Based Authentication (Multi-Factor)
++
+### Built-in authentication strengths
+
+Built-in authentication strengths are combinations of authentication methods that are predefined by Microsoft. Built-in authentication strengths are always available and can't be modified. Microsoft will update built-in authentication strengths when new methods become available.
+
+The following table lists the combinations of authentication methods for each built-in authentication strength. Depending on which methods are available in the authentication methods policy and registered for users, they can use any one of the combinations to sign-in.
+
+- **MFA strength** - the same set of combinations that could be used to satisfy the **Require multifactor authentication** setting.
+- **Passwordless MFA strength** - includes authentication methods that satisfy MFA but don't require a password.
+- **Phishing-resistant MFA strength** - includes methods that require an interaction between the authentication method and the sign-in surface.
+
+|Authentication method combination |MFA strength | Passwordless MFA strength| Phishing-resistant MFA strength|
+|-|-|-|-|
+|FIDO2 security key| &#x2705; | &#x2705; | &#x2705; |
+|Windows Hello for Business| &#x2705; | &#x2705; | &#x2705; |
+|Certificate-based authentication (Multi-Factor) | &#x2705; | &#x2705; | &#x2705; |
+|Microsoft Authenticator (Phone Sign-in)| &#x2705; | &#x2705; | |
+|Temporary Access Pass (One-time use AND Multi-use)| &#x2705; | | |
+|Password + something you have<sup>1</sup>| &#x2705; | | |
+|Federated single-factor + something you have<sup>1</sup>| &#x2705; | | |
+|Federated Multi-Factor| &#x2705; | | |
+|Certificate-based authentication (single-factor)| | | |
+|SMS sign-in | | | |
+|Password | | | |
+|Federated single-factor| | | |
+
+<!-- We will move these methods back to the table as they become supported - expected very soon
+|Email One-time pass (Guest)| | | |
+-->
+
+<sup>1</sup> Something you have refers to one of the following methods: SMS, voice, push notification, software OATH token. Hardware OATH token is currently not supported.
+
+The following API call can be used to list definitions of all the built-in authentication strengths:
+
+```http
+GET https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrengths/policies?$filter=policyType eq 'builtIn'
+```
+
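Review bot: the built-in strength names are not used consistently: the introduction calls them **Multifactor authentication strength**, **Passwordless MFA strength** and **Phishing-resistant MFA strength**, the bullet list and table header say **MFA strength**, and the Limitations section later refers to the built-in strength **Multifactor authentication**; administrators will search the portal for these labels, so pick one name per strength and use it throughout. Minor: "can use any one of the combinations to sign-in" should be "sign in" when used as a verb.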
+### Custom authentication strengths
+
+In addition to the three built-in authentication strengths, administrators can create up to 15 of their own custom authentication strengths to exactly suit their requirements. A custom authentication strength can contain any of the supported combinations in the preceding table.
+
+1. In the Azure portal, browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths (Preview)**.
+1. Select **New authentication strength**.
+1. Provide a descriptive **Name** for your new authentication strength.
+1. Optionally provide a **Description**.
+1. Select any of the available methods you want to allow.
+1. Choose **Next** and review the policy configuration.
+
+ :::image type="content" border="true" source="media/concept-authentication-strengths/authentication-strength-custom.png" alt-text="Screenshot showing the creation of a custom authentication strength.":::
+
+#### Update and delete custom authentication strengths
+
+You can edit a custom authentication strength. If it's referenced by a Conditional Access policy, it can't be deleted, and you need to confirm any edit.
+To check if an authentication strength is referenced by a Conditional Access policy,click **Conditional Access policies** column.
+
+#### FIDO2 security key advanced options
+Custom authentication strengths allow customers to further restrict the usage of some FIDO2 security keys based on their Authenticator Attestation GUIDs (AAGUIDs). The capability allows administrators to require a FIDO2 key from a specific manufacture in order to access the resource. To require a specific FIDO2 security key, complete the preceding steps to create a custom authentication strength, select **FIDO2 Security Key**, and click **Advanced options**.
++
+Next to **Allowed FIDO2 Keys** click **+**, copy the AAGUID value, and click **Save**.
++
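Review bot: the FIDO2 advanced options section restricts keys by AAGUID but does not say that an AAGUID is only as trustworthy as the attestation that was verified when the key was registered, nor where an administrator obtains the AAGUID to paste into **Allowed FIDO2 Keys**; add a sentence on the attestation requirement and a pointer to the source of the value. Also "a specific manufacture" should be "manufacturer", and "Conditional Access policy,click" is missing a space.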
+## Using authentication strength in Conditional Access
+After you determine the authentication strength you need, you'll need to create a Conditional Access policy to require that authentication strength to access a resource. When the Conditional Access policy gets applied, the authentication strength restricts which authentication methods are allowed.
+<!-- ### Place holder:How to create conditional access policy that uses authentication strength
+- Add a note that you can use either require mfa or require auth strengths
+- (JF) Possibly add a reference doc that lists all the definitions of the things you can configure?
+-->
+
+### How authentication strength works with the Authentication methods policy
+There are two policies that determine which authentication methods can be used to access resources. If a user is enabled for an authentication method in either policy, they can sign in with that method.
+
+- **Security** > **Authentication methods** > **Policies** is a more modern way to manage authentication methods for specific users and groups. You can specify users and groups for different methods. You can also configure parameters to control how a method can be used.
+
+ :::image type="content" border="true" source="./media/concept-authentication-strengths/authentication-methods-policy.png" alt-text="Screenshot of Authentication methods policy.":::
+
+- **Security** > **Multifactor Authentication** > **Additional cloud-based multifactor authentication settings** is a legacy way to control multifactor authentication methods for all of the users in the tenant.
+
+ :::image type="content" border="true" source="./media/concept-authentication-strengths/service-settings.png" alt-text="Screenshot of MFA service settings.":::
+
+Users may register for authentications for which they are enabled, and in other cases, an administrator can configure a user's device with a method, such as certificate-based authentication.
+
+The authentication strength Conditional Access policy defines which methods can be used. Azure AD checks the policy during sign-in to determine the userΓÇÖs access to the resource. For example, an administrator configures a Conditional Access policy with a custom authentication strength that requires FIDO2 Security Key or Password + SMS. The user accesses a resource protected by this policy. During sign-in, all settings are checked to determine which methods are allowed, which methods are registered, and which methods are required by the Conditional Access policy. To be used, a method must be allowed, registered by the user (either before or as part of the access request), and satisfy the authentication strength.
+
+## User experience
+
+The following factors determine if the user gains access to the resource:
+
+- Which authentication method was previously used?
+- Which methods are available for the authentication strength?
+- Which methods are allowed for user sign-in in the Authentication methods policy?
+- Is the user registered for any available method?
+
+When a user accesses a resource protected by an authentication strength Conditional Access policy, Azure AD evaluates if the methods they have previously used satisfy the authentication strength. If a satisfactory method was used, Azure AD grants access to the resource. For example, let's say a user signs in with password + SMS. They access a resource protected by MFA authentication strength. In this case, the user can access the resource without another authentication prompt.
+
+Let's suppose they next access a resource protected by Phishing-resistant MFA authentication strength. At this point, they'll be prompted to provide a phishing-resistant authentication method, such as Windows Hello for Business.
+
+If the user hasn't registered for any methods that satisfy the authentication strength, they are redirected to [combined registration](concept-registration-mfa-sspr-combined.md#interrupt-mode). <!-- making this a comment for now because we have a limitation. Once it is fixed we can remove the comment::: Only users who satisfy MFA are redirected to register another strong authentication method.-->
+
+If the authentication strength doesn't include a method that the user can register and use, the user is blocked from sign-in to the resource.
+
+### Registering authentication methods
+
+The following authentication methods can't be registered as part of combined registration interrupt mode:
+* [Microsoft Authenticator (phone sign-in)](https://support.microsoft.com/account-billing/add-your-work-or-school-account-to-the-microsoft-authenticator-app-43a73ab5-b4e8-446d-9e54-2a4cb8e4e93c) - Can be registered from the Authenticator app.
+* [FIDO2](howto-authentication-passwordless-security-key.md) - can be registered using [combined registration managed mode](concept-registration-mfa-sspr-combined.md#manage-mode).
+* [Certificate-based authentication](concept-certificate-based-authentication.md) - Require administrator setup, cannot be registered by the user.
+* [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use) - Can be registered in the Windows Out of Box Experience (OOBE) or the Windows Settings menu.
+
+If a user isn't registered for these methods, they can't access the resource until the required method is registered. For the best user experience, make sure users complete combined registered in advance for the different methods they may need to use.
+
+### Federated user experience
+For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider by setting the federatedIdpMfaBehavior. If the federatedIdpMfaBehavior setting is set to enforceMfaByFederatedIdp, the user must authenticate on their federated IdP and can only satisfy the **Federated Multi-Factor** combination of the authentication strength requirement. For more information about the federation settings, see [Plan support for MFA](../hybrid/migrate-from-federation-to-cloud-authentication.md#plan-support-for-mfa).
+
+If a user from a federated domain has multifactor authentication settings in scope for Staged Rollout, the user can complete multifactor authentication in the cloud and satisfy any of the **Federated single-factor + something you have** combinations. For more information about staged rollout, see [Enable Staged Rollout using Azure portal](how-to-mfa-server-migration-utility.md#enable-staged-rollout-using-azure-portal).
+
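Review bot: "the userΓÇÖs access" in the paragraph describing how the policy is evaluated during sign-in is a mis-encoded apostrophe (the UTF-8 bytes of a curly quote displayed in code page 437) and will render as garbage; the same `ΓÇ` sequences recur in the External users, Known issues and FAQ sections and in the certificate user IDs article further down, so the files need to be re-saved as UTF-8. Also `federatedIdpMfaBehavior` and `enforceMfaByFederatedIdp` are a property name and a value and belong in code font, and "make sure users complete combined registered in advance" should read "complete combined registration in advance".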
+## External users
+
+The Authentication methods policy is especially useful for restricting external access to sensitive apps in your organization because you can enforce specific authentication methods, such as phishing-resistant methods, for external users.
+
+When you apply an authentication strength Conditional Access policy to external Azure AD users, the policy works together with MFA trust settings in your cross-tenant access settings to determine where and how the external user must perform MFA. An Azure AD user authenticates in their home Azure AD tenant. Then when they access your resource, Azure AD applies the policy and checks to see if you've enabled MFA trust. Note that enabling MFA trust is optional for B2B collaboration but is *required* for [B2B direct connect](../external-identities/b2b-direct-connect-overview.md#multi-factor-authentication-mfa).
+
+In external user scenarios, the authentication methods that can satisfy authentication strength vary, depending on whether the user is completing MFA in their home tenant or the resource tenant. The following table indicates the allowed methods in each tenant. If a resource tenant has opted to trust claims from external Azure AD organizations, only those claims listed in the ΓÇ£Home tenantΓÇ¥ column below will be accepted by the resource tenant for MFA. If the resource tenant has disabled MFA trust, the external user must complete MFA in the resource tenant using one of the methods listed in the ΓÇ£Resource tenantΓÇ¥ column.
+
+|Authentication method |Home tenant | Resource tenant |
+||||
+|SMS as second factor | &#x2705; | &#x2705; |
+|Voice call | &#x2705; | &#x2705; |
+|Microsoft Authenticator push notification | &#x2705; | &#x2705; |
+|Microsoft Authenticator phone sign-in | &#x2705; | &#x2705; |
+|OATH software token | &#x2705; | &#x2705; |
+|OATH hardware token | &#x2705; | |
+|FIDO2 security key | &#x2705; | |
+|Windows Hello for Business | &#x2705; | |
++
+### User experience for external users
+
+An authentication strength Conditional Access policy works together with [MFA trust settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) in your cross-tenant access settings. First, an Azure AD user authenticates with their own account in their home tenant. Then when this user tries to access your resource, Azure AD applies the authentication strength Conditional Access policy and checks to see if you've enabled MFA trust.
+
+- **If MFA trust is enabled**, Azure AD checks the user's authentication session for a claim indicating that MFA has been fulfilled in the user's home tenant. See the preceding table for authentication methods that are acceptable for MFA when completed in an external user's home tenant. If the session contains a claim indicating that MFA policies have already been met in the user's home tenant, and the methods satisfy the authentication strength requirements, the user is allowed access. Otherwise, Azure AD presents the user with a challenge to complete MFA in the home tenant using an acceptable authentication method.
+- **If MFA trust is disabled**, Azure AD presents the user with a challenge to complete MFA in the resource tenant using an acceptable authentication method. (See the table above for authentication methods that are acceptable for MFA by an external user.)
+
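Review bot: the first sentence under "## External users" says "The Authentication methods policy is especially useful for restricting external access ... because you can enforce specific authentication methods", but the control that enforces methods for external users in the rest of the section is the authentication strength Conditional Access policy; change the subject to authentication strength so readers don't try to achieve this from the methods policy alone. The table delimiter row `||||` also lacks the dashes a markdown table needs (`|--|--|--|`), so the Home tenant / Resource tenant table is unlikely to render.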
+## Known issues
+
+- **Users who signed in by using certificate-based authentication aren't prompted to reauthenticate** - If a user first authenticated by using certificate-based authentication and the authentication strength requires another method, such as a FIDO2 security key, the user isn't prompted to use a FIDO2 security key and authentication fails. The user must restart their session to sign-in with a FIDO2 security key.
+
+- **Authentication methods that are currently not supported by authentication strength** - The following authentication methods are included in the available combinations but currently have limited functionality:
+ - Email one-time pass (Guest)
+ - Hardware-based OATH token
+
+- **Conditional Access What-if tool** ΓÇô When running the what-if tool, it will return policies that require authentication strength correctly. However, when clicking on the authentication strength name, a name page is open with additional information about the methods the user can use. This information may be incorrect.
+
+- **Authentication strength is not enforced on Register security information user action** ΓÇô If an Authentication strength Conditional Access policy targets **Register security information** user action, the policy would not apply.
+
+- **Conditional Access audit log** ΓÇô When a Conditional Access policy with the authentication strength grant control is created or updated in the Azure AD portal, the auditing log includes details about the policy that was updated, but doesn't include the details about which authentication strength is referenced by the Conditional Access policy. This issue doesn't exist when a policy is created or updated By using Microsoft Graph APIs.
+<!-- Namrata to update about B2B>
+
+## Limitations
+
+- **Conditional Access policies are only evaluated after the initial authentication** - As a result, authentication strength will not restrict a user's initial authentication. Suppose you are using the built-in phishing-resistant MFA strength. A user can still type in their password, but they will be required to use a phishing-resistant method such as FIDO2 security key before they can continue.
+
+- **Require multifactor authentication and Require authentication strength can't be used together in the same Conditional Access policy** - These two Conditional Access grant controls can't be used together because the built-in authentication strength **Multifactor authentication** is equivalent to the **Require multifactor authentication** grant control.
++
+<!place holder: Auth Strength with CCS - will be documented in resilience-defaults doc-->
+
+## FAQ
+
+### Should I use authentication strength or the Authentication methods policy?
+Authentication strength is based on the Authentication methods policy. The Authentication methods policy helps to scope and configure authentication methods to be used across Azure AD by specific users and groups. Authentication strength allows another restriction of methods for specific scenarios, such as sensitive resource access, user risk, location, and more.
+
+For example, the administrator of Contoso wants to allow their users to use Microsoft Authenticator with either push notifications or passwordless authentication mode. The administrator goes to the Microsoft Authenticator settings in the Authentication method policy, scopes the policy for the relevant users and set the **Authentication mode** to **Any**.
+
+Then for ContosoΓÇÖs most sensitive resource, the administrator wants to restrict the access to only passwordless authentication methods. The administrator creates a new Conditional Access policy, using the built-in **Passwordless MFA strength**.
+
+As a result, users in Contoso can access most of the resources in the tenant using password + push notification from the Microsoft Authenticator OR only using Microsoft Authenticator (phone sign-in). However, when the users in the tenant access the sensitive application, they must use Microsoft Authenticator (phone sign-in).
+
+## Prerequisites
+
+- **Azure AD Premium P1** - Your tenant needs to have Azure AD Premium P1 license to use Conditional Access. If needed, you can enable a [free trial](https://www.microsoft.com/security/business/get-started/start-free-trial).
+- **Enable combined registration** - Authentication strengths are supported when using [combined MFA and SSPR registration](howto-registration-mfa-sspr-combined.md). Using the legacy registration will result in poor user experience as the user may register methods that aren't required by the authentication method policy.
+
+## Next steps
+
+- [Troubleshoot authentication strengths](troubleshoot-authentication-strengths.md)
+
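Review bot: the comment `<!-- Namrata to update about B2B>` after the Known issues list is never closed (no `-->`), so in rendered HTML it swallows the whole "## Limitations" section up to the next `-->`, which is the malformed `<!place holder: Auth Strength with CCS ...-->` line (that one is missing the `--` opener); close the first and fix or delete the second before publishing, and strip the other author TODO comments left in the body (the "Namrata - Add / review external users scenario" note, the "Place holder:How to create conditional access policy" block and the "making this a comment for now" note), since this is a public document. Also in Prerequisites, "methods that aren't required by the authentication method policy" should refer to the authentication strength, which is what decides which registered methods count, and in Known issues "By using Microsoft Graph APIs" has a stray capital.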
active-directory Concept Certificate Based Authentication Certificateuserids https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md
+
+ Title: Certificate user IDs for Azure AD certificate-based authentication - Azure Active Directory
+description: Learn about certificate user IDs for Azure AD certificate-based authentication without federation
+++++ Last updated : 10/05/2022++++++++++
+# Certificate user IDs
+
+You can add certificate user IDs to users in Azure AD can have certificate user IDs. a multivalued attribute named **certificateUserIds**. The attribute allows up to four values, and each value can be of 120-character length. It can store any value, and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like _bob@woodgrove_ or _bob@local_.
+
+## Supported patterns for certificate user IDs
+
+The values stored in **certificateUserIds** should be in the format described in the following table.
+
+|Certificate mapping Field | Examples of values in CertificateUserIds |
+|--|--|
+|PrincipalName | ΓÇ£X509:\<PN>bob@woodgrove.comΓÇ¥ |
+|PrincipalName | ΓÇ£X509:\<PN>bob@woodgroveΓÇ¥ |
+|RFC822Name | ΓÇ£X509:\<RFC822>user@woodgrove.comΓÇ¥ |
+|X509SKI | ΓÇ£X509:\<SKI>123456789abcdefΓÇ¥|
+|X509SHA1PublicKey |ΓÇ£X509:\<SHA1-PUKEY>123456789abcdefΓÇ¥ |
+
+## Roles to update certificateUserIds
+
+For cloud only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds.
+For sync'd users, AD users with role **Hybrid Identity Administrator** can write into the attribute.
+
+>[!NOTE]
+>Active Directory Administrators (including accounts with delegated administrative privilege over sync'd user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Azure AD for any sync'd accounts.
+
+## Update certificate user IDs in the Azure portal
+
+Tenant admins can use the following steps Azure portal to update certificate user IDs for a user account:
+
+1. In the Azure AD portal, click **All users (preview)**.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/user.png" alt-text="Screenshot of test user account.":::
+
+1. Click a user, and click **Edit Properties**.
+
+1. Next to **Authorization info**, click **View**.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/view.png" alt-text="Screenshot of View authorization info.":::
+
+1. Click **Edit certificate user IDs**.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/edit-cert.png" alt-text="Screenshot of Edit certificate user IDs.":::
+
+1. Click **Add**.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/add.png" alt-text="Screenshot of how to add a CertificateUserID.":::
+
+1. Enter the value and click **Save**. You can add up to four values, each of 120 characters.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/save.png" alt-text="Screenshot of a value to enter for CertificateUserId.":::
+
+## Update certificate user IDs using Azure AD Connect
+
+To update certificate user IDs for federated users, configure Azure AD Connect to sync userPrincipalName to certificateUserIds.
+
+1. On the Azure AD Connect server, find and start the **Synchronization Rules Editor**.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/sync-rules-editor.png" alt-text="Screenshot of Synchronization Rules Editor.":::
+
+1. Click **Direction**, and click **Outbound**.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/outbound.png" alt-text="Screenshot of outbound synchronization rule.":::
+
+1. Find the rule **Out to AAD ΓÇô User Identity**, click **Edit**, and click **Yes** to confirm.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/user-identity.png" alt-text="Screenshot of user identity.":::
+
+1. Enter a high number in the **Precedence** field, and then click **Next**.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/precedence.png" alt-text="Screenshot of a precedence value.":::
+
+1. Click **Transformations** > **Add transformation**. You may need to scroll down the list of transformations before you can create a new one.
+
+### Synchronize X509:\<PN>PrincipalNameValue
+
+To synchronize X509:\<PN>PrincipalNameValue, create an outbound synchronization rule, and choose **Expression** in the flow type. Choose the target attribute as \<certificateUserIds>, and in the source field, add the expression <"X509:\<PN>"&[userPrincipalName]>. If your source attribute isn't userPrincipalName, you can change the expression accordingly.
+
+
+### Synchronize X509:\<RFC822>RFC822Name
+
+To synchronize X509:\<RFC822>RFC822Name, create an outbound synchronization rule, choose **Expression** in the flow type. Choose the target attribute as \<certificateUserIds>, and in the source field, add the expression <"X509:\<RFC822>"&[userPrincipalName]>. If your source attribute isn't userPrincipalName, you can change the expression accordingly.
++
+1. Click **Target Attribute**, select **CertificateUserIds**, click **Source**, select **UserPrincipalName**, and then click **Save**.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/edit-rule.png" alt-text="Screenshot of how to save a rule.":::
+
+1. Click **OK** to confirm.
+
+> [!NOTE]
+> Make sure you use the latest version of [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594).
+
+For more information about declarative provisioning expressions, see [Azure AD Connect: Declarative Provisioning Expressions](../hybrid/concept-azure-ad-connect-sync-declarative-provisioning-expressions.md).
+
+## Synchronize alternativeSecurityId attribute from AD to Azure AD CBA CertificateUserIds
+
+AlternativeSecurityId isn't part of the default attributes. An administrator needs to add the attribute to the person object, and then create the appropriate synchronization rules.
+
+1. Open Metaverse Designer, and select alternativeSecurityId to add it to the person object.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/alt-security-identity-add.png" alt-text="Screenshot of how to add alternativeSecurityId to the person object":::
+
+1. Create an inbound synchronization rule to transform from altSecurityIdentities to alternateSecurityId attribute.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/alt-security-identity-inbound.png" alt-text="Screenshot of how to transform from altSecurityIdentities to alternateSecurityId attribute":::
+
+1. Create an outbound synchronization rule to transform from alternateSecurityId attribute to certificateUserIds
+alt-security-identity-add.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/alt-security-identity-outbound.png" alt-text="Screenshot of outbound synchronization rule to transform from alternateSecurityId attribute to certificateUserIds":::
+
+To map the pattern supported by certificateUserIds, administrators must use expressions to set the correct value.
+
+You can use the following expression for mapping to SKI and SHA1-PUKEY:
+
+```
+(Contains([alternativeSecurityId],"x509:\<SKI>")>0,[alternativeSecurityId],Error("No altSecurityIdentities SKI match found."))
+& IIF(Contains([alternativeSecurityId],"x509:\<SHA1-PUKEY>")>0,[alternativeSecurityId],Error("No altSecurityIdentities SHA1-PUKEY match found."))
+```
+
+## Look up certificateUserIds using Microsoft Graph queries
+
+Tenant admins can run MS Graph queries to find all the users with a given certificateUserId value.
+
+GET all user objects that have the value 'bob@contoso.com' value in certificateUserIds:
+
+```http
+GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds/any(x:x eq 'bob@contoso.com')
+```
+
+```http
+GET https://graph.microsoft.com/v1.0/users?$filter=startswith(certificateUserIds, 'bob@contoso.com')
+```
+
+```http
+GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds eq 'bob@contoso.com'
+```
+
+## Next steps
+
+- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)
+- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)
+- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+- [Azure AD CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)
+- [Azure AD CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)
+- [Windows smart card logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [How to migrate federated users](concept-certificate-based-authentication-migration.md)
+- [FAQ](certificate-based-authentication-faq.yml)
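Review bot: The Azure AD Connect procedure contradicts itself. The step at L655 ('Click **Target Attribute**, select **CertificateUserIds**, click **Source**, select **UserPrincipalName**') is a direct attribute flow, but the table at L584–L588 requires every stored value to carry an `X509:<PN>`, `X509:<RFC822>`, `X509:<SKI>` or `X509:<SHA1-PUKEY>` prefix, and the subsections at L648 and L653 say to use an Expression flow `"X509:<PN>"&[userPrincipalName]` for exactly that reason; a bare UPN synced by the direct flow will never match a certificate. Either drop the direct-flow step or turn it into the Expression flow, and move the two `### Synchronize …` subsections out of the middle of the numbered list, where they currently sit between the 'Add transformation' step at L644 and the 'Target Attribute' step at L655. At L640, 'Enter a high number in the **Precedence** field' needs to say what the number does and whether a lower or higher value wins, otherwise the reader cannot tell whether the new rule will ever apply. The expression at L688–L689 is unbalanced and wrong: the first line is missing its opening `IIF(`, joining the two `IIF(..., Error(...))` results with `&` makes the flow fail for any user who has only one of the two patterns, and when both are present the result is both values run together into one string rather than two entries in the multivalued target; use one IIF per pattern, and use the `X509:` casing the table prescribes rather than `x509:`. The Graph section at L699–L707 offers three different filters with no statement of which one works: `certificateUserIds` is a string collection nested under `authorizationInfo` (the portal label at L608 is 'Authorization info'), so the filter path is `authorizationInfo/certificateUserIds`, `eq` and `startswith` do not apply to a collection, and the sample value `'bob@contoso.com'` lacks the `X509:<PN>` prefix the table requires, so even the `any` form would match nothing. Smaller points: L576 merges two drafts ('You can add certificate user IDs to users in Azure AD can have certificate user IDs. a multivalued attribute'); L600 'use the following steps Azure portal'; L596 has a stray `>` inside 'Azure >AD Connect'; L593 describes Hybrid Identity Administrator as an AD role although L802 correctly treats it as an Azure AD role; L626 says 'for federated users' although the section applies to any synced user (L593); L668–L681 mix `alternativeSecurityId`, `alternateSecurityId` and `altSecurityIdentities`, and L679 leaves a stray 'alt-security-identity-add.' fragment; the values at L584–L588 would read better as code spans, which removes the smart quotes and the `\<` escapes.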
active-directory Concept Certificate Based Authentication Limitations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-limitations.md
Previously updated : 06/07/2022 Last updated : 10/10/2022
This topic covers supported and unsupported scenarios for Azure Active Directory (Azure AD) certificate-based authentication.
->[!NOTE]
->Azure AD certificate-based authentication is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
- ## Supported scenarios The following scenarios are supported: - User sign-ins to web browser-based applications on all platforms.
+- User sign-ins to Office mobile apps, including Outlook, OneDrive, and so on.
- User sign-ins on mobile native browsers. - Support for granular authentication rules for multifactor authentication by using the certificate issuer **Subject** and **policy OIDs**.-- Configuring certificate-to-user account bindings by using the certificate Subject Alternate Name (SAN) principal name and SAN RFC822 name.
+- Configuring certificate-to-user account bindings by using any of the certificate fields:
+ - Subject Alternate Name (SAN) PrincipalName and SAN RFC822Name
+ - Subject Key Identifier (SKI) and SHA1PublicKey
+- Configuring certificate-to-user account bindings by using any of the user object attributes:
+ - User Principal Name
+ - onPremisesUserPrincipalName
+ - CertificateUserIds
## Unsupported scenarios
The following scenarios aren't supported:
- Certificate Authority hints aren't supported, so the list of certificates that appears for users in the UI isn't scoped. - Only one CRL Distribution Point (CDP) for a trusted CA is supported. - The CDP can be only HTTP URLs. We don't support Online Certificate Status Protocol (OCSP), or Lightweight Directory Access Protocol (LDAP) URLs.-- Configuring other certificate-to-user account bindings, such as using the **subject field**, or **keyid** and **issuer**, arenΓÇÖt available in this release.
+- Configuring other certificate-to-user account bindings, such as using the **subject + issuer** or **Issuer + Serial Number**, arenΓÇÖt available in this release.
- Currently, password can't be disabled when CBA is enabled and the option to sign in using a password is displayed.
+## Supported operating systems
+
+| Operating system | Certificate on-device/Derived PIV | Smart cards |
+|:--|::|:-:|
+| Windows | &#x2705; | &#x2705; |
+| macOS | &#x2705; | &#x2705; |
+| iOS | &#x2705; | Supported vendors only |
+| Android | &#x2705; | Supported vendors only |
++
+## Supported browsers
+
+| Operating system | Chrome certificate on-device | Chrome smart card | Safari certificate on-device | Safari smart card | Edge certificate on-device | Edge smart card |
+|:--|:-:|:-:|:-:|:-:|:--|:-:|
+| Windows | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
+| macOS | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
+| iOS | &#10060; | &#10060; | &#x2705; | Supported vendors only | &#10060; | &#10060; |
+| Android | &#x2705; | &#10060; | N/A | N/A | &#10060; | &#10060; |
+
+>[!NOTE]
+> On iOS and Android mobile, Edge browser users can sign into Edge to set up a profile by using the Microsoft Authentication Library (MSAL), like the Add account flow. When logged in to Edge with a profile, CBA is supported with on-device certificates and smart cards.
+
+## Smart card providers
+
+|Provider | Windows | Mac OS | iOS | Android |
+|:|:-:|:-:|:-:|:-:|
+|YubiKey | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
++ ## Next steps - [Overview of Azure AD CBA](concept-certificate-based-authentication.md) - [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md) - [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
+- [CertificateUserIDs](concept-certificate-based-authentication-certificateuserids.md)
+- [How to migrate federated users](concept-certificate-based-authentication-migration.md)
- [FAQ](certificate-based-authentication-faq.yml)-- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)+
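Review bot: The Next steps link added at L768, `[Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)`, points at the file this same update deletes (L994–L1037); replace it with links to `concept-certificate-based-authentication-mobile-ios.md` and `concept-certificate-based-authentication-mobile-android.md`, as the other articles in this set do (L843–L844), and decide whether dropping `[Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)` at L771 was intentional, since no Next steps list in this update links to troubleshooting any more. The browser table at L751–L756 marks Safari on Windows as supported for both on-device certificates and smart cards; Safari is not shipped for Windows, and the Android row already uses N/A for the same columns, so the Windows Safari cells should be N/A too. The same table shows Edge as unsupported on iOS and Android while the note at L759 says Edge with a signed-in profile supports CBA on both; a footnote on those cells would spare the reader the contradiction. Two alignment rows are malformed and will not render as tables: `|:--|::|:-:|` at L743 and `|:|:-:|:-:|:-:|:-:|` at L764. Finally, L739 ('password can't be disabled when CBA is enabled and the option to sign in using a password is displayed') is the caveat that matters most to anyone reading 'passwordless, phishing-resistant authentication' at L828 in the migration article: enabling CBA adds a phishing-resistant path but removes nothing from the password attack surface, so that limitation deserves a sentence saying so and a cross-reference from the migration FAQ.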
active-directory Concept Certificate Based Authentication Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-migration.md
+
+ Title: Migrate from federation to Azure AD CBA
+description: Learn how to migrate from Federated server to Azure AD
+++++ Last updated : 10/05/2022+++++++++++
+# Migrate from federation to Azure AD certificate-based authentication (CBA)
+
+This article explains how to migrate from running federated servers such as Active Directory Federation Services (AD FS) on-premises to cloud authentication using Azure Active Directory (Azure AD) certificate-based authentication (CBA).
+
+## Staged Rollout
+
+[Staged Rollout](../hybrid/how-to-connect-staged-rollout.md) helps customers transition from AD FS to Azure AD by testing cloud authentication with selected groups of users before switching the entire tenant.
+
+## Enable Staged Rollout for certificate-based authentication on your tenant
+
+To configure Staged Rollout, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) in the User Administrator role for the organization.
+1. Search for and select **Azure Active Directory**.
+1. From the left menu, select **Azure AD Connect**.
+1. On the Azure AD Connect page, under the Staged Rollout of cloud authentication, click **Enable Staged Rollout for managed user sign-in**.
+1. On the **Enable Staged Rollout** feature page, click **On** for the option [Certificate-based authentication](active-directory-certificate-based-authentication-get-started.md)
+1. Click **Manage groups** and add groups you want to be part of cloud authentication. To avoid a time-out, ensure that the security groups contain no more than 200 members initially.
+
+For more information, see [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).
+
+## Use Azure AD connect to update certificateUserIds attribute
+
+An AD FS admin can use **Synchronization Rules Editor** to create rules to sync the values of attributes from AD FS to Azure AD user objects. For more information, see [Sync rules for certificateUserIds](concept-certificate-based-authentication-certificateuserids.md#update-certificate-user-ids-using-azure-ad-connect).
+
+Azure AD Connect requires a special role named **Hybrid Identity Administrator**, which grants the necessary permissions. You need this role for permission to write to the new cloud attribute.
+
+>[!NOTE]
+>If a user is using synchronized attributes, such as the onPremisesUserPrincipalName attribute in the user object for username binding, be aware that any user that has administrative access to the Azure AD Connect server can change the synchronized attribute mapping, and change the value of the synchronized attribute. The user does not need to be a cloud admin. The AD FS admin should make sure the administrative access to the Azure AD Connect server should be limited, and privileged accounts should be cloud-only accounts.
+
+## Frequently asked questions about migrating from AD FS to Azure AD
+
+### Can we have privileged accounts with a federated AD FS server?
+
+Although it's possible, Microsoft recommends privileged accounts be cloud-only accounts. Using cloud-only accounts for privileged access limits exposure in Azure AD from a compromised on-premises environment. For more information, see [Protecting Microsoft 365 from on-premises attacks](../fundamentals/protect-m365-from-on-premises-attacks.md).
+
+### If an organization is a hybrid running both AD FS and Azure CBA, are they still vulnerable to the AD FS compromise?
+
+Microsoft recommends privileged accounts be cloud-only accounts. This practice will limit the exposure in Azure AD from a compromised on-premises environment. Maintaining privileged accounts a cloud-only is foundational to this goal.
+
+For synchronized accounts:
+
+- If they're in a managed domain (not federated), there's no risk from the federated IdP.
+- If they're in a federated domain, but a subset of accounts is being moved to Azure AD CBA by Staged Rollout, they're subject to risks related to the federated Idp until the federated domain is fully switched to cloud authentication.
+
+### Should organizations eliminate federated servers like AD FS to prevent the capability to pivot from AD FS to Azure?
+
+With federation, an attacker could impersonate anyone, such as a CIO, even if they can't obtain a cloud-only role like the Global Administrator account.
+
+When a domain is federated in Azure AD, a high level of trust is being placed on the Federated IdP. AD FS is one example, but the notion holds true for *any* federated IdP. Many organizations deploy a federated IdP such as AD FS exclusively to accomplish certificate based authentication. Azure AD CBA completely removes the AD FS dependency in this case. With Azure AD CBA, customers can move their application estate to Azure AD to modernize their IAM infrastructure and reduce costs with increased security.
+
+From a security perspective, there's no change to the credential, including the X.509 certificate, CACs, PIVs, and so on, or to the PKI being used. The PKI owners retain complete control of the certificate issuance and revocation lifecycle and policy. The revocation check and the authentication happen at Azure AD instead of federated Idp. These checks enable passwordless, phishing-resistant authentication directly to Azure AD for all users.
+
+### How does authentication work with Federated AD FS and Azure AD cloud authentication with Windows?
+
+Azure AD CBA requires the user or application to supply the Azure AD UPN of the user who signs in.
+
+In the browser example, the user most often types in their Azure AD UPN. The Azure AD UPN is used for realm and user discovery. The certificate used then must match this user by using one of the configured username bindings in the policy.
+
+In Windows sign-in, the match depends on if the device is hybrid or Azure AD joined. But in both cases, if username hint is provided, Windows will send the hint as an Azure AD UPN. The certificate used then must match this user by using one of the configured username bindings in the policy.
++
+## Next steps
+
+- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)
+- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)
+- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+- [Azure AD CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)
+- [Azure AD CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)
+- [Windows smart card logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md)
+- [FAQ](certificate-based-authentication-faq.yml)
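Review bot: L800 says Azure AD Connect syncs 'the values of attributes from AD FS to Azure AD user objects'; AD FS does not hold user attributes, the source is on-premises Active Directory, which is how the linked section itself describes it ('Synchronize alternativeSecurityId attribute from AD to Azure AD', L666). Reword to 'from Active Directory'. The link at L793 for the 'Certificate-based authentication' option goes to `active-directory-certificate-based-authentication-get-started.md`, while every other reference on this page to configuring Azure AD CBA uses `how-to-certificate-based-authentication.md` (L842); check that it is not pointing at the older federated CBA guide. The note at L805 is the right warning but hard to parse ('The AD FS admin should make sure the administrative access to the Azure AD Connect server should be limited'); state the consequence plainly: anyone who can edit sync rules on the Azure AD Connect server can rewrite the attribute a username binding reads (`onPremisesUserPrincipalName`, or `certificateUserIds` as set up at L800), and therefore which certificate signs in as which user, without holding any cloud role, so the server must be treated as tier-0 and its administrators kept separate from cloud privileged accounts. The answer at L822–L828 never says whether the organization should eliminate AD FS, and L824 ('an attacker could impersonate anyone, such as a CIO') should say what the attacker needs to do that, namely control of the federated IdP that L826 says the tenant trusts. Grammar: L815 'Maintaining privileged accounts a cloud-only is foundational'; L820 and L828 'Idp' for 'IdP'.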
active-directory Concept Certificate Based Authentication Mobile Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-mobile-android.md
+
+ Title: Azure Active Directory certificate-based authentication on Android devices - Azure Active Directory
+description: Learn about Azure Active Directory certificate-based authentication on Android devices
+++++ Last updated : 10/05/2022+++++++++
+# Azure Active Directory certificate-based authentication on Android devices
+
+Android devices can use a client certificate on their device for certificate-based authentication (CBA) to Azure Active Directory (Azure AD). CBA can be used to connect to:
+
+- Office mobile applications such as Microsoft Outlook and Microsoft Word
+- Exchange ActiveSync (EAS) clients
+
+Azure AD CBA is supported for certificates on-device on native browsers, and on Microsoft first-party applications on Android devices.
+
+## Prerequisites
+
+- Android version must be Android 5.0 (Lollipop) or later.
+
+## Support for on-device certificates
+
+On-device certificates are provisioned on the device. Customers can use Mobile Device Management (MDM) to provision the certificates on the device.
+
+## Supported platforms
+
+- Applications using latest MSAL libraries or Microsoft Authenticator can do CBA
+- Edge with profile, when users add account and sign in with a profile, will support CBA
+- Microsoft first-party apps with latest MSAL libraries or Microsoft Authenticator can do CBA
+
+## Microsoft mobile applications support
+
+| Applications | Support |
+|:|::|
+|Azure Information Protection app| &#x2705; |
+|Company Portal | &#x2705; |
+|Microsoft Teams | &#x2705; |
+|Office (mobile) | &#x2705; |
+|OneNote | &#x2705; |
+|OneDrive | &#x2705; |
+|Outlook | &#x2705; |
+|Power BI | &#x2705; |
+|Skype for Business | &#x2705; |
+|Word / Excel / PowerPoint | &#x2705; |
+|Yammer | &#x2705; |
+
+## Support for Exchange ActiveSync clients
+
+Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are supported.
+
+To determine if your email application supports Azure AD CBA, contact your application developer.
+
+## Next steps
+
+- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)
+- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)
+- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+- [Azure AD CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)
+- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md)
+- [How to migrate federated users](concept-certificate-based-authentication-migration.md)
+- [FAQ](certificate-based-authentication-faq.yml)
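Review bot: The 'Supported platforms' list at L872–L874 says the same thing twice ('Applications using latest MSAL libraries or Microsoft Authenticator can do CBA' and 'Microsoft first-party apps with latest MSAL libraries or Microsoft Authenticator can do CBA'); merge them. The article never mentions smart cards or external keys, yet the limitations article in this update lists YubiKey as supported on Android (L765) while its browser table says Android smart-card sign-in in Chrome is not supported (L756); the iOS counterpart has a 'Vendors for External storage' section (L954–L956), so this page needs the equivalent section, or the L765 row needs correcting. L860 says CBA is supported 'on native browsers' but, unlike the iOS page (L950–L952), gives no browser table; the limitations table (L756) shows Chrome supported and Edge not, and the L873 Edge-with-profile bullet qualifies that, so a short table here would remove the need to cross-read. The app table's alignment row `|:|::|` at L879 is not valid markdown.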
active-directory Concept Certificate Based Authentication Mobile Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-mobile-ios.md
+
+ Title: Azure Active Directory certificate-based authentication on iOS devices - Azure Active Directory
+description: Learn about Azure Active Directory certificate-based authentication on iOS devices
+++++ Last updated : 10/05/2022+++++++++
+# Azure Active Directory certificate-based authentication on iOS
+
+Devices that run iOS can use certificate-based authentication (CBA) to authenticate to Azure Active Directory (Azure AD) using a client certificate on their device when connecting to:
+
+- Office mobile applications such as Microsoft Outlook and Microsoft Word
+- Exchange ActiveSync (EAS) clients
+
+Azure AD CBA is supported for certificates on-device on native browsers and on Microsoft first-party applications on iOS devices.
+
+## Prerequisites
+
+- iOS version must be iOS 9 or later.
+- Microsoft Authenticator is required for Office applications and Outlook on iOS.
+
+## Support for on-device certificates and external storage
+
+On-device certificates are provisioned on the device. Customers can use Mobile Device Management (MDM) to provision the certificates on the device. Since iOS doesn't support hardware protected keys out of the box, customers can use external storage devices for certificates.
+
+## Advantages of external storage for certificates
+
+Customers can use external security keys to store their certificates. Security keys with certificates:
+
+- Enable the usage on any device and doesn't require the provision on every device the user has
+- Are hardware secured with a PIN, which makes them phishing resistant
+- Provide multifactor authentication with a PIN as second factor to access the private key of the certificate in the key
+- Satisfy the industry requirement to have MFA on separate device
+- Future proofing where multiple credentials can be stored including FIDO2 keys
+
+## Supported platforms
+
+- Only native browsers are supported
+- Applications using latest MSAL libraries or Microsoft Authenticator can do CBA
+- Edge with profile, when users add account and logged in a profile will support CBA
+- Microsoft first party apps with latest MSAL libraries or Microsoft Authenticator can do CBA
+
+### Browsers
+
+|Edge | Chrome | Safari | Firefox |
+|--|||-|
+|&#10060; | &#10060; | &#x2705; |&#10060; |
+
+### Vendors for External storage
+
+Azure AD CBA will support certificates on YubiKeys. Users can install YubiKey authenticator application from YubiKey and do Azure AD CBA. Applications that don't use latest MSAL libraries need to also install Microsoft Authenticator.
+
+## Microsoft mobile applications support
+
+| Applications | Support |
+|:|::|
+|Azure Information Protection app| &#x2705; |
+|Company Portal | &#x2705; |
+|Microsoft Teams | &#x2705; |
+|Office (mobile) | &#x2705; |
+|OneNote | &#x2705; |
+|OneDrive | &#x2705; |
+|Outlook | &#x2705; |
+|Power BI | &#x2705; |
+|Skype for Business | &#x2705; |
+|Word / Excel / PowerPoint | &#x2705; |
+|Yammer | &#x2705; |
+
+## Support for Exchange ActiveSync clients
+
+On iOS 9 or later, the native iOS mail client is supported.
+
+To determine if your email application supports Azure AD CBA, contact your application developer.
+
+## Known issue
+
+On iOS, users will see a "double prompt", where they must click the option to use certificate-based authentication twice. We're working to create a seamless user experience.
+
+## Next steps
+
+- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)
+- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)
+- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+- [Azure AD CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)
+- [Windows smart card logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md)
+- [How to migrate federated users](concept-certificate-based-authentication-migration.md)
+- [FAQ](certificate-based-authentication-faq.yml)
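Review bot: L929 ('Since iOS doesn't support hardware protected keys out of the box') overstates the case: the point being made is that an MDM-provisioned certificate and its private key are imported into the device rather than generated in and bound to device hardware, which is why an external key is offered; say that instead of asserting that iOS lacks hardware-protected keys. In the list at L933–L939 the phishing resistance is attributed to the PIN ('Are hardware secured with a PIN, which makes them phishing resistant'); the PIN guards against use of a stolen key, while the phishing resistance comes from the private key never leaving the hardware and the certificate challenge being answered only by that key, so split the two claims. L943 'Only native browsers are supported' conflicts with L945 ('Edge with profile, when users add account and logged in a profile will support CBA') and with the table at L950–L952, which marks Edge as unsupported; footnote the Edge cell the way the limitations page does at L759. L956 is in future tense ('Azure AD CBA will support certificates on YubiKeys') while L765 marks YubiKey on iOS as supported today, and 'YubiKey authenticator application from YubiKey' should name the vendor's app (Yubico Authenticator, from Yubico). The alignment row `|--|||-|` at L951 has empty cells and the app table's `|:|::|` at L961 is malformed; neither will render as a table.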
active-directory Concept Certificate Based Authentication Mobile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-mobile.md
- Title: Azure Active Directory certificate-based authentication on mobile devices (Android and iOS) - Azure Active Directory
-description: Learn about Azure Active Directory certificate-based authentication on mobile devices (Android and iOS)
----- Previously updated : 06/07/2022---------
-# Azure Active Directory certificate-based authentication on mobile devices (Android and iOS) (Preview)
-
-Android and iOS devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory using a client certificate on their device when connecting to:
--- Office mobile applications such as Microsoft Outlook and Microsoft Word-- Exchange ActiveSync (EAS) clients-
-Azure AD certificate-based authentication (CBA) is supported for certificates on-device on native browsers as well as on Microsoft first-party applications on both iOS and Android devices.
-
-Azure AD CBA eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.
-
-## Prerequisites
--- For Android device, OS version must be Android 5.0 (Lollipop) and above.-- For iOS device, OS version must be iOS 9 or above.-- Microsoft Authenticator is required for Office applications on iOS.-
-## Microsoft mobile applications support
-
-| Applications | Support |
-|:|::|
-|Azure Information Protection app| &#x2705; |
-|Company Portal | &#x2705; |
-|Microsoft Teams | &#x2705; |
-|Office (mobile) | &#x2705; |
-|OneNote | &#x2705; |
-|OneDrive | &#x2705; |
-|Outlook | &#x2705; |
-|Power BI | &#x2705; |
-|Skype for Business | &#x2705; |
-|Word / Excel / PowerPoint | &#x2705; |
-|Yammer | &#x2705; |
-
-## Support for Exchange ActiveSync clients
-
-On iOS 9 or later, the native iOS mail client is supported.
-
-Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are supported.
-
-To determine if your email application supports this feature, contact your application developer.
-
-## Known issue
-
-On iOS, users will see a double prompt, where they must click the option to use certificate-based authentication twice. We are working on making the user experience better.
-
-## Next steps
--- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)-- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md) -- [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md)-- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)-- [FAQ](certificate-based-authentication-faq.yml)-- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)--
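Review bot: Deleting `concept-certificate-based-authentication-mobile.md` needs a redirect entry, because this same update still adds a link to it at L768 in the limitations article's Next steps, and existing bookmarks to the combined page will otherwise 404. Two things from the removed page did not make it into the per-OS replacements: the Next steps here linked Limitations and Troubleshoot (L1037), which neither `…-mobile-ios.md` (L984–L993) nor `…-mobile-android.md` (L898–L907) link any more, and the one-line statement of what CBA buys the user on mobile (L1004, 'eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications') has no equivalent in either new introduction.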
active-directory Concept Certificate Based Authentication Smartcard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-smartcard.md
Title: Windows SmartCard logon using Azure Active Directory certificate-based authentication - Azure Active Directory
-description: Learn how to enable Windows SmartCard logon using Azure Active Directory certificate-based authentication
+ Title: Windows smart card sign-in using Azure Active Directory certificate-based authentication - Azure Active Directory
+description: Learn how to enable Windows smart card sign-in using Azure Active Directory certificate-based authentication
Previously updated : 06/15/2022 Last updated : 10/05/2022 -+
-# Windows SmartCard logon using Azure Active Directory certificate-based authentication (Preview)
+# Windows smart card sign-in using Azure Active Directory certificate-based authentication
-Azure AD users can authenticate using X.509 certificates on their SmartCards directly against Azure AD at Windows logon. There is no special configuration needed on the Windows client to accept the SmartCard authentication.
+Azure Active Directory (Azure AD) users can authenticate using X.509 certificates on their smart cards directly against Azure AD at Windows sign-in. There's no special configuration needed on the Windows client to accept the smart card authentication.
## User experience
-Follow these steps to set up Windows SmartCard logon:
+Follow these steps to set up Windows smart card sign-in:
1. Join the machine to either Azure AD or a hybrid environment (hybrid join). 1. Configure Azure AD CBA in your tenant as described in [Configure Azure AD CBA](how-to-certificate-based-authentication.md).
-1. Make sure the user is either on managed authentication or using staged rollout.
-1. Present the physical or virtual SmartCard to the test machine.
-1. Select SmartCard icon, enter the PIN and authenticate the user.
+1. Make sure the user is either on managed authentication or using [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).
+1. Present the physical or virtual smart card to the test machine.
+1. Select the smart card icon, enter the PIN, and authenticate the user.
- :::image type="content" border="false" source="./media/concept-certificate-based-authentication/smartcard.png" alt-text="Screenshot of SmartCard sign in.":::
+ :::image type="content" border="false" source="./media/concept-certificate-based-authentication/smartcard.png" alt-text="Screenshot of smart card sign-in.":::
-Users will get a primary refresh token (PRT) from Azure Active Directory after the successful login and depending on the Certificate-based authentication configuration, the PRT will contain the multifactor claim.
+Users will get a primary refresh token (PRT) from Azure AD after the successful sign-in. Depending on the CBA configuration, the PRT will contain the multifactor claim.
+
+## Expected behavior of Windows sending user UPN to Azure AD CBA
+
+|Sign-in | Azure AD join | Hybrid join |
+|--||-|
+|First sign-in | Pull from certificate | AD UPN or x509Hint |
+|Subsequent sign-in | Pull from certificate | Cached Azure AD UPN |
+
+### Windows rules for sending UPN for Azure AD-joined devices
+
+Windows will first use a principal name and if not present then RFC822Name from the SubjectAlternativeName (SAN) of the certificate being used to sign into Windows. If neither are present, the user must additionally supply a User Name Hint. For more information, see [User Name Hint](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-user-name-hint)
+
+### Windows rules for sending UPN for hybrid Azure AD-joined devices
+
+Hybrid Join sign-in must first successfully sign-in against the Active Directory(AD) domain. The users AD UPN is sent to Azure AD. In most cases, the Active Directory UPN value is the same as the Azure AD UPN value and is synchronized with Azure AD Connect.
+
+Some customers may maintain different and sometimes may have non-routable UPN values in Active Directory (such as user@woodgrove.local) In these cases the value sent by Windows may not match the users Azure Active Directory UPN. To support these scenarios where Azure AD can't match the value sent by Windows, a subsequent lookup is performed for a user with a matching value in their **onPremisesUserPrincipalName** attribute. If the sign-in is successful, Windows will cache the users Azure AD UPN and is sent in subsequent sign-ins.
+
+>[!NOTE]
+>In all cases, a user supplied username login hint (X509UserNameHint) will be sent if provided. For more information, see [User Name Hint](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-user-name-hint)
+
+For more information about the Windows flow, see [Certificate Requirements and Enumeration (Windows)](/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration).
+
+## Supported Windows platforms
+
+The Windows smart card sign-in works with the latest preview build of Windows 11. The functionality is also available for these earlier Windows versions after you apply one of the following updates [KB5017383](https://support.microsoft.com/topic/september-20-2022-kb5017383-os-build-22000-1042-preview-62753265-68e9-45d2-adcb-f996bf3ad393):
+
+- [Windows 11 - kb5017383](https://support.microsoft.com/topic/september-20-2022-kb5017383-os-build-22000-1042-preview-62753265-68e9-45d2-adcb-f996bf3ad393)
+- [Windows 10 - kb5017379](https://support.microsoft.com/topic/20-september-2022-kb5017379-os-build-17763-3469-preview-50a9b9e2-745d-49df-aaae-19190e10d307)
+- [Windows Server 20H2- kb5017380](https://support.microsoft.com/topic/20-september-2022-kb5017380-os-builds-19042-2075-19043-2075-og-19044-2075-preview-59ab550c-105e-4481-b440-c37f07bf7897)
+- [Windows Server 2022 - kb5017381](https://support.microsoft.com/topic/20-september-2022-kb5017381-os-build-20348-1070-preview-dc843fea-bccd-4550-9891-a021ae5088f0)
+- [Windows Server 2019 - kb5017379](https://support.microsoft.com/topic/20-september-2022-kb5017379-os-build-17763-3469-preview-50a9b9e2-745d-49df-aaae-19190e10d307)
+
+## Supported browsers
+
+|Edge | Chrome | Safari | Firefox |
+|--|||-|
+|&#x2705; | &#x2705; | &#x2705; |&#x2705; |
+
+>[!NOTE]
+>Azure AD CBA supports both certificates on-device as well as external storage like security keys on Windows.
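Review bot: the OS labels in the update list under "Supported Windows platforms" don't match the OS builds in the KB URLs. kb5017379 (OS build 17763) is listed twice with the same URL, once as "Windows 10" and once as "Windows Server 2019"; build 17763 is Windows 10 version 1809 / Server 2019, so the "Windows 10" entry needs its version qualified. kb5017380 is labelled "Windows Server 20H2", but its URL names OS builds 19042, 19043 and 19044, which are Windows 10 versions 20H2, 21H1 and 21H2, not a server release. Suggest labelling each entry with the exact Windows version so administrators patch the right systems. The lead-in sentence also links KB5017383 inline while saying "one of the following updates", duplicating the first list item; drop the inline link. Smaller grammar points in the same region: "Active Directory(AD)" needs a space, "The users AD UPN" and "cache the users Azure AD UPN" should be "user's", "(such as user@woodgrove.local) In these cases" is missing a period, and both "User Name Hint" link sentences lack a terminating period.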
## Restrictions and caveats -- The Windows login only works with the latest preview build of Windows 11. We are working to backport the functionality to Windows 10 and Windows Server.-- Only Windows machines that are joined to either Azure AD or a hybrid environment can test SmartCard logon. -- Like in the other Azure AD CBA scenarios, the user must be on a managed domain or using staged rollout and cannot use a federated authentication model.
+- Azure AD CBA is supported on Windows Hybrid or Azure AD Joined.
+- Users must be in a managed domain or using Staged Rollout and can't use a federated authentication model.
## Next steps - [Overview of Azure AD CBA](concept-certificate-based-authentication.md)-- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md) -- [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md)-- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
+- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)
+- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+- [Azure AD CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)
+- [Azure AD CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)
+- [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md)
+- [How to migrate federated users](concept-certificate-based-authentication-migration.md)
- [FAQ](certificate-based-authentication-faq.yml)-- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)
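Review bot: the first rewritten restriction, "Azure AD CBA is supported on Windows Hybrid or Azure AD Joined.", is ungrammatical and no longer reads as a restriction; the deleted text it replaces said only machines joined to Azure AD or a hybrid environment can use smart card sign-in. Suggest "Smart card sign-in with Azure AD CBA requires the Windows device to be Azure AD joined or hybrid Azure AD joined." Removing the deleted sentence about backporting to Windows 10 and Windows Server is right now that the platform list above exists.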
active-directory Concept Certificate Based Authentication Technical Deep Dive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
Title: Azure AD certificate-based authentication technical deep dive (Preview) - Azure Active Directory
+ Title: Azure AD certificate-based authentication technical deep dive - Azure Active Directory
description: Learn how Azure AD certificate-based authentication works Previously updated : 06/15/2022 Last updated : 10/10/2022
-# Azure AD certificate-based authentication technical deep dive (Preview)
+# Azure AD certificate-based authentication technical deep dive
-This article explains how Azure Active Directory (Azure AD) certificate-based authentication (CBA) works, with background information and testing scenarios.
+This article explains how Azure Active Directory (Azure AD) certificate-based authentication (CBA) works, and dives into technical details on Azure AD CBA configurations.
->[!NOTE]
->Azure AD certificate-based authentication is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-
-## How does Azure Active Directory certificate-based authentication work?
+## How does Azure AD certificate-based authentication work?
-This diagram shows what happens when a user tries to sign into an application secured by Azure AD CBA is enabled on the tenant:
+The following image describes what happens when a user tries to sign in to an application in a tenant where Azure AD CBA is enabled.
:::image type="content" border="false" source="./media/concept-certificate-based-authentication-technical-deep-dive/how-it-works.png" alt-text="Illustration with steps about how Azure AD certificate-based authentication works." :::
-Let's cover each step:
+Now we'll walk through each step:
1. The user tries to access an application, such as [MyApps portal](https://myapps.microsoft.com/).
-1. If the user is not already signed in, the user is redirected to the Azure AD **User Sign-in** page at [https://login.microsoftonline.com/](https://login.microsoftonline.com/).
-1. The user enters their username into the Azure AD sign-in page, and then clicks **Next**.
+1. If the user isn't already signed in, the user is redirected to the Azure AD **User Sign-in** page at [https://login.microsoftonline.com/](https://login.microsoftonline.com/).
+1. The user enters their username into the Azure AD sign-in page, and then clicks **Next**. Azure AD does home realm discovery using the tenant name and the username is used to look up the user in Azure AD tenant.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in.png" alt-text="Screenshot of the Sign-in for MyApps portal.":::
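Review bot: the sentence added to step 3, "Azure AD does home realm discovery using the tenant name and the username is used to look up the user in Azure AD tenant.", is a run-on and is missing an article; suggest "Azure AD performs home realm discovery by using the tenant name, and uses the username to look up the user in the Azure AD tenant." The precision matters, because the rewritten username binding rules later in the article start from the user object found at this step.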
-1. Azure AD checks whether CBA is enabled for the tenant. If CBA is enabled for the tenant, the user sees a link to **Sign in with a certificate** on the password page. If you do not see the sign-in link, make sure CBA is enabled on the tenant. For more information, see [How do I enable Azure AD CBA?](certificate-based-authentication-faq.yml#how-do-i-enable-azure-ad-cba-).
+1. Azure AD checks whether CBA is enabled for the tenant. If CBA is enabled, the user sees a link to **Use a certificate or smartcard** on the password page. If the user doesn't see the sign-in link, make sure CBA is enabled on the tenant. For more information, see [How do I enable Azure AD CBA?](certificate-based-authentication-faq.yml#how-can-an-administrator-enable-azure-ad-cba-).
>[!NOTE]
- > If CBA is enabled on the tenant, all users will see the link to **Sign in with a certificate** on the password page. However, only the users in scope for CBA will be able to authenticate successfully against an application that uses Azure Active Directory as their Identity provider.
+ > If CBA is enabled on the tenant, all users will see the link to **Use a certificate or smart card** on the password page. However, only the users in scope for CBA will be able to authenticate successfully against an application that uses Azure AD as their Identity provider (IdP).
- :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-cert.png" alt-text="Screenshot of the Sign-in with a certificate.":::
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-cert.png" alt-text="Screenshot of the Use a certificate or smart card.":::
- If you have enabled other authentication methods like **Phone sign-in** or **FIDO2**, users may see a different sign-in screen.
+ If you enabled other authentication methods like **Phone sign-in** or **FIDO2**, users may see a different sign-in screen.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-alt.png" alt-text="Screenshot of the Sign-in if FIDO2 is also enabled.":::
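Review bot: the UI link text is spelled two ways in this region: "Use a certificate or smartcard" in step 4 and "Use a certificate or smart card" in the note and alt text that follow. Use the string exactly as the sign-in page shows it in all three places; the rest of the rewrite standardizes on "smart card".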
-1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs.
+1. Once the user selects certificate-based authentication, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us).
- The endpoint performs mutual authentication and requests the client certificate as part of the TLS handshake. You will see an entry for this request in the Sign-in logs. There is a [known issue](#known-issues) where User ID is displayed instead of Username.
+ The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the Sign-ins log.
- :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-in log in Azure AD." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-ins log in Azure AD." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
>[!NOTE]
- >The network administrator should allow access to certauth endpoint for the customerΓÇÖs cloud environment in addition to login.microsoftonline.com. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
+ >The network administrator should allow access to the User sign-in page and certauth endpoint for the customerΓÇÖs cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
- Click the log entry to bring up **Activity Details** and click **Authentication Details**. You will see an entry for X.509 certificate.
+ Click the log entry to bring up **Activity Details** and click **Authentication Details**. You'll see an entry for the X.509 certificate.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/entry.png" alt-text="Screenshot of the entry for X.509 certificate.":::
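Review bot: the rewritten network note drops the explicit hostname. The deleted line told administrators to allow the certauth endpoint "in addition to login.microsoftonline.com", while the new line says only "the User sign-in page and certauth endpoint". Network teams use this note to build allow-lists and TLS inspection exemptions, so keep the concrete hostnames (login.microsoftonline.com and certauth.login.microsoftonline.com for Azure Global, and the .us equivalents for Azure Government, as step 5 already gives them). Step 5 also lost the deleted pointer "For the correct endpoint for other environments, see the specific Microsoft cloud docs.", leaving readers in other national clouds with no reference; restore it or link the endpoint list. Dropping the "known issue" sentence from the sign-in log paragraph is fine only if the User ID versus Username display problem is actually fixed; otherwise keep the link.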
-1. Azure AD will request a client certificate and the user picks the client certificate and clicks **Ok**.
+1. Azure AD will request a client certificate, the user picks the client certificate, and clicks **Ok**.
>[!NOTE]
- >TrustedCA hints are not supported, so the list of certificates can't be further scoped.
+ >Trusted CA hints are not supported, so the list of certificates can't be further scoped. We're looking into adding this functionality in the future.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/cert-picker.png" alt-text="Screenshot of the certificate picker." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/cert-picker.png":::
-1. Azure AD verifies the certificate revocation list to make sure the certificate is not revoked and is valid. Azure AD identifies the user in the tenant by using the [username binding configured](how-to-certificate-based-authentication.md#step-4-configure-username-binding-policy) on the tenant by mapping the certificate field value to user attribute value.
-1. If a unique user is found and the user has a conditional access policy and needs multifactor authentication (MFA) and the [certificate authentication binding rule](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy) satisfies MFA, then Azure AD signs the user in immediately. If the certificate satisfies only a single factor, then it requests the user for a second factor to complete Azure AD Multi-Factor Authentication.
+1. Azure AD verifies the certificate revocation list to make sure the certificate isn't revoked and is valid. Azure AD identifies the user by using the [username binding configured](how-to-certificate-based-authentication.md#step-4-configure-username-binding-policy) on the tenant to map the certificate field value to the user attribute value.
+1. If a unique user is found with a Conditional Access policy that requires multifactor authentication (MFA), and the [certificate authentication binding rule](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy) satisfies MFA, then Azure AD signs the user in immediately. If the certificate satisfies only a single factor, then it requests the user for a second factor to complete Azure AD Multi-Factor Authentication.
1. Azure AD completes the sign-in process by sending a primary refresh token back to indicate successful sign-in. 1. If the user sign-in is successful, the user can access the application. ## Understanding the authentication binding policy
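Review bot: step 7, "Azure AD verifies the certificate revocation list to make sure the certificate isn't revoked and is valid", should be qualified, because the IMPORTANT callout in the revocation section below states that no CRL check is performed when the admin skips CRL configuration. Suggest "If a CRL is configured for the trusted issuer, Azure AD checks it to make sure the certificate isn't revoked" so the happy-path walkthrough doesn't overstate the protection. Also, "We're looking into adding this functionality in the future." in the trusted CA hints note is a roadmap statement; the article should describe current behaviour only.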
-The authentication binding policy helps determine the strength of authentication as either single-factor or multi-factor. An administrator can change the default value from single factor to multifactor or set up custom policy configurations either by issuer subject or policy OID fields in the certificate.
+The authentication binding policy helps determine the strength of authentication as either single-factor or multifactor. An administrator can change the default value from single factor to multifactor, or set up custom policy configurations either by using issuer subject or policy OID fields in the certificate.
+
+### Certificate strengths
+
+An admin can determine whether the certificates are single-factor or multifactor strength. For more information, see the documentation that maps [NIST Authentication Assurance Levels to Azure AD Auth Methods](https://aka.ms/AzureADNISTAAL), which builds upon [NIST 800-63B SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Mgmt](https://csrc.nist.gov/publications/detail/sp/800-63b/final).
+
+### Single-factor certificate authentication
+
+When a user has a single-factor certificate, they can't perform multifactor authentication. There's no support for a second factor when the first factor is a single-factor certificate. We're working to add support for second factors.
-Since multiple authentication binding policy rules can be created with different certificate fields, there are some rules that determine the authentication protection level. They are as follows:
-1. Exact match is used for strong authentication via policy OID. If you have a certificate A with policy OID **1.2.3.4.5** and a derived credential B based on that certificate has a policy OID **1.2.3.4.5.6** and the custom rule is defined as **Policy OID** with value **1.2.3.4.5** with MFA, only certificate A will satisfy MFA and credential B will satisfy only single-factor authentication. If the user used derived credential during sign-in and was configured to have MFA, the user will be asked for a second factor for successful authentication.
-1. Policy OID rules will take precedence over certificate issuer rules. If a certificate has both policy OID and Issuer, the policy OID is always checked first and if no policy rule is found then the issuer subject bindings are checked. Policy OID has a higher strong authentication binding priority than the issuer.
+### Multifactor certificate authentication
+
+When a user has a multifactor certificate, they can perform multifactor authentication only with certificates. However, the tenant admin should make sure the certificates are protected with a PIN or hardware module to be considered multifactor.
+
+### How Azure AD resolves multiple authentication policy binding rules
+
+Because multiple authentication binding policy rules can be created with different certificate fields, there are some rules that determine the authentication protection level. They are as follows:
+
+1. Exact match is used for strong authentication by using policy OID. If you have a certificate A with policy OID **1.2.3.4.5** and a derived credential B based on that certificate has a policy OID **1.2.3.4.5.6**, and the custom rule is defined as **Policy OID** with value **1.2.3.4.5** with MFA, only certificate A will satisfy MFA, and credential B will satisfy only single-factor authentication. If the user used derived credential during sign-in and was configured to have MFA, the user will be asked for a second factor for successful authentication.
+1. Policy OID rules will take precedence over certificate issuer rules. If a certificate has both policy OID and Issuer, the policy OID is always checked first, and if no policy rule is found then the issuer subject bindings are checked. Policy OID has a higher strong authentication binding priority than the issuer.
1. If one CA binds to MFA, all user certificates that the CA issues qualify as MFA. The same logic applies for single-factor authentication. 1. If one policy OID binds to MFA, all user certificates that include this policy OID as one of the OIDs (A user certificate could have multiple policy OIDs) qualify as MFA.
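Review bot: the new "Single-factor certificate authentication" subsection contradicts the walkthrough and rule 1 of this section. It says "When a user has a single-factor certificate, they can't perform multifactor authentication. There's no support for a second factor when the first factor is a single-factor certificate.", whereas step 8 above says "If the certificate satisfies only a single factor, then it requests the user for a second factor to complete Azure AD Multi-Factor Authentication" and rule 1 says the derived-credential user "will be asked for a second factor". One of these is wrong, and the difference decides whether a single-factor certificate can ever satisfy an MFA Conditional Access policy; reconcile before merging. The "Multifactor certificate authentication" text is a good addition: it makes clear that the MFA claim rests on the admin guaranteeing PIN or hardware protection, not on the certificate alone.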
-1. If there is a conflict between multiple policy OIDs (such as when a certificate has two policy OIDs, where one binds to single-factor authentication and the other binds to MFA) then treat the certificate as a single-factor authentication.
-1. One certificate can only have one valid strong authentication binding (that is, a certificate cannot bind to both single-factor and MFA).
+1. If there's a conflict between multiple policy OIDs (such as when a certificate has two policy OIDs, where one binds to single-factor authentication and the other binds to MFA) then treat the certificate as a single-factor authentication.
+1. One certificate can only have one valid strong authentication binding (that is, a certificate can't bind to both single-factor and MFA).
## Understanding the username binding policy
-The username binding policy helps locate the user in the tenant. By default, Subject Alternate Name (SAN) Principal Name in the certificate is mapped to onPremisesUserPrincipalName attribute of the user object to determine the user.
+The username binding policy helps validate the certificate of the user. By default, Subject Alternate Name (SAN) Principal Name in the certificate is mapped to UserPrincipalName attribute of the user object to determine the user.
+
+### Achieve higher security with certificate bindings
+
+There are four supported methods. In general, mapping types are considered high-affinity if they're based on identifiers that you can't reuse (Such as Subject Key Identifiers or SHA1 Public Key). These identifiers convey a higher assurance that only a single certificate can be used to authenticate the respective user. Therefore, all mapping types based on usernames and email addresses are considered low-affinity. Therefore, Azure AD implements two mappings considered low-affinity (based on reusable identifiers), and the other two are considered high-affinity bindings. For more information, see [certificateUserIds](concept-certificate-based-authentication-certificateuserids.md).
-An administrator can override the default and create a custom mapping. Currently, we support two certificate fields SAN Principal Name and SAN RFC822Name to map against the user object attribute userPrincipalName and onPremisesUserPrincipalName.
+|Certificate mapping Field | Examples of values in certificateUserIds | User object attributes | Type |
+|--|--||-|
+|PrincipalName | ΓÇ£X509:\<PN>bob@woodgrove.comΓÇ¥ | userPrincipalName <br> onPremisesUserPrincipalName <br> certificateUserIds | low-affinity |
+|RFC822Name | ΓÇ£X509:\<RFC822>user@woodgrove.comΓÇ¥ | userPrincipalName <br> onPremisesUserPrincipalName <br> certificateUserIds | low-affinity |
+|X509SKI | ΓÇ£X509:\<SKI>123456789abcdefΓÇ¥| certificateUserIds | high-affinity |
+|X509SHA1PublicKey |ΓÇ£X509:\<SHA1-PUKEY>123456789abcdefΓÇ¥ | certificateUserIds | high-affinity |
-**Rules applied for user bindings:**
+### How Azure AD resolves multiple username policy binding rules
Use the highest priority (lowest number) binding.
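Review bot: the new intro sentence "The username binding policy helps validate the certificate of the user." changes the meaning of the deleted one ("helps locate the user in the tenant"), but the steps that follow still describe finding a user object and matching a certificate field to it, not validating the certificate; suggest "helps locate the user in the tenant and match the certificate to that user". In the affinity paragraph the two consecutive "Therefore" sentences don't follow from each other: the first explains why username and email mappings are low-affinity, the second introduces the count of mappings. Suggest "Azure AD implements two low-affinity mappings (PrincipalName and RFC822Name, based on reusable identifiers) and two high-affinity mappings (X509SKI and X509SHA1PublicKey)." Also "(Such as" should be lowercase "such as", and the table header "Certificate mapping Field" should be "Certificate mapping field".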
-1. If the X.509 certificate field is on the presented certificate, try to look up the user by using the value in the specified field.
- 1. If a unique user is found, authenticate the user.
- 1. If a unique user is not found, authentication fails.
-1. If the X.509 certificate field is not on the presented certificate, move to the next priority binding.
-1. If the specified X.509 certificate field is found on the certificate, but Azure AD does not find a user object in the directory matching that value, the authentication fails. Azure AD does not attempt to use the next binding in the list in this case. Only if the X.509 certificate field is not on the certificate does it try the next binding, as mentioned in Step 2.
+1. Look up the user object by using the username or User Principal Name.
+1. If the X.509 certificate field is on the presented certificate, Azure AD will match the value in the certificate field to the user object attribute value.
+ 1. If a match is found, user authentication is successful.
+ 1. If a match isn't found, move to the next priority binding.
+1. If the X.509 certificate field isn't on the presented certificate, move to the next priority binding.
+1. Validate all the configured username bindings until one of them results in a match and user authentication is successful.
+1. If a match isn't found on any of the configured username bindings, user authentication fails.
+
+## Securing Azure AD configuration with multiple username bindings
+
+Each of the Azure AD attributes (userPrincipalName, onPremiseUserPrincipalName, certificateUserIds) available to bind certificates to Azure AD user accounts has unique constraint to ensure a certificate only matches a single Azure AD user account. However, Azure AD CBA does support configuring multiple binding methods in the username binding policy. This allows an administrator to accommodate multiple certificate configurations. However the combination of some methods can also potentially permit one certificate to match to multiple Azure AD user accounts.
+
+>[!IMPORTANT]
+>When using multiple bindings, Azure AD CBA authentication is only as secure as your low-affinity binding as Azure AD CBA will validate each of the bindings to authenticate the user. In order to eliminate a scenario where a single certificate matching multiple Azure AD accounts, the tenant administrator should:
+>- Configure a single binding method in the username binding policy.
+>- If a tenant has multiple binding methods configured and doesn't want to allow one certificate to multiple accounts, the tenant admin must ensure all allowable methods configured in the policy map to the same Azure AD Account, i.e all user accounts should have values matching all the bindings.
+>- If a tenant has multiple binding methods configured, the admin should make sure that they do not have more than one low-affinity binding
+
+For example, if the tenant admin has two username bindings on PrincipalName mapped to Azure AD UPN and SubjectKeyIdentifier (SKI) to certificateUserIds and wants a certificate to only be used for a single Azure AD Account, the admin must make sure that account has the UPN that is present in the certificate and implements the SKI mapping in the same account certificateUserId attribute.
+
+Here's an example of potential values for UPN and certificateUserIDs:
+
+Azure AD User Principal Name = Bob.Smith@Contoso.com <br>
+certificateUserIDs = [x509:\<SKI>89b0f468c1abea65ec22f0a882b8fda6fdd6750p]<br>
+
+Having both PrincipalName and SKI values from the user's certificate mapped to the same account ensures that while the tenant policy permits mapping PrincipalName to Azure AD UPN & SKI values in certificateUserIds, that certificate can only match a single Azure AD account. With unique constraint on both UserPrincipalName and certificateUserIds, no other user account can have the same values and can't successfully authenticate with the same certificate.
## Understanding the certificate revocation process
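Review bot: the rewritten matching rules reverse the deleted behaviour without saying so. The deleted step said "If the specified X.509 certificate field is found on the certificate, but Azure AD does not find a user object in the directory matching that value, the authentication fails. Azure AD does not attempt to use the next binding in the list in this case.", while the new step says "If a match isn't found, move to the next priority binding." That fall-through is exactly what the new "Securing Azure AD configuration with multiple username bindings" section warns about, so the article should state plainly that a non-matching field no longer fails the sign-in and that every configured binding is tried in priority order. Specific fixes in the same region: "onPremiseUserPrincipalName" should be "onPremisesUserPrincipalName" as in the table above; the sample SKI "89b0f468c1abea65ec22f0a882b8fda6fdd6750p" ends in "p", which is not a hex digit, so replace it with a well-formed placeholder; "has unique constraint" should be "has a unique constraint"; "where a single certificate matching multiple" should be "where a single certificate matches multiple"; "i.e all" should be "that is, all"; the third bullet lacks a period; and "no other user account can have the same values and can't successfully authenticate" reads as a double negative, suggest "so no other user account can have the same values or authenticate with the same certificate".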
-The certificate revocation process allows the admin to revoke a previously issued certificate from being used for future authentication. The certificate revocation will not revoke already issued tokens of the user. Follow the steps to manually revoke tokens at [Configure revocation](active-directory-certificate-based-authentication-get-started.md#step-3-configure-revocation).
+The certificate revocation process allows the admin to revoke a previously issued certificate from being used for future authentication. The certificate revocation won't revoke already issued tokens of the user. Follow the steps to manually revoke tokens at [Configure revocation](active-directory-certificate-based-authentication-get-started.md#step-3-configure-revocation).
Azure AD downloads and caches the customers certificate revocation list (CRL) from their certificate authority to check if certificates are revoked during the authentication of the user.
-An admin can configure the CRL distribution point during the setup process of the trusted issuers in the Azure AD tenant. Each trusted issuer should have a CRL that can be referenced via an internet-facing URL.
+An admin can configure the CRL distribution point during the setup process of the trusted issuers in the Azure AD tenant. Each trusted issuer should have a CRL that can be referenced by using an internet-facing URL.
>[!IMPORTANT]
->The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB in Azure Global and 45MB in Azure US Government clouds, and the time required to download the CRL must not exceed 10 seconds. If Azure Active Directory can't download a CRL, certificate-based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates. For more information, see [Is there a limit for CRL size?](certificate-based-authentication-faq.yml#is-there-a-limit-for-crl-size-).
+>The maximum size of a CRL for Azure AD to successfully download on an interactive sign-in and cache is 20 MB in Azure Global and 45 MB in Azure US Government clouds, and the time required to download the CRL must not exceed 10 seconds. If Azure AD can't download a CRL, certificate-based authentications using certificates issued by the corresponding CA will fail. As a best practice to keep CRL files within size limits, keep certificate lifetimes within reasonable limits and to clean up expired certificates. For more information, see [Is there a limit for CRL size?](certificate-based-authentication-faq.yml#is-there-a-limit-for-crl-size-).
+
+When a user performs an interactive sign-in with a certificate, and the CRL exceeds the interactive limit for a cloud, their initial sign-in will fail with the following error:
+
+"The Certificate Revocation List (CRL) downloaded from {uri} has exceeded the maximum allowed size ({size} bytes) for CRLs in Azure Active Directory. Try again in few minutes. If the issue persists, contact your tenant administrators."
+
+After the error, Azure AD will attempt to download the CRL subject to the service-side limits (45 MB in Azure Global and 150 MB in Azure US Government clouds).
>[!IMPORTANT]
->If the admin skips the configuration of the CRL, Azure AD will not perform any CRL checks during the certificate-based authentication of the user. This can be helpful for initial troubleshooting but should not be considered for production use.
+>If the admin skips the configuration of the CRL, Azure AD will not perform any CRL checks during the certificate-based authentication of the user. This can be helpful for initial troubleshooting, but shouldn't be considered for production use.
As of now, we don't support Online Certificate Status Protocol (OCSP) because of performance and reliability reasons. Instead of downloading the CRL at every connection by the client browser for OCSP, Azure AD downloads once at the first sign-in and caches it, thereby improving the performance and reliability of CRL verification. We also index the cache so the search is much faster every time. Customers must publish CRLs for certificate revocation.
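Review bot: in the rewritten CRL size callout, "As a best practice to keep CRL files within size limits, keep certificate lifetimes within reasonable limits and to clean up expired certificates." has a stray "to"; suggest "keep certificate lifetimes within reasonable limits and clean up expired certificates". The new paragraphs on the interactive limit leave the outcome open: after the initial failure and the service-side download (45 MB Global, 150 MB US Government), say whether the user's retry succeeds once the CRL is cached, which the error text "Try again in few minutes" implies. If that error string is quoted verbatim leave it; otherwise it should read "in a few minutes". The unchanged sentence "caches the customers certificate revocation list" needs "customer's".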
-**Typical flow of the CRL check:**
+The following steps are a typical flow of the CRL check:
1. Azure AD will attempt to download the CRL at the first sign-in event of any user with a certificate of the corresponding trusted issuer or certificate authority. 1. Azure AD will cache and re-use the CRL for any subsequent usage. It will honor the **Next update date** and, if available, **Next CRL Publish date** (used by Windows Server CAs) in the CRL document. 1. The user certificate-based authentication will fail if:
- - A CRL has been configured for the trusted issuer and Azure AD cannot download the CRL, due to availability, size, or latency constraints.
+ - A CRL has been configured for the trusted issuer and Azure AD can't download the CRL, due to availability, size, or latency constraints.
- The user's certificate is listed as revoked on the CRL.
- :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/user-cert.png" alt-text="Screenshot of the revoked user certificate in the CRL." :::
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/user-cert.png" alt-text="Screenshot of the revoked user certificate in the CRL." :::
- Azure AD will attempt to download a new CRL from the distribution point if the cached CRL document is expired. >[!NOTE]
->Azure AD will only check the CRL of the issuing CA but not of the entire PKI trust chain up to the root CA. In case of a CA compromise, the administrator should remove the compromised trusted issuer from the Azure AD tenant configuration.
+>Azure AD will check the CRL of the issuing CA and other CAs in the PKI trust chain up to the root CA. We have a limit of up to 5 CAs from the leaf client certificate for CRL validation in the PKI chain. The limitation is to make sure a bad actor will not bring down the service by uploading a PKI chain with a huge number of CAs with a bigger CRL size.
+If the tenantΓÇÖs PKI chain has more than 5 CAs and in case of a CA compromise, the administrator should remove the compromised trusted issuer from the Azure AD tenant configuration.
+
>[!IMPORTANT] >Due to the nature of CRL caching and publishing cycles, it is highly recommended in case of a certificate revocation to also revoke all sessions of the affected user in Azure AD.
-There is no way for the administrator to manually force or re-trigger the download of the CRL.
+As of now, there's no way for the administrator to manually force or re-trigger the download of the CRL.
### How to configure revocation [!INCLUDE [Configure revocation](../../../includes/active-directory-authentication-configure-revocation.md)]
-## Understanding Sign in logs
+## Understanding Sign-in logs
Sign-in logs provide information about sign-ins and how your resources are used by your users. For more information about sign-in logs, see [Sign-in logs in Azure Active Directory](../reports-monitoring/concept-all-sign-ins.md). Let's walk through two scenarios, one where the certificate satisfies single-factor authentication and another where the certificate satisfies MFA.
-**Test scenario configuration**
- For the test scenarios, choose a user with a conditional access policy that requires MFA. Configure the user binding policy by mapping SAN Principal Name to UserPrincipalName.
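Review bot: The added sentence "If the tenantΓÇÖs PKI chain has more than 5 CAs and in case of a CA compromise..." has lost its `>` prefix, so it drops out of the NOTE callout it continues, and its apostrophe is mojibake ("ΓÇÖ" for "'"). It also joins two unrelated conditions with "and": say explicitly whether CAs beyond the 5-CA limit are skipped for CRL validation, then give the compromise guidance, for example ">If the tenant's PKI chain has more than 5 CAs, CAs beyond that limit are not CRL-checked. If a CA is compromised, remove the compromised trusted issuer from the Azure AD tenant configuration." Two smaller items: the error string "Try again in few minutes" needs "a few minutes", and because the rewritten NOTE now says Azure AD checks CRLs up the chain (reversing the removed statement that only the issuing CA is checked), the revocation prerequisite and the "How to configure revocation" include should be verified to describe the same behaviour.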
For the first test scenario, configure the authentication policy where the Issue
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/single-factor.png" alt-text="Screenshot of the Authentication policy configuration showing single-factor authentication required." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/single-factor.png":::
-1. Sign in to the Azure portal as the test user by using CBA. The authentication policy is set where Issuer subject rule satisfies single-factor authentication, but the user has MFA required by the conditional access policy, so a second authentication factor is requested.
+1. Sign in to the Azure portal as the test user by using CBA. The authentication policy is set where Issuer subject rule satisfies single-factor authentication.
1. After sign-in was succeeds, click **Azure Active Directory** > **Sign-in logs**. Let's look closer at some of the entries you can find in the **Sign-in logs**.
- The first entry requests the X.509 certificate from the user. The status **Success** means that Azure AD validated that CBA is enabled in the tenant and a certificate is requested for authentication.
+ The first entry requests the X.509 certificate from the user. The status **Interrupted** means that Azure AD validated that CBA is enabled in the tenant and a certificate is requested for authentication.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/entry-one.png" alt-text="Screenshot of single-factor authentication entry in the sign-in logs." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/entry-one.png":::
- The next entry provides more information about the authentication request and the certificate used. We can see that since the certificate satisfies only a single-factor and the user requires MFA, a second factor was requested.
-
- :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/second-factor.png" alt-text="Screenshot of second-factor sign-in details in the sign-in logs." :::
-
- The **Authentication Details** also show the second factor request.
-
- :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-details-mfa.png" alt-text="Screenshot of multifactor sign-in details in the sign-in logs." :::
+ The **Activity Details** shows this is just part of the expected login flow where the user selects a certificate.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/cert-activity-details.png" alt-text="Screenshot of activity details in the sign-in logs." :::
The **Additional Details** show the certificate information. :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/additional-details.png" alt-text="Screenshot of multifactor additional details in the sign-in logs." :::
- These additional entries show that the authentication is complete and a primary refresh token is sent back to the browser and user is given access to the resource.
+ These additional entries show that the authentication is complete, a primary refresh token is sent back to the browser, and user is given access to the resource.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/refresh-token.png" alt-text="Screenshot of refresh token entry in the sign-in logs." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/refresh-token.png":::
- Click **Additional Details** to MFA succeeded.
-
- :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/refresh-token-details.png" alt-text="Screenshot of refresh token authentication details in the sign-in logs." :::
-- ### Test multifactor authentication For the next test scenario, configure the authentication policy where the **policyOID** rule satisfies multifactor authentication. :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/multifactor.png" alt-text="Screenshot of the Authentication policy configuration showing multifactor authentication required." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/multifactor.png":::
-1. Sign in to the Azure portal using CBA. since the policy was set to satisfy multifactor authentication, the user sign-in is successful without a second factor.
-1. Click **Azure Active Directory** > **Sign-in logs**, including and entry with **Interrupted** status.
+1. Sign in to the Azure portal using CBA. Since the policy was set to satisfy multifactor authentication, the user sign-in is successful without a second factor.
+1. Click **Azure Active Directory** > **Sign-ins**.
- You will see several entries in the Sign-in logs.
+ You'll see several entries in the Sign-in logs, including an entry with **Interrupted** status.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/several-entries.png" alt-text="Screenshot of several entries in the sign-in logs." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/several-entries.png":::
+ The **Activity Details** shows this is just part of the expected login flow where the user selects a certificate.
+
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/mfacert-activity-details.png" alt-text="Screenshot of second-factor sign-in details in the sign-in logs." :::
+
The entry with **Interrupted** status has more diagnostic info on the **Additional Details** tab. :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/interrupted-user-details.png" alt-text="Screenshot of interrupted attempt details in the sign-in logs." :::
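Review bot: The menu path is inconsistent between the two scenarios: the multifactor scenario now says **Azure Active Directory** > **Sign-ins**, while the single-factor scenario still says **Azure Active Directory** > **Sign-in logs** in the unchanged line "After sign-in was succeeds, click ..."; use one name, and fix "After sign-in was succeeds" to "After sign-in succeeds" while touching that line. In the added lines, "The **Activity Details** shows this is just part of the expected login flow" should read "show" (plural) and "sign-in flow" to match the page's own terminology, and "and user is given access to the resource" needs "the user". Also, the removed "Test scenario configuration" paragraph was the only place the username binding for the walkthrough (SAN Principal Name mapped to UserPrincipalName) was set up; the scenarios still depend on that binding, so keep that setup step even though the conditional access MFA requirement is no longer part of the first scenario.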
For the next test scenario, configure the authentication policy where the **poli
| User certificate authentication level type | PolicyId<br>This shows policy OID was used to determine the authentication strength. | | User certificate authentication level identifier | 1.2.3.4<br>This shows the value of the identifier policy OID from the certificate. |
-## Known issues
+## Understanding the certificate-based authentication error page
+
+Certificate-based authentication can fail for reasons such as the certificate being invalid, or the user selected the wrong certificate or an expired certificate, or because of a Certificate Revocation List (CRL) issue. When certificate validation fails, the user sees this error:
-- The Sign-in log shows the User ID instead of the username in one of the log entries.
- :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/known-issue.png" alt-text="Screenshot of username in the sign-in logs." :::
+If CBA fails on a browser, even if the failure is because you cancel the certificate picker, you need to close the browser session and open a new session to try CBA again. A new session is required because browsers cache the certificate. When CBA is re-tried, the browser will send the cached certificate during the TLS challenge, which causes sign-in failure and the validation error.
-- The **Additional Details** tab shows **User certificate subject name** as the attribute name but it is actually "User certificate binding identifier". It is the value of the certificate field that username binding is configured to use.
+Click **More details** to get logging information that can be sent to an administrator, who in turn can get more information from the Sign-in logs.
-- There is a double prompt for iOS because iOS only supports pushing certificates to a device storage. When an organization pushes user certificates to an iOS device through Mobile Device Management (MDM) or when a user accesses first-party or native apps, there is no access to device storage. Only Safari can access device storage.
- When an iOS client sees a client TLS challenge and the user clicks **Sign in with certificate**, iOS client knows it cannot handle it and sends a completely new authorization request using the Safari browser. The user clicks **Sign in with certificate** again, at which point Safari which has access to certificates for authentication in device storage. This requires users to click **Sign in with certificate** twice, once in appΓÇÖs WKWebView and once in SafariΓÇÖs System WebView.
+Click **Other ways to sign in** to try other methods available to the user to sign in.
+
+>[!NOTE]
+>If you retry CBA in a browser, it'll keep failing due to the browser caching issue. Users need to open a new browser session and sign in again.
++
+## Certificate-based authentication in MostRecentlyUsed (MRU) methods
+
+Once a user authenticates successfully using CBA, the user's MostRecentlyUsed (MRU) authentication method will be set to CBA. Next time, when the user enters their UPN and clicks **Next**, the user will be taken to the CBA method directly, and need not select **Use the certificate or smart card**.
+
+To reset the MRU method, the user needs to cancel the certificate picker, click **Other ways to sign in**, and select another method available to the user and authenticate successfully.
- We are aware of the UX experience issue and are working to fix this on iOS and to have a seamless UX experience.
+## External identity support
+
+An external identity can't perform multifactor authentication (MFA) to the resource tenant with Azure AD CBA. Instead, have the user perform MFA using CBA in the home tenant, and set up cross tenant settings for the resource tenant to trust MFA from the home tenant.
+
+For more information about how to enable **Trust multi-factor authentication from Azure AD tenants**, see [Configure B2B collaboration cross-tenant access](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims).
+
+## Known issues
+
+- On iOS clients, there's a double prompt issue as part of the Azure AD CBA flow where the user needs to click **Use the certificate or smart card** twice. We're aware of the UX experience issue and working on fixing this for a seamless UX experience.
## Next steps - [Overview of Azure AD CBA](concept-certificate-based-authentication.md)-- [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md) - [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)-- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)-- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
+- [Azure AD CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)
+- [Azure AD CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)
+- [Windows smart card logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md)
+- [How to migrate federated users](concept-certificate-based-authentication-migration.md)
- [FAQ](certificate-based-authentication-faq.yml) - [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)+
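Review bot: The two known issues removed from this section (the sign-in log showing the User ID instead of the username, and the **Additional Details** tab labelling the binding identifier as **User certificate subject name**) are dropped without a replacement; confirm they are actually fixed, otherwise keep them under the new "Known issues" heading. In the new error-page section, the NOTE "If you retry CBA in a browser, it'll keep failing due to the browser caching issue" repeats the paragraph two lines above it almost verbatim; keep one of them. The line consisting of a lone "+" after that NOTE will render as a literal plus sign and looks like a stray character. Wording: "UX experience" is redundant (say "user experience"), "cross tenant settings" should be "cross-tenant settings", and the section's first sentence mixes three constructions ("reasons such as the certificate being invalid, or the user selected the wrong certificate..."); for example: "because the certificate is invalid or expired, the user selected the wrong certificate, or the Certificate Revocation List (CRL) check failed".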
active-directory Concept Certificate Based Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication.md
Title: Overview of Azure AD certificate-based authentication (Preview) - Azure Active Directory
+ Title: Overview of Azure AD certificate-based authentication - Azure Active Directory
description: Learn about Azure AD certificate-based authentication without federation Previously updated : 06/07/2022 Last updated : 10/05/2022 -+
-# Overview of Azure AD certificate-based authentication (Preview)
+# Overview of Azure AD certificate-based authentication
-Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in.
-This feature enables customers to adopt a phishing resistant authentication and authenticate with an X.509 certificate against their Enterprise Public Key Infrastructure (PKI).
-
->[!NOTE]
->Azure AD certificate-based authentication is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate directly with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in.
+This feature enables customers to adopt a phishing resistant authentication and authenticate with an X.509 certificate against their Public Key Infrastructure (PKI).
## What is Azure AD CBA?
-Before this feature brought cloud-managed support for CBA to Azure AD, customers had to implement federated certificate-based authentication. Federated CBA requires deploying Active Directory Federation Services (AD FS) to be able to authenticate using X.509 certificates against Azure AD. With Azure AD certificate-based authentication, customers can authenticate directly against Azure AD. Azure AD CBA eliminates the need for federated AD FS, which helps simplify customer environments and reduce costs.
+Before cloud-managed support for CBA to Azure AD, customers had to implement federated certificate-based authentication, which requires deploying Active Directory Federation Services (AD FS) to be able to authenticate using X.509 certificates against Azure AD. With Azure AD certificate-based authentication, customers can authenticate directly against Azure AD and eliminate the need for federated AD FS, with simplified customer environments and cost reduction.
The following images show how Azure AD CBA simplifies the customer environment by eliminating federated AD FS.
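Review bot: The rewritten opening of "What is Azure AD CBA?" lost its verb: "Before cloud-managed support for CBA to Azure AD, customers had to..." should read something like "Before Azure AD had cloud-managed support for CBA, customers had to...", and the closing "with simplified customer environments and cost reduction" reads better as "which simplifies customer environments and reduces cost". In the paragraph above it, "adopt a phishing resistant authentication" should be "adopt phishing-resistant authentication" (hyphenated, no article), matching the how-to article updated in this same change.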
The following images show how Azure AD CBA simplifies the customer environment b
| Benefits | Description | ||| | Great user experience |- Users who need certificate-based authentication can now directly authenticate against Azure AD and not have to invest in federated AD FS.<br>- Portal UI enables users to easily configure how to map certificate fields to a user object attribute to look up the user in the tenant ([certificate username bindings](concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-username-binding-policy))<br>- Portal UI to [configure authentication policies](concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-authentication-binding-policy) to help determine which certificates are single-factor versus multifactor. |
-| Easy to deploy and administer |- No need for complex on-premises deployments or network configuration.<br>- Directly authenticate against Azure AD. <br>- No management overhead or cost. |
-| Secure |- On-premises passwords need not be stored in the cloud in any form.<br>- Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including multifactor authentication (MFA) and blocking legacy authentication.<br>- Strong authentication support where users can define authentication policies through the certificate fields like issuer or policy OID (object identifiers) to determine which certificates qualify as single-factor versus multifactor. |
+| Easy to deploy and administer |- Azure AD CBA is a free feature, and you don't need any paid editions of Azure AD to use it. <br>- No need for complex on-premises deployments or network configuration.<br>- Directly authenticate against Azure AD. |
+| Secure |- On-premises passwords don't need to be stored in the cloud in any form.<br>- Protects your user accounts by working seamlessly with Azure AD Conditional Access policies, including unphishable [multifactor authentication](concept-mfa-howitworks.md) (MFA which requires [licensed edition](concept-mfa-licensing.md)) and blocking legacy authentication.<br>- Strong authentication support where users can define authentication policies through the certificate fields, such as issuer or policy OID (object identifiers), to determine which certificates qualify as single-factor versus multifactor.<br>- The feature works seamlessly with [Conditional Access features](../conditional-access/overview.md) and authentication strength capability to enforce MFA to help secure your users. |
++
+## Supported scenarios
+
+The following scenarios are supported:
+
+- User sign-ins to web browser-based applications on all platforms.
+- User sign-ins to Office mobile apps, including Outlook, OneDrive, and so on.
+- User sign-ins on mobile native browsers.
+- Support for granular authentication rules for multifactor authentication by using the certificate issuer **Subject** and **policy OIDs**.
+- Configuring certificate-to-user account bindings by using any of the certificate fields:
+ - Subject Alternate Name (SAN) PrincipalName and SAN RFC822Name
+ - Subject Key Identifier (SKI) and SHA1PublicKey
+- Configuring certificate-to-user account bindings by using any of the user object attributes:
+ - User Principal Name
+ - onPremisesUserPrincipalName
+ - CertificateUserIds
-## Feature highlights
+## Unsupported scenarios
-- Facilitates onboarding to Azure quickly without being delayed by additional on-premises infrastructure to support certificate-based authentication in public and United States Government clouds. -- Provides support for unphishable multifactor authentication.-- Supports user sign-in against cloud Azure AD using X.509 certificates into all web browser-based applications and into Microsoft Office client applications that use modern authentication.-- The feature works seamlessly with Conditional Access features such as MFA to help secure your users.-- It's a free feature, and you don't need any paid editions of Azure AD to use it.-- Eliminates the need for federated AD FS and reduces the cost and on-premises footprint.
+The following scenarios aren't supported:
+
+- Certificate Authority hints aren't supported, so the list of certificates that appears for users in the certificate picket UI isn't scoped.
+- Only one CRL Distribution Point (CDP) for a trusted CA is supported.
+- The CDP can be only HTTP URLs. We don't support Online Certificate Status Protocol (OCSP), or Lightweight Directory Access Protocol (LDAP) URLs.
+- Configuring other certificate-to-user account bindings, such as using the **Subject**, **Subject + Issuer** or **Issuer + Serial Number**, arenΓÇÖt available in this release.
+- Password as an authentication method cannot be disabled and the option to sign in using a password is displayed even with Azure AB CBA method available to the user.
+
+## Out of Scope
+
+The following scenarios are out of scope for Azure AD CBA:
+
+- Public Key Infrastructure for creating client certificates. Customers need to configure their own Public Key Infrastructure (PKI) and provision certificates to their users and devices.
## Next steps - [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)-- [Limitations with CBA](concept-certificate-based-authentication-limitations.md)-- [How to configure CBA](how-to-certificate-based-authentication.md)-- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)-- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
+- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)
+- [Azure AD CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)
+- [Azure AD CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)
+- [Windows smart card logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md)
+- [How to migrate federated users](concept-certificate-based-authentication-migration.md)
- [FAQ](certificate-based-authentication-faq.yml)-- [Troubleshoot CBA](troubleshoot-certificate-based-authentication.md)-
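Review bot: Typos in the new "Unsupported scenarios" list: "Azure AB CBA" should be "Azure AD CBA", "certificate picket UI" should be "certificate picker UI", and "arenΓÇÖt" is mojibake for "aren't" (and since that sentence's subject is "Configuring ...", it should be "isn't available"). "The CDP can be only HTTP URLs" reads better as "The CDP must be an HTTP URL". In "Supported scenarios", "Subject Alternate Name (SAN)" is "Subject Alternative Name" in X.509 terminology. Scope question: the removed feature highlights covered "Microsoft Office client applications that use modern authentication" and "public and United States Government clouds", but the new list only mentions "Office mobile apps" and says nothing about clouds, so state whether desktop Office clients and the US Government cloud are still supported rather than leaving it implicit. Minor: the line consisting of a lone "+" after the benefits table will render as a literal plus sign, and "(MFA which requires [licensed edition])" in the Secure row would read more clearly as "(MFA requires a [licensed edition])".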
active-directory How To Certificate Based Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-certificate-based-authentication.md
Title: How to configure Azure AD certificate-based authentication without federation (Preview) - Azure Active Directory
+ Title: How to configure Azure AD certificate-based authentication - Azure Active Directory
description: Topic that shows how to configure Azure AD certificate-based authentication in Azure Active Directory Previously updated : 06/15/2022 Last updated : 10/10/2022 ---+++
-# How to configure Azure AD certificate-based authentication (Preview)
+# How to configure Azure AD certificate-based authentication
-Azure Active Directory (Azure AD) certificate-based authentication (CBA) enables customers to configure their Azure AD tenants to allow or require users to authenticate with X.509 certificates verified against their Enterprise Public Key Infrastructure (PKI) for app and browser sign-in. This feature enables customers to adopt phishing resistant authentication by using an x.509 certificate.
+Azure Active Directory (Azure AD) certificate-based authentication (CBA) enables organizations to configure their Azure AD tenants to allow or require users to authenticate with X.509 certificates created by their Enterprise Public Key Infrastructure (PKI) for app and browser sign-in. This feature enables organizations to adopt phishing-resistant modern passwordless authentication by using an x.509 certificate.
-During sign-in, users will see an option to authenticate with a certificate instead of entering a password.
-If multiple matching certificates are present on the device, the user can pick which one to use. The certificate is validated, the binding to the user account is checked, and if successful, they are signed in.
+During sign-in, users will see also an option to authenticate with a certificate instead of entering a password.
+If multiple matching certificates are present on the device, the user can pick which one to use. The certificate is validated against the user account and if successful, they sign in.
<!Clarify plans that are covered >
-This topic covers how to configure and use certificate-based authentication for tenants in Office 365 Enterprise and US Government plans. You should already have a [public key infrastructure (PKI)](https://aka.ms/securingpki) configured.
-
-Follow these instructions to configure and use Azure AD CBA.
-
->[!NOTE]
->Azure AD certificate-based authentication is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+Follow these instructions to configure and use Azure AD CBA for tenants in Office 365 Enterprise and US Government plans. You should already have a [public key infrastructure (PKI)](https://aka.ms/securingpki) configured.
## Prerequisites
-Make sure that the following prerequisites are in place.
+Make sure that the following prerequisites are in place:
-- Configure at least one certification authority (CA) and any intermediate certification authorities in Azure Active Directory.
+- Configure at least one certification authority (CA) and any intermediate CAs in Azure AD.
- The user must have access to a user certificate (issued from a trusted Public Key Infrastructure configured on the tenant) intended for client authentication to authenticate against Azure AD.
+- Each CA should have a certificate revocation list (CRL) that can be referenced from internet-facing URLs. If the trusted CA doesn't have a CRL configured, Azure AD won't perform any CRL checking, revocation of user certificates won't work, and authentication won't be blocked.
>[!IMPORTANT]
->Each CA should have a certificate revocation list (CRL) that can be referenced from internet-facing URLs. If the trusted CA does not have a CRL configured, Azure AD will not perform any CRL checking, revocation of user certificates will not work, and authentication will not be blocked.
+>Make sure the PKI is secure and can't be easily compromised. In the event of a compromise, the attacker can create and sign client certificates and compromise any user in the tenant, both users whom are synchronized from on-premises and cloud-only users. However, a strong key protection strategy, along with other physical and logical controls, such as HSM activation cards or tokens for the secure storage of artifacts, can provide defense-in-depth to prevent external attackers or insider threats from compromising the integrity of the PKI. For more information, see [Securing PKI](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786443(v=ws.11)).
->[!IMPORTANT]
->Make sure the PKI is secure and cannot be easily compromised. In the event of a compromise, the attacker can create and sign client certificates and compromise any user in the tenant, both synced and cloud-only users. However, a strong key protection strategy, along with other physical and logical controls such as HSM activation cards or tokens for the secure storage of artifacts, can provide defense-in-depth to prevent external attackers or insider threats from compromising the integrity of the PKI. For more information, see [Securing PKI](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786443(v=ws.11)).
+>[!NOTE]
+>When evaluating a PKI, it is important to review certificate issuance policies and enforcement. As mentioned, adding certificate authorities (CAs) to Azure AD configuration allows certificates issued by those CAs to authenticate any user in Azure AD. For this reason, it is important to consider how and when the CAs are allowed to issue certificates, and how they implement reusable identifiers. Where administrators need to ensure only a specific certificate is able to be used to authenticate a user, admins should exclusively use high-affinity bindings to achieve a higher level of assurance that only a specific certificate is able to authenticate the user. For more information, see [high-affinity bindings](concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-username-binding-policy).
## Steps to configure and test Azure AD CBA
-There are some configuration steps to complete before enabling Azure AD CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators make changes. Configuring the certification authority is done only by the [Privileged Authentication Administrator](../roles/permissions-reference.md#privileged-authentication-administrator) role.
+Some configuration steps to be done before you enable Azure AD CBA. First, an admin must configure the trusted CAs that issue user certificates. As seen in the following diagram, we use role-based access control to make sure only least-privileged administrators are needed to make changes. Only the [Privileged Authentication Administrator](../roles/permissions-reference.md#privileged-authentication-administrator) role can configure the CA.
-Optionally, you can also configure authentication bindings to map certificates to single-factor or multifactor and configure username bindings to map certificate field to a user object attribute. Configuring user-related settings can be done by [Authentication Policy Administrators](../roles/permissions-reference.md#authentication-policy-administrator). Once all the configurations are complete, enable Azure AD CBA on the tenant.
+Optionally, you can also configure authentication bindings to map certificates to single-factor or multifactor authentication, and configure username bindings to map the certificate field to an attribute of the user object. [Authentication Policy Administrators](../roles/permissions-reference.md#authentication-policy-administrator) can configure user-related settings. Once all the configurations are complete, enable Azure AD CBA on the tenant.
:::image type="content" border="false" source="./media/how-to-certificate-based-authentication/steps.png" alt-text="Diagram of the steps required to enable Azure Active Directory certificate-based authentication."::: ## Step 1: Configure the certification authorities
+You can configure CAs by using the Azure portal or PowerShell.
+ ### Configure certification authorities using the Azure portal To enable the certificate-based authentication and configure user bindings in the Azure portal, complete the following steps: 1. Sign in to the Azure portal as a Global Administrator.
-1. Select Azure Active Directory, then choose Security from the menu on the left-hand side.
+1. Click **Azure Active Directory** > **Security**.
:::image type="content" border="true" source="./media/how-to-certificate-based-authentication/certificate-authorities.png" alt-text="Screenshot of certification authorities."::: 1. To upload a CA, click **Upload**: 1. Select the CA file. 1. Select **Yes** if the CA is a root certificate, otherwise select **No**.
- 1. Set the http internet-facing URL for the certification authority's base CRL that contains all revoked certificates. This should be set or authentication with revoked certificates will not fail.
+ 1. Set the http internet-facing URL for the CA base CRL that contains all revoked certificates. If the URL isn't set, authentication with revoked certificates won't fail.
1. Set **Delta CRL URL** - the http internet-facing URL for the CRL that contains all revoked certificates since the last base CRL was published. 1. Click **Add**.
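Review bot: The revocation caveat in "+ 1. Set the http internet-facing URL for the CA base CRL ... If the URL isn't set, authentication with revoked certificates won't fail." is the most security-relevant sentence in this procedure but reads as an aside; state plainly that without a CRL URL a revoked user certificate is still accepted for sign-in, and consider promoting it to a callout. Also, the intro above says only the Privileged Authentication Administrator role can configure CAs, while "+ ... 1. Sign in to the Azure portal as a Global Administrator." names a broader role; use the least-privileged role consistently.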
To enable the certificate-based authentication and configure user bindings in th
### Configure certification authorities using PowerShell
-Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can only be HTTP URLs. Online Certificate Status Protocol (OCSP) or Lightweight Directory Access Protocol (LDAP) URLs are not supported.
+Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can only be HTTP URLs. Online Certificate Status Protocol (OCSP) or Lightweight Directory Access Protocol (LDAP) URLs aren't supported.
[!INCLUDE [Configure certification authorities](../../../includes/active-directory-authentication-configure-certificate-authorities.md)]
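Review bot: Grammar in "+Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can only be HTTP URLs.": the second sentence mixes singular and plural; "The CDP must be an HTTP URL" reads correctly and matches the single-CDP limit stated just before it.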
Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can
[!INCLUDE [New-AzureAD](../../../includes/active-directory-authentication-new-trusted-azuread.md)] **AuthorityType**-- Use 0 to indicate that this is a Root certification authority-- Use 1 to indicate that this is an Intermediate or Issuing certification authority
+- Use 0 to indicate a Root certification authority
+- Use 1 to indicate an Intermediate or Issuing certification authority
**crlDistributionPoint**
-You can validate the crlDistributionPoint value you provide in the above PowerShell example are valid for the certification authority being added by downloading the CRL and comparing the CA certificate and the CRL Information.
+You can download the CRL and compare the CA certificate and the CRL information to validate the crlDistributionPoint value in the preceding PowerShell example is valid for the CA you want to add.
-The below table and graphic indicate how to map information from the CA Certificate to the attributes of the downloaded CRL.
+The following table and graphic show how to map information from the CA certificate to the attributes of the downloaded CRL.
| CA Certificate Info |= |Downloaded CRL Info| |-|:-:|-|
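Review bot: "+You can download the CRL and compare the CA certificate and the CRL information to validate the crlDistributionPoint value ... is valid" says "validate ... is valid"; suggest "to verify that the crlDistributionPoint value in the preceding PowerShell example is correct for the CA you're adding". The surrounding list reformat for AuthorityType is fine.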
The below table and graphic indicate how to map information from the CA Certific
:::image type="content" border="false" source="./media/how-to-certificate-based-authentication/certificate-crl-compare.png" alt-text="Compare CA Certificate with CRL Information."::: >[!TIP]
->The value for crlDistributionPoint in the above is the http location for the CAΓÇÖs Certificate Revocation List (CRL). This can be found in a few places.
+>The value for crlDistributionPoint in the preceding example is the http location for the CAΓÇÖs Certificate Revocation List (CRL). This can be found in a few places.
>
->- In the CRL Distribution Point (CDP) attribute of a certificate issued from the CA
+>- In the CRL Distribution Point (CDP) attribute of a certificate issued from the CA.
>
->If Issuing CA is Windows Server
+>If Issuing CA is Windows Server:
> >- On the [Properties](/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1#to-configure-the-cdp-and-aia-extensions-on-ca1)
- of the CA in the certification authority Microsoft Management Console (MMC)
->- On the CA running [certutil](/windows-server/administration/windows-commands/certutil#-cainfo) -cainfo cdp
+ of the CA in the certification authority Microsoft Management Console (MMC).
+>- On the CA by running `certutil -cainfo cdp`. For more information, see [certutil](/windows-server/administration/windows-commands/certutil#-cainfo).
-For additional details see: [Understanding the certificate revocation process](./concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-certificate-revocation-process).
+For more information, see [Understanding the certificate revocation process](./concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-certificate-revocation-process).
### Remove
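Review bot: The continuation line "+ of the CA in the certification authority Microsoft Management Console (MMC)." has no leading ">" while every other line of the [!TIP] block does, so the callout can end early and the MMC text plus the following certutil bullet render outside the tip; prefix it with "> ". The certutil rewrite itself ("+>- On the CA by running `certutil -cainfo cdp`.") is an improvement.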
For additional details see: [Understanding the certificate revocation process](.
## Step 2: Enable CBA on the tenant
-To enable the certificate-based authentication in the Azure Portal, complete the following steps:
+To enable the certificate-based authentication in the Azure portal, complete the following steps:
1. Sign in to the [Azure portal](https://portal.azure.com/) as an Authentication Policy Administrator. 1. Select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
Once certificate-based authentication is enabled on the tenant, all users in the
The authentication binding policy helps determine the strength of authentication to either a single factor or multi factor. An admin can change the default value from single-factor to multifactor and configure custom policy rules by mapping to issuer Subject or policy OID fields in the certificate.
-To enable the certificate-based authentication and configure user bindings in the Azure portal, complete the following steps:
+To enable Azure AD CBA and configure user bindings in the Azure portal, complete the following steps:
1. Sign in to the [Azure portal](https://portal.azure.com) as an Authentication Policy Administrator. 1. Select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.
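Review bot: "+To enable Azure AD CBA and configure user bindings in the Azure portal, complete the following steps:" sits under the authentication binding policy section (the context line above describes mapping issuer Subject and policy OID fields to authentication strength), while username bindings are Step 4; say "configure the authentication binding policy" here so the two steps aren't confused. Enabling CBA is also already covered in Step 2, so "enable Azure AD CBA" can be dropped from this sentence.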
To enable the certificate-based authentication and configure user bindings in th
:::image type="content" border="true" source="./media/how-to-certificate-based-authentication/multifactor-issuer.png" alt-text="Screenshot of multifactor authentication policy."::: - To create a rule by Policy OID, click **Policy OID**. 1. Enter a value for **Policy OID**.
To enable the certificate-based authentication and configure user bindings in th
## Step 4: Configure username binding policy
-The username binding policy helps determine the user in the tenant. By default, we map Principal Name in the certificate to onPremisesUserPrincipalName in the user object to determine the user.
+The username binding policy helps validate the certificate of the user. By default, we map Principal Name in the certificate to UserPrincipalName in the user object to determine the user. An admin can override the default and create a custom mapping.
-An admin can override the default and create a custom mapping. Currently, we support two certificate fields, SAN (Subject Alternate Name) Principal Name and SAN RFC822Name, to map against the user object attribute userPrincipalName and onPremisesUserPrincipalName.
+To determine how to configure username binding, see [How username binding works](concept-certificate-based-authentication-technical-deep-dive.md#understanding-the-username-binding-policy).
>[!IMPORTANT]
->If a username binding policy uses synced attributes, such as onPremisesUserPrincipalName attribute of the user object, be aware that any user with administrative access to the Azure AD Connect server can change the sync attribute mapping, and in turn change the value of the synced attribute to their needs. The user does not need to be a cloud admin.
+>If a username binding policy uses synchronized attributes, such as onPremisesUserPrincipalName attribute of the user object, be aware that any user with Active Directory Administrators privileges can make changes that impact the onPremisesUserPrincipalName value in Azure AD for any synchronized accounts, including users with delegated administrative privilege over synchronized user accounts or administrative rights over the Azure AD Connect Servers.
-1. Create the username binding by selecting one of the X.509 certificate fields to bind with one of the user attributes. The username binding order represents the priority level of the binding. The first one has the highest priority and so on.
+1. Create the username binding by selecting one of the X.509 certificate fields to bind with one of the user attributes. The username binding order represents the priority level of the binding. The first one has the highest priority, and so on.
:::image type="content" border="true" source="./media/how-to-certificate-based-authentication/username-binding-policy.png" alt-text="Screenshot of a username binding policy.":::
- If the specified X.509 certificate field is found on the certificate, but Azure AD doesnΓÇÖt find a user object using that value, the authentication fails. Azure AD doesnΓÇÖt try the next binding in the list.
+ If the specified X.509 certificate field is found on the certificate, but Azure AD doesnΓÇÖt find a user object using that value, the authentication fails. Azure AD will fall back and try the next binding in the list.
- The next priority is attempted only if the X.509 certificate field is not in the certificate.
1. Click **Save** to save the changes.
-Currently supported set of username bindings:
--- SAN Principal Name > userPrincipalName-- SAN Principal Name > onPremisesUserPrincipalName-- SAN RFC822Name > userPrincipalName-- SAN RFC822Name > onPremisesUserPrincipalName-
->[!NOTE]
->If the RFC822Name binding is evaluated and if no RFC822Name is specified in the certificate Subject Alternative Name, we will fall back on legacy Subject Name "E=user@contoso.com" if no RFC822Name is specified in the certificate we will fall back on legacy Subject Name E=user@contoso.com.
- The final configuration will look like this image: :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/final.png" alt-text="Screenshot of the final configuration.":::
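Review bot: The new behaviour statement "+ If the specified X.509 certificate field is found on the certificate, but Azure AD doesn't find a user object using that value, the authentication fails. Azure AD will fall back and try the next binding in the list." contradicts the unchanged bullet directly below it, "- The next priority is attempted only if the X.509 certificate field is not in the certificate."; one of the two must change, and because lookup order decides which account a certificate maps to, the text should state exactly when the next binding is tried. Also "+The username binding policy helps validate the certificate of the user." replaces a more accurate description (the policy determines which user the certificate maps to, as its own next sentence still says); keep "helps determine the user in the tenant". The reworked [!IMPORTANT] line is one very long sentence; split it after "for any synchronized accounts".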
As a first configuration test, you should try to sign in to the [MyApps portal](
1. Click **Next**.
- :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/certificate.png" alt-text="Screenshot of sign in with certificate.":::
+ :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/certificate.png" alt-text="Screenshot of sign-in with certificate.":::
- If you have enabled other authentication methods like Phone sign-in or FIDO2, users may see a different sign-in screen.
+ If you enabled other authentication methods like Phone sign-in or FIDO2, users may see a different sign-in screen.
- :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/alternative.png" alt-text="Screenshot of the alternative sign in.":::
+ :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/alternative.png" alt-text="Screenshot of the alternative sign-in.":::
1. Select **Sign in with a certificate**. 1. Pick the correct user certificate in the client certificate picker UI and click **OK**.+ :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/picker.png" alt-text="Screenshot of the certificate picker UI."::: 1. Users should be signed into [MyApps portal](https://myapps.microsoft.com/).
As a first configuration test, you should try to sign in to the [MyApps portal](
If your sign-in is successful, then you know that: - The user certificate has been provisioned into your test device.-- Azure Active Directory is configured correctly with trusted CAs.
+- Azure AD is configured correctly with trusted CAs.
- Username binding is configured correctly, and the user is found and authenticated. ### Testing custom authentication binding rules
-Let's walk through a scenario where we will validate strong authentication by creating two authentication policy rules, one via issuer subject satisfying single factor and one via policy OID satisfying multi factor.
+Let's walk through a scenario where we validate strong authentication. We'll create two authentication policy rules, one by using issuer subject to satisfy single-factor authentication, and another by using policy OID to satisfy multifactor authentication.
-1. Create an issuer Subject rule with protection level as single factor authentication and value set to your CAs Subject value. For example:
+1. Create an issuer Subject rule with protection level as single-factor authentication and value set to your CAs Subject value. For example:
- `CN=ContosoCA,DC=Contoso,DC=org`
+ `CN = WoodgroveCA`
-1. Create a policy OID rule, with protection level as multi-factor authentication and value set to one of the policy OIDΓÇÖs in your certificate. For example, 1.2.3.4.
+1. Create a policy OID rule, with protection level as multifactor authentication and value set to one of the policy OIDΓÇÖs in your certificate. For example, 1.2.3.4.
:::image type="content" border="true" source="./media/how-to-certificate-based-authentication/policy-oid-rule.png" alt-text="Screenshot of the Policy OID rule.":::
-1. Create a conditional access policy for the user to require multi-factor authentication by following steps at [Conditional Access - Require MFA](../conditional-access/howto-conditional-access-policy-all-users-mfa.md#create-a-conditional-access-policy).
+1. Create a Conditional Access policy for the user to require multifactor authentication by following steps at [Conditional Access - Require MFA](../conditional-access/howto-conditional-access-policy-all-users-mfa.md#create-a-conditional-access-policy).
1. Navigate to [MyApps portal](https://myapps.microsoft.com/). Enter your UPN and click **Next**. :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/name.png" alt-text="Screenshot of the User Principal Name."::: 1. Select **Sign in with a certificate**.
- :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/certificate.png" alt-text="Screenshot of sign in with certificate.":::
+ :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/certificate.png" alt-text="Screenshot of sign-in with certificate.":::
- If you have enabled other authentication methods like Phone sign-in or FIDO2, users may see a different sign-in screen.
+ If you enabled other authentication methods like Phone sign-in or FIDO2, users may see a different sign-in screen.
- :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/alternative.png" alt-text="Screenshot of the alternative sign in.":::
+ :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/alternative.png" alt-text="Screenshot of the alternative sign-in.":::
1. Select the client certificate and click **Certificate Information**.
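Review bot: The issuer subject value is written three ways on this page: "+ `CN = WoodgroveCA`" here, **CN=WoodgroveCA** in the later step, and `"CN=WoodgroveCA "` (trailing space) in the Graph JSON; pick the exact form the rule should match, with no surrounding spaces, so that a reader copying it doesn't create a rule that never matches if the comparison is literal and the certificate ends up at a different protection level than intended. Minor: "+1. Create an issuer Subject rule ... set to your CAs Subject value" needs an apostrophe ("your CA's Subject value").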
Let's walk through a scenario where we will validate strong authentication by cr
1. Select the client certificate and click **OK**.
-1. The policy OID in the certificate matches the configured value of **1.2.3.4** and it will satisfy multifactor authentication. Similarly, the issuer in the certificate matches the configured value of **CN=ContosoCA,DC=Contoso,DC=org** and it will satisfy single-factor authentication.
+1. The policy OID in the certificate matches the configured value of **1.2.3.4** and it will satisfy multifactor authentication. Similarly, the issuer in the certificate matches the configured value of **CN=WoodgroveCA** and it will satisfy single-factor authentication.
1. Because policy OID rule takes precedence over issuer rule, the certificate will satisfy multifactor authentication.
-1. The conditional access policy for the user requires MFA and the certificate satisfies multifactor, so the user will be authenticated into the application.
+1. The Conditional Access policy for the user requires MFA and the certificate satisfies multifactor, so the user will be authenticated into the application.
## Enable Azure AD CBA using Microsoft Graph API
-To enable the certificate-based authentication and configure username bindings using Graph API, complete the following steps.
+To enable CBA and configure username bindings using Graph API, complete the following steps.
>[!NOTE] >The following steps use Graph Explorer which is not available in the US Government cloud. US Government cloud tenants can use Postman to test the Microsoft Graph queries.
To enable the certificate-based authentication and configure username bindings u
1. GET all authentication methods: ```http
- GET https://graph.microsoft.com/beta/policies/authenticationmethodspolicy
+ GET https://graph.microsoft.com/v1.0/policies/authenticationmethodspolicy
``` 1. GET the configuration for the x509Certificate authentication method: ```http
- GET https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/X509Certificate
+ GET https://graph.microsoft.com/v1.0/policies/authenticationmethodspolicy/authenticationMethodConfigurations/X509Certificate
``` 1. By default, the x509Certificate authentication method is disabled. To allow users to sign in with a certificate, you must enable the authentication method and configure the authentication and username binding policies through an update operation. To update policy, run a PATCH request.
To enable the certificate-based authentication and configure username bindings u
```http
- PATCH https: //graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
+ PATCH https: //graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
Content-Type: application/json {
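Review bot: "+ PATCH https: //graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/..." keeps the stray space after "https:" from the old line, so the URL fails when pasted into Graph Explorer; remove the space while moving to v1.0. The path is also spelled "authenticationMethodsPolicy" here but "authenticationmethodspolicy" in the two GET examples above; use one spelling.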
To enable the certificate-based authentication and configure username bindings u
"x509CertificateField": "RFC822Name", "userProperty": "userPrincipalName", "priority": 2
+ },
+ {
+ "x509CertificateField": "PrincipalName",
+ "userProperty": "certificateUserIds",
+ "priority": 3
} ], "authenticationModeConfiguration": {
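Review bot: The added binding "+ "x509CertificateField": "PrincipalName", "userProperty": "certificateUserIds", "priority": 3" introduces certificateUserIds without any explanation; the Step 4 text now only links out to the deep-dive article. Add a sentence saying what this priority-3 entry does (PrincipalName looked up against certificateUserIds as the lowest-priority binding) and link the new Certificate user IDs article from Step 4, not only from Next steps. The added "}," that closes the priority-2 object is correct and was needed for valid JSON.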
To enable the certificate-based authentication and configure username bindings u
"rules": [ { "x509CertificateRuleType": "issuerSubject",
- "identifier": "CN=ContosoCA,DC=Contoso,DC=org ",
+ "identifier": "CN=WoodgroveCA ",
"x509CertificateAuthenticationMode": "x509CertificateMultiFactor" }, {
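Review bot: "+ "identifier": "CN=WoodgroveCA "," keeps a trailing space inside the quoted value; remove it so the rule identifier is exactly the issuer subject. This issuerSubject rule is also set to "x509CertificateMultiFactor", while the walkthrough above creates the issuer Subject rule as single-factor and the policy OID rule as multifactor; if the JSON is meant to mirror that walkthrough, this rule should use the single-factor mode, otherwise say that the example is independent of it.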
To enable the certificate-based authentication and configure username bindings u
] }
-1. You will get a `204 No content` response code. Re-run the GET request to make sure the policies are updated correctly.
+1. You'll get a `204 No content` response code. Re-run the GET request to make sure the policies are updated correctly.
1. Test the configuration by signing in with a certificate that satisfies the policy. ## Next steps
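Review bot: "+1. You'll get a `204 No content` response code." should read `204 No Content`; that is the HTTP reason phrase, and matching it exactly helps readers grep their tooling output.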
To enable the certificate-based authentication and configure username bindings u
- [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md) - [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md) - [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)
+- [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md)
+- [How to migrate federated users](concept-certificate-based-authentication-migration.md)
- [FAQ](certificate-based-authentication-faq.yml)-- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)
active-directory How To Mfa Additional Context https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-additional-context.md
description: Learn how to use additional context in MFA notifications
Previously updated : 09/22/2022 Last updated : 10/07/2022
The additional context can be combined with [number matching](how-to-mfa-number-
### Policy schema changes
-You can enable and disable application name and geographic location separately. Under featureSettings, you can use the following name mapping for each features:
+You can enable and disable application name and geographic location separately. Under featureSettings, you can use the following name mapping for each feature:
- Application name: displayAppInformationRequiredState - Geographic location: displayLocationInformationRequiredState
You can enable and disable application name and geographic location separately.
Identify your single target group for each of the features. Then use the following API endpoint to change the displayAppInformationRequiredState or displayLocationInformationRequiredState properties under featureSettings to **enabled** and include or exclude the groups you want: ```http
-https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
``` #### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties
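Review bot: "+https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator" moves the endpoint from v1.0 back to beta (the same switch is made in every @odata.context value below), but nothing in the text says why. Add a sentence stating that these feature settings are only exposed on the beta endpoint, if that is the reason, and that beta is subject to change, so admins scripting this know which version to target and why.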
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
//Change the Query to PATCH and Run query {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
```json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
To verify, run GET again and verify the ObjectID: ```http
-GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
``` #### Example of how to disable application name and only enable geographic location
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
```json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
In **featureSettings**, change the states of **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled.** Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.
-In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Azure AD portal. This will exclude that group from seeing application name or geographic location.
+In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Azure AD portal. This change excludes that group from seeing application name or geographic location.
You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
```json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
```json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
To turn off additional context, you'll need to PATCH **displayAppInformationRequ
```json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
To turn off additional context, you'll need to PATCH **displayAppInformationRequ
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
active-directory How To Mfa Number Match https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-number-match.md
description: Learn how to use number matching in MFA notifications
Previously updated : 09/22/2022 Last updated : 10/07/2022
Number matching is available for the following scenarios. When enabled, all scen
>[!NOTE] >For passwordless users, enabling or disabling number matching has no impact because it's already part of the passwordless experience.
-Number matching isn't supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.
+Number matching will be available in Azure Government two weeks after General Availability. Number matching isn't supported for Apple Watch notifications. Apple Watch users need to use their phone to approve notifications when number matching is enabled.
### Multifactor authentication
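Review bot: "+Number matching will be available in Azure Government two weeks after General Availability." is relative to a date the page doesn't give, so a reader can't verify it and it will go stale; give the GA date or the expected Azure Government date, or mark it as an availability note to be removed at GA. It's also unrelated to the Apple Watch limitation it was merged into; keep it as its own sentence or paragraph.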
To create the registry key that overrides push notifications:
Identify your single target group for the schema configuration. Then use the following API endpoint to change the numberMatchingRequiredState property under featureSettings to **enabled**, and include or exclude groups: ```
-https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
``` >[!NOTE]
https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMetho
| Property | Type | Description | |-||-|
-| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br> Please note: You'll be able to only exclude one group for number matching. |
-| includeTarget | featureTarget | A single entity that is included in this feature. <br> Please note: You'll be able to only set one group for number matching.|
+| excludeTarget | featureTarget | A single entity that is excluded from this feature. <br>You can only exclude one group for number matching. |
+| includeTarget | featureTarget | A single entity that is included in this feature. <br>You can only include one group for number matching.|
| State | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. | #### Feature target properties
https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMetho
In **featureSettings**, you'll need to change the **numberMatchingRequiredState** from **default** to **enabled**.
-Note that the value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we will use **any**, but if you don't want to allow passwordless, use **push**.
+The value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we will use **any**, but if you don't want to allow passwordless, use **push**.
>[!NOTE] >For passwordless users, enabling or disabling number matching has no impact because it's already part of the passwordless experience.
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
//Change the Query to PATCH and Run query {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
```
-To confirm this has applied, please run the GET request by using the following endpoint:
+To confirm the change is applied, run the GET request by using the following endpoint:
```http
-GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
``` #### Example of how to enable number matching for a single group
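Review bot: the PATCH body closed at the top of this hunk still carries the `@odata.context` and `includeTargets@odata.context` annotations, which are response metadata rather than request fields; the hunks only re-point them from v1.0 to beta, so consider dropping them from the request sample instead of maintaining them. The `//Change the Query to PATCH and Run query` line inside the JSON block is not valid JSON and will fail if pasted as-is into a request body; move that instruction into the prose above the block.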
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
```json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
To verify, run GET again and verify the ObjectID: ```http
-GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
+GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator
``` #### Example of removing the excluded group from number matching
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
```json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
To turn number matching off, you'll need to PATCH remove **numberMatchingRequire
```json {
- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodConfigurations/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",
"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled",
To turn number matching off, you'll need to PATCH remove **numberMatchingRequire
} } },
- "includeTargets@odata.context": "https://graph.microsoft.com/v1.0/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",
"includeTargets": [ { "targetType": "group",
active-directory How To Mfa Registration Campaign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-registration-campaign.md
description: Learn how to move your organization away from less secure authentic
+ Last updated 06/23/2022
-
-# Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
+#Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
# How to run a registration campaign to set up Microsoft Authenticator - Microsoft Authenticator
The feature aims to empower admins to get users set up with MFA using the Authen
If this user doesnΓÇÖt have the Authenticator app set up for push notifications and is enabled for it by policy, yes, the user will see the nudge.
-**Will a user who has a the Authenticator app setup only for TOTP codes see the nudge?** 
+**Will a user who has the Authenticator app setup only for TOTP codes see the nudge?** 
Yes. If the Authenticator app is not set up for push notifications and the user is enabled for it by policy, yes, the user will see the nudge.
It's the same as snoozing.
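Review bot: the typo fix to `**Will a user who has the Authenticator app setup only for TOTP codes see the nudge?**` is right, but `setup` after "has" is a verb and should be `set up`; the unchanged answer right below, `Yes. If the Authenticator app is not set up ... yes, the user will see the nudge.`, repeats "yes" twice and could be tidied in the same pass.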
## Next steps
-[Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md)
+[Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md)
active-directory Troubleshoot Authentication Strengths https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-authentication-strengths.md
+
+ Title: Troubleshoot Azure AD authentication strength (Preview)
+description: Learn how to resolve errors when using Azure AD authentication strength.
+++++ Last updated : 09/26/2022++++++++
+# Troubleshoot Azure AD authentication strength (Preview)
+
+This topic covers errors you might see when you use Azure Active Directory (Azure AD) authentication strength and how to resolve them.
+
+## A user is asked to sign in with another method, but they don't see a method they expect
+
+<!What could be a good example?>
+
+Users can sign in only by using authentication methods that they registered and are enabled by the Authentication methods policy. For more information, see [How Conditional Access Authentication strengths policies are used in combination with Authentication methods policy](concept-authentication-strengths.md#how-authentication-strength-works-with-the-authentication-methods-policy).
+
+To verify if a method can be used:
+
+1. Check which authentication strength is required. Click **Security** > **Authentication methods** > **Authentication strengths**.
+1. Check if the user is enabled for a required method:
+ 1. Check the Authentication methods policy to see if the user is enabled for any method required by the authentication strength. Click **Security** > **Authentication methods** > **Policies**.
+ 1. As needed, check if the tenant is enabled for any method required for the authentication strength. Click **Security** > **Multifactor Authentication** > **Additional cloud-based multifactor authentication settings**.
+1. Check which authentication methods are registered for the user in the Authentication methods policy. Click **Users and groups** > _username_ > **Authentication methods**.
+
+If the user is registered for an enabled method that meets the authentication strength, they might need to use another method that isn't available after primary authentication, such as Windows Hello for Business or certificate-based authentication. For more information, see [How each authentication method works](concept-authentication-methods.md#how-each-authentication-method-works). The user will need to restart the session and choose **Sign-in options** and select a method required by the authentication strength.
+
+## A user can't access a resource
+
+If an authentication strength requires a method that a user canΓÇÖt use, the user is blocked from sign-in. To check which method is required by an authentication strength, and which method the user is registered and enabled to use, follow the steps in the [previous section](#a-user-is-asked-to-sign-in-with-another-method-but-they-dont-see-a-method-they-expect).
+
+## How to check which authentication strength was enforced during sign-in
+Use the **Sign-ins** log to find additional information about the sign-in:
+
+- Under the **Authentication details** tab, the **Requirement** column shows the name of the authentication strengths policy.
+
+ :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-authentication-details.png" alt-text="Screenshot showing the authentication strength in the Sign-ins log.":::
+
+- Under the **Conditional Access** tab, you can see which Conditional Access policy was applied. Click the name of the policy, and look for **Grant controls** to see the authentication strength that was enforced.
+
+ :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-control.png" alt-text="Screenshot showing the authentication strength under Conditional Access Policy details in the Sign-ins log.":::
+
+## My users can't use their FIDO2 security key to sign in
+An admin can restrict access to specific security keys. When a user tries to sign in by using a key they can't use, this **You can't get there from here** message appears. The user has to restart the session, and sign-in with a different FIDO2 security key.
++
+## A user can't register a new method during sign-in
+
+Some methods can't be registered during sign-in, or they need more setup beyond the combined registration. For more information, see [Registering authentication methods](concept-authentication-strengths.md#registering-authentication-methods).
+
+
+## Next steps
+
+- [Azure AD Authentication Strengths overview](concept-authentication-strengths.md)
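Review bot: `<!What could be a good example?>` under the first heading is an author placeholder, and not even a well-formed HTML comment (`<!-- ... -->`), so it will render as visible text; remove it or replace it with the example it asks for. In the FIDO2 section, `this **You can't get there from here** message appears` describes a message that is never shown, and the lone `++` line after it looks like an image include that did not survive; add the screenshot or drop the reference. Step 3, `Check which authentication methods are registered for the user in the Authentication methods policy`, mixes per-user registration with the tenant policy; the path given (**Users and groups** > _username_ > **Authentication methods**) is the user's registrations, so drop "in the Authentication methods policy".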
active-directory Troubleshoot Certificate Based Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-certificate-based-authentication.md
- Title: Troubleshoot Azure AD certificate-based authentication without federation (Preview) - Azure Active Directory
-description: Learn how to troubleshoot Azure AD certificate-based authentication in Azure Active Directory
----- Previously updated : 06/15/2022---------
-# Troubleshoot Azure AD certificate-based authentication (Preview)
-
-This topic covers how to troubleshoot Azure AD certificate-based authentication (CBA).
-
->[!NOTE]
->Azure AD certificate-based authentication is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-
-## Why don't I see an option to sign in using certificates against Azure Active Directory after I enter my username?
-
-An administrator needs to enable CBA for the tenant to make the sign-in with certificate option available for users. For more information, see [Step 3: Configure authentication binding policy](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy).
-
-## User-facing sign-in error messages
-
-If the user is unable to sign in using Certificate-based Authentication, they may see one of the following user-facing errors on the Azure AD sign-in screen.
-
-### ADSTS1001000 - Unable to acquire certificate policy from tenant
-
-This is a server-side error that occurs when the server could not fetch an authentication policy for the user using the SAN Principal Name/SAN RFC822Name field of the user certificate. Make sure that the authentication policy rules are correct, a valid certificate is used, and retry.
-
-### AADSTS1001003 ΓÇô User sign-in fails with "Unable To Acquire Value Specified In Binding From Certificate"
--
-This error is returned if the user selects the wrong user certificate from the list while signing in.
-
-Make sure the certificate is valid and works for the user binding and authentication policy configuration.
-
-### AADSTS50034 - User sign-in fails with "Your account or password is incorrect. If you don't remember your password, reset it now."
--
-Make sure the user is trying to sign in with the correct username. This error happens when a unique user can't be found using the [username binding](how-to-certificate-based-authentication.md#step-4-configure-username-binding-policy) on the certificate fields.
--- Make sure user bindings are set correctly and the certificate field is mapped to the correct user Attribute.-- Make sure the user Attribute contains the correct value that matches the certificate field value.-
-For more information, see [Step 4: Configure username binding policy](how-to-certificate-based-authentication.md#step-4-configure-username-binding-policy).
-
-If the user is a federated user moving to Azure AD and if the user binding configuration is Principal Name > onPremisesUserPrincipalName:
--- Make sure the onPremisesUserPrincipalName is being synchronized, and ALT IDs are enabled in Azure AD Connect. -- Make sure the value of onPremisesUserPrincipalName is correct and synchronized in Azure AD Connect.-
->[!NOTE]
->There is a known issue that this scenario is not logged into the sign-in logs.
-
-### AADSTS130501 - User sign-in fails with "Sign in was blocked due to User Credential Policy"
--
-There is also a known issue when a user who is not in scope for CBA ties to sign in with a certificate to an [Office app](https://office.com) or any portal app, and the sign-in fails with an error:
--
-In both cases, the error can be resolved by making sure the user is in scope for Azure AD CBA. For more information, see [Step 2: Enable CBA on the tenant](how-to-certificate-based-authentication.md#step-2-enable-cba-on-the-tenant).
-
-### AADSTS90100: flowtoken parameter is empty or not valid
-
-After sign-in fails and I retry sign-in with the correct certificate, I get an error:
--
-This is a client behavior where the browser keeps using the original certificate selected. When the sign-in fails, close the existing browser session and retry sign-in from a new browser session.
-
-## User sign-in failed but not much diagnostic information
-
-There is a known issue when the authentication sometimes fails, the failure screen may not have an error message or troubleshooting information.
-
-For example, if a user certificate is revoked and is part of a Certificate Revocation List, then authentication fails correctly. However, instead of the error message, you might see the following screen:
--
-To get more diagnostic information, look in **Sign-in logs**. If a user authentication fails due to CRL validation for example, sign-in logs show the error information correctly.
--
-## Why didn't my changes to authentication policy changes take effect?
-
-The authentication policy is cached. After a policy update, it may take up to an hour for the changes to be effective. Try after an hour to make sure the policy caching is not the cause.
-
-## I get an error ΓÇÿCannot read properties of undefineΓÇÖ while trying to add a custom authentication rule
-
-This is a known issue, and we are working on graceful error handling. This error happens when there is no Certification Authority (CA) on the tenant. To resolve the error, see [Configure the certificate authorities](how-to-certificate-based-authentication.md#step-1-configure-the-certification-authorities).
---
-## I see a valid Certificate Revocation List (CRL) endpoint set, but why don't I see any CRL revocation?
--- Make sure the CRL distribution point is set to a valid HTTP URL.-- Make sure the CRL distribution point is accessible via an internet-facing URL.-- Make sure the CRL sizes are within the limit for public preview. For more information about the maximum CRL size, see [What is the maximum size for downloading a CRL?](certificate-based-authentication-faq.yml#is-there-a-limit-for-crl-size-).-
-## Next steps
--- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)-- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md) -- [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md)-- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)-- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)-- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)-- [FAQ](certificate-based-authentication-faq.yml)--
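Review bot: this deletes troubleshoot-certificate-based-authentication.md in full, but nothing in the change set shows a redirect or a replacement for its content (the AADSTS error explanations, the CRL checklist, the policy-caching note); the removed Next steps block links to sibling CBA pages that may link back here, so add a redirect entry and check for inbound links before merging.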
active-directory Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/videos.md
Title: Azure ADAL to MSAL migration videos description: Videos that help you migrate from the Azure Active Directory developer platform to the Microsoft identity platform -+ Last updated 02/12/2020-+
Learn about the new Microsoft identity platform and how to migrate to it from th
## Migrate from v1.0 to v2.0
-**Learn about migrating to the the latest version of the Microsoft identity platform**
+**Learn about migrating to the latest version of the Microsoft identity platform**
:::row::: :::column:::
active-directory Concept How It Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/concept-how-it-works.md
+ Last updated 12/05/2019
Cloud sync is built on top of the Azure AD services and has 2 key components:
## Initial setup
-During initial setup, the a few things are done that makes cloud sync happen. These are:
+During initial setup, a few things are done that makes cloud sync happen. These are:
- **During agent installation**: You configure the agent for the AD domains you want to provision from. This configuration registers the domains in the hybrid identity service and establishes an outbound connection to the service bus listening for requests. - **When you enable provisioning**: You select the AD domain and enable provisioning which runs every 2 mins. Optionally you may deselect password hash sync and define notification email. You can also manage attribute transformation using Microsoft Graph APIs.
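Review bot: the edit fixes `the a few things` but leaves a subject-verb mismatch in the same sentence: `a few things are done that makes cloud sync happen` should read `that make cloud sync happen`. The trailing `These are:` can go, since the list follows directly.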
active-directory Concept Conditional Access Grant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-grant.md
The control for blocking access considers any assignments and prevents access ba
Administrators can choose to enforce one or more controls when granting access. These controls include the following options: - [Require multifactor authentication (Azure AD Multi-Factor Authentication)](../authentication/concept-mfa-howitworks.md)
+- [Require authentication strength (Preview)](#require-authentication-strength-preview)
- [Require device to be marked as compliant (Microsoft Intune)](/intune/protect/device-compliance-get-started) - [Require hybrid Azure AD joined device](../devices/concept-azure-ad-join-hybrid.md) - [Require approved client app](app-based-conditional-access.md)
Selecting this checkbox requires users to perform Azure Active Directory (Azure
[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) satisfies the requirement for multifactor authentication in Conditional Access policies.
+### Require authentication strength (preview)
+
+Administrators can choose to require [specific authentication strengths](../authentication/concept-authentication-strengths.md) in their Conditional Access policies. These authentication strengths are defined in the **Azure portal** > **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths (Preview)**. Administrators can choose to create their own or use the built-in versions.
+
+> [!NOTE]
+> Require authentication strength is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+ ### Require device to be marked as compliant Organizations that have deployed Intune can use the information returned from their devices to identify devices that meet specific policy compliance requirements. Intune sends compliance information to Azure AD so Conditional Access can decide to grant or block access to resources. For more information about compliance policies, see [Set rules on devices to allow access to resources in your organization by using Intune](/intune/protect/device-compliance-get-started).
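Review bot: the new heading `### Require authentication strength (preview)` uses lowercase `(preview)` while the bullet added to the list above reads `Require authentication strength (Preview)` and the portal path says `Authentication strengths (Preview)`; the anchor `#require-authentication-strength-preview` resolves either way, but pick one casing. The added line `+ ### Require device to be marked as compliant` shows the blank line and the following heading merged, so make sure a real blank line separates the NOTE block from that heading.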
The following client apps are confirmed to support this setting:
- Notate for Intune - Yammer (iOS and iPadOS)
-This list is not all encompassing, if your app is not in this list please check with the application vendor to confirm support.
+This list isn't all encompassing, if your app isn't in this list please check with the application vendor to confirm support.
> [!NOTE] > Kaizala, Skype for Business, and Visio don't support the **Require app protection policy** grant. If you require these apps to work, use the **Require approved apps** grant exclusively. Using the "or" clause between the two grants will not work for these three applications.
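Review bot: the contraction edit leaves a comma splice in `This list isn't all encompassing, if your app isn't in this list please check with the application vendor to confirm support.`; split it, for example `This list isn't all-encompassing. If your app isn't listed, check with the application vendor to confirm support.`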
If your organization has created terms of use, other options might be visible un
### Custom controls (preview)
-Custom controls is a preview capability of Azure AD. When you use custom controls, your users are redirected to a compatible service to satisfy authentication requirements that are separate from Azure AD. For more information, check out the [Custom controls](controls.md) article.
+Custom controls are a preview capability of Azure AD. When you use custom controls, your users are redirected to a compatible service to satisfy authentication requirements that are separate from Azure AD. For more information, check out the [Custom controls](controls.md) article.
## Next steps
active-directory Concept Conditional Access Users Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-users-groups.md
Previously updated : 08/05/2022 Last updated : 10/03/2022
A Conditional Access policy must include a user assignment as one of the signals
> [!VIDEO https://www.youtube.com/embed/5DsW1hB3Jqs]
+> [!NOTE]
+> Some Conditional Access features are currently in public preview and might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+ ## Include users This list of users typically includes all of the users an organization is targeting in a Conditional Access policy.
The following options are available to include when creating a Conditional Acces
- All users - All users that exist in the directory including B2B guests. - Select users and groups
- - All guest and external users
- - This selection includes any [B2B guests and external users](../external-identities/external-identities-overview.md) including any user with the `user type` attribute set to `guest`. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP).
+ - Guest or external users (preview)
+ - This selection provides several choices that can be used to target Conditional Access policies to specific guest or external user types and specific tenants containing those types of users. There are [several different types of guest or external users that can be selected](../external-identities/authentication-conditional-access.md#conditional-access-for-external-users), and multiple selections can be made:
+ - B2B collaboration guest users
+ - B2B collaboration member users
+ - B2B direct connect users
+ - Local guest users, for example any user belonging to the home tenant with the user type attribute set to guest
+ - Service provider users, for example a Cloud Solution Provider (CSP)
+ - Other external users, or users not represented by the other user type selections
+ - One or more tenants can be specified for the selected user type(s), or you can specify all tenants.
- Directory roles - Allows administrators to select specific [built-in Azure AD directory roles](../roles/permissions-reference.md) used to determine policy assignment. For example, organizations may create a more restrictive policy on users assigned the Global Administrator role. Other role types aren't supported, including administrative unit-scoped roles and custom roles. - Users and groups
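Review bot: the removed bullet formatted `user type` and `guest` as code, but the replacement `Local guest users, for example any user belonging to the home tenant with the user type attribute set to guest` drops that formatting; keep `user type` and `guest` in backticks so the attribute name and value read as identifiers. The new sub-items also end without periods while the parent bullets are full sentences; pick one style.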
When organizations both include and exclude a user or group the user or group is
The following options are available to exclude when creating a Conditional Access policy. -- All guest and external users
- - This selection includes any B2B guests and external users including any user with the `user type` attribute set to `guest`. This selection also applies to any external user signed-in from a different organization like a Cloud Solution Provider (CSP).
+- Guest or external users
+ - This selection provides several choices that can be used to target Conditional Access policies to specific guest or external user types and specific tenants containing those types of users. There are [several different types of guest or external users that can be selected](../external-identities/authentication-conditional-access.md#conditional-access-for-external-users), and multiple selections can be made:
+ - B2B collaboration guest users
+ - B2B collaboration member users
+ - B2B direct connect users
+ - Local guest users, for example any user belonging to the home tenant with the user type attribute set to guest
+ - Service provider users, for example a Cloud Solution Provider (CSP)
+ - Other external users, or users not represented by the other user type selections
+ - One or more tenants can be specified for the selected user type(s), or you can specify all tenants.
- Directory roles - Allows administrators to select specific Azure AD directory roles used to determine assignment. For example, organizations may create a more restrictive policy on users assigned the Global Administrator role. - Users and groups
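Review bot: this exclude option is labelled `Guest or external users` while the matching include option added above reads `Guest or external users (preview)`; both refer to the same preview selector, so the labels should match. The rest of the bullet text is duplicated verbatim from the include section, so consider a shared include rather than two copies that must be kept in sync.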
If you do find yourself locked out, see [What to do if you're locked out of the
### External partner access
-Conditional Access policies that target external users may interfere with service provider access, for example granular delegated admin privileges [Introduction to granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction).
+Conditional Access policies that target external users may interfere with service provider access, for example granular delegated admin privileges [Introduction to granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction). For policies that are intended to target service provider tenants, use the **Service provider user** external user type available in the **Guest or external users** selection options.
## Next steps - [Conditional Access: Cloud apps or actions](concept-conditional-access-cloud-apps.md)- - [Conditional Access common policies](concept-conditional-access-policy-common.md)
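Review bot: the added sentence names the type `Service provider user` (singular) while the selector lists it as `Service provider users`; match the UI label. The pre-existing phrase `for example granular delegated admin privileges [Introduction to granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction)` runs the phrase and the link title together and needs a comma or `see` before the link.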
active-directory Howto Conditional Access Policy Authentication Strength External https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-authentication-strength-external.md
+
+ Title: Conditional Access - Authentication strength for external users - Azure Active Directory
+description: Create a custom Conditional Access policy with authentication strength to require specific multifactor authentication (MFA) methods for external users.
+++++ Last updated : 10/12/2022+++++++
+# Conditional Access: Require an authentication strength for external users
+
+Authentication strength is a Conditional Access control that lets you define a specific combination of multifactor authentication (MFA) methods that an external user must complete to access your resources. This control is especially useful for restricting external access to sensitive apps in your organization. For example, you can create a Conditional Access policy, require a phishing-resistant authentication strength in the policy, and assign it to guests and external users.
+
+Azure AD provides three [built-in authentication strengths](https://aka.ms/b2b-auth-strengths):
+
+- Multifactor authentication strength
+- Passwordless MFA strength
+- Phishing-resistant MFA strength
+
+You can use one of the built-in strengths or create a [custom authentication strength](https://aka.ms/b2b-auth-strengths) based on the authentication methods you want to require.
+
+In external user scenarios, the MFA authentication methods that a resource tenant can accept vary depending on whether the user is completing MFA in their home tenant or in the resource tenant. For details, see [Conditional Access authentication strength](https://aka.ms/b2b-auth-strengths).
+
+> [!NOTE]
+> Currently, you can only apply authentication strength policies to external users who authenticate with Azure AD. For email one-time passcode, SAML/WS-Fed, and Google federation users, use the [MFA grant control](concept-conditional-access-grant.md#require-multi-factor-authentication) to require MFA.
+## Configure cross-tenant access settings to trust MFA
+
+Authentication strength policies work together with [MFA trust settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) in your cross-tenant access settings to determine where and how the external user must perform MFA. An Azure AD user first authenticates with their own account in their home tenant. Then when this user tries to access your resource, Azure AD applies the authentication strength Conditional Access policy and checks to see if you've enabled MFA trust.
+
+- **If MFA trust is enabled**, Azure AD checks the user's authentication session for a claim indicating that MFA has been fulfilled in the user's home tenant. The table below indicates which authentication methods are acceptable for MFA fulfillment when completed in an external user's home tenant.
+- **If MFA trust is disabled**, the resource tenant presents the user with a challenge to complete MFA in the resource tenant using an acceptable authentication method. The table below shows which authentication methods are acceptable for MFA fulfillment by an external user.
+
+> [!IMPORTANT]
+> Before you create the Conditional Access policy, check your cross-tenant access settings to make sure your inbound MFA trust settings are configured as intended.
+## Choose an authentication strength
+
+Determine if one of the built-in authentication strengths will work for your scenario or if you'll need to create a custom authentication strength.
+
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths (Preview)**.
+1. Review the built-in authentication strengths to see if one of them meets your requirements.
+1. If you want to enforce a different set of authentication methods, [create a custom authentication strength](https://aka.ms/b2b-auth-strengths).
+
+> [!NOTE]
+> The authentication methods that external users can use to satisfy MFA requirements are different depending on whether the user is completing MFA in their home tenant or the resource tenant. See the table in [Conditional Access authentication strength](https://aka.ms/b2b-auth-strengths).
+
+## Create a Conditional Access policy
+
+Use the following steps to create a Conditional Access policy that applies an authentication strength to external users.
+
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users or workload identities**.
+1. Under **Include**, choose **Select users and groups**, and then select **Guest or external users**.
+
+ <!![Screenshot showing where to select guest and external user types.](media/howto-conditional-access-policy-authentication-strength-external/assignments-external-user-types.png)>
+
+1. Select the types of [guest or external users](../external-identities/authentication-conditional-access.md#assigning-conditional-access-policies-to-external-user-types-preview) you want to apply the policy to.
+
+1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
+1. Under **Cloud apps or actions**, under **Include** or **Exclude**, select any applications you want to include in or exclude from the authentication strength requirements.
+1. Under **Access controls** > **Grant**:
+ 1. Choose **Grant access**.
+ 1. Select **Require authentication strength**, and then select the built-in or custom authentication strength from the list.
+
+ ![Screenshot showing where to select an authentication strength.](media/howto-conditional-access-policy-authentication-strength-external/select-authentication-strength.png)
+
+1. Confirm your settings and set **Enable policy** to **Report-only**.
+2. Select **Create** to create to enable your policy.
+
+After you confirm your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
+
+## Next steps
+
+[Conditional Access common policies](concept-conditional-access-policy-common.md)
+
+[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
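Review bot: the first screenshot reference in the "Create a Conditional Access policy" steps is malformed: `<!![Screenshot showing where to select guest and external user types.](media/howto-conditional-access-policy-authentication-strength-external/assignments-external-user-types.png)>` wraps the image in angle brackets with a `<!!` prefix, which is neither a valid HTML comment nor a Markdown image, so it will render as literal text. Use the same form as the second screenshot, `![Screenshot showing where to select guest and external user types.](media/howto-conditional-access-policy-authentication-strength-external/assignments-external-user-types.png)`, or a proper `<!-- ... -->` comment if it is meant to be hidden. Two smaller points in the same hunk: the last step reads "Select **Create** to create to enable your policy" (drop the duplicated "to create"), and the `> [!NOTE]` and `> [!IMPORTANT]` callouts that precede the "Configure cross-tenant access settings to trust MFA" and "Choose an authentication strength" headings lack the blank line the other callouts on the page have before the next heading.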
active-directory Resilience Defaults https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/resilience-defaults.md
Previously updated : 02/25/2022 Last updated : 09/13/2022
If the required controls of a policy weren't previously satisfied, the policy is
- Sign-in risk - User risk - Country location (resolving new IP or GPS coordinates)
+- Authentication strengths
+
+When active, the Backup Authentication Service doesn't evaluate authentication methods required by [authentication strengths](../authentication/concept-authentication-strengths.md). If you used a non-phishing-resistant authentication method before an outage, during an outage you aren't be prompted for multifactor authentication even if accessing a resource protected by a Conditional Access policy with a phishing-resistant authentication strength.
## Resilience defaults enabled
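Review bot: grammar in the added paragraph: "you aren't be prompted for multifactor authentication" should read "you aren't prompted for multifactor authentication". Since this paragraph is the only place that tells an admin the Backup Authentication Service ignores authentication strength, consider stating the consequence in one direct sentence, for example that a session which previously satisfied only a non-phishing-resistant method keeps working during an outage against a resource whose policy requires a phishing-resistant strength, so the reader can weigh that against enabling resilience defaults.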
active-directory Active Directory Certificate Credentials https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/active-directory-certificate-credentials.md
To compute the assertion, you can use one of the many JWT libraries in the langu
| | | | `alg` | Should be **RS256** | | `typ` | Should be **JWT** |
-| `x5t` | Base64-encoded SHA-1 thumbprint of the X.509 certificate. For example, given an X.509 certificate hash of `84E05C1D98BCE3A5421D225B140B36E86A3D5534` (Hex), the `x5t` claim would be `hOBcHZi846VCHSJbFAs26Go9VTQ=` (Base64). |
+| `x5t` | Base64url-encoded SHA-1 thumbprint of the X.509 certificate's DER encoding. For example, given an X.509 certificate hash of `84E05C1D98BCE3A5421D225B140B36E86A3D5534` (Hex), the `x5t` claim would be `hOBcHZi846VCHSJbFAs26Go9VTQ` (Base64url). |
### Claims (payload)
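Review bot: the corrected row is right that `x5t` is the base64url encoding of the SHA-1 hash of the DER-encoded certificate, but the example value `hOBcHZi846VCHSJbFAs26Go9VTQ` happens to contain no `+` or `/`, so the only visible difference from the previous standard-base64 value is the dropped `=` padding. A reader could conclude that base64url just means "strip the padding". Consider adding a clause that base64url also maps `+` to `-` and `/` to `_`, so assertions built from thumbprints that contain those characters are not rejected.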
active-directory Active Directory Claims Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/active-directory-claims-mapping.md
-+ Last updated 06/16/2021
To run this script you need:
- password for the private key (pfx file) > [!IMPORTANT]
-> The private key must be in PKCS#12 format since Azure AD does not support other format types. Using the wrong format can result in the the error "Invalid certificate: Key value is invalid certificate" when using Microsoft Graph to PATCH the service principal with a `keyCredentials` containing the certificate info.
+> The private key must be in PKCS#12 format since Azure AD does not support other format types. Using the wrong format can result in the error "Invalid certificate: Key value is invalid certificate" when using Microsoft Graph to PATCH the service principal with a `keyCredentials` containing the certificate info.
```powershell
active-directory Config Authority https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/config-authority.md
Title: Configure identity providers (MSAL iOS/macOS) description: Learn how to use different authorities such as B2C, sovereign clouds, and guest users, with MSAL for iOS and macOS. -+
Last updated 08/28/2019-+
active-directory Custom Rbac For Developers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-rbac-for-developers.md
Last updated 08/19/2022-+ - #Customer intent: As a developer, I want to learn about custom RBAC and why I need to use it in my application.
Developers can also use [Azure AD groups](../fundamentals/active-directory-manag
### Custom data store
-App roles and groups both store information about user assignments in the Azure AD directory. Another option for managing user role information that is available to developers is to maintain the information outside of the directory in a custom data store. For example, in a SQL Database, Azure Table storage or Azure Cosmos DB Table API.
+App roles and groups both store information about user assignments in the Azure AD directory. Another option for managing user role information that is available to developers is to maintain the information outside of the directory in a custom data store. For example, in a SQL database, Azure Table storage, or Azure Cosmos DB for Table.
Using custom storage allows developers extra customization and control over how to assign roles to users and how to represent them. However, the extra flexibility also introduces more responsibility. For example, there's no mechanism currently available to include this information in tokens returned from Azure AD. If developers maintain role information in a custom data store, they'll need to have the applications retrieve the roles. Retrieving the roles is typically done using extensibility points defined in the middleware available to the platform that's being used to develop the application. Developers are responsible for properly securing the custom data store.
active-directory Customize Webviews https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/customize-webviews.md
Title: Customize browsers & WebViews (MSAL iOS/macOS) description: Learn how to customize the MSAL iOS/macOS browser experience to sign in users. -+
Last updated 08/28/2019-+
active-directory Developer Support Help Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-support-help-options.md
Title: Support and help options for Microsoft identity platform developers description: Learn where to get help and find answers to your questions as you build identity and access management (IAM) solutions that integrate with Azure Active Directory (Azure AD) and other components of the Microsoft identity platform. -+
Last updated 03/09/2022-+
active-directory Howto Authenticate Service Principal Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-authenticate-service-principal-powershell.md
multiple Previously updated : 02/22/2021 Last updated : 10/11/2021
$sp = New-AzADServicePrincipal -DisplayName exampleapp `
-EndDate $cert.NotAfter ` -StartDate $cert.NotBefore Sleep 20
-New-AzRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $sp.ApplicationId
+New-AzRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $sp.AppId
``` The example sleeps for 20 seconds to allow some time for the new service principal to propagate throughout Azure AD. If your script doesn't wait long enough, you'll see an error stating: "Principal {ID} does not exist in the directory {DIR-ID}." To resolve this error, wait a moment then run the **New-AzRoleAssignment** command again.
Whenever you sign in as a service principal, provide the tenant ID of the direct
```powershell $TenantId = (Get-AzSubscription -SubscriptionName "Contoso Default").TenantId
-$ApplicationId = (Get-AzADApplication -DisplayNameStartWith exampleapp).ApplicationId
+$ApplicationId = (Get-AzADApplication -DisplayNameStartWith exampleapp).AppId
$Thumbprint = (Get-ChildItem cert:\CurrentUser\My\ | Where-Object {$_.Subject -eq "CN=exampleappScriptCert" }).Thumbprint Connect-AzAccount -ServicePrincipal `
Param (
{ # Sleep here for a few seconds to allow the service principal application to become active (should only take a couple of seconds normally) Sleep 15
- New-AzRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $ServicePrincipal.ApplicationId | Write-Verbose -ErrorAction SilentlyContinue
+ New-AzRoleAssignment -RoleDefinitionName Reader -ServicePrincipalName $ServicePrincipal.AppId | Write-Verbose -ErrorAction SilentlyContinue
$NewRole = Get-AzRoleAssignment -ObjectId $ServicePrincipal.Id -ErrorAction SilentlyContinue $Retries++; }
The application ID and tenant ID aren't sensitive, so you can embed them directl
If you need to retrieve the application ID, use: ```powershell
-(Get-AzADApplication -DisplayNameStartWith {display-name}).ApplicationId
+(Get-AzADApplication -DisplayNameStartWith {display-name}).AppId
``` ## Change credentials
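Review bot: the `ApplicationId` to `AppId` rename is applied consistently, but the lookups feeding `New-AzRoleAssignment` and `Connect-AzAccount` still use `Get-AzADApplication -DisplayNameStartWith exampleapp`, which is a prefix match. If more than one app registration starts with that prefix the result is an array, `.AppId` expands to several values, and the Reader role assignment or the sign-in may target an unintended principal. Prefer an exact-match lookup (`Get-AzADApplication -DisplayName exampleapp`) or check that exactly one object was returned before using it. Minor: the fixed `Sleep 20` before the role assignment is a race against directory propagation; the retry loop shown later in the same file (`Get-AzRoleAssignment ... $Retries++`) is the robust pattern and the earlier snippet could point to it.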
active-directory Howto Create Service Principal Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-create-service-principal-portal.md
Previously updated : 08/26/2022 Last updated : 10/11/2022
This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with the role-based access control. When you have applications, hosted services, or automated tools that need to access or modify resources, you can create an identity for the app. This identity is known as a service principal. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.
-This article shows you how to use the portal to create the service principal in the Azure portal. It focuses on a single-tenant application where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization. You can also [use Azure PowerShell to create a service principal](howto-authenticate-service-principal-powershell.md).
+This article shows you how to use the portal to create the service principal in the Azure portal. It focuses on a single-tenant application where the application is intended to run within only one organization. You typically use single-tenant applications for line-of-business applications that run within your organization. You can also [use Azure PowerShell](howto-authenticate-service-principal-powershell.md) or the [Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli) to create a service principal.
> [!IMPORTANT] > Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are a better option for you. To learn more about managed identities for Azure resources, including which services currently support it, see [What is managed identities for Azure resources?](../managed-identities-azure-resources/overview.md).
Keep in mind, you might need to configure additional permissions on resources th
![Add access policy](./media/howto-create-service-principal-portal/add-access-policy.png) ## Next steps
-* Learn how to [use Azure PowerShell to create a service principal](howto-authenticate-service-principal-powershell.md).
+* Learn how to use [Azure PowerShell](howto-authenticate-service-principal-powershell.md) or [Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli) to create a service principal.
* To learn about specifying security policies, see [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md). * For a list of available actions that can be granted or denied to users, see [Azure Resource Manager Resource Provider operations](../../role-based-access-control/resource-provider-operations.md). * For information about working with app registrations by using **Microsoft Graph**, see the [Applications](/graph/api/resources/application) API reference.
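Review bot: the rewritten intro sentence says "portal" twice: "how to use the portal to create the service principal in the Azure portal". "This article shows you how to use the Azure portal to create the service principal" reads cleaner and matches the Azure PowerShell and Azure CLI alternatives named in the same sentence.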
active-directory Howto V2 Keychain Objc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-v2-keychain-objc.md
Title: Configure keychain description: Learn how to configure keychain so that your app can cache tokens in the keychain. -+
Last updated 08/28/2019-+
active-directory Identity Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/identity-videos.md
Title: Microsoft identity platform videos description: A list of videos about modern authentication and the Microsoft identity platform -+
Last updated 08/03/2020-+
active-directory Migrate Adal Msal Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-adal-msal-java.md
Title: ADAL to MSAL migration guide (MSAL4j) description: Learn how to migrate your Azure Active Directory Authentication Library (ADAL) Java app to the Microsoft Authentication Library (MSAL). -+
Java Last updated 11/04/2019-+ #Customer intent: As a Java application developer, I want to learn how to migrate my v1 ADAL app to v2 MSAL.
active-directory Migrate Android Adal Msal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-android-adal-msal.md
Title: ADAL to MSAL migration guide for Android description: Learn how to migrate your Azure Active Directory Authentication Library (ADAL) Android app to the Microsoft Authentication Library (MSAL). -+
Android Last updated 10/14/2020-+ # Customer intent: As an Android application developer, I want to learn how to migrate my v1 ADAL app to v2 MSAL.
active-directory Migrate Objc Adal Msal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-objc-adal-msal.md
Title: ADAL to MSAL migration guide (MSAL iOS/macOS) description: Learn the differences between MSAL for iOS/macOS and the Azure AD Authentication Library for ObjectiveC (ADAL.ObjC) and how to migrate to MSAL for iOS/macOS. -+
Last updated 08/28/2019-+ #Customer intent: As an application developer, I want to learn about the differences between the Objective-C ADAL and MSAL for iOS and macOS libraries so I can migrate my applications to MSAL for iOS and macOS.
active-directory Migrate Spa Implicit To Auth Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-spa-implicit-to-auth-code.md
Title: Migrate JavaScript single-page app from implicit grant to authorization code flow description: How to update a JavaScript SPA using MSAL.js 1.x and the implicit grant flow to MSAL.js 2.x and the authorization code flow with PKCE and CORS support. -+ Last updated 07/17/2020-+
active-directory Mobile App Quickstart Portal Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/mobile-app-quickstart-portal-android.md
Title: "Quickstart: Add sign in with Microsoft to an Android app" description: In this quickstart, learn how Android applications can call an API that requires access tokens issued by the Microsoft identity platform. -+
Last updated 02/15/2022 -+ #Customer intent: As an application developer, I want to learn how Android native apps can call protected APIs that require login and access tokens using the Microsoft identity platform.
active-directory Mobile App Quickstart Portal Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/mobile-app-quickstart-portal-ios.md
Title: "Quickstart: Add sign in with Microsoft to an iOS or macOS app" description: In this quickstart, learn how an iOS or macOS app can sign in users, get an access token from the Microsoft identity platform, and call the Microsoft Graph API. -+
Last updated 02/15/2022 -+ #Customer intent: As an application developer, I want to learn how to sign in users and call Microsoft Graph from my iOS or macOS application.
active-directory Msal Acquire Cache Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-acquire-cache-tokens.md
Title: Acquire and cache tokens with Microsoft Authentication Library (MSAL) description: Learn about acquiring and caching tokens using MSAL. -+
Last updated 03/22/2022-+ #Customer intent: As an application developer, I want to learn about acquiring and caching tokens so my app can support authentication and authorization.
active-directory Msal Android Handling Exceptions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-android-handling-exceptions.md
Title: Errors and exceptions (MSAL Android) description: Learn how to handle errors and exceptions, Conditional Access, and claims challenges in MSAL Android applications. -+
Last updated 08/07/2020-+
active-directory Msal Android Shared Devices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-android-shared-devices.md
Title: Shared device mode for Android devices description: Learn how to enable shared device mode to allow frontline workers to share an Android device -+
Last updated 09/30/2021-+
active-directory Msal Android Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-android-single-sign-on.md
Title: How to enable cross-app SSO on Android using MSAL description: How to use the Microsoft Authentication Library (MSAL) for Android to enable single sign-on across your applications. -+
android
ms.devlang: java Last updated 10/15/2020-+
active-directory Msal Authentication Flows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-authentication-flows.md
Title: Authentication flow support in the Microsoft Authentication Library (MSAL) description: Learn about the authorization grants and authentication flows supported by MSAL. -+
Last updated 03/22/2022-+ # Customer intent: As an application developer, I want to learn about the authentication flows supported by MSAL.
active-directory Msal Client Application Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-client-application-configuration.md
Title: Client application configuration (MSAL) description: Learn about configuration options for public client and confidential client applications using the Microsoft Authentication Library (MSAL). -+
Last updated 07/15/2022-+ #Customer intent: As an application developer, I want to learn about the types of client applications so I can decide if this platform meets my app development needs.
active-directory Msal Client Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-client-applications.md
Title: Public and confidential client apps (MSAL) description: Learn about public client and confidential client applications in the Microsoft Authentication Library (MSAL). -+
Last updated 10/26/2021-+ #Customer intent: As an application developer, I want to learn about the types of client apps so I can decide if this platform meets my app development requirements.
active-directory Msal Compare Msal Js And Adal Js https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md
Title: "Migrate your JavaScript application from ADAL.js to MSAL.js" description: How to update your existing JavaScript application to use the Microsoft Authentication Library (MSAL) for authentication and authorization instead of the Active Directory Authentication Library (ADAL). -+
Last updated 07/06/2021-+ #Customer intent: As an application developer, I want to learn how to change the code in my JavaScript application from using ADAL.js as its authentication library to MSAL.js.
active-directory Msal Differences Ios Macos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-differences-ios-macos.md
Title: MSAL for iOS & macOS differences description: Describes the Microsoft Authentication Library (MSAL) usage differences between iOS and macOS. -+
Last updated 08/28/2019-+ #Customer intent: As an application developer, I want to learn about the Microsoft Authentication Library for macOS and iOS differences so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Error Handling Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-error-handling-ios.md
Title: Handle errors and exceptions in MSAL for iOS/macOS description: Learn how to handle errors and exceptions, Conditional Access claims challenges, and retries in MSAL for iOS/macOS applications. -+
Last updated 11/26/2020-+
active-directory Msal Error Handling Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-error-handling-java.md
Title: Handle errors and exceptions in MSAL4J description: Learn how to handle errors and exceptions, Conditional Access claims challenges, and retries in MSAL4J applications. -+
Last updated 11/27/2020-+
active-directory Msal Error Handling Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-error-handling-python.md
Title: Handle errors and exceptions in MSAL for Python description: Learn how to handle errors and exceptions, Conditional Access claims challenges, and retries in MSAL for Python applications. -+
Last updated 11/26/2020-+
active-directory Msal Java Adfs Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-java-adfs-support.md
Title: AD FS support (MSAL for Java) description: Learn about Active Directory Federation Services (AD FS) support in the Microsoft Authentication Library for Java (MSAL4j). -+
Last updated 11/21/2019-+ #Customer intent: As an application developer, I want to learn about AD FS support in MSAL for Java so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Java Get Remove Accounts Token Cache https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-java-get-remove-accounts-token-cache.md
Title: Get & remove accounts from the token cache (MSAL4j) description: Learn how to view and remove accounts from the token cache using the Microsoft Authentication Library for Java. -+
Last updated 11/07/2019-+ #Customer intent: As an application developer using the Microsoft Authentication Library for Java (MSAL4J), I want to learn how to get and remove accounts stored in the token cache.
active-directory Msal Java Token Cache Serialization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-java-token-cache-serialization.md
Title: Custom token cache serialization (MSAL4j) description: Learn how to serialize the token cache for MSAL for Java -+
Last updated 11/07/2019-+ #Customer intent: As an application developer using the Microsoft Authentication Library for Java (MSAL4J), I want to learn how to persist the token cache so that it is available to a new instance of my application.
active-directory Msal Js Avoid Page Reloads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-avoid-page-reloads.md
Title: Avoid page reloads (MSAL.js) description: Learn how to avoid page reloads when acquiring and renewing tokens silently using the Microsoft Authentication Library for JavaScript (MSAL.js). -+
Last updated 05/29/2019-+ #Customer intent: As an application developer, I want to learn about avoiding page reloads so I can create more robust applications.
active-directory Msal Js Initializing Client Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-initializing-client-applications.md
Title: Initialize MSAL.js client apps description: Learn about initializing client applications using the Microsoft Authentication Library for JavaScript (MSAL.js). -+
Last updated 10/21/2021-+ # Customer intent: As an application developer, I want to learn about initializing a client application in MSAL.js to enable support for authentication and authorization in a JavaScript single-page application (SPA).
active-directory Msal Js Known Issues Ie Edge Browsers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-known-issues-ie-edge-browsers.md
Title: Issues on Internet Explorer & Microsoft Edge (MSAL.js) description: Learn about know issues when using the Microsoft Authentication Library for JavaScript (MSAL.js) with Internet Explorer and Microsoft Edge browsers. -+
Last updated 05/18/2020-+ #Customer intent: As an application developer, I want to learn about issues with MSAL.js library so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Js Pass Custom State Authentication Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-pass-custom-state-authentication-request.md
Title: Pass custom state in authentication requests (MSAL.js) description: Learn how to pass a custom state parameter value in authentication request using the Microsoft Authentication Library for JavaScript (MSAL.js). -+
Last updated 01/16/2020-+ #Customer intent: As an application developer, I want to learn about passing custom state in authentication requests so I can create more robust applications.
active-directory Msal Js Prompt Behavior https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-prompt-behavior.md
Title: Prompt behavior with MSAL.js description: Learn to customize prompt behavior using the Microsoft Authentication Library for JavaScript (MSAL.js). -+
Last updated 04/24/2019-+ #Customer intent: As an application developer, I want to learn about customizing the UI prompt behaviors in MSAL.js library so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Js Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-sso.md
Title: Single sign-on (MSAL.js) description: Learn about building single sign-on experiences using the Microsoft Authentication Library for JavaScript (MSAL.js). -+
Last updated 10/25/2021-+ #Customer intent: As an application developer, I want to learn about enabling single sign on experiences with MSAL.js library so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Js Use Ie Browser https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-use-ie-browser.md
Title: Issues on Internet Explorer (MSAL.js) description: Use the Microsoft Authentication Library for JavaScript (MSAL.js) with Internet Explorer browser. -+
Last updated 12/01/2021-+ #Customer intent: As an application developer, I want to learn about issues with MSAL.js library so I can decide if this platform meets my application development needs and requirements.
active-directory Msal Logging Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-logging-android.md
Title: Logging errors and exceptions in MSAL for Android. description: Learn how to log errors and exceptions in MSAL for Android. -+
Last updated 01/25/2021-+
active-directory Msal Logging Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-logging-ios.md
Title: Logging errors and exceptions in MSAL for iOS/macOS description: Learn how to log errors and exceptions in MSAL for iOS/macOS -+
Last updated 01/25/2021-+
active-directory Msal Logging Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-logging-java.md
Title: Logging errors and exceptions in MSAL for Java description: Learn how to log errors and exceptions in MSAL for Java -+
Last updated 01/25/2021-+
active-directory Msal Logging Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-logging-python.md
Title: Logging errors and exceptions in MSAL for Python description: Learn how to log errors and exceptions in MSAL for Python -+
Last updated 01/25/2021-+
active-directory Msal Net Migration Android Broker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-migration-android-broker.md
Title: Migrate Xamarin Android apps using brokers to MSAL.NET description: Learn how to migrate Xamarin Android apps that use the Microsoft Authenticator or Intune Company Portal from ADAL.NET to MSAL.NET.-+
Last updated 08/31/2020-+ #Customer intent: As an application developer, I want to learn how to migrate my Xamarin Android applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET.
active-directory Msal Net System Browser Android Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-system-browser-android-considerations.md
Title: Xamarin Android system browser considerations (MSAL.NET) description: Learn about considerations for using system browsers on Xamarin Android with the Microsoft Authentication Library for .NET (MSAL.NET). -+
Last updated 10/30/2019-+ #Customer intent: As an application developer, I want to learn about considerations for using Xamarin Android and MSAL.NET so I can decide if this platform meets my application development needs.
We recommend that you use browsers that support custom tabs. Here are some examp
|Kiwi | com.kiwibrowser.browser| |Brave | com.brave.browser|
-In addition to identifying browsers that offer custom tabs support, our testing indicates that a few browsers that don't support custom tabs also work for authentication. These browsers include Opera, Opera Mini, InBrowser, and Maxthon.
+In addition to identifying browsers that offer custom tabs support, our testing indicates that a few browsers that don't support custom tabs also work for authentication. These browsers include Opera, Opera Mini, InBrowser, and Maxthon.
## Tested devices and browsers The following table lists the devices and browsers that have been tested for authentication compatibility.
-| Device | Browser | Result |
+| Device | Browser | Result |
| - |:-:|:--:| | Huawei/One+ | Chrome\* | Pass| | Huawei/One+ | Edge\* | Pass|
The following table lists the devices and browsers that have been tested for aut
## Known issues
-If the user has no browser enabled on the device, MSAL.NET will throw an `AndroidActivityNotFound` exception.
+If the user has no browser enabled on the device, MSAL.NET will throw an `AndroidActivityNotFound` exception.
- **Mitigation**: Ask the user to enable a browser on their device. Recommend a browser that supports custom tabs.
-If authentication fails (for example, if authentication launches with DuckDuckGo), MSAL.NET will return `AuthenticationCanceled MsalClientException`.
- - **Root problem**: A browser that supports custom tabs wasn't enabled on the device. Authentication launched with a browser that couldn't complete authentication.
+If authentication fails (for example, if authentication launches with DuckDuckGo), MSAL.NET will return `AuthenticationCanceled MsalClientException`.
+ - **Root problem**: A browser that supports custom tabs wasn't enabled on the device. Authentication launched with a browser that couldn't complete authentication.
- **Mitigation**: Ask the user to enable a browser on their device. Recommend a browser that supports custom tabs. ## Next steps
-For more information and code examples, see [Choosing between an embedded web browser and a system browser on Xamarin Android](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/MSAL.NET-uses-web-browser#choosing-between-embedded-web-browser-or-system-browser-on-xamarinandroid) and [Embedded versus system web UI](msal-net-web-browsers.md#embedded-vs-system-web-ui).
+For more information and code examples, see [Choosing between an embedded web browser and a system browser on Xamarin Android](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/MSAL.NET-uses-web-browser#choosing-between-embedded-web-browser-or-system-browser-on-xamarinandroid) and [Embedded versus system web UI](msal-net-web-browsers.md#embedded-vs-system-web-ui).
active-directory Msal Net User Gets Consent For Multiple Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources.md
Title: Get consent for several resources (MSAL.NET) description: Learn how a user can get pre-consent for several resources using the Microsoft Authentication Library for .NET (MSAL.NET). -+
Last updated 04/30/2019-+ #Customer intent: As an application developer, I want to learn how to specify additional scopes so I can get pre-consent for several resources.
active-directory Msal Net Uwp Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-uwp-considerations.md
Title: UWP considerations (MSAL.NET) description: Learn about considerations for using Universal Windows Platform (UWP) with the Microsoft Authentication Library for .NET (MSAL.NET). -+
Last updated 03/03/2021-+ #Customer intent: As an application developer, I want to learn about considerations for using Universal Windows Platform and MSAL.NET so that I can decide if this platform meets my application development needs.
For more information, see [Web authentication broker - Fiddler](/windows/uwp/sec
## Next steps The following samples provide more information.
-Sample | Platform | Description
+Sample | Platform | Description
| | -- | --| |[`active-directory-dotnet-native-uwp-v2`](https://github.com/azure-samples/active-directory-dotnet-native-uwp-v2) | UWP | A UWP client application that uses MSAL.NET. It accesses Microsoft Graph for a user who authenticates by using an Azure AD 2.0 endpoint. <br>![Topology](media/msal-net-uwp-considerations/topology-native-uwp.png)| |[`active-directory-xamarin-native-v2`](https://github.com/Azure-Samples/active-directory-xamarin-native-v2) | Xamarin iOS, Android, UWP | A Xamarin Forms app that shows how to use MSAL to authenticate Microsoft personal accounts and Azure AD via the Microsoft identity platform. It also shows how to access Microsoft Graph and shows the resulting token. <br>![Diagram that shows how to use MSAL to authenticate Microsoft personal accounts and Azure AD via the Microsoft identity platform.](media/msal-net-uwp-considerations/topology-xamarin-native.png)|
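Review bot: the delimiter row under `Sample | Platform | Description` is `| | -- | --|`, whose first cell is blank; GitHub-flavored Markdown requires at least one hyphen in every delimiter cell, so spec-following renderers will not recognise the line above as a table header. Suggest `| -- | -- | -- |`, and a leading `|` on the header line to match the data rows.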
active-directory Msal Net Web Browsers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-web-browsers.md
Title: Using web browsers (MSAL.NET) description: Learn about specific considerations when using Xamarin Android with the Microsoft Authentication Library for .NET (MSAL.NET). -+
Last updated 05/18/2020-+ #Customer intent: As an application developer, I want to learn about web browsers MSAL.NET so I can decide if this platform meets my application development needs and requirements.
By default, MSAL.NET supports the system web browser on Xamarin.iOS, Xamarin.And
Using the system browser has the significant advantage of sharing the SSO state with other applications and with web applications without needing a broker (Company portal / Authenticator). The system browser was used, by default, in MSAL.NET for the Xamarin iOS and Xamarin Android platforms because, on these platforms, the system web browser occupies the whole screen, and the user experience is better. The system web view isn't distinguishable from a dialog. On iOS, though, the user might have to give consent for the browser to call back the application, which can be annoying.
-## System browser experience on .NET
+## System browser experience on .NET
On .NET Core, MSAL.NET will start the system browser as a separate process. MSAL.NET doesn't have control over this browser, but once the user finishes authentication, the web page is redirected in such a way that MSAL.NET can intercept the URI.
To enable the system browser:
IPublicClientApplication pca = PublicClientApplicationBuilder .Create("<CLIENT_ID>") // or use a known port if you wish "http://localhost:1234"
- .WithRedirectUri("http://localhost")
+ .WithRedirectUri("http://localhost")
.Build(); ```
On macOS, the browser is opened by invoking `open <url>`.
MSAL.NET can respond with an HTTP message or HTTP redirect when a token is received or an error occurs. ```csharp
-var options = new SystemWebViewOptions()
+var options = new SystemWebViewOptions()
{ HtmlMessageError = "<p> An error occurred: {0}. Details {1}</p>", BrowserRedirectSuccess = new Uri("https://www.microsoft.com");
await pca.AcquireTokenInteractive(s_scopes)
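Review bot: the object initializer in this hunk's context ends with `BrowserRedirectSuccess = new Uri("https://www.microsoft.com");`, a semicolon inside the braces, which does not compile in C#; initializer members are comma-separated and the semicolon belongs after the closing brace, i.e. `BrowserRedirectSuccess = new Uri("https://www.microsoft.com")` followed by `};`. Since the hunk only touches whitespace on the `var options = new SystemWebViewOptions()` line, this is a good moment to fix the snippet as well.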
You may customize the way MSAL.NET opens the browser. For example instead of using whatever browser is the default, you can force open a specific browser: ```csharp
-var options = new SystemWebViewOptions()
+var options = new SystemWebViewOptions()
{ OpenBrowserAsync = SystemWebViewOptions.OpenWithEdgeBrowserAsync }
For desktop applications, however, launching a System Webview leads to a subpar
## Enable embedded webviews on iOS and Android
-You can also enable embedded webviews in Xamarin.iOS and Xamarin.Android apps. Starting with MSAL.NET 2.0.0-preview, MSAL.NET also supports using the **embedded** webview option.
+You can also enable embedded webviews in Xamarin.iOS and Xamarin.Android apps. Starting with MSAL.NET 2.0.0-preview, MSAL.NET also supports using the **embedded** webview option.
As a developer using MSAL.NET targeting Xamarin, you may choose to use either embedded webviews or system browsers. This is your choice depending on the user experience and security concerns you want to target.
active-directory Msal Net Xamarin Android Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-xamarin-android-considerations.md
Title: Xamarin Android code configuration and troubleshooting (MSAL.NET) description: Learn about considerations for using Xamarin Android with the Microsoft Authentication Library for .NET (MSAL.NET). -+
Last updated 08/28/2020-+ #Customer intent: As an application developer, I want to learn about special requirements for using Xamarin Android and MSAL.NET.
protected override void OnActivityResult(int requestCode,
} ```
-## Update the Android manifest for System WebView support
+## Update the Android manifest for System WebView support
To support System WebView, the *AndroidManifest.xml* file should contain the following values:
Xamarin.Forms 4.3.x generates code that sets the `package` attribute to `com.com
## Android 11 support
-To use the system browser and brokered authentication in Android 11, you must first declare these packages, so they are visible to the app. Apps that target Android 10 (API 29) and earlier can query the OS for a list of packages that are available on the device at any given time. To support privacy and security, Android 11 reduces package visibility to a default list of OS packages and the packages that are specified in the app's *AndroidManifest.xml* file.
+To use the system browser and brokered authentication in Android 11, you must first declare these packages, so they are visible to the app. Apps that target Android 10 (API 29) and earlier can query the OS for a list of packages that are available on the device at any given time. To support privacy and security, Android 11 reduces package visibility to a default list of OS packages and the packages that are specified in the app's *AndroidManifest.xml* file.
To enable the application to authenticate by using both the system browser and the broker, add the following section to *AndroidManifest.xml*:
To enable the application to authenticate by using both the system browser and t
<action android:name="android.support.customtabs.action.CustomTabsService" /> </intent> </queries>
-```
+```
-Replace `{Package Name}` with the application package name.
+Replace `{Package Name}` with the application package name.
Your updated manifest, which now includes support for the system browser and brokered authentication, should look similar to this example: ```xml <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" package="com.companyname.XamarinDev">
- <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30" />
- <uses-permission android:name="android.permission.INTERNET" />
- <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
- <application android:theme="@android:style/Theme.NoTitleBar">
- <activity android:name="microsoft.identity.client.BrowserTabActivity" android:configChanges="orientation|screenSize">
- <intent-filter>
- <action android:name="android.intent.action.VIEW" />
- <category android:name="android.intent.category.DEFAULT" />
- <category android:name="android.intent.category.BROWSABLE" />
- <data android:scheme="msal4a1aa1d5-c567-49d0-ad0b-cd957a47f842" android:host="auth" />
- </intent-filter>
- <intent-filter>
- <action android:name="android.intent.action.VIEW" />
- <category android:name="android.intent.category.DEFAULT" />
- <category android:name="android.intent.category.BROWSABLE" />
- <data android:scheme="msauth" android:host="com.companyname.XamarinDev" android:path="/Fc4l/5I4mMvLnF+l+XopDuQ2gEM=" />
- </intent-filter>
- </activity>
- </application>
- <!-- Required for API Level 30 to make sure we can detect browsers and other apps we want to
+ <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30" />
+ <uses-permission android:name="android.permission.INTERNET" />
+ <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
+ <application android:theme="@android:style/Theme.NoTitleBar">
+ <activity android:name="microsoft.identity.client.BrowserTabActivity" android:configChanges="orientation|screenSize">
+ <intent-filter>
+ <action android:name="android.intent.action.VIEW" />
+ <category android:name="android.intent.category.DEFAULT" />
+ <category android:name="android.intent.category.BROWSABLE" />
+ <data android:scheme="msal4a1aa1d5-c567-49d0-ad0b-cd957a47f842" android:host="auth" />
+ </intent-filter>
+ <intent-filter>
+ <action android:name="android.intent.action.VIEW" />
+ <category android:name="android.intent.category.DEFAULT" />
+ <category android:name="android.intent.category.BROWSABLE" />
+ <data android:scheme="msauth" android:host="com.companyname.XamarinDev" android:path="/Fc4l/5I4mMvLnF+l+XopDuQ2gEM=" />
+ </intent-filter>
+ </activity>
+ </application>
+ <!-- Required for API Level 30 to make sure we can detect browsers and other apps we want to
be able to talk to.-->
- <!--https://developer.android.com/training/basics/intents/package-visibility-use-cases-->
- <queries>
- <package android:name="com.azure.authenticator" />
- <package android:name="com.companyname.xamarindev" />
- <package android:name="com.microsoft.windowsintune.companyportal" />
- <!-- Required for API Level 30 to make sure we can detect browsers
+ <!--https://developer.android.com/training/basics/intents/package-visibility-use-cases-->
+ <queries>
+ <package android:name="com.azure.authenticator" />
+ <package android:name="com.companyname.xamarindev" />
+ <package android:name="com.microsoft.windowsintune.companyportal" />
+ <!-- Required for API Level 30 to make sure we can detect browsers
(that don't support custom tabs) -->
- <intent>
- <action android:name="android.intent.action.VIEW" />
- <category android:name="android.intent.category.BROWSABLE" />
- <data android:scheme="https" />
- </intent>
- <!-- Required for API Level 30 to make sure we can detect browsers that support custom tabs -->
- <!-- https://developers.google.com/web/updates/2020/07/custom-tabs-android-11#detecting_browsers_that_support_custom_tabs -->
- <intent>
- <action android:name="android.support.customtabs.action.CustomTabsService" />
- </intent>
- </queries>
+ <intent>
+ <action android:name="android.intent.action.VIEW" />
+ <category android:name="android.intent.category.BROWSABLE" />
+ <data android:scheme="https" />
+ </intent>
+ <!-- Required for API Level 30 to make sure we can detect browsers that support custom tabs -->
+ <!-- https://developers.google.com/web/updates/2020/07/custom-tabs-android-11#detecting_browsers_that_support_custom_tabs -->
+ <intent>
+ <action android:name="android.support.customtabs.action.CustomTabsService" />
+ </intent>
+ </queries>
</manifest> ```
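Review bot: the re-indented manifest spells the app's own package two ways: `package="com.companyname.XamarinDev"` and `android:host="com.companyname.XamarinDev"` in the msauth intent filter, but `<package android:name="com.companyname.xamarindev" />` inside `<queries>`. Android package names are case-sensitive, so the `<queries>` entry should use the same spelling as the `package` attribute; the instruction above to replace `{Package Name}` with the application package name also reads more clearly when the example uses one spelling throughout.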
active-directory Msal Net Xamarin Ios Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-xamarin-ios-considerations.md
Title: Xamarin iOS considerations (MSAL.NET) description: Learn about considerations for using Xamarin iOS with the Microsoft Authentication Library for .NET (MSAL.NET). -+
Last updated 09/09/2020-+ #Customer intent: As an application developer, I want to learn about considerations for using Xamarin iOS and MSAL.NET.
For more information, see the [iOS entitlements documentation](https://developer
#### Troubleshooting KeyChain access
-If you get an error message similar to "The application cannot access the iOS keychain for the application publisher (the TeamId is null)", this means MSAL is not able to access the KeyChain. This is a configuration issue. To troubleshoot, try to access the KeyChain on your own, for example:
+If you get an error message similar to "The application cannot access the iOS keychain for the application publisher (the TeamId is null)", this means MSAL is not able to access the KeyChain. This is a configuration issue. To troubleshoot, try to access the KeyChain on your own, for example:
```csharp var queryRecord = new SecRecord(SecKind.GenericPassword)
active-directory Msal Node Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-node-migration.md
Title: "Migrate your Node.js application from ADAL to MSAL" description: How to update your existing Node.js application to use the Microsoft Authentication Library (MSAL) for authentication and authorization instead of the Active Directory Authentication Library (ADAL). -+
Last updated 04/26/2021-+ #Customer intent: As an application developer, I want to learn how to change the code in my Node.js application from using ADAL as its authentication library to MSAL.
active-directory Msal Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-overview.md
Title: Learn about MSAL description: The Microsoft Authentication Library (MSAL) enables application developers to acquire tokens in order to call secured web APIs. These web APIs can be the Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL supports multiple application architectures and platforms. -+
Last updated 09/20/2022-+ #Customer intent: As an application developer, I want to learn about the Microsoft Authentication Library so I can decide if this platform meets my application development needs and requirements.
active-directory Msal V1 App Scopes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-v1-app-scopes.md
Title: Scopes for v1.0 apps (MSAL) description: Learn about the scopes for a v1.0 application using the Microsoft Authentication Library (MSAL). -+
Last updated 11/25/2019-+ #Customer intent: As an application developer, I want to learn scopes for a v1.0 application so I can decide if this platform meets my application development needs and requirements.
active-directory Quickstart Configure App Access Web Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-configure-app-access-web-apis.md
Title: "Quickstart: Configure an app to access a web API" description: In this quickstart, you configure an app registration representing a web API in the Microsoft identity platform to enable scoped resource access (permissions) to client applications. -+ Last updated 05/05/2022-+ #Customer intent: As an application developer, I want to know how to configure my web API's app registration with permissions client applications can use to obtain scoped access to the API.
active-directory Quickstart Configure App Expose Web Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-configure-app-expose-web-apis.md
Title: "Quickstart: Register and expose a web API" description: In this quickstart, your register a web API with the Microsoft identity platform and configure its scopes, exposing it to clients for permissions-based access to the API's resources. -+ Last updated 03/25/2022-+ #Customer intent: As an application developer, I need learn to how to register my web API with the Microsoft identity platform and expose permissions (scopes) to make the API's resources available to users of my client application.
active-directory Quickstart Register App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-register-app.md
Title: "Quickstart: Register an app in the Microsoft identity platform" description: In this quickstart, you learn how to register an application with the Microsoft identity platform. -+ Last updated 01/13/2022-+ #Customer intent: As developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue ID and/or access tokens to client applications that request them.
active-directory Quickstart V2 Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-android.md
Title: "Quickstart: Add sign in with Microsoft to an Android app" description: In this quickstart, learn how Android applications can call an API that requires access tokens issued by the Microsoft identity platform. -+
Last updated 01/14/2022 -+ #Customer intent: As an application developer, I want to learn how Android native apps can call protected APIs that require login and access tokens using the Microsoft identity platform.
active-directory Quickstart V2 Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-ios.md
Title: "Quickstart: Add sign in with Microsoft to an iOS or macOS app" description: In this quickstart, learn how an iOS or macOS app can sign in users, get an access token from the Microsoft identity platform, and call the Microsoft Graph API. -+
Last updated 01/14/2022 -+ #Customer intent: As an application developer, I want to learn how to sign in users and call Microsoft Graph from my iOS or macOS application.
active-directory Quickstart V2 Java Daemon https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-java-daemon.md
Title: "Quickstart: Call Microsoft Graph from a Java daemon" description: In this quickstart, you learn how a Java app can get an access token and call an API protected by Microsoft identity platform endpoint, using the app's own identity -+
Last updated 01/10/2022 -+ #Customer intent: As an application developer, I want to learn how my Java app can get an access token and call an API that's protected by Microsoft identity platform endpoint using client credentials flow.
active-directory Quickstart V2 Java Webapp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-java-webapp.md
Title: "Quickstart: Add sign-in with Microsoft to a Java web app" description: In this quickstart, you'll learn how to add sign-in with Microsoft to a Java web application by using OpenID Connect. -+
Last updated 11/22/2021 -+ # Quickstart: Add sign-in with Microsoft to a Java web app
active-directory Quickstart V2 Javascript Auth Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-javascript-auth-code.md
Title: "Quickstart: Sign in users in JavaScript single-page apps (SPA) with auth code" description: In this quickstart, learn how a JavaScript single-page application (SPA) can sign in users of personal accounts, work accounts, and school accounts by using the authorization code flow. -+
Last updated 11/12/2021 -+ #Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform so that my JavaScript app can sign in users of personal accounts, work accounts, and school accounts.
active-directory Quickstart V2 Javascript https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-javascript.md
Title: "Quickstart: Sign in users in JavaScript single-page apps" description: In this quickstart, you learn how a JavaScript app can call an API that requires access tokens issued by the Microsoft identity platform. -+ Last updated 04/11/2019-+ #Customer intent: As an app developer, I want to learn how to get access tokens by using the Microsoft identity platform so that my JavaScript app can sign in users of personal accounts, work accounts, and school accounts.
active-directory Quickstart V2 Nodejs Console https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-nodejs-console.md
Title: "Quickstart: Call Microsoft Graph from a Node.js console app" description: In this quickstart, you download and run a code sample that shows how a Node.js console application can get an access token and call an API protected by a Microsoft identity platform endpoint, using the app's own identity -+ Last updated 01/10/2022 -+ #Customer intent: As an application developer, I want to learn how my Node.js app can get an access token and call an API that is protected by a Microsoft identity platform endpoint using client credentials flow.
active-directory Quickstart V2 Nodejs Desktop https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-nodejs-desktop.md
Title: "Quickstart: Call Microsoft Graph from a Node.js desktop app" description: In this quickstart, you learn how a Node.js Electron desktop application can sign-in users and get an access token to call an API protected by a Microsoft identity platform endpoint -+ Last updated 01/14/2022 -+ #Customer intent: As an application developer, I want to learn how my Node.js Electron desktop application can get an access token and call an API that's protected by a Microsoft identity platform endpoint.
active-directory Quickstart V2 Nodejs Webapp Msal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-nodejs-webapp-msal.md
Title: "Quickstart: Add authentication to a Node.js web app with MSAL Node" description: In this quickstart, you learn how to implement authentication with a Node.js web app and the Microsoft Authentication Library (MSAL) for Node.js. -+
Last updated 11/22/2021 -+ #Customer intent: As an application developer, I want to know how to set up authentication in a web application built using Node.js and MSAL Node.
active-directory Redirect Uris Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/redirect-uris-ios.md
Title: Use redirect URIs with MSAL (iOS/macOS) description: Learn about the differences between the Microsoft Authentication Library for ObjectiveC (MSAL for iOS and macOS) and Azure AD Authentication Library for ObjectiveC (ADAL.ObjC) and how to migrate between them. -+
Last updated 08/28/2019-+ #Customer intent: As an application developer, I want to learn about how to use redirect URIs.
active-directory Reference Aadsts Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-aadsts-error-codes.md
Previously updated : 08/10/2022 Last updated : 10/10/2022
The `error` field has several possible values - review the protocol documentatio
| AADSTS90020 | The SAML 1.1 Assertion is missing ImmutableID of the user. Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.| | AADSTS90022 | AuthenticatedInvalidPrincipalNameFormat - The principal name format isn't valid, or doesn't meet the expected `name[/host][@realm]` format. The principal name is required, host and realm are optional and may be set to null. | | AADSTS90023 | InvalidRequest - The authentication service request isn't valid. |
+| AADSTS900236| InvalidRequestSamlPropertyUnsupported- The SAML authentication request property '{propertyName}' is not supported and must not be set.
| AADSTS9002313 | InvalidRequest - Request is malformed or invalid. - The issue here is because there was something wrong with the request to a certain endpoint. The suggestion to this issue is to get a fiddler trace of the error occurring and looking to see if the request is actually properly formatted or not. | | AADSTS9002332 | Application '{principalId}'({principalName}) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request. | | AADSTS90024 | RequestBudgetExceededError - A transient error has occurred. Try again. |
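Review bot: the new AADSTS900236 row is the only row in this table without a closing `|`, and `InvalidRequestSamlPropertyUnsupported- The` lacks the space before the dash that the neighbouring rows use (`InvalidRequest - The authentication service request isn't valid. |`); add the trailing pipe and the space to match the `Name - Description |` pattern. The surrounding rows are ordered as strings (90023, 9002313, 9002332, 90024), which would place 900236 after AADSTS9002332 rather than before AADSTS9002313.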
active-directory Reference V2 Libraries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-v2-libraries.md
Title: Microsoft identity platform authentication libraries description: List of client libraries and middleware compatible with the Microsoft identity platform. Use these libraries to add support for user sign-in (authentication) and protected web API access (authorization) to your applications. -+
Last updated 03/30/2021-+ # Customer intent: As a developer, I want to know whether there's a Microsoft Authentication Library (MSAL) available for the language/framework I'm using to build my application, and whether the library is GA or in preview.
active-directory Request Custom Claims https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/request-custom-claims.md
Title: Request custom claims (MSAL iOS/macOS) description: Learn how to request custom claims. -+
Last updated 08/26/2019-+
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sample-v2-code.md
Title: Code samples for Microsoft identity platform authentication and authorization description: An index of Microsoft-maintained code samples demonstrating authentication and authorization in several application types, development languages, and frameworks. -+
Last updated 03/29/2022-+
active-directory Scenario Daemon Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-daemon-acquire-token.md
Don't call `AcquireTokenSilent` before you call `AcquireTokenForClient`, because
# [Java](#tab/java)
-This code is extracted from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/confidential-client/).
+This code is extracted from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/tree/dev/msal4j-sdk/src/samples/confidential-client/).
```Java private static IAuthenticationResult acquireToken() throws Exception {
active-directory Scenario Desktop Acquire Token Device Code Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-desktop-acquire-token-device-code-flow.md
Previously updated : 08/25/2021 Last updated : 10/07/2022 #Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
private static async Task<AuthenticationResult> AcquireByDeviceCodeAsync(IPublic
# [Java](#tab/java)
-This extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
+This extract is from the [MSAL Java code samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/msal4j-sdk/src/samples/public-client/DeviceCodeFlow.java).
```java
-private static IAuthenticationResult acquireTokenDeviceCode() throws Exception {
-
- // Load token cache from file and initialize token cache aspect. The token cache will have
- // dummy data, so the acquireTokenSilently call will fail.
- TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
-
- PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
- .authority(AUTHORITY)
- .setTokenCacheAccessAspect(tokenCacheAspect)
- .build();
-
- Set<IAccount> accountsInCache = pca.getAccounts().join();
- // Take first account in the cache. In a production application, you would filter
- // accountsInCache to get the right account for the user authenticating.
- IAccount account = accountsInCache.iterator().next();
-
- IAuthenticationResult result;
- try {
- SilentParameters silentParameters =
- SilentParameters
- .builder(SCOPE, account)
- .build();
-
- // try to acquire token silently. This call will fail since the token cache
- // does not have any data for the user you are trying to acquire a token for
- result = pca.acquireTokenSilently(silentParameters).join();
- } catch (Exception ex) {
- if (ex.getCause() instanceof MsalException) {
-
- Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) ->
- System.out.println(deviceCode.message());
-
- DeviceCodeFlowParameters parameters =
- DeviceCodeFlowParameters
- .builder(SCOPE, deviceCodeConsumer)
+ private static IAuthenticationResult acquireTokenDeviceCode() throws Exception {
+
+ // Load token cache from file and initialize token cache aspect. The token cache will have
+ // dummy data, so the acquireTokenSilently call will fail.
+ TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
+
+ PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
+ .authority(AUTHORITY)
+ .setTokenCacheAccessAspect(tokenCacheAspect)
+ .build();
+
+ Set<IAccount> accountsInCache = pca.getAccounts().join();
+ // Take first account in the cache. In a production application, you would filter
+ // accountsInCache to get the right account for the user authenticating.
+ IAccount account = accountsInCache.iterator().next();
+
+ IAuthenticationResult result;
+ try {
+ SilentParameters silentParameters =
+ SilentParameters
+ .builder(SCOPE, account)
.build();
- // Try to acquire a token via device code flow. If successful, you should see
- // the token and account information printed out to console, and the sample_cache.json
- // file should have been updated with the latest tokens.
- result = pca.acquireToken(parameters).join();
- } else {
- // Handle other exceptions accordingly
- throw ex;
+ // try to acquire token silently. This call will fail since the token cache
+ // does not have any data for the user you are trying to acquire a token for
+ result = pca.acquireTokenSilently(silentParameters).join();
+ } catch (Exception ex) {
+ if (ex.getCause() instanceof MsalException) {
+
+ Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) ->
+ System.out.println(deviceCode.message());
+
+ DeviceCodeFlowParameters parameters =
+ DeviceCodeFlowParameters
+ .builder(SCOPE, deviceCodeConsumer)
+ .build();
+
+ // Try to acquire a token via device code flow. If successful, you should see
+ // the token and account information printed out to console, and the sample_cache.json
+ // file should have been updated with the latest tokens.
+ result = pca.acquireToken(parameters).join();
+ } else {
+ // Handle other exceptions accordingly
+ throw ex;
+ }
}
+ return result;
}
- return result;
-}
``` # [macOS](#tab/macOS)
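Review bot: the empty-cache case is still unhandled in this extract. `IAccount account = accountsInCache.iterator().next();` throws `NoSuchElementException` when `getAccounts()` returns nothing, and because that exception has no `MsalException` cause it falls through to `throw ex;` before the device code flow is ever attempted, which is exactly the situation the comment "The token cache will have dummy data" is describing. The IWA and username/password extracts in this same change were rewritten to look the account up with `getAccountByUsername(accountsInCache, username)` and tolerate a cache miss; bring this one in line with them, or at least guard the lookup with `accountsInCache.isEmpty()`. Since this is now the only one of the three Java extracts that still persists the cache to `sample_cache.json` through `TokenCacheAspect`, a one-line comment that the file holds refresh tokens in clear text and must be protected accordingly would also help readers who copy the sample.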
active-directory Scenario Desktop Acquire Token Integrated Windows Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-desktop-acquire-token-integrated-windows-authentication.md
Previously updated : 08/25/2021 Last updated : 10/07/2022 #Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
For the list of possible modifiers on AcquireTokenByIntegratedWindowsAuthenticat
# [Java](#tab/java)
-This extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
+This extract is from the [MSAL Java code samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/msal4j-sdk/src/samples/public-client/IntegratedWindowsAuthenticationFlow.java).
```java
-private static IAuthenticationResult acquireTokenIwa() throws Exception {
-
- // Load token cache from file and initialize token cache aspect. The token cache will have
- // dummy data, so the acquireTokenSilently call will fail.
- TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
-
- PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
- .authority(AUTHORITY)
- .setTokenCacheAccessAspect(tokenCacheAspect)
- .build();
-
- Set<IAccount> accountsInCache = pca.getAccounts().join();
- // Take first account in the cache. In a production application, you would filter
- // accountsInCache to get the right account for the user authenticating.
- IAccount account = accountsInCache.iterator().next();
-
- IAuthenticationResult result;
- try {
- SilentParameters silentParameters =
- SilentParameters
- .builder(SCOPE, account)
- .build();
-
- // try to acquire token silently. This call will fail since the token cache
- // does not have any data for the user you are trying to acquire a token for
- result = pca.acquireTokenSilently(silentParameters).join();
- } catch (Exception ex) {
- if (ex.getCause() instanceof MsalException) {
-
- IntegratedWindowsAuthenticationParameters parameters =
- IntegratedWindowsAuthenticationParameters
- .builder(SCOPE, USER_NAME)
- .build();
+ PublicClientApplication pca = PublicClientApplication.builder(clientId)
+ .authority(authority)
+ .build();
+
+ Set<IAccount> accountsInCache = pca.getAccounts().join();
+ IAccount account = getAccountByUsername(accountsInCache, username);
+
+ //Attempt to acquire token when user's account is not in the application's token cache
+ IAuthenticationResult result = acquireTokenIntegratedWindowsAuth(pca, scope, account, username);
+ System.out.println("Account username: " + result.account().username());
+ System.out.println("Access token: " + result.accessToken());
+ System.out.println("Id token: " + result.idToken());
+ System.out.println();
+
+ //Get list of accounts from the application's token cache, and search them for the configured username
+ //getAccounts() will be empty on this first call, as accounts are added to the cache when acquiring a token
+ accountsInCache = pca.getAccounts().join();
+ account = getAccountByUsername(accountsInCache, username);
+
+ //Attempt to acquire token again, now that the user's account and a token are in the application's token cache
+ result = acquireTokenIntegratedWindowsAuth(pca, scope, account, username);
+ System.out.println("Account username: " + result.account().username());
+ System.out.println("Access token: " + result.accessToken());
+ System.out.println("Id token: " + result.idToken());
+ }
- // Try to acquire a IWA. You will need to generate a Kerberos ticket.
- // If successful, you should see the token and account information printed out to
- // console
- result = pca.acquireToken(parameters).join();
- } else {
- // Handle other exceptions accordingly
- throw ex;
+ private static IAuthenticationResult acquireTokenIntegratedWindowsAuth( PublicClientApplication pca,
+ Set<String> scope,
+ IAccount account,
+ String username) throws Exception {
+
+ IAuthenticationResult result;
+ try {
+ SilentParameters silentParameters =
+ SilentParameters
+ .builder(scope)
+ .account(account)
+ .build();
+ // Try to acquire token silently. This will fail on the first acquireTokenIntegratedWindowsAuth() call
+ // because the token cache does not have any data for the user you are trying to acquire a token for
+ result = pca.acquireTokenSilently(silentParameters).join();
+ System.out.println("==acquireTokenSilently call succeeded");
+ } catch (Exception ex) {
+ if (ex.getCause() instanceof MsalException) {
+ System.out.println("==acquireTokenSilently call failed: " + ex.getCause());
+ IntegratedWindowsAuthenticationParameters parameters =
+ IntegratedWindowsAuthenticationParameters
+ .builder(scope, username)
+ .build();
+
+ // Try to acquire a token using Integrated Windows Authentication (IWA). You will need to generate a Kerberos ticket.
+ // If successful, you should see the token and account information printed out to console
+ result = pca.acquireToken(parameters).join();
+ System.out.println("==Integrated Windows Authentication flow succeeded");
+ } else {
+ // Handle other exceptions accordingly
+ throw ex;
+ }
}
+ return result;
}
- return result;
-}
``` # [macOS](#tab/macOS)
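Review bot: the new extract no longer stands on its own. It opens mid-method at `PublicClientApplication pca = PublicClientApplication.builder(clientId)` with no enclosing signature, the `}` after the second `System.out.println("Id token: " + result.idToken());` closes a method the reader never sees, `getAccountByUsername(...)` is called but not shown, and `clientId`, `authority`, `scope` and `username` are undeclared. Either include the caller's signature and the helper, or trim the extract to `acquireTokenIntegratedWindowsAuth(...)` alone as the article text ("This extract is from ...") suggests. The comment `//getAccounts() will be empty on this first call, as accounts are added to the cache when acquiring a token` sits above the second `pca.getAccounts().join()`, after a token has already been acquired, so it describes the wrong call; the username/password extract has the same comment in the right place, above the first lookup. Finally, the sample prints `result.accessToken()` and `result.idToken()` to the console; for a page that people paste into real apps, a comment that bearer tokens are credentials and must not be logged is worth the line.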
active-directory Scenario Desktop Acquire Token Username Password https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-desktop-acquire-token-username-password.md
Previously updated : 08/25/2021 Last updated : 07/10/2022 #Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
For more information on all the modifiers that can be applied to `AcquireTokenBy
# [Java](#tab/java)
-The following extract is from the [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
+The following extract is from the [MSAL Java code samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
```java
-private static IAuthenticationResult acquireTokenUsernamePassword() throws Exception {
-
- // Load token cache from file and initialize token cache aspect. The token cache will have
- // dummy data, so the acquireTokenSilently call will fail.
- TokenCacheAspect tokenCacheAspect = new TokenCacheAspect("sample_cache.json");
-
- PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
- .authority(AUTHORITY)
- .setTokenCacheAccessAspect(tokenCacheAspect)
- .build();
-
- Set<IAccount> accountsInCache = pca.getAccounts().join();
- // Take first account in the cache. In a production application, you would filter
- // accountsInCache to get the right account for the user authenticating.
- IAccount account = accountsInCache.iterator().next();
-
- IAuthenticationResult result;
- try {
- SilentParameters silentParameters =
- SilentParameters
- .builder(SCOPE, account)
- .build();
- // try to acquire token silently. This call will fail since the token cache
- // does not have any data for the user you are trying to acquire a token for
- result = pca.acquireTokenSilently(silentParameters).join();
- } catch (Exception ex) {
- if (ex.getCause() instanceof MsalException) {
-
- UserNamePasswordParameters parameters =
- UserNamePasswordParameters
- .builder(SCOPE, USER_NAME, USER_PASSWORD.toCharArray())
+ PublicClientApplication pca = PublicClientApplication.builder(clientId)
+ .authority(authority)
+ .build();
+
+ //Get list of accounts from the application's token cache, and search them for the configured username
+ //getAccounts() will be empty on this first call, as accounts are added to the cache when acquiring a token
+ Set<IAccount> accountsInCache = pca.getAccounts().join();
+ IAccount account = getAccountByUsername(accountsInCache, username);
+
+ //Attempt to acquire token when user's account is not in the application's token cache
+ IAuthenticationResult result = acquireTokenUsernamePassword(pca, scope, account, username, password);
+ System.out.println("Account username: " + result.account().username());
+ System.out.println("Access token: " + result.accessToken());
+ System.out.println("Id token: " + result.idToken());
+ System.out.println();
+
+ accountsInCache = pca.getAccounts().join();
+ account = getAccountByUsername(accountsInCache, username);
+
+ //Attempt to acquire token again, now that the user's account and a token are in the application's token cache
+ result = acquireTokenUsernamePassword(pca, scope, account, username, password);
+ System.out.println("Account username: " + result.account().username());
+ System.out.println("Access token: " + result.accessToken());
+ System.out.println("Id token: " + result.idToken());
+ }
+
+ private static IAuthenticationResult acquireTokenUsernamePassword(PublicClientApplication pca,
+ Set<String> scope,
+ IAccount account,
+ String username,
+ String password) throws Exception {
+ IAuthenticationResult result;
+ try {
+ SilentParameters silentParameters =
+ SilentParameters
+ .builder(scope)
+ .account(account)
.build();
- // Try to acquire a token via username/password. If successful, you should see
- // the token and account information printed out to console
- result = pca.acquireToken(parameters).join();
- } else {
- // Handle other exceptions accordingly
- throw ex;
+ // Try to acquire token silently. This will fail on the first acquireTokenUsernamePassword() call
+ // because the token cache does not have any data for the user you are trying to acquire a token for
+ result = pca.acquireTokenSilently(silentParameters).join();
+ System.out.println("==acquireTokenSilently call succeeded");
+ } catch (Exception ex) {
+ if (ex.getCause() instanceof MsalException) {
+ System.out.println("==acquireTokenSilently call failed: " + ex.getCause());
+ UserNamePasswordParameters parameters =
+ UserNamePasswordParameters
+ .builder(scope, username, password.toCharArray())
+ .build();
+ // Try to acquire a token via username/password. If successful, you should see
+ // the token and account information printed out to console
+ result = pca.acquireToken(parameters).join();
+ System.out.println("==username/password flow succeeded");
+ } else {
+ // Handle other exceptions accordingly
+ throw ex;
+ }
}
+ return result;
}
- return result;
-}
``` # [macOS](#tab/macOS)
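Review bot: the link was retitled but not repointed. It still goes to `blob/dev/src/samples/public-client/`, while the device code and IWA pages in this same change moved to `blob/dev/msal4j-sdk/src/samples/public-client/<File>.java`; this one should point at the corresponding file under `msal4j-sdk/src/samples/public-client/`, and a directory should use `tree/` rather than `blob/`. The extract has the same structural problem as the IWA one: it starts mid-method at `PublicClientApplication pca = PublicClientApplication.builder(clientId)`, the first `}` closes an unseen method, and `getAccountByUsername` is never shown. On the credential handling itself: the password now arrives as `String password` and is only converted at `password.toCharArray()`; `UserNamePasswordParameters.builder` takes a `char[]` precisely so the caller can zero it after `acquireToken`, and a `String` copy cannot be wiped from the heap. Pass `char[]` through the helper and clear it after use. As with the other extracts, printing `result.accessToken()` and `result.idToken()` deserves a "do not log tokens" comment.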
active-directory Scenario Desktop App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-desktop-app-configuration.md
Before the call to the `.Build()` method, you can override your configuration wi
# [Java](#tab/java)
-Here's the class used in MSAL Java development samples to configure the samples: [TestData](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/src/samples/public-client/).
+Here's the class used in MSAL Java development samples to configure the samples: [TestData](https://github.com/AzureAD/microsoft-authentication-library-for-java/tree/dev/msal4j-sdk/src/samples/public-client/).
```Java PublicClientApplication pca = PublicClientApplication.builder(CLIENT_ID)
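Review bot: the link text still says `TestData` but the new URL points at the `public-client/` samples directory, not at a `TestData` class; either link the file itself or change the text to say the samples folder.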
active-directory Scenario Spa App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-app-configuration.md
Title: Configure single-page app description: Learn how to build a single-page application (app's code configuration) -+
Last updated 02/11/2020-+ #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Scenario Spa App Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-app-registration.md
Title: Register single-page applications (SPA) description: Learn how to build a single-page application (app registration) -+ Last updated 05/10/2022-+ # Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Scenario Spa Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-overview.md
Title: JavaScript single-page app scenario description: Learn how to build a single-page application (scenario overview) by using the Microsoft identity platform. -+
Last updated 10/12/2021-+ #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Scenario Spa Production https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-production.md
Title: Move single-page app to production description: Learn how to build a single-page application (move to production) -+
Last updated 05/07/2019-+ #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Scenario Spa Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-sign-in.md
Title: Single-page app sign-in & sign-out description: Learn how to build a single-page application (sign-in) -+
Last updated 07/19/2022-+ #Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
active-directory Scenario Web App Sign User Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-overview.md
Previously updated : 09/17/2019 Last updated : 10/12/2022 -+ #Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform.
Learn all you need to build a web app that uses the Microsoft identity platform
If you want to create your first portable (ASP.NET Core) web app that signs in users, follow this quickstart:
-[Quickstart: ASP.NET Core web app that signs in users](quickstart-v2-aspnet-core-webapp.md)
+[Quickstart: Use ASP.NET Core to add sign-in with Microsoft to a web app](web-app-quickstart.md?pivots=devlang-aspnet-core)
# [ASP.NET](#tab/aspnet) If you want to understand how to add sign-in to an existing ASP.NET web application, try the following quickstart:
-[Quickstart: ASP.NET web app that signs in users](quickstart-v2-aspnet-webapp.md)
+[Quickstart: Use ASP.NET to add sign-in with Microsoft to a web app](web-app-quickstart.md?pivots=devlang-aspnet)
# [Java](#tab/java) If you're a Java developer, try the following quickstart:
-[Quickstart: Add sign-in with Microsoft to a Java web app](quickstart-v2-java-webapp.md)
+[Quickstart: Use Java to add sign-in with Microsoft to a web app](web-app-quickstart.md?pivots=devlang-java)
# [Node.js](#tab/nodejs) If you're a Node.js developer, try the following quickstart:
-[Quickstart: Add sign-in with Microsoft to a Node.js web app](quickstart-v2-nodejs-webapp-msal.md)
+[Quickstart: Use Node.js to add sign-in with Microsoft to a web app](web-app-quickstart.md?pivots=devlang-nodejs-msal)
# [Python](#tab/python) If you develop with Python, try the following quickstart:
-[Quickstart: Add sign-in with Microsoft to a Python web app](quickstart-v2-python-webapp.md)
+[Quickstart: Use Python to add sign-in with Microsoft to a web app](web-app-quickstart.md?pivots=devlang-python)
Web apps authenticate a user in a web browser. In this scenario, the web app dir
As a second phase, you can enable your application to call web APIs on behalf of the signed-in user. This next phase is a different scenario, which you'll find in [Web app that calls web APIs](scenario-web-app-call-api-overview.md).
-> [!NOTE]
-> Adding sign-in to a web app is about protecting the web app and validating a user token, which is what **middleware** libraries do. In the case of .NET, this scenario does not yet require the Microsoft Authentication Library (MSAL), which is about acquiring a token to call protected APIs. Authentication libraries for .NET will be introduced in the follow-up scenario, when the web app needs to call web APIs.
- ## Specifics -- During the application registration, you'll need to provide one or several (if you deploy your app to several locations) reply URIs. In some cases (ASP.NET and ASP.NET Core), you'll need to enable the ID token. Finally, you'll want to set up a sign-out URI so that your application reacts to users signing out.-- In the code for your application, you'll need to provide the authority to which your web app delegates sign-in. You might want to customize token validation (in particular, in partner scenarios).
+- During the application registration, provide one or several (if you deploy your app to several locations) reply URIs. For ASP.NET, you will need to select **ID tokens** under **Implicit grant and hybrid flows**. Finally, set up a sign-out URI so that the application reacts to users signing out.
+- In the app's code, provide the authority to which the web app delegates sign-in. Consider customizing token validation for certain scenarios (in particular, in partner scenarios).
- Web applications support any account types. For more information, see [Supported account types](v2-supported-account-types.md). ## Recommended reading
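Review bot: dropping the NOTE loses the one sentence that explained the division of labour, that sign-in is done by middleware validating the ID token and that MSAL only enters the picture when the app starts calling APIs; nothing in the new Specifics bullets conveys that, and it was the part that stopped readers from wiring MSAL into a sign-in-only app. Keep a short version of it. The new bullet "For ASP.NET, you will need to select **ID tokens** under **Implicit grant and hybrid flows**" narrows the old "(ASP.NET and ASP.NET Core)" correctly, since ASP.NET Core signs in with the authorization code flow, but say so, and make explicit that only the **ID tokens** box is needed; the neighbouring **Access tokens** box is not required for sign-in and should stay unchecked.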
active-directory Single Sign On Macos Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-sign-on-macos-ios.md
Title: Configure SSO on macOS and iOS description: Learn how to configure single sign on (SSO) on macOS and iOS. -+
Last updated 02/03/2020-+
active-directory Ssl Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/ssl-issues.md
Title: Troubleshoot TLS/SSL issues (MSAL iOS/macOS) description: Learn what to do about various problems using TLS/SSL certificates with the MSAL.Objective-C library. -+
Last updated 08/28/2019-+
active-directory Sso Between Adal Msal Apps Macos Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sso-between-adal-msal-apps-macos-ios.md
Title: SSO between ADAL & MSAL apps (iOS/macOS) description: Learn how to share SSO between ADAL and MSAL apps -+
Last updated 08/28/2019-+
active-directory Tutorial V2 Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-android.md
Title: "Tutorial: Create an Android app that uses the Microsoft identity platform for authentication" description: In this tutorial, you build an Android app that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf. -+
Last updated 11/26/2019-+
active-directory Tutorial V2 Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-ios.md
Title: "Tutorial: Create an iOS or macOS app that uses the Microsoft identity platform for authentication" description: Build an iOS or macOS app that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf.-+ Last updated 05/28/2022-+
active-directory Tutorial V2 Javascript Auth Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-javascript-auth-code.md
Title: "Tutorial: Create a JavaScript single-page app that uses auth code flow" description: In this tutorial, you create a JavaScript SPA that can sign in users and use the auth code flow to obtain an access token from the Microsoft identity platform and call the Microsoft Graph API. -+ Last updated 10/12/2021-+
active-directory Tutorial V2 Javascript Spa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-javascript-spa.md
Title: "Tutorial: Create a JavaScript single-page app that uses the Microsoft identity platform for authentication" description: In this tutorial, you build a JavaScript single-page app (SPA) that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf. -+
Last updated 09/26/2022-+
active-directory Tutorial V2 Nodejs Console https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-nodejs-console.md
Title: "Tutorial: Call Microsoft Graph in a Node.js console app" description: In this tutorial, you build a console app for calling Microsoft Graph to a Node.js console app. -+ Last updated 12/12/2021-+ # Tutorial: Call the Microsoft Graph API in a Node.js console app
active-directory Tutorial V2 Nodejs Desktop https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-nodejs-desktop.md
Title: "Tutorial: Sign in users and call the Microsoft Graph API in an Electron desktop app" description: In this tutorial, you build an Electron desktop app that can sign in users and use the auth code flow to obtain an access token from the Microsoft identity platform and call the Microsoft Graph API. -+ Last updated 02/17/2021-+ # Tutorial: Sign in users and call the Microsoft Graph API in an Electron desktop app
active-directory Tutorial V2 Nodejs Webapp Msal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-nodejs-webapp-msal.md
Title: "Tutorial: Sign in users in a Node.js & Express web app" description: In this tutorial, you add support for signing-in users in a web app. -+ Last updated 02/17/2021-+ # Tutorial: Sign in users and acquire a token for Microsoft Graph in a Node.js & Express web app
active-directory Tutorial V2 Shared Device Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-shared-device-mode.md
Title: "Tutorial: Use shared-device mode with the Microsoft Authentication Library (MSAL) for Android" description: In this tutorial, you learn how to prepare an Android device to run in shared mode and run a first-line worker app. -+
Last updated 1/15/2020-+
active-directory V2 Permissions And Consent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-permissions-and-consent.md
Title: Microsoft identity platform scopes, permissions, & consent description: Learn about authorization in the Microsoft identity platform endpoint, including scopes, permissions, and consent. -+
Last updated 04/21/2022-+
active-directory V2 Saml Bearer Assertion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-saml-bearer-assertion.md
Title: Exchange a SAML token issued by Active Directory Federation Services (AD FS) for a Microsoft Graph access token description: Learn how to fetch data from Microsoft Graph without prompting an AD FS-federated user for credentials by using the SAML bearer assertion flow. -+ Last updated 01/11/2022-+
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/whats-new-docs.md
Title: "What's new in the Microsoft identity platform docs" description: "New and updated documentation for the Microsoft identity platform." -+ Last updated 09/03/2022
-+
active-directory Workload Identity Federation Create Trust Gcp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/workload-identity-federation-create-trust-gcp.md
private string getGoogleIdToken()
} } ```+
+# [Java](#tab/java)
+HereΓÇÖs an example in Java of how to request an ID token from the Google metadata server:
+```java
+private String getGoogleIdToken() throws IOException {
+ final String endpoint = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=api://AzureADTokenExchange";
+
+ URL url = new URL(endpoint);
+ HttpURLConnection httpUrlConnection = (HttpURLConnection) url.openConnection();
+
+ httpUrlConnection.setRequestMethod("GET");
+ httpUrlConnection.setRequestProperty("Metadata-Flavor", "Google ");
+
+ InputStream inputStream = httpUrlConnection.getInputStream();
+ InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
+ BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
+ StringBuffer content = new StringBuffer();
+ String inputLine;
+
+ while ((inputLine = bufferedReader.readLine()) != null)
+ content.append(inputLine);
+
+ bufferedReader.close();
+
+ return content.toString();
+}
+```
> [!IMPORTANT]
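Review bot: `httpUrlConnection.setRequestProperty("Metadata-Flavor", "Google ");` has a trailing space in the header value; the metadata server expects exactly `Google`, so remove the space rather than relying on the HTTP stack to trim it. The streams are only closed on the success path and the connection is never disconnected; wrap the `BufferedReader` in try-with-resources. There is also no status check: `getInputStream()` throws for 4xx/5xx, but anything else that comes back is returned verbatim and later handed to Azure AD as the client assertion, so check `getResponseCode()` is 200 before reading. `StringBuffer` can be `StringBuilder` here since nothing is shared across threads.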
public class ClientAssertionCredential:TokenCredential
} ```
+# [Java](#tab/java)
+
+The following Java sample code snippet implements the `TokenCredential` interface, gets an ID token from Google (using the `getGoogleIDToken` method previously defined), and exchanges the ID token for an access token.
+
+```java
+import java.io.Exception;
+import java.time.Instant;
+import java.time.OffsetDateTime;
+import java.time.ZoneOffset;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.credential.TokenRequestContext;
+import com.microsoft.aad.msal4j.ClientCredentialFactory;
+import com.microsoft.aad.msal4j.ClientCredentialParameters;
+import com.microsoft.aad.msal4j.ConfidentialClientApplication;
+import com.microsoft.aad.msal4j.IClientCredential;
+import com.microsoft.aad.msal4j.IAuthenticationResult;
+import reactor.core.publisher.Mono;
+
+public class ClientAssertionCredential implements TokenCredential {
+ private String clientID;
+ private String tenantID;
+ private String aadAuthority;
+
+ public ClientAssertionCredential(String clientID, String tenantID, String aadAuthority)
+ {
+ this.clientID = clientID;
+ this.tenantID = tenantID;
+ this.aadAuthority = aadAuthority; // https://login.microsoftonline.com/
+ }
+
+ @Override
+ public Mono<AccessToken> getToken(TokenRequestContext requestContext) {
+ try {
+ // Get the ID token from Google
+ String idToken = getGoogleIdToken(); // calling this directly just for clarity, this should be a callback
+
+ IClientCredential clientCredential = ClientCredentialFactory.createFromClientAssertion(idToken);
+ String authority = String.format("%s%s", aadAuthority, tenantID);
+
+ ConfidentialClientApplication app = ConfidentialClientApplication
+ .builder(clientID, clientCredential)
+ .authority(aadAuthority)
+ .build();
+
+ Set<String> scopes = new HashSet<String>(requestContext.getScopes());
+ ClientCredentialParameters clientCredentialParam = ClientCredentialParameters
+ .builder(scopes)
+ .build();
+
+ IAuthenticationResult authResult = app.acquireToken(clientCredentialParam).get();
+ Instant expiresOnInstant = authResult.expiresOnDate().toInstant();
+ OffsetDateTime expiresOn = OffsetDateTime.ofInstant(expiresOnInstant, ZoneOffset.UTC);
+
+ AccessToken accessToken = new AccessToken(authResult.accessToken(), expiresOn);
+
+ return Mono.just(accessToken);
+ } catch (Exception ex) {
+ return Mono.error(ex);
+ }
+ }
+}
+```
+ ## Access Azure AD protected resources
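Review bot: this snippet does not compile and, once fixed, authenticates against the wrong authority. `import java.io.Exception;` does not exist (`Exception` lives in `java.lang` and needs no import; `java.io.IOException` is what `getGoogleIdToken()` declares). The `authority` string is assembled as `String.format("%s%s", aadAuthority, tenantID)` but the builder is then given `.authority(aadAuthority)`, so `tenantID` is never used and the confidential client is built against `https://login.microsoftonline.com/` with no tenant; it should be `.authority(authority)`. `getGoogleIdToken()` is called as if it were a member of this class but is defined elsewhere, and the prose above spells it `getGoogleIDToken`; use one name and say where it lives. `app.acquireToken(clientCredentialParam).get()` blocks inside a method that returns `Mono<AccessToken>`; use `Mono.fromFuture(app.acquireToken(clientCredentialParam))` and map the result instead of `Mono.just`/`Mono.error`. Lastly, a new `ConfidentialClientApplication` per `getToken` call discards MSAL's token cache, so every SDK request fetches a Google ID token and round-trips to Azure AD; at minimum cache the returned `AccessToken` until its `expiresOn`.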
BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(storageUrl),
// write code to access Blob storage ```
+# [Java](#tab/java)
+
+```java
+String clientID = "<client-id>";
+String tenantID = "<tenant-id>";
+String authority = "https://login.microsoftonline.com/";
+String storageUrl = "https://<storageaccount>.blob.core.windows.net";
+
+ClientAssertionCredential credential = new ClientAssertionCredential(clientID, tenantID, authority);
+
+BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
+ .endpoint(storageUrl)
+ .credential(credential)
+ .buildClient();
+
+// write code to access Blob storage
+```
+ ## Next steps
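Review bot: the usage block omits the imports it needs (`com.azure.storage.blob.BlobServiceClient` and `com.azure.storage.blob.BlobServiceClientBuilder`), and the class name `ClientAssertionCredential` collides with `com.azure.identity.ClientAssertionCredential`, which the Azure Identity library already ships for this same assertion exchange (built through `ClientAssertionCredentialBuilder`). With azure-identity on the classpath the reader gets an ambiguous name; rename the hand-written class, or mention the built-in credential as the simpler route.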
active-directory Howto Vm Sign In Azure Ad Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md
To improve the security of Linux virtual machines (VMs) in Azure, you can integr
This article shows you how to create and configure a Linux VM and log in with Azure AD by using OpenSSH certificate-based authentication.
-> [!IMPORTANT]
-> This capability is now generally available. The previous version that made use of device code flow was [deprecated on August 15, 2021](/azure-docs-archive-pr/virtual-machines/linux/login-using-aad). To migrate from the old version to this version, see the section [Migrate from the previous (preview) version](#migrate-from-the-previous-preview-version).
- There are many security benefits of using Azure AD with OpenSSH certificate-based authentication to log in to Linux VMs in Azure. They include: - Use your Azure AD credentials to log in to Azure Linux VMs.
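Review bot: Dropping the IMPORTANT callout also drops the only link to the migration section (`#migrate-from-the-previous-preview-version`) and the August 15, 2021 deprecation date. If that section still exists in the article, keep a one-line pointer to it near the top so readers still on the device code flow version can find the migration path; if the section is removed in the same commit, the removal is fine as is.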
active-directory Howto Vm Sign In Azure Ad Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
To configure role assignments for your Azure AD-enabled Windows Server 2019 Data
The following example uses [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. You obtain the username of your current Azure account by using [az account show](/cli/azure/account#az-account-show), and you set the scope to the VM created in a previous step by using [az vm show](/cli/azure/vm#az-vm-show).
-You can also assign the scope at a resource group or subscription level. Normal Azure RBAC inheritance permissions apply. For more information, see [Log in to a Linux virtual machine in Azure by using Azure Active Directory authentication](/azure-docs-archive-pr/virtual-machines/linux/login-using-aad).
+You can also assign the scope at a resource group or subscription level. Normal Azure RBAC inheritance permissions apply.
```AzureCLI $username=$(az account show --query user.name --output tsv)
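Review bot: Removing the link to the archived `login-using-aad` article is right, but "Normal Azure RBAC inheritance permissions apply." is now an unreferenced claim; point it at the current Azure RBAC documentation on scope inheritance rather than leaving it bare, so readers can check what a role assignment at resource group or subscription scope grants on every VM beneath it.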
active-directory Directory Delete Howto https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delete-howto.md
Title: Delete an Azure AD tenant - Azure Active Directory | Microsoft Docs
-description: Explains how to prepare an Azure AD tenant for deletion, including self-service tenants
+ Title: Delete an Azure Active Directory tenant
+description: Learn how to prepare an Azure AD tenant, including a self-service tenant, for deletion.
documentationcenter: ''
# Delete a tenant in Azure Active Directory
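Review bot: As rendered, the added `Title: Delete an Azure Active Directory tenant` line sits beside the unchanged `Title: Delete an Azure AD tenant - Azure Active Directory | Microsoft Docs` line, which would leave two title keys in the front matter. If the old title is meant to be replaced, it needs a `-` line the way `description:` has one in this hunk.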
-When an organization (tenant) is deleted in Azure Active Directory (Azure AD), part of Microsoft Entra, all resources that are contained in the organization are also deleted. Prepare your organization by minimizing its associated resources before you delete. Only a global administrator in Azure AD can delete an Azure AD organization from the portal.
+When an organization (tenant) is deleted in Azure Active Directory (Azure AD), part of Microsoft Entra, all resources in the organization are also deleted. Prepare your organization by minimizing its associated resources before you delete. Only a global administrator in Azure AD can delete an Azure AD organization from the Azure portal.
## Prepare the organization
-You can't delete an organization in Azure AD until it passes several checks. These checks reduce risk that deleting an Azure AD organization negatively impacts user access, such as the ability to sign in to Microsoft 365 or access resources in Azure. For example, if the organization associated with a subscription is unintentionally deleted, then users can't access the Azure resources for that subscription. The following conditions should be checked:
+You can't delete an organization in Azure AD until it passes several checks. These checks reduce the risk that deleting an Azure AD organization negatively affects user access, such as the ability to sign in to Microsoft 365 or access resources in Azure. For example, if the organization associated with a subscription is unintentionally deleted, users can't access the Azure resources for that subscription.
-* You must have paid all outstanding invoices and amounts due or overdue.
-* There can be no users in the Azure AD tenant except one global administrator who is to delete the organization. Any other users must be deleted before the organization can be deleted. If users are synchronized from on-premises, then sync must first be turned off, and the users must be deleted in the cloud organization using the Azure portal or Azure PowerShell cmdlets.
-* There can be no applications in the organization. Any applications must be removed before the organization can be deleted.
-* There can be no multifactor authentication providers linked to the organization.
-* There can be no subscriptions for any Microsoft Online Services such as Microsoft Azure, Microsoft 365, or Azure AD Premium associated with the organization. For example, if a default Azure AD tenant was created for you in Azure, you can't delete this organization if your Azure subscription still relies on it for authentication. You also can't delete a tenant if another user has associated an Azure subscription with it.
+Check the following conditions:
+
+* You've paid all outstanding invoices and amounts due or overdue.
+* No users are in the Azure AD tenant, except one global administrator who will delete the organization. You must delete any other users before you can delete the organization.
+
+ If users are synchronized from on-premises, turn off the sync first. You must delete the users in the cloud organization by using the Azure portal or Azure PowerShell cmdlets.
+* No applications are in the organization. You must remove any applications before you can delete the organization.
+* No multifactor authentication providers are linked to the organization.
+* No subscriptions for any Microsoft Online Services offerings (such as Azure, Microsoft 365, or Azure AD Premium) are associated with the organization.
+
+ For example, if a default Azure AD tenant was created for you in Azure, you can't delete this organization if your Azure subscription still relies on it for authentication. You also can't delete a tenant if another user has associated an Azure subscription with it.
> [!NOTE]
-> Microsoft is aware that customers with certain tenant configurations may be unable to successfully delete their Azure AD organization. We are working to address this problem. In the meantime, if needed, you can contact Microsoft support for details about the issue.
+> Microsoft is aware that customers with certain tenant configurations might be unable to successfully delete their Azure AD organization. We're working to address this problem. If you need more information, contact Microsoft support.
## Delete the organization
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that is the Global Administrator for your organization.
+1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that is the global administrator for your organization.
1. Select **Azure Active Directory**.
-1. On a tenant Overview page, select **Manage tenants**.
+1. On a tenant's **Overview** page, select **Manage tenants**.
- ![Confirm organization before deleting](./media/directory-delete-howto/manage-tenants-command.png)
+ ![Screenshot that shows the button for managing tenants.](./media/directory-delete-howto/manage-tenants-command.png)
-1. Select the check box for the tenant you want to delete, and select **Delete**.
+1. Select the checkbox for the tenant that you want to delete, and then select **Delete**.
- ![select the command to delete the organization](./media/directory-delete-howto/manage-tenants-delete-command.png)
-1. If your organization doesn't pass one or more checks, you're provided with a link to more information on how to pass. After you pass all checks, select **Delete** to complete the process.
+ ![Screenshot that shows the button for deleting an organization.](./media/directory-delete-howto/manage-tenants-delete-command.png)
+1. If your organization doesn't pass one or more checks, you'll get a link to more information on how to pass. After you pass all checks, select **Delete** to complete the process.
-## If you can't delete the organization
+## Deprovision subscriptions to allow organization deletion
-When you configured your Azure AD organization, you may have also activated license-based subscriptions for your organization like Azure AD Premium P2, Microsoft 365 Business Standard, or Enterprise Mobility + Security E5. To avoid accidental data loss, you can't delete an organization until the subscriptions are fully deleted. The subscriptions must be in a **Deprovisioned** state to allow organization deletion. An **Expired** or **Canceled** subscription moves to the **Disabled** state, and the final stage is the **Deprovisioned** state.
+When you configured your Azure AD organization, you might have also activated license-based subscriptions for your organization, like Azure AD Premium P2, Microsoft 365 Business Standard, or Enterprise Mobility + Security E5. To avoid accidental data loss, you can't delete an organization until the subscriptions are fully deleted. The subscriptions must be in a **Deprovisioned** state to allow organization deletion. An **Expired** or **Canceled** subscription moves to the **Disabled** state, and the final stage is the **Deprovisioned** state.
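Review bot: Renaming the H2 from `## If you can't delete the organization` to `## Deprovision subscriptions to allow organization deletion` changes its anchor, and the same applies to the other headings renamed in this change (`## Delete an Office 365 or Microsoft 365 subscription`, `## Remove enterprise apps that you can't delete`, `## Handle a trial subscription that blocks deletion`). Check for inbound links to the old anchors before merging, and either keep the old anchor text reachable or add redirects for them.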
For what to expect when a trial Microsoft 365 subscription expires (not including paid Partner/CSP, Enterprise Agreement, or Volume Licensing), see the following table. For more information on Microsoft 365 data retention and subscription lifecycle, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](https://support.office.com/article/what-happens-to-my-data-and-access-when-my-office-365-for-business-subscription-ends-4436582f-211a-45ec-b72e-33647f97d8a3). Subscription state | Data | Access to data -- | -- | --
-Active (30 days for trial) | Data accessible to all | Users have normal access to Microsoft 365 files, or apps<br>Admins have normal access to Microsoft 365 admin center and resources
-Expired (30 days) | Data accessible to all| Users have normal access to Microsoft 365 files, or apps<br>Admins have normal access to Microsoft 365 admin center and resources
-Disabled (30 days) | Data accessible to admin only | Users canΓÇÖt access Microsoft 365 files, or apps<br>Admins can access the Microsoft 365 admin center but canΓÇÖt assign licenses to or update users
-Deprovisioned (30 days after Disabled) | Data deleted (automatically deleted if no other services are in use) | Users canΓÇÖt access Microsoft 365 files, or apps<br>Admins can access the Microsoft 365 admin center to purchase and manage other subscriptions
+**Active** (30 days for trial) | Data is accessible to all. | Users have normal access to Microsoft 365 files or apps.<br>Admins have normal access to the Microsoft 365 admin center and resources.
+**Expired** (30 days) | Data is accessible to all.| Users have normal access to Microsoft 365 files or apps.<br>Admins have normal access to the Microsoft 365 admin center and resources.
+**Disabled** (30 days) | Data is accessible to admins only. | Users can't access Microsoft 365 files or apps.<br>Admins can access the Microsoft 365 admin center but can't assign licenses to or update users.
+**Deprovisioned** (30 days after **Disabled**) | Data is deleted (automatically deleted if no other services are in use). | Users can't access Microsoft 365 files or apps.<br>Admins can access the Microsoft 365 admin center to purchase and manage other subscriptions.
-## Delete a Office/Microsoft 365 subscription
+## Delete an Office 365 or Microsoft 365 subscription
-You can put a subscription into the **Deprovisioned** state to be deleted in three days using the Microsoft 365 admin center.
+You can use the Microsoft admin center to put a subscription into the **Deprovisioned** state for deletion in three days:
-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) with an account that is a global administrator in your organization. If you are trying to delete the ΓÇ£ContosoΓÇ¥ organization that has the initial default domain contoso.onmicrosoft.com, sign in with a UPN such as admin@contoso.onmicrosoft.com.
+1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) with an account that is a global administrator in your organization. If you're trying to delete the Contoso organization that has the initial default domain `contoso.onmicrosoft.com`, sign in with a User Principal Name (UPN) such as `admin@contoso.onmicrosoft.com`.
-1. Preview the new Microsoft 365 admin center by making sure the **Try the new admin center** toggle is enabled.
+1. Preview the new Microsoft 365 admin center by turning on the **Try the new admin center** toggle.
- ![Preview the new M365 admin center experience](./media/directory-delete-howto/preview-toggle.png)
+ ![Screenshot that shows the toggle for previewing the new admin center.](./media/directory-delete-howto/preview-toggle.png)
-1. Once the new admin center is enabled, you need to cancel a subscription before you can delete it. Select **Billing** and select **Your products**, then select **Cancel subscription** for the subscription you want to cancel. You'll be brought to a feedback page.
+1. You need to cancel a subscription before you can delete it. Select **Billing** > **Your products**, and then select **Cancel subscription** for the subscription that you want to cancel.
- ![Choose a subscription to cancel](./media/directory-delete-howto/cancel-choose-subscription.png)
+ ![Screenshot that shows choosing a subscription to cancel.](./media/directory-delete-howto/cancel-choose-subscription.png)
-1. Complete the feedback form and select **Cancel subscription** to cancel the subscription.
+1. Complete the feedback form, and then select **Cancel subscription**.
- ![Cancel command in the subscription preview](./media/directory-delete-howto/cancel-command.png)
+ ![Screenshot that shows feedback options and the button for canceling a subscription.](./media/directory-delete-howto/cancel-command.png)
-1. You can now delete the subscription. Select **Delete** for the subscription you want to delete. If you can't find the subscription in the **Products & services** page, make sure you have **Subscription status** set to **All**.
+1. Select **Delete** for the subscription that you want to delete. If you can't find the subscription on the **Your products** page, make sure that you have **Subscription status** set to **All**.
- ![Delete link for deleting subscription](./media/directory-delete-howto/delete-command.png)
+ ![Screenshot that shows subscription status and the delete link.](./media/directory-delete-howto/delete-command.png)
-1. Select **Delete subscription** to delete the subscription and accept the terms and conditions. All data is permanently deleted within three days. You can [reactivate the subscription](/office365/admin/subscriptions-and-billing/reactivate-your-subscription) during the three-day period if you change your mind.
+1. Select the checkbox to accept terms and conditions, and then select **Delete subscription**. All data for the subscription is permanently deleted in three days. You can [reactivate the subscription](/office365/admin/subscriptions-and-billing/reactivate-your-subscription) during the three-day period if you change your mind.
- ![carefully read terms and conditions](./media/directory-delete-howto/delete-terms.png)
+ ![Screenshot that shows the link for terms and conditions, along with the button for deleting a subscription.](./media/directory-delete-howto/delete-terms.png)
-1. Now the subscription state has changed, and the subscription is marked for deletion. The subscription enters the **Deprovisioned** state 72 hours later.
+ Now the subscription state has changed to **Disabled**, and the subscription is marked for deletion. The subscription enters the **Deprovisioned** state 72 hours later.
-1. Once you've deleted a subscription in your organization and 72 hours have elapsed, you can sign back into the Azure AD admin center again and there should be no required action and no subscriptions blocking your organization deletion. You should be able to successfully delete your Azure AD organization.
+1. After you've deleted a subscription in your organization and 72 hours have elapsed, sign in to the Azure AD admin center again. Confirm that no required actions or subscriptions are blocking your organization deletion. You should be able to successfully delete your Azure AD organization.
- ![pass subscription check at deletion screen](./media/directory-delete-howto/delete-checks-passed.png)
+ ![Screenshot that shows resources that have passed a subscription check.](./media/directory-delete-howto/delete-checks-passed.png)
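Review bot: "You can use the Microsoft admin center" should read "Microsoft 365 admin center", the name used in step 1's link and throughout the table above. Also, the old step 3 said cancellation is available "Once the new admin center is enabled"; the rewritten step 3 drops that dependency while step 2 still tells readers to turn on the **Try the new admin center** toggle, so either restore the dependency in step 3 or drop step 2 if the toggle no longer matters.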
## Delete an Azure subscription
-If you have an Active or canceled Azure subscription associated to your Azure AD Tenant then you wouldn't be able to delete Azure AD Tenant. After you cancel, billing is stopped immediately. However, Microsoft waits 30 - 90 days before permanently deleting your data in case you need to access it or you change your mind. We don't charge you for keeping the data.
+If you have an active or canceled Azure subscription associated with your Azure AD tenant, you can't delete the Azure AD tenant. After you cancel, billing is stopped immediately. However, Microsoft waits 30 to 90 days before permanently deleting your data in case you need to access it or you change your mind. We don't charge you for keeping the data.
-- If you have a free trial or pay-as-you-go subscription, you don't have to wait 90 days for the subscription to automatically delete. You can delete your subscription three days after you cancel it. The Delete subscription option isn't available until three days after you cancel your subscription. For more details please read through [Delete free trial or pay-as-you-go subscriptions](../../cost-management-billing/manage/cancel-azure-subscription.md#delete-subscriptions).-- All other subscription types are deleted only through the [subscription cancellation](../../cost-management-billing/manage/cancel-azure-subscription.md#cancel-subscription-in-the-azure-portal) process. In other words, you can't delete a subscription directly unless it's a free trial or pay-as-you-go subscription. However, after you cancel a subscription, you can create an [Azure support request](https://go.microsoft.com/fwlink/?linkid=2083458) to ask to have the subscription deleted immediately.-- Alternatively, you can also move/transfer the Azure subscription to another Azure AD tenant account. When you transfer billing ownership of your subscription to an account in another Azure AD tenant, you can move the subscription to the new account's tenant. Additionally, performing Switch Directory on the subscription wouldn't help as the billing would still be aligned with Azure AD Tenant which was used to sign up for the subscription. For more information review [Transfer a subscription to another Azure AD tenant account](../../cost-management-billing/manage/billing-subscription-transfer.md#transfer-a-subscription-to-another-azure-ad-tenant-account)
+If you have a free trial or pay-as-you-go subscription, you don't have to wait 90 days for the subscription to be automatically deleted. You can delete your subscription three days after you cancel it, when the **Delete subscription** option becomes available. For details, read through [Delete free trial or pay-as-you-go subscriptions](../../cost-management-billing/manage/cancel-azure-subscription.md#delete-subscriptions).
-Once you have all the Azure and Office/Microsoft 365 Subscriptions canceled and deleted, you can proceed with cleaning up rest of the things within Azure AD Tenant before actually delete it.
+All other subscription types are deleted only through the [subscription cancellation](../../cost-management-billing/manage/cancel-azure-subscription.md#cancel-subscription-in-the-azure-portal) process. In other words, you can't delete a subscription directly unless it's a free trial or pay-as-you-go subscription. However, after you cancel a subscription, you can create an [Azure support request](https://go.microsoft.com/fwlink/?linkid=2083458) and ask to have the subscription deleted immediately.
-## Enterprise apps with no way to delete
+Alternatively, you can move the Azure subscription to another Azure AD tenant account. When you transfer billing ownership of your subscription to an account in another Azure AD tenant, you can move the subscription to the new account's tenant. Performing a **Switch Directory** action on the subscription wouldn't help, because the billing would still be aligned with the Azure AD tenant that was used to sign up for the subscription. For more information, review [Transfer a subscription to another Azure AD tenant account](../../cost-management-billing/manage/billing-subscription-transfer.md#transfer-a-subscription-to-another-azure-ad-tenant-account).
-Currently, there are few enterprise applications that can't be deleted in the Azure portal. If you find that you are unable to successfully delete an Azure AD tenant from the portal, you can use the following PowerShell commands to remove any blocking enterprise applications.
+After you have all the Azure, Office 365, and Microsoft 365 subscriptions canceled and deleted, you can clean up the rest of the things within an Azure AD tenant before you delete it.
-Follow below instructions to remove blocking enterprise apps/service principals before you attempt to delete the tenant:
+## Remove enterprise apps that you can't delete
-1. Install MSOnline module for PowerShell by running the following command:
+A few enterprise applications can't be deleted in the Azure portal and might block you from deleting the tenant. Use the following PowerShell procedure to remove those applications:
- 'Install-Module -Name MSOnline'
+1. Install the MSOnline module for PowerShell by running the following command:
-2. Install Az PowerShell module by running the following command:
+ `Install-Module -Name MSOnline`
- 'Install-Module -Name Az'
+2. Install the Az PowerShell module by running the following command:
-3. Create or use a managed admin account from the tenant you would like to delete, for example, newAdmin@tenanttodelete.onmicrosoft.com
+ `Install-Module -Name Az`
-4. Open PowerShell and connect to MSODS using the admin credentials, with command
+3. Create or use a managed admin account from the tenant that you want to delete. For example: `newAdmin@tenanttodelete.onmicrosoft.com`.
- 'connect-msolservice'
+4. Open PowerShell and connect to Azure AD by using admin credentials with the following command:
+
+ `connect-msolservice`
>[!WARNING]
- > You must run PowerShell using admin credentials for the tenant that you are trying to delete. Only homed-in admins have access to manage the directory via Powershell.You can't use guest user admins, live-ids or multi-directories. Before you proceed, to verify you are connected to the tenant you intend to delete with MSOnline module. It is recommended you run the command `Get-MsolDomain` to confirm that you are connected to the correct tenantID and onmicrosoft.com domain.
+ > You must run PowerShell by using admin credentials for the tenant that you're trying to delete. Only homed-in admins have access to manage the directory via Powershell. You can't use guest user admins, Microsoft accounts, or multiple directories.
+ >
+ > Before you proceed, verify that you're connected to the tenant that you want to delete with the MSOnline module. We recommend that you run the `Get-MsolDomain` command to confirm that you're connected to the correct tenant ID and `onmicrosoft.com` domain.
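Review bot: "clean up the rest of the things within an Azure AD tenant" is informal for a how-to; "remove the remaining resources in the Azure AD tenant" says the same thing. In step 4, `connect-msolservice` should be written `Connect-MsolService`, matching the PascalCase used for `Connect-AzAccount` and `Get-MsolDomain` elsewhere in the procedure, and "Powershell" in the warning should be "PowerShell".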
-5. Run below command to set the tenant context
+5. Run the following command to set the tenant context:
- 'Connect-AzAccount -Tenant \<object id of the tenant you are attempting to delete\>'
+ `Connect-AzAccount -Tenant \<object id of the tenant you are attempting to delete\>`
>[!WARNING]
- > Before proceeding, to verify you are connected to the tenant you intend to delete with Az module, it is recommended you run the command Get-AzContext to check the connected tenant ID and onmicrosoft.com domain.
+ > Before you proceed, verify that you're connected to the tenant that you want to delete with the Az PowerShell module. We recommend that you run the `Get-AzContext` command to check the connected tenant ID and `onmicrosoft.com` domain.
+
+6. Run the following command to remove any enterprise apps that you can't delete:
-6. Run below command to remove any enterprise apps with no way to delete:
+ `Get-AzADServicePrincipal | ForEach-Object { Remove-AzADServicePrincipal -ObjectId $_.Id }`
- 'Get-AzADServicePrincipal | ForEach-Object { Remove-AzADServicePrincipal -ObjectId $_.Id }'
+7. Run the following command to remove applications and service principals:
-7. Run below command to remove application/service principals
+ `Get-MsolServicePrincipal | Remove-MsolServicePrincipal`
- 'Get-MsolServicePrincipal | Remove-MsolServicePrincipal'
+8. Run the following command to disable any blocking service principals:
-8. Lastly, run the command to disable any blocking service principals:
+ `Get-MsolServicePrincipal | Set-MsolServicePrincipal -AccountEnabled $false`
- 'Get-MsolServicePrincipal | Set-MsolServicePrincipal -AccountEnabled $false'
+9. Sign in to the Azure portal again, and remove any new admin account that you created in step 3.
-9. Sign back into the Azure portal and remove any new admin account created in step 3.
+10. Retry tenant deletion from the Azure portal.
-10. Retry tenant deletion from the Azure portal again.
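Review bot: The backslash escapes in `Connect-AzAccount -Tenant \<object id of the tenant you are attempting to delete\>` now render literally because the command sits in a code span, where escapes are not processed; drop them. Step 6's `Get-AzADServicePrincipal | ForEach-Object { Remove-AzADServicePrincipal -ObjectId $_.Id }` and step 7's `Get-MsolServicePrincipal | Remove-MsolServicePrincipal` are unscoped and remove every service principal in the connected tenant, not only the ones "that you can't delete"; say so plainly in the step text, and state that this is acceptable only because the tenant is about to be deleted and only after the `Get-AzContext` and `Get-MsolDomain` checks in the warnings have confirmed the context, since running it against the wrong tenant breaks every application there. Step 8 disables principals that step 7 has just removed; note that it is a fallback for principals the removal cmdlet could not delete, otherwise the order looks wrong.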
+## Handle a trial subscription that blocks deletion
-## Trial subscription that blocks deletion
+There are [self-service sign-up products](/office365/admin/misc/self-service-sign-up) like Microsoft Power BI, Azure Rights Management (Azure RMS), Microsoft Power Apps, and Dynamics 365. Individual users can sign up via Microsoft 365, which also creates a guest user for authentication in your Azure AD organization.
-There are [self-service sign-up products](/office365/admin/misc/self-service-sign-up) like Microsoft Power BI, Rights Management Services, Microsoft Power Apps, or Dynamics 365, individual users can sign up via Microsoft 365, which also creates a guest user for authentication in your Azure AD organization. These self-service products block directory deletions until the products are fully deleted from the organization, to avoid data loss. They can be deleted only by the Azure AD admin whether the user signed up individually or was assigned the product.
+These self-service products block directory deletions until the products are fully deleted from the organization, to avoid data loss. Only the Azure AD admin can delete them, whether the user signed up individually or was assigned the product.
-There are two types of self-service sign-up products in how they are assigned:
+There are two types of self-service sign-up products, in terms of how they're assigned:
-* Org-level assignment: An Azure AD admin assigns the product to the entire organization and a user can be actively using the service with this org-level assignment even if they aren't licensed individually.
-* User level assignment: An individual user during self-service sign-up essentially assigns the product to themselves without an admin. Once the organization becomes managed by an admin (see [Administrator takeover of an unmanaged organization](domains-admin-takeover.md), then the admin can directly assign the product to users without self-service sign-up.
+* Organizational-level assignment: An Azure AD admin assigns the product to the entire organization. A user can actively use the service with the organizational-level assignment, even if the user isn't licensed individually.
+* User-level assignment: An individual user during self-service sign-up essentially self-assigns the product without an admin. After an admin starts managing the organization (see [Administrator takeover of an unmanaged organization](domains-admin-takeover.md)), the admin can directly assign the product to users without self-service sign-up.
-When you begin the deletion of the self-service sign-up product, the action permanently deletes the data and removes all user access to the service. Any user that was assigned the offer individually or on the organization level is then blocked from signing in or accessing any existing data. If you want to prevent data loss with the self-service sign-up product like [Microsoft Power BI dashboards](/power-bi/service-export-to-pbix) or [Rights Management Services policy configuration](/azure/information-protection/configure-policy#how-to-configure-the-azure-information-protection-policy), ensure that the data is backed up and saved elsewhere.
+When you begin the deletion of a self-service sign-up product, the action permanently deletes the data and removes all user access to the service. Any user who was assigned the offer individually or on the organization level is then blocked from signing in or accessing any existing data. If you want to prevent data loss with a self-service sign-up product like [Microsoft Power BI dashboards](/power-bi/service-export-to-pbix) or [Azure RMS policy configuration](/azure/information-protection/configure-policy#how-to-configure-the-azure-information-protection-policy), ensure that the data is backed up and saved elsewhere.
For more information about currently available self-service sign-up products and services, see [Available self-service programs](/office365/admin/misc/self-service-sign-up#available-self-service-programs).
-For what to expect when a trial Microsoft 365 subscription expires (not including paid Partner/CSP, Enterprise Agreement, or Volume Licensing), see the following table. For more information on Microsoft 365 data retention and subscription lifecycle, see [What happens to my data and access when my Microsoft 365 for business subscription ends?](/office365/admin/subscriptions-and-billing/what-if-my-subscription-expires).
+For what to expect when a trial Microsoft 365 subscription expires (not including paid Partner/CSP, Enterprise Agreement, or Volume Licensing), see the following table. For more information on Microsoft 365 data retention and subscription lifecycle, see [What happens to my data and access when my Microsoft 365 for Business subscription ends?](/office365/admin/subscriptions-and-billing/what-if-my-subscription-expires).
Product state | Data | Access to data - | - | --
-Active (30 days for trial) | Data accessible to all | Users have normal access to self-service sign up product, files, or apps<br>Admins have normal access to Microsoft 365 admin center and resources
-Deleted | Data deleted | Users canΓÇÖt access self-service sign-up product, files, or apps<br>Admins can access the Microsoft 365 admin center to purchase and manage other subscriptions
+**Active** (30 days for trial) | Data is accessible to all. | Users have normal access to self-service sign-up products, files, or apps.<br>Admins have normal access to the Microsoft 365 admin center and resources.
+**Deleted** | Data is deleted. | Users can't access self-service sign-up products, files, or apps.<br>Admins can access the Microsoft 365 admin center to purchase and manage other subscriptions.
## Delete a self-service sign-up product
-You can put a self-service sign-up product like Microsoft Power BI or Azure Rights Management Services into a **Delete** state to be immediately deleted in the Azure AD portal.
+You can put a self-service sign-up product like Microsoft Power BI or Azure RMS into a **Delete** state to be immediately deleted in the Azure AD portal:
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) with an account that is a Global administrator in the organization. If you are trying to delete the ΓÇ£ContosoΓÇ¥ organization that has the initial default domain contoso.onmicrosoft.com, sign on with a UPN such as admin@contoso.onmicrosoft.com.
+1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) with an account that is a global administrator in the organization. If you're trying to delete the Contoso organization that has the initial default domain `contoso.onmicrosoft.com`, sign in with a UPN such as `admin@contoso.onmicrosoft.com`.
-1. Select **Licenses**, and then select **Self-service sign-up products**. You can see all the self-service sign-up products separately from the seat-based subscriptions. Choose the product you want to permanently delete. Here's an example in Microsoft Power BI:
+1. Select **Licenses**, and then select **Self-service sign-up products**. You can see all the self-service sign-up products separately from the seat-based subscriptions. Choose the product that you want to permanently delete. Here's an example in Microsoft Power BI:
- ![Screenshot that shows the "Licenses - Self-service sign-up products" page.](./media/directory-delete-howto/licenses-page.png)
+ ![Screenshot that shows a list of self-service sign-up products.](./media/directory-delete-howto/licenses-page.png)
-1. Select **Delete** to delete the product and accept the terms that data is deleted immediately and irrevocably. This delete action will remove all users and remove organization access to the product. Select Yes to move forward with the deletion.
+1. Select **Delete** to delete the product. This action will remove all users and remove organization access to the product. A dialog warns you that deleting the product will immediately and irrevocably delete data. Select **Yes** to confirm.
- ![Screenshot that shows the "Licenses - Self-service sign-up products" page with the "Delete self-service sign-up product" window open.](./media/directory-delete-howto/delete-product.png)
+ ![Screenshot of the confirmation dialog that warns about deletion of data.](./media/directory-delete-howto/delete-product.png)
-1. When you select **Yes**, the deletion of the self-service product will be initiated. There is a notification that will tell you of the deletion in progress.
+ A notification tells you that the deletion is in progress.
- ![Screenshot that shows the "Licenses - Self-service sign-up products" page with the "deletion in progress" notification displayed.](./media/directory-delete-howto/progress-message.png)
+ ![Screenshot of a notification that a deletion is in progress.](./media/directory-delete-howto/progress-message.png)
-1. Now the self-service sign-up product state has changed to **Deleted**. When you refresh the page, the product should be removed from the **Self-service sign-up products** page.
+1. The self-service sign-up product state has changed to **Deleted**. Refresh the page, and verify that the product is removed from the **Self-service sign-up products** page.
- ![Screenshot that shows the "Licenses - Self-service sign-up products" page with the "Self-service sign-up product deleted" pane on the right-side.](./media/directory-delete-howto/product-deleted.png)
+ ![Screenshot that shows the list of self-service sign-up products and a pane that confirms the deletion of a self-service sign-up product.](./media/directory-delete-howto/product-deleted.png)
-1. Once you have deleted all the products, you can sign back into the Azure AD admin center again, and there should be no required action and no products blocking your organization deletion. You should be able to successfully delete your Azure AD organization.
+1. After you've deleted all the products, sign in to the Azure AD admin center again. Confirm that no required actions or products are blocking your organization deletion. You should be able to successfully delete your Azure AD organization.
- ![the username is mistyped or not found](./media/directory-delete-howto/delete-checks-passed.png)
+ ![Screenshot that shows status information for resources.](./media/directory-delete-howto/delete-checks-passed.png)
## Next steps
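Review bot: In the rewritten step 4, `+1. Select **Delete** to delete the product. This action will remove all users and remove organization access to the product. A dialog warns you that deleting the product will immediately and irrevocably delete data. Select **Yes** to confirm.` states the consequence before the confirmation dialog, so it reads as though users and access are removed before the admin has confirmed, and it drops the removed line's point that the admin is accepting those terms. Reorder so the dialog comes first and carries both facts: "A dialog warns you that the product's data is deleted immediately and irrevocably and that all users and organization access to the product are removed. Select **Yes** to accept and continue." Separately, the header above the rewritten `**Active**` / `**Deleted**` rows appears here as the single line `Product state | Data | Access to data - | - | --`; if the header and separator really are on one line in the source, the new rows will not render as a table.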
active-directory Directory Overview User Model https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-overview-user-model.md
Previously updated : 06/23/2022 Last updated : 09/12/2022
This article introduces and administrator for Azure Active Directory (Azure AD), part of Microsoft Entra, to the relationship between top [identity management](../fundamentals/active-directory-whatis.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) tasks for users in terms of their groups, licenses, deployed enterprise apps, and administrator roles. As your organization grows, you can use Azure AD groups and administrator roles to:
-* Assign licenses to groups instead of to individual users.
-* Delegate permissions to distribute the work of Azure AD management to less-privileged roles.
+* Assign licenses to groups instead of assigning licenses to individual users.
+* Grant permissions to delegate Azure AD management work to personnel in less-privileged roles.
* Assign enterprise app access to groups. ## Assign users to groups
-You can use groups in Azure AD to assign licenses to large numbers of users, or to assign user access to deployed enterprise apps. You can use groups to assign all administrator roles except for Global Administrator in Azure AD, or you can grant access to resources that are external, such as SaaS applications or SharePoint sites.
+You can use groups in Azure AD to assign licenses, or deployed enterprise apps, to large numbers of users. You can also use groups to assign all administrator roles except for Azure AD Global Administrator, or you can grant access to external resources, such as SaaS applications or SharePoint sites.
-For additional flexibility and to reduce group membership management work, you can use [dynamic groups](groups-create-rule.md) in Azure AD to expand and contract group membership automatically. You'll need an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups.
+You can use [dynamic groups](groups-create-rule.md) in Azure AD to expand and contract group membership automatically. Dynamic groups give you greater flexibility and they reduce group membership management work. You'll need an Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups.
## Assign licenses to groups
-Assigning or removing licenses from users individually can demand time and attention. If you [assign licenses to groups](../fundamentals/license-users-groups.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) instead, you can make your large-scale license management easier.
+Managing user license assignments individually is time consuming and error prone. If you [assign licenses to groups](../fundamentals/license-users-groups.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) instead, you experience easier large-scale license management.
Azure AD users who join a licensed group are automatically assigned the appropriate licenses. When users leave the group, Azure AD removes their license assignments. Without Azure AD groups, you'd have to write a PowerShell script or use Graph API to bulk add or remove user licenses for users joining or leaving the organization.
-If there aren't enough licenses available, or an issue occurs like service plans that can't be assigned at the same time, you can see status of any licensing issue for the group in the Azure portal.
+If there aren't enough licenses available, or an issue occurs like service plans that can't be assigned at the same time, you can see the status of any licensing issue for the group in the Azure portal.
## Delegate administrator roles
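Review bot: The unchanged first line of this hunk still carries the typo "This article introduces and administrator for Azure Active Directory" (should be "an administrator"); since the hunk already rewrites the bullets directly beneath it, fix it in the same change. In `+You can use groups in Azure AD to assign licenses, or deployed enterprise apps, to large numbers of users.` the comma pair makes it read as if apps are assigned to users the way licenses are; the removed wording ("assign licenses to large numbers of users, or to assign user access to deployed enterprise apps") kept the two distinct and should be retained, or recast as "assign licenses to large numbers of users, or grant them access to deployed enterprise apps".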
New Azure AD administrator roles are being added. Check the Azure portal or the
## Assign app access
-You can use Azure AD to assign group access to the [enterprise apps that are deployed in your Azure AD organization](../manage-apps/assign-user-or-group-access-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context). If you combine dynamic groups with group assignment to apps, you can automate your user app access assignments as your organization grows. You'll need an Azure Active Directory Premium P1 or Premium P2 license to assign access to enterprise apps.
+You can use Azure AD to assign group access to [enterprise apps deployed in your Azure AD organization](../manage-apps/assign-user-or-group-access-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context). If you combine dynamic groups with group assignment to apps, you can automate user app access assignments as your organization grows. You'll need an Azure Active Directory Premium P1 or Premium P2 license to assign access to enterprise apps.
Azure AD also gives you granular control of the data that flows between the app and the groups to whom you assign access. In [Enterprise Applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps), open an app and select **Provisioning** to:
active-directory Groups Dynamic Membership https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-membership.md
dirSyncEnabled |true false |user.dirSyncEnabled -eq true
| memberOf | Any string value (valid group object ID) | user.memberof -any (group.objectId -in ['value']) | | mobile |Any string value or *null* | user.mobile -eq "value" | | objectId |GUID of the user object | user.objectId -eq "11111111-1111-1111-1111-111111111111" |
-| onPremisesDistinguishedName (preview)| Any string value or *null* | user.onPremisesDistinguishedName -eq "value" |
+| onPremisesDistinguishedName | Any string value or *null* | user.onPremisesDistinguishedName -eq "value" |
| onPremisesSecurityIdentifier | On-premises security identifier (SID) for users who were synchronized from on-premises to the cloud. | user.onPremisesSecurityIdentifier -eq "S-1-1-11-1111111111-1111111111-1111111111-1111111" | | passwordPolicies |None<br>DisableStrongPassword<br>DisablePasswordExpiration<br>DisablePasswordExpiration, DisableStrongPassword | user.passwordPolicies -eq "DisableStrongPassword" | | physicalDeliveryOfficeName |Any string value or *null* | user.physicalDeliveryOfficeName -eq "value" |
active-directory Add Users Information Worker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/add-users-information-worker.md
Previously updated : 12/19/2018 Last updated : 10/07/2022
After an app is configured for self-service, application owners can use their ow
![Screenshot showing the Manage app sub-menu for the Salesforce app](media/add-users-iw/access-panel-manage-app.png)
-3. At the top of the users list, select **+**.
-
- ![Screenshot showing the plus symbol for adding members to the app](media/add-users-iw/access-panel-manage-app-add-user.png)
+3. At the top of the users list, select **+** on the right-hand side.
+ 4. In the **Add members** search box, type the email address for the guest user. Optionally, include a welcome message.
See the following articles on Azure AD B2B collaboration:
- [What is Azure AD B2B collaboration?](what-is-b2b.md) - [How do Azure Active Directory admins add B2B collaboration users?](add-users-administrator.md) - [B2B collaboration invitation redemption](redemption-experience.md)-- [External Identities pricing](external-identities-pricing.md)
+- [External Identities pricing](external-identities-pricing.md)
active-directory Authentication Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/authentication-conditional-access.md
Previously updated : 06/30/2022 Last updated : 10/12/2022
The following diagram illustrates the flow when email one-time passcode authenti
## Conditional Access for external users
-Organizations can enforce Conditional Access policies for external B2B collaboration and B2B direct connect users in the same way that theyΓÇÖre enabled for full-time employees and members of the organization. With the introduction of cross-tenant access settings, you can also trust MFA and device claims from external Azure AD organizations. This section describes important considerations for applying Conditional Access to users outside of your organization.
+Organizations can enforce [Conditional Access](../conditional-access/overview.md) policies for external B2B collaboration and B2B direct connect users in the same way that theyΓÇÖre enabled for full-time employees and members of the organization. With the introduction of cross-tenant access settings, you can also trust MFA and device claims from external Azure AD organizations. This section describes important considerations for applying Conditional Access to users outside of your organization.
+
+### Assigning Conditional Access policies to external user types (preview)
+
+> [!NOTE]
+> This section describes a preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+When configuring a Conditional Access policy, you have granular control over the types of external users you want to apply the policy to. External users are categorized based on how they authenticate (internally or externally) and their relationship to your organization (guest or member).
+
+- **B2B collaboration guest users** - Most users who are commonly considered guests fall into this category. This B2B collaboration user has an account in an external Azure AD organization or an external identity provider (such as a social identity), and they have guest-level permissions in your organization. The user object created in your Azure AD directory has a UserType of Guest. This category includes B2B collaboration users who have been invited and who have used self-service sign-up.
+- **B2B collaboration member users** - This B2B collaboration user has an account in an external Azure AD organization or an external identity provider (such as a social identity) and member-level access to resources in your organization. This scenario is common in organizations consisting of multiple tenants, where users are considered part of the larger organization and need member-level access to resources in the organizationΓÇÖs other tenants. The user object created in the resource Azure AD directory has a UserType of Member.
+- **B2B direct connect users** - External users who are able to access your resources via B2B direct connect, which is a mutual, two-way connection with another Azure AD organization that allows single sign-on access to certain Microsoft applications (currently, Microsoft Teams Connect shared channels). B2B direct connect users donΓÇÖt have a presence in your Azure AD organization, but are instead managed from within the application (for example, by the Teams shared channel owner).
+- **Local guest users** - Local guest users have credentials that are managed in your directory. Before Azure AD B2B collaboration was available, it was common to collaborate with distributors, suppliers, vendors, and others by setting up internal credentials for them and designating them as guests by setting the user object UserType to Guest.
+- **Service provider users** - Organizations that serve as cloud service providers for your organization (the isServiceProvider property in the Microsoft Graph [partner-specific configuration](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) is true).
+- **Other external users** - Applies to any users who don't fall into the categories above, but who are not considered internal members of your organization, meaning they don't authenticate internally via Azure AD, and the user object created in the resource Azure AD directory does not have a UserType of Member.
+
+Learn more about [Conditional Access user assignments](../conditional-access/concept-conditional-access-users-groups.md).
### MFA for Azure AD external users
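Review bot: The new **Local guest users** bullet describes these accounts only by history ("Before Azure AD B2B collaboration was available...") and omits the property that matters for the rest of this article: their credentials live in your directory, so there is no home tenant whose MFA or device claims could be trusted through cross-tenant access settings, and any Conditional Access requirement placed on them is satisfied in your tenant, as it is for members. Add one sentence saying so, because the section that follows is about which tenant performs MFA. A smaller style point: the **Other external users** bullet is easier to apply if it leads with "Any external user not covered by the categories above" and then lists the two properties, rather than opening with the double negative.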
The following PowerShell cmdlets are available to *proof up* or request MFA regi
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName gsamoogle_gmail.com#EXT#@ WoodGroveAzureAD.onmicrosoft.com ```
+### Authentication strength policies for external users
+
+[Authentication strength](https://aka.ms/b2b-auth-strengths) is a Conditional Access control that lets you define a specific combination of multifactor authentication (MFA) methods that an external user must complete to access your resources. This control is especially useful for restricting external access to sensitive apps in your organization because you can enforce specific authentication methods, such as a phishing-resistant method, for external users.
+
+You also have the ability to apply authentication strength to the different types of [guest or external users](#assigning-conditional-access-policies-to-external-user-types-preview) that you collaborate or connect with. This means you can enforce authentication strength requirements that are unique to your B2B collaboration, B2B direct connect, and other external access scenarios.
+
+Azure AD provides three [built-in authentication strengths](https://aka.ms/b2b-auth-strengths):
+
+- Multifactor authentication strength
+- Passwordless MFA strength
+- Phishing-resistant MFA strength
+
+You can use one of these built-in strengths or create a custom authentication strength policy based on the authentication methods you want to require.
+
+> [!NOTE]
+> Currently, you can only apply authentication strength policies to external users who authenticate with Azure AD. For email one-time passcode, SAML/WS-Fed, and Google federation users, use the MFA grant control to require MFA.
+
+When you apply an authentication strength policy to external Azure AD users, the policy works together with [MFA trust settings](cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) in your cross-tenant access settings to determine where and how the external user must perform MFA. An Azure AD user first authenticates using their own account in their home Azure AD tenant. Then when this user tries to access your resource, Azure AD applies the authentication strength Conditional Access policy and checks to see if you've enabled MFA trust.
+
+In external user scenarios, the authentication methods that are acceptable for fulfilling authentication strength vary, depending on whether the user is completing MFA in their home tenant or the resource tenant. The following table indicates the acceptable methods in each tenant. If a resource tenant has opted to trust claims from external Azure AD organizations, only those claims listed in the ΓÇ£Home tenantΓÇ¥ column below will be accepted by the resource tenant for MFA fulfillment. If the resource tenant has disabled MFA trust, the external user must complete MFA in the resource tenant using one of the methods listed in the ΓÇ£Resource tenantΓÇ¥ column.
+
+##### Table 1. Authentication strength MFA methods for external users
+
+|Authentication method |Home tenant | Resource tenant |
+||||
+|SMS as second factor | &#x2705; | &#x2705; |
+|Voice call | &#x2705; | &#x2705; |
+|Microsoft Authenticator push notification | &#x2705; | &#x2705; |
+|Microsoft Authenticator phone sign-in | &#x2705; | &#x2705; |
+|OATH software token | &#x2705; | &#x2705; |
+|OATH hardware token | &#x2705; | |
+|FIDO2 security key | &#x2705; | |
+|Windows Hello for Business | &#x2705; | |
++
+To configure a Conditional Access policy that applies authentication strength requirements to external users or guests, see [Conditional Access: Require an authentication strength for external users](../conditional-access/howto-conditional-access-policy-authentication-strength-external.md).
+
+#### User experience for external Azure AD users
+
+Authentication strength policies work together withΓÇ»[MFA trust settings](cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) in your cross-tenant access settings to determine where and how the external user must perform MFA.
+
+First, an Azure AD user authenticates with their own account in their home tenant. Then when this user tries to access your resource, Azure AD applies the authentication strength Conditional Access policy and checks to see if you've enabled MFA trust.
+
+- **If MFA trust is enabled**, Azure AD checks the user's authentication session for a claim indicating that MFA has been fulfilled in the user's home tenant. (See [Table 1](#table-1-authentication-strength-mfa-methods-for-external-users) for authentication methods that are acceptable for MFA fulfillment when completed in an external user's home tenant.) If the session contains a claim indicating that MFA policies have already been met in the user's home tenant and the methods satisfy the authentication strength requirements, the user is allowed access. Otherwise, Azure AD presents the user with a challenge to complete MFA in the home tenant using an acceptable authentication method. The MFA method must be enabled in the home tenant and user must be able to register for it.
+- **If MFA trust is disabled**, Azure AD presents the user with a challenge to complete MFA in the resource tenant using an acceptable authentication method. (See [Table 1](#table-1-authentication-strength-mfa-methods-for-external-users) for authentication methods that are acceptable for MFA fulfillment by an external user.)
+
+If the user is unable to complete MFA, or if a Conditional Access policy (such as a compliant device policy) prevents them from registering, access is blocked.
+ ### Device compliance and hybrid Azure AD joined device policies Organizations can use Conditional Access policies to require users' devices to be managed by Microsoft Intune. Such policies can block external user access, because an external user can't register their unmanaged device with the resource organization. Devices can only be managed by a user's home tenant.
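Review bot: Table 1 lists FIDO2 security key and Windows Hello for Business under **Home tenant** only, and those are the only phishing-resistant methods in the table, so in the `+- **If MFA trust is disabled**` branch an external Azure AD user cannot satisfy the built-in **Phishing-resistant MFA strength** at all and is blocked; the same holds for a custom strength that requires the OATH hardware token, which is also home-tenant only. State this next to the NOTE, e.g. "To require phishing-resistant MFA from external Azure AD users, enable MFA trust for their organization in cross-tenant access settings; with MFA trust disabled, no phishing-resistant method is available in the resource tenant." Two smaller points in the same hunk: the paragraph beginning `+When you apply an authentication strength policy to external Azure AD users, the policy works together with [MFA trust settings]` repeats, almost word for word, the two paragraphs under `+#### User experience for external Azure AD users`, so keep one copy; and the `++` line after the table leaves a stray `+` that renders as text. Grammar: "and user must be able to register for it" wants "the user".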
active-directory Azure Ad Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/azure-ad-account.md
Previously updated : 08/09/2021 Last updated : 10/06/2022
-# Azure Active Directory (Azure AD) identity provider for External Identities
+# Add Azure Active Directory (Azure AD) as an identity provider for External Identities
Azure Active Directory is available as an identity provider option for B2B collaboration by default. If an external guest user has an Azure AD account through work or school, they can redeem your B2B collaboration invitations or complete your sign-up user flows using their Azure AD account. ## Guest sign-in using Azure Active Directory accounts
-Azure Active Directory is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Azure AD account using either the invitation flow or a self-service sign-up user flow.
+Azure Active Directory is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Azure AD account using either the invitation flow or a [self-service sign-up user flow](self-service-sign-up-overview.md).
![Azure AD account in the identity providers list](media/azure-ad-account/azure-ad-account-identity-provider.png)
active-directory Cross Tenant Access Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-overview.md
You can configure organization-specific settings by adding an organization and m
- For B2B collaboration with other Azure AD organizations, use cross-tenant access settings to manage inbound and outbound B2B collaboration and scope access to specific users, groups, and applications. You can set a default configuration that applies to all external organizations, and then create individual, organization-specific settings as needed. Using cross-tenant access settings, you can also trust multi-factor (MFA) and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations. > [!TIP]
- >If you intend to trust inbound MFA for external users, make sure you don't have an [Identity Protection policy](../identity-protection/howto-identity-protection-configure-mfa-policy.md) in place that requires external users to register for MFA. When both of these policies are present, external users wonΓÇÖt be able to satisfy the requirements for access. If you want to enforce the Identity Protection MFA registration policy, be sure to exclude external users.
+ >We recommend excluding external users from the [Identity Protection MFA registration policy](../identity-protection/howto-identity-protection-configure-mfa-policy.md), if you are going to [trust MFA for external users](authentication-conditional-access.md#mfa-for-azure-ad-external-users). When both policies are present, external users wonΓÇÖt be able to satisfy the requirements for access.
- For B2B direct connect, use organizational settings to set up a mutual trust relationship with another Azure AD organization. Both your organization and the external organization need to mutually enable B2B direct connect by configuring inbound and outbound cross-tenant access settings.
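Review bot: The rewritten tip no longer says what the Identity Protection policy does; the removed line had "requires external users to register for MFA", which is what makes "When both policies are present, external users won't be able to satisfy the requirements for access" intelligible (the registration policy demands enrollment in your tenant, while MFA trust expects the MFA claim to come from the user's home tenant). Keep that clause, e.g. "We recommend excluding external users from the Identity Protection MFA registration policy, which would require them to register for MFA in your tenant, if you are going to trust MFA for external users."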
active-directory Microsoft Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/microsoft-account.md
Previously updated : 08/09/2021 Last updated : 09/29/2022 +
+#Customer intent: As an Azure AD administrator user, I want to set up invitation flow or a self-service sign-up user flow for guest users, so they can sign into my Azure AD apps with their Microsoft account (MSA).
-# Microsoft account (MSA) identity provider for External Identities
+# Add Microsoft account (MSA) as an identity provider for External Identities
Your B2B guest users can use their own personal Microsoft accounts for B2B collaboration without further configuration. Guest users can redeem your B2B collaboration invitations or complete your sign-up user flows using their personal Microsoft account.
-Microsoft accounts are set up by a user to get access to consumer-oriented Microsoft products and cloud services, such as Outlook, OneDrive, Xbox LIVE, or Microsoft 365. The account is created and stored in the Microsoft consumer identity account system that's run by Microsoft.
+Microsoft accounts are set up by a user to get access to consumer-oriented Microsoft products and cloud services, such as Outlook, OneDrive, Xbox LIVE, or Microsoft 365. The account is created and stored in the Microsoft consumer identity account system, run by Microsoft.
## Guest sign-in using Microsoft accounts
-Microsoft account is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Microsoft account using either the invitation flow or a self-service sign-up user flow.
+Microsoft account is available by default in the list of **External Identities** > **All identity providers**. No further configuration is needed to allow guest users to sign in with their Microsoft account using either the invitation flow, or a self-service sign-up user flow.
-![Microsoft account in the identity providers list](media/microsoft-account/microsoft-account-identity-provider.png)
### Microsoft account in the invitation flow When you [invite a guest user](add-users-administrator.md) to B2B collaboration, you can specify their Microsoft account as the email address they'll use to sign in.
-![Invite using a Microsoft account](media/microsoft-account/microsoft-account-invite.png)
### Microsoft account in self-service sign-up user flows
-Microsoft account is an identity provider option for your self-service sign-up user flows. Users can sign up for your applications using their own Microsoft accounts. First, you'll need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. Then you can set up a user flow for the application and select Microsoft account as one of the sign-in options.
+Microsoft account is an identity provider option for your self-service sign-up user flows. Users can sign up for your applications using their own Microsoft accounts. First, you'll need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. Then you can set up a user flow for the application, and select Microsoft account as one of the sign-in options.
-![Microsoft account in a self-service sign-up user flow](media/microsoft-account/microsoft-account-user-flow.png)
## Verifying the application's publisher domain
-As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../develop/howto-configure-publisher-domain.md) ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../develop/publisher-verification-overview.md) about this change.) Note that for Azure AD user flows, the publisherΓÇÖs domain appears only when using a Microsoft account or other [Azure AD tenant](azure-ad-account.md) as the identity provider. To meet these new requirements, do the following:
+As of November 2020, new application registrations show up as unverified in the user consent prompt, unless [the application's publisher domain is verified](../develop/howto-configure-publisher-domain.md), ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../develop/publisher-verification-overview.md) about this change.) For Azure AD user flows, the publisherΓÇÖs domain appears only when using a Microsoft account or other [Azure AD tenant](azure-ad-account.md) as the identity provider. To meet these new requirements, follow the steps below:
1. [Verify your company identity using your Microsoft Partner Network (MPN) account](/partner-center/verification-responses). This process verifies information about your company and your companyΓÇÖs primary contact. 1. Complete the publisher verification process to associate your MPN account with your app registration using one of the following options:
As of November 2020, new application registrations show up as unverified in the
## Next steps - [Add Azure Active Directory B2B collaboration users](add-users-administrator.md)-- [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)
+- [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)
active-directory Self Service Sign Up User Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-user-flow.md
Previously updated : 04/26/2022 Last updated : 10/12/2022
Next, you'll create the user flow for self-service sign-up and add it to an appl
![Add a new user flow button](media/self-service-sign-up-user-flow/new-user-flow.png)
-5. On the **Create** page, enter a **Name** for the user flow. Note that the name is automatically prefixed with **B2X_1_**.
-6. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Azure Active Directory Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.)
-7. Under **User attributes**, choose the attributes you want to collect from the user. For additional attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**.
+5. Select the user flow type (for example, **Sign up and sign in**), and then select the version (**Recommended** or **Preview**).
+6. On the **Create** page, enter a **Name** for the user flow. Note that the name is automatically prefixed with **B2X_1_**.
+7. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Azure Active Directory Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.)
+8. Under **User attributes**, choose the attributes you want to collect from the user. For additional attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**.
![Create a new user flow page](media/self-service-sign-up-user-flow/create-user-flow.png)
You can choose order in which the attributes are displayed on the sign-up page.
## Add applications to the self-service sign-up user flow
-Now you can associate applications with the user flow.
+Now you'll associate applications with the user flow to enable sign-up for those applications. New users who access the associated applications will be presented with your new self-service sign-up experience.
1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator. 2. Under **Azure services**, select **Azure Active Directory**.
Now you can associate applications with the user flow.
- [Add Facebook to your list of social identity providers](facebook-federation.md) - [Use API connectors to customize and extend your user flows via web APIs](api-connectors-overview.md) - [Add custom approval workflow to your user flow](self-service-sign-up-add-approvals.md)
+- [Learn more about initiating an OAuth 2.0 authorization code flow](../develop/v2-oauth2-auth-code-flow.md#request-an-authorization-code)
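Review bot: the Next steps bullet added at the end, `- [Learn more about initiating an OAuth 2.0 authorization code flow](../develop/v2-oauth2-auth-code-flow.md#request-an-authorization-code)`, has no sentence telling a reader who just configured a user flow why to follow it; add a short lead such as "the user flow is shown when your application starts an authorization code request for a new user", or drop the link. In the renumbered steps, the new step 5, `Select the user flow type (for example, **Sign up and sign in**), and then select the version (**Recommended** or **Preview**).`, introduces a Recommended/Preview choice without one clause on what differs or that Preview should not be used for production apps; the screenshot reference that follows the steps also still shows the old numbering, so check that `create-user-flow.png` was refreshed.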
active-directory 4 Secure Access Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/4-secure-access-groups.md
Both Azure AD security groups and Microsoft 365 groups can be created from the A
| What can the group contain?| Users<br>Groups<br>Service principals<br>Devices| Users only | | Where is the group created?| Azure AD portal<br>Microsoft 365 portal (if to be mail enabled)<br>PowerShell<br>Microsoft Graph<br>End user portal| Microsoft 365 portal<br>Azure AD portal<br>PowerShell<br>Microsoft Graph<br>In Microsoft 365 applications | | Who creates by default?| Administrators <br>Users| Administrators<br>Users |
-| Who can be added by default?| Internal users (tenant members)| Tenant members and guests from any organization |
+| Who can be added by default?| Internal users (tenant members) and guest users | Tenant members and guests from any organization |
| What does it grant access to?| Only resources to which it's assigned.| All group-related resources:<br>(Group mailbox, site, team, chats, and other included Microsoft 365 resources)<br>Any other resources to which group is added | | Can be used with| Conditional Access<br>Entitlement Management<br>Group licensing| Conditional Access<br>Entitlement Management<br>Sensitivity labels |
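Review bot: the changed row `| Who can be added by default?| Internal users (tenant members) and guest users | ...` now states that guests can be members of Azure AD security groups by default, but nothing in the table says what that means for the "Can be used with" row (Conditional Access, Entitlement Management, Group licensing): a guest added to a security group that is used as a Conditional Access exclusion, for a license assignment, or for an app role gets that exclusion, license or role. Add a sentence after the table (or a footnote on the row) saying that membership of security groups used for access decisions should be reviewed for guest accounts, and state who can add guests by default (group owners, or any member user) so the row is actionable.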
active-directory Active Directory Access Create New Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-access-create-new-tenant.md
If you don't have an Azure subscription, create a [free account](https://azure.m
## Create a new tenant for your organization After you sign in to the Azure portal, you can create a new tenant for your organization. Your new tenant represents your organization and helps you to manage a specific instance of Microsoft cloud services for your internal and external users.-
+>[!Important]
+>If users with the business need to create tenants are unable to create them, review your user settings page to ensure that **Tenant Creation** is not switched off. If it is switched off, reach out to your Global Administrator to provide those who need it with access to the Tenant Creator role.
### To create a new tenant 1. Sign in to your organization's [Azure portal](https://portal.azure.com/).
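Review bot: the new Important box names the setting **Tenant Creation**, while the users-default-permissions change in this same update set calls the same switch **Create tenants**; use the name shown in the portal consistently so the two articles can be cross-referenced. The sentence "If users with the business need to create tenants are unable to create them, review your user settings page to ensure that **Tenant Creation** is not switched off." is hard to parse; suggest "If a user who needs to create tenants can't, check **User settings** to confirm that tenant creation is not turned off, and ask a Global Administrator to assign the Tenant Creator role to the users who need it."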
active-directory License Users Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/license-users-groups.md
There are several license plans available for the Azure AD service, including:
For specific information about each license plan and the associated licensing details, see [What license do I need?](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). To sign up for Azure AD premium license plans see [here](./active-directory-get-started-premium.md).
-Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory &gt; Users &gt; Profile &gt; Settings** area in Azure AD. Any user whose usage location isn't specified inherits the location of the Azure AD organization.
+Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory &gt; Users &gt; Profile &gt; Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization.
## View license plans and plan details
Make sure that anyone needing to use a licensed Azure AD service has the appropr
The **Assign license** page updates to show that a user is selected and that the assignments are configured. > [!NOTE]
- > Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the **Usage location**. You can set this value in the **Azure Active Directory &gt; Users &gt; Profile &gt; Settings** area in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.
+ > Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the **Usage location**. You can set this value in the **Azure Active Directory &gt; Users &gt; Profile &gt; Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization.
1. Select **Assign**.
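Review bot: the sentence added in both places, `When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization.`, is not grammatical ("assigning ... or bulk updates") and reads as contradicting the start of the same paragraph, which says a usage location must be specified before a license can be assigned. State in which cases the tenant location is used as a fallback and in which assignment fails, for example: "During group-based license assignment, and during bulk operations such as turning off directory synchronization, a user with no usage location inherits the organization's location; direct assignment to a user still requires the location to be set." Since the text is duplicated in the body and in the NOTE, keep one copy or make the two identical.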
active-directory Secure With Azure Ad Single Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-single-tenant.md
Last updated 7/5/2022 -+
Azure RBAC allows you to design an administration model with granular scopes and
* **Resource group** - You can assign roles to specific resource groups so that they don't impact any other resource groups. In the example above, the Benefits engineering team can assign the Contributor role to the test lead so they can manage the test DB and the test web app, or to add more resources.
-* **Individual resources** - You can assign roles to specific resources so that they don't impact any other resources. In the example above, the Benefits engineering team can assign a data analyst the Cosmos DB Account Reader role just for the test instance of the Cosmos DB, without interfering with the test web app, or any production resource.
+* **Individual resources** - You can assign roles to specific resources so that they don't impact any other resources. In the example above, the Benefits engineering team can assign a data analyst the Cosmos DB Account Reader role just for the test instance of the Azure Cosmos DB database, without interfering with the test web app or any production resource.
For more information, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md) and [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md).
active-directory Service Accounts Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/service-accounts-managed-identities.md
Last updated 08/20/2022 -+
With managed identities the source system can obtain a token from Azure AD witho
The target system needs to authenticate (identify) and authorize the source system before allowing access. When the target service supports Azure AD-based authentication it accepts an access token issued by Azure AD.
-Azure has a control plane and a data plane. In the control plane, you create resources, and in the data plane you access them. For example, you create a Cosmos database in the control plane, but query it in the data plane.
+Azure has a control plane and a data plane. In the control plane, you create resources, and in the data plane you access them. For example, you create an Azure Cosmos DB database in the control plane, but query it in the data plane.
Once the target system accepts the token for authentication, it can support different mechanisms for authorization for its control plane and data plane.
There are several ways in which you can find managed identities:
You can get a list of all managed identities in your tenant with the following GET request to Microsoft Graph:
-`https://graph.microsoft.com/v1.0/servicePrincipals?$filter=(servicePrincipalType eq 'ManagedIdentity') `
+`https://graph.microsoft.com/v1.0/servicePrincipals?$filter=(servicePrincipalType eq 'ManagedIdentity')`
You can filter these requests. For more information, see the Graph documentation for [GET servicePrincipal](/graph/api/serviceprincipal-get).
You can assess the security of managed identities in the following ways:
* Examine privileges and ensure that the least privileged model is selected. Use the following PowerShell cmdlet to get the permissions assigned to your managed identities.
- ` Get-AzureADServicePrincipal | % { Get-AzureADServiceAppRoleAssignment -ObjectId $_ }`
+ `Get-AzureADServicePrincipal | % { Get-AzureADServiceAppRoleAssignment -ObjectId $_ }`
-* Ensure the managed identity is not part of any privileged groups, such as an administrators group.
-ΓÇÄYou can do this by enumerating the members of your highly privileged groups with PowerShell.
+* Ensure the managed identity is not part of any privileged groups, such as an administrators group. You can do this by enumerating the members of your highly privileged groups with PowerShell.
`Get-AzureADGroupMember -ObjectId <String> [-All <Boolean>] [-Top <Int32>] [<CommonParameters>]`
If you are using a service principal or an Azure AD user account, evaluate if y
[Governing Azure service accounts](service-accounts-governing-azure.md) [Introduction to on-premises service accounts](service-accounts-on-premises.md)-
-
-
-
-
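Review bot: the PowerShell pipeline `Get-AzureADServicePrincipal | % { Get-AzureADServiceAppRoleAssignment -ObjectId $_ }` passes the whole service principal object to `-ObjectId`, which takes a string; use `$_.ObjectId`. It also enumerates every service principal in the tenant, not only managed identities, which does not match the Graph query above it (`servicePrincipalType eq 'ManagedIdentity'`); add `-Filter "servicePrincipalType eq 'ManagedIdentity'"` to `Get-AzureADServicePrincipal`, or a `Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' }` step. The second snippet, `Get-AzureADGroupMember -ObjectId <String> [-All <Boolean>] [-Top <Int32>] [<CommonParameters>]`, is the cmdlet's syntax summary rather than a command the reader can run; show a concrete call with the group's object ID and `-All $true`, because without `-All` only the first page of members is returned and a privileged member can be missed.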
active-directory Users Default Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-default-permissions.md
You can restrict default permissions for member users in the following ways:
| Permission | Setting explanation | | - | | | **Register applications** | Setting this option to **No** prevents users from creating application registrations. You can the grant the ability back to specific individuals by adding them to the application developer role. |
+| **Create tenants** | Setting this option to **No** prevents users from creating new Azure AD or Azure AD B2C tenants. You can grant the ability back to specific individuals by adding them to tenant creator role. |
| **Allow users to connect work or school account with LinkedIn** | Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](../enterprise-users/linkedin-user-consent.md). | | **Create security groups** | Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). | | **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |
-| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). <br>It does not restrict access to Entra Portal. </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |
+| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |
| **Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`. | > [!NOTE]
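Review bot: dropping "It does not restrict access to Entra Portal." from the **Restrict access to Azure AD administration portal** row leaves the trailing item `**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management.` without the statement it was qualifying; either restore a sentence saying whether the switch covers the Entra admin center, or fold that last item into the "When should I not use this switch?" answer, which already makes the point that only Conditional Access is a real control. Two sentences in the same row are ungrammatical: "create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access" (two predicates) and "How do I grant only a specific non-administrator users". In the new **Create tenants** row, "tenant creator role" should match the role name used in the tenant-creation article of this same update ("Tenant Creator role"), and the unchanged line above still reads "You can the grant the ability back".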
active-directory Whats New Sovereign Clouds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds.md
+
+ Title: What's new in Sovereign Clouds? Release notes - Azure Active Directory | Microsoft Docs
+description: Learn what is new with Azure Active Directory Sovereign Cloud.
+++++ Last updated : 08/03/2022+++++
+# What's new in Azure Active Directory Sovereign Clouds?
++
+Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:
+
+- [Azure Government](/azure/azure-government/documentation-government-welcome)
+
+This page is updated monthly, so revisit it regularly.
+++
+## September 2022
+
+### General Availability - Azure AD certificate-based authentication
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** User Authentication
+
+
+Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. This feature enables customers to adopt a phishing resistant authentication and authenticate with an X.509 certificate against their Enterprise Public Key Infrastructure (PKI). For more information, see: [Overview of Azure AD certificate-based authentication (Preview)](../authentication/concept-certificate-based-authentication.md).
+
++
+### General Availability - Audited BitLocker Recovery
+
+**Type:** New feature
+**Service category:** Device Access Management
+**Product capability:** Device Lifecycle Management
+
+
+BitLocker keys are sensitive security items. Audited BitLocker recovery ensures that when BitLocker keys are read, an audit log is generated so that you can trace who accesses this information for given devices. For more information, see: [View or copy BitLocker keys](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
+
++
+### General Availability - More device properties supported for Dynamic Device groups
+
+**Type:** Changed feature
+**Service category:** Group Management
+**Product capability:** Directory
+
+
+You can now create or update dynamic device groups using the following properties:
+
+- deviceManagementAppId
+- deviceTrustType
+- extensionAttribute1-15
+- profileType
+
+For more information on how to use this feature, see: [Dynamic membership rule for device groups](../enterprise-users/groups-dynamic-membership.md#rules-for-devices)
+
+++
+### General Availability - No more waiting, provision groups on demand into your SaaS applications.
+
+**Type:** New feature
+**Service category:** Provisioning
+**Product capability:** Identity Lifecycle Management
+
+
+Pick a group of up to five members and provision them into your third-party applications in seconds. Get started testing, troubleshooting, and provisioning to non-Microsoft applications such as ServiceNow, ZScaler, and Adobe. For more information, see: [On-demand provisioning in Azure Active Directory](../app-provisioning/provision-on-demand.md).
+
++
+### General Availability - Devices Overview
+
+**Type:** New feature
+**Service category:** Device Registration and Management
+**Product capability:** Device Lifecycle Management
+
+
+
+The new Device Overview in the Azure Active Directory portal provides meaningful and actionable insights about devices in your tenant.
+
+In the devices overview, you can view the number of total devices, stale devices, noncompliant devices, and unmanaged devices. You'll also find links to Intune, Conditional Access, BitLocker keys, and basic monitoring. For more information, see: [Manage device identities by using the Azure portal](../devices/device-management-azure-portal.md).
+
++
+### General Availability - Support for Linux as Device Platform in Azure AD Conditional Access
+
+**Type:** New feature
+**Service category:** Conditional Access
+**Product capability:** User Authentication
+
+
+
+Added support for ΓÇ£LinuxΓÇ¥ device platform in Azure AD Conditional Access.
+
+An admin can now require a user is on a compliant Linux device, managed by Intune, to sign-in to a selected service (for example ΓÇÿall cloud appsΓÇÖ or ΓÇÿOffice 365ΓÇÖ). For more information, see: [Device platforms](../conditional-access/concept-conditional-access-conditions.md#device-platforms)
+
++
+### General Availability - Cross-tenant access settings for B2B collaboration
+
+**Type:** Changed feature
+**Service category:** B2B
+**Product capability:** B2B/B2C
+
+
+
+Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now youΓÇÖll have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. For more information, see: [Cross-tenant access with Azure AD External Identities](../external-identities/cross-tenant-access-overview.md).
+
++
+### General Availability - Location Aware Authentication using GPS from Authenticator App
+
+**Type:** New feature
+**Service category:** Conditional Access
+**Product capability:** Identity Security & Protection
+
+
+
+Admins can now enforce Conditional Access policies based off of GPS location from Authenticator. For more information, see: [Named locations](../conditional-access/location-condition.md#named-locations).
+
++
+### General Availability - My Sign-ins now supports org switching and improved navigation
+
+**Type:** Changed feature
+**Service category:** MFA
+**Product capability:** End User Experiences
+
+
+
+We've improved the My Sign-ins experience to now support organization switching. Now users who are guests in other tenants can easily switch and sign-in to manage their security info and view activity. More improvements were made to make it easier to switch from My Sign-ins directly to other end user portals such as My Account, My Apps, My Groups, and My Access. For more information, see: [Sign-in logs in Azure Active Directory - preview](../reports-monitoring/concept-all-sign-ins.md)
+
++
+### General Availability - Temporary Access Pass is now available
+
+**Type:** New feature
+**Service category:** MFA
+**Product capability:** User Authentication
+
+
+
+Temporary Access Pass (TAP) is now generally available. TAP can be used to securely register password-less methods such as Phone Sign-in, phishing resistant methods such as FIDO2, and even help Windows onboarding (AADJ and WHFB). TAP also makes recovery easier when a user has lost or forgotten their strong authentication methods and needs to sign in to register new authentication methods. For more information, see: [Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods](../authentication/howto-authentication-temporary-access-pass.md).
+
++
+### General Availability - Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users
+
+**Type:** New feature
+**Service category:** Conditional Access
+**Product capability:** Identity Security & Protection
+
+
+
+In some scenarios customers may want to require a fresh authentication, every time before a user performs specific actions. Sign-in frequency Every time support requiring a user to reauthenticate during Intune device enrollment, password change for risky users and risky sign-ins.
+
+More information: [Configure authentication session management - Azure Active Directory - Microsoft Entra | Microsoft Docs](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time).
+
++
+### General Availability - Non-interactive risky sign-ins
+
+**Type:** Changed feature
+**Service category:** Identity Protection
+**Product capability:** Identity Security & Protection
+
+
+
+Identity Protection now emits risk (such as unfamiliar sign-in properties) on non-interactive sign-ins. Admins can now find these non-interactive risky sign-ins using the "sign-in type" filter in the Risky sign-ins report. For more information, see: [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
+++
+
+### General Availability - Workload Identity Federation with App Registrations are available now
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Developer Experience
+
+
+
+Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider with Azure AD tokens, without needing secrets. It eliminates the need to store, and manage, credentials inside the code or secret stores to access Azure AD protected resources such as Azure and Microsoft Graph. By removing the secrets required to access Azure AD protected resources, workload identity federation can improve the security posture of your organization. This feature also reduces the burden of secret management and minimizes the risk of service downtime due to expired credentials.
+
+For more information on this capability and supported scenarios, see: [Workload identity federation](../develop/workload-identity-federation.md).
+
+++
+### General Availability - Continuous Access Evaluation
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Access Control
+
+
+
+With Continuous access evaluation (CAE), critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. For more information, see: [Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md)
+
+++
+### Public Preview ΓÇô Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD
+
+**Type:** New feature
+**Service category:** MS Graph
+**Product capability:** Identity Security & Protection
++
+We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true).
+
+We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as your multi factor authentication for your federated users. To learn more about the protection and how to enable it, visit [Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-ad-multi-factor-authentication-when-federated-with-azure-ad).
+
+++
+## Next steps
+<!-- Add a context sentence for the following links -->
+- [What's new in Azure Active Directory?](whats-new.md)
+- [Archive for What's new in Azure Active Directory?](whats-new-archive.md)
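Review bot: this new file has encoding damage that will render as-is: the sequences `ΓÇ£`, `ΓÇ¥`, `ΓÇÿ`, `ΓÇÖ` and `ΓÇô` in `Added support for ΓÇ£LinuxΓÇ¥ device platform`, `(for example ΓÇÿall cloud appsΓÇÖ or ΓÇÿOffice 365ΓÇÖ)`, `Now youΓÇÖll have granular`, and the heading `### Public Preview ΓÇô Protect against by-passing` are UTF-8 bytes for curly quotes and an en dash read as CP437; replace them with plain ASCII quotes and a hyphen (the heading one also changes the generated anchor). Other points to fix before merge: the front matter says `Last updated : 08/03/2022` while the only section is `## September 2022`; the certificate-based authentication entry is headed "General Availability" but links to "Overview of Azure AD certificate-based authentication (Preview)"; the Next steps section still contains the template placeholder `<!-- Add a context sentence for the following links -->`; and "Sign-in frequency Every time support requiring a user to reauthenticate during Intune device enrollment, password change for risky users and risky sign-ins." is not a sentence ("Sign-in frequency set to Every time now supports requiring ..."). The `federatedIdpMfaBehavior` entry is the one security-critical item here and is the last one; since it prevents a federated IdP from asserting MFA that was never performed, consider noting the setting value to use (the linked Graph page lists them) so admins do not have to leave the page to act on it.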
active-directory Entitlement Management Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-overview.md
To better understand entitlement management and its documentation, you can refer
[!INCLUDE [Azure AD Premium P2 license](../../../includes/active-directory-p2-license.md)]
-Specialized clouds, such as Azure Germany, and Azure China 21Vianet, aren't currently available for use.
- ### How many licenses must you have? Ensure that your directory has at least as many Azure AD Premium P2 licenses as you have:
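Review bot: removing `Specialized clouds, such as Azure Germany, and Azure China 21Vianet, aren't currently available for use.` with no replacement leaves the article silent on which sovereign clouds support entitlement management. If the feature is now available in Azure China 21Vianet, say so; if only the Azure Germany reference was stale because that cloud was retired, keep the 21Vianet statement. Readers licensing P2 for a sovereign tenant need the answer, and the sovereign-clouds what's-new page added in this same update does not mention entitlement management.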
active-directory How To Lifecycle Workflow Sync Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/how-to-lifecycle-workflow-sync-attributes.md
To ensure timing accuracy of scheduled workflows itΓÇÖs curial to consider:
6. Select **Add attribute**. 7. Fill in the following information: - Mapping Type: Direct
- - Source attribute: msDS-cloudExtensionAttribute1
+ - Source attribute: extensionAttribute1
- Default value: Leave blank - Target attribute: employeeHireDate - Apply this mapping: Always
For more information on attributes, see [Attribute mapping in Azure AD Connect c
## How to create a custom synch rule in Azure AD Connect for EmployeeHireDate The following example will walk you through setting up a custom synchronization rule that synchronizes the Active Directory attribute to the employeeHireDate attribute in Azure AD.
- 1. Open a PowerShell window as administrator and run `Set-ADSyncScheduler -SyncCycleEnabled $false`.
+ 1. Open a PowerShell window as administrator and run `Set-ADSyncScheduler -SyncCycleEnabled $false` to disable the scheduler.
2. Go to Start\Azure AD Connect\ and open the Synchronization Rules Editor 3. Ensure the direction at the top is set to **Inbound**. 4. Select **Add Rule.**
The following example will walk you through setting up a custom synchronization
![Screenshot of create outbound synchronization rule transformations.](media/how-to-lifecycle-workflow-sync-attributes/create-outbound-rule-transformations.png) 16. Select **Add**. 17. Close the Synchronization Rules Editor
+ 18. Enable the scheduler again by running `Set-ADSyncScheduler -SyncCycleEnabled $true`.
For more information, see [How to customize a synchronization rule](../hybrid/ho
## Next steps - [What are lifecycle workflows?](what-are-lifecycle-workflows.md) - [Create a custom workflow using the Azure portal](tutorial-onboard-custom-workflow-portal.md)-- [Create a Lifecycle workflow](create-lifecycle-workflow.md)
+- [Create a Lifecycle workflow](create-lifecycle-workflow.md)
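Review bot: the portal mapping now uses `- Source attribute: extensionAttribute1`, but the custom-rule walkthrough below still says only "synchronizes the Active Directory attribute to the employeeHireDate attribute in Azure AD" without naming which attribute, so the two halves of the article can disagree; name extensionAttribute1 there too, and say what populates it in the reader's directory so tenants that use a different on-premises attribute know to substitute it. The new step 18, `Enable the scheduler again by running Set-ADSyncScheduler -SyncCycleEnabled $true`, correctly undoes step 1; consider also telling readers to run a full sync cycle (`Start-ADSyncSyncCycle -PolicyType Initial`) after re-enabling, since a newly added inbound rule is not applied to existing objects until a full synchronization runs. In the context line "itΓÇÖs curial to consider", the apostrophe is mojibake and "curial" should be "crucial"; the heading "custom synch rule" should read "sync rule".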
active-directory Lifecycle Workflow Templates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflow-templates.md
The default specific parameters for the **Onboard new hire employee** template a
|||| |Category | Joiner | ❌ | |Trigger Type | Trigger and Scope Based | ❌ |
-|Days from event | 0 | ✔️ |
+|Days from event | 0 | ❌ |
|Event timing | On | ❌ | |Event User attribute | EmployeeHireDate | ❌ | |Scope type | Rule based | ❌ |
active-directory Tutorial Prepare Azure Ad User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/tutorial-prepare-azure-ad-user-accounts.md
First we'll create our employee, Melva Prince.
"displayName": "Melva Prince", "mailNickname": "mprince", "department": "sales",
- "mail": "mpricne@<your tenant name here>",
- "employeeHireDate": "2022-04-15T22:10:00Z"
+ "mail": "mprince@<your tenant name here>",
+ "employeeHireDate": "2022-04-15T22:10:00Z",
"userPrincipalName": "mprince@<your tenant name here>", "passwordProfile" : { "forceChangePasswordNextSignIn": true,
Next, we'll create Britta Simon. This is the account that will be used as our m
"mailNickname": "bsimon", "department": "sales", "mail": "bsimon@<your tenant name here>",
- "employeeHireDate": "2021-01-15T22:10:00Z"
+ "employeeHireDate": "2021-01-15T22:10:00Z",
"userPrincipalName": "bsimon@<your tenant name here>", "passwordProfile" : { "forceChangePasswordNextSignIn": true,
active-directory How To Connect Group Writeback V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-group-writeback-v2.md
Previously updated : 06/15/2022 Last updated : 10/12/2022
Group writeback allows you to write cloud groups back to your on-premises Active Directory instance by using Azure Active Directory (Azure AD) Connect sync. You can use this feature to manage groups in the cloud, while controlling access to on-premises applications and resources.
+>[NOTE]
+>The Group writeback functionality is currently in Public Preview as we are collecting customer feedback and telemetry. Please refer to [the limitations](https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-group-writeback-v2#understand-limitations-of-public-preview) before you enable this functionality.
++ There are two versions of group writeback. The original version is in general availability and is limited to writing back Microsoft 365 groups to your on-premises Active Directory instance as distribution groups. The new, expanded version of group writeback is in public preview and enables the following capabilities: - You can write back Microsoft 365 groups as distribution groups, security groups, or mail-enabled security groups.
If you plan to make changes to the default behavior, we recommend that you do so
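Review bot: The new callout opens with `>[NOTE]`, which is missing the `!`; Docs only renders `> [!NOTE]` as a note box (the form used by the other callouts in this batch), so as written it appears as a plain blockquote whose first line literally reads "[NOTE]". The link inside it is an absolute learn.microsoft.com URL to this same article; use the in-page anchor `#understand-limitations-of-public-preview` instead so it keeps working in preview builds and after a rename. Minor: "The Group writeback functionality" should be lowercase "group writeback" to match the rest of the article.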
## Understand limitations of public previewΓÇ»
-Although this release has undergone extensive testing, you might still encounter issues. One of the goals of this public preview release is to find and fix any issues before the feature moves to general availability.
-
-Microsoft provides support for this public preview release, but it might not be able to immediately fix issues that you encounter. For this reason, we recommend that you use your best judgment before deploying this release in your production environment.ΓÇ»
+Although this release has undergone extensive testing, you might still encounter issues. One of the goals of this public preview release is to find and fix any issues before the feature moves to general availability. Please also note that any public preview functionality can still receive breaking changes which may require you to make changes to you configuration to continue using this feature. We may also decide to change or remove certain functionality without prior notice.
+Microsoft provides support for this public preview release, but we might not be able to immediately fix issues that you encounter. For these reasons, we recommend that you do not deploy this release in your production environment.ΓÇ»
These limitations and known issues are specific to group writeback:
These limitations and known issues are specific to group writeback:
- Nested cloud groups that are members of writeback enabled groups must also be enabled for writeback to remain nested in AD. - Group Writeback setting to manage new security group writeback at scale is not yet available. You will need to configure writeback for each group.  - If you have a nested group like this, you'll see an export error in Azure AD Connect with the message "A universal group cannot have a local group as a member." The resolution is to remove the member with the **Domain local** scope from the Azure AD group, or update the nested group member scope in Active Directory to **Global** or **Universal**. - Group writeback supports writing back groups to only a single organizational unit (OU). After the feature is enabled, you can't change the OU that you selected. A workaround is to disable group writeback entirely in Azure AD Connect and then select a different OU when you re-enable the feature.  - Nested cloud groups that are members of writeback-enabled groups must also be enabled for writeback to remain nested in Active Directory.
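Review bot: Two typos in the new paragraph: "changes to you configuration" should be "your configuration", and "which may require" should be "that may require". The heading `## Understand limitations of public preview` and the end of the support paragraph both carry a non-breaking space saved as the mojibake `ΓÇ»`; delete it, because that heading's anchor is what the new note above links to. Below this, the intro line "These limitations and known issues are specific to group writeback:" is duplicated, and the nested-groups bullet ("Nested cloud groups that are members of writeback enabled groups must also be enabled for writeback to remain nested...") appears as both the first and the last item of the list; keep one of each. The bullet beginning "If you have a nested group like this" has also lost whatever it referred to, so "like this" should be replaced with an explicit description: a member with **Domain local** scope nested in a universal group, which is what the quoted export error "A universal group cannot have a local group as a member." is about.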
active-directory Whatis Azure Ad Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/whatis-azure-ad-connect.md
Integrating your on-premises directories with Azure AD makes your users more pro
## Why use Azure AD Connect Health? When authenticating with Azure AD, your users are more productive because there's a common identity to access both cloud and on-premises resources. Ensuring the environment is reliable, so that users can access these resources, becomes a challenge. Azure AD Connect Health helps monitor and gain insights into your on-premises identity infrastructure thus ensuring the reliability of this environment. It is as simple as installing an agent on each of your on-premises identity servers.
-Azure AD Connect Health for AD FS supports AD FS 2.0 on Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. It also supports monitoring the AD FS proxy or web application proxy servers that provide authentication support for extranet access. With an easy and quick installation of the Health Agent, Azure AD Connect Health for AD FS provides you a set of key capabilities.
+Azure AD Connect Health for AD FS supports AD FS 2.0 on Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019. It also supports monitoring the AD FS proxy or web application proxy servers that provide authentication support for extranet access. With an easy and quick installation of the Health Agent, Azure AD Connect Health for AD FS provides you a set of key capabilities.
Key benefits and best practices:
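Review bot: Adding Windows Server 2019 leaves the sentence saying "supports AD FS 2.0 on Windows Server 2008 R2, ... and Windows Server 2019", but AD FS 2.0 only shipped for Windows Server 2008 R2; Windows Server 2012 and later carry newer AD FS versions, so this should read "supports AD FS on Windows Server 2008 R2, ...". Windows Server 2008 R2 left extended support in January 2020, so consider whether it still belongs in a supported-platform list on a page dated 10/12/2022. Minor: "provides you a set of key capabilities" should be "provides you with a set of key capabilities".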
active-directory Configure User Consent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-user-consent.md
Previously updated : 08/10/2022 Last updated : 10/12/2022
+zone_pivot_groups: enterprise-apps-minus-aad-powershell
+ #customer intent: As an admin, I want to configure how end-users consent to applications.
To configure user consent, you need:
- A user account. If you don't already have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - A Global Administrator or Privileged Administrator role.
-# [The Azure portal](#tab/azure-portal)
- ## Configure user consent settings + To configure user consent settings through the Azure portal: 1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
To configure user consent settings through the Azure portal:
:::image type="content" source="media/configure-user-consent/setting-for-all-users.png" alt-text="Screenshot of the 'User consent settings' pane.":::
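Review bot: Removing the `# [The Azure portal](#tab/azure-portal)` tab header and declaring `zone_pivot_groups: enterprise-apps-minus-aad-powershell` only works if each of the portal, PowerShell and Graph sections is wrapped in `::: zone pivot="..."` / `::: zone-end` markers, and none appear in the visible hunks. Without them the three sections render as one flat page, and the heading "### Allow user consent subject to an app consent policy", now used in both the PowerShell and Graph sections, produces duplicate anchors. Also, the prerequisites list names "A Global Administrator or Privileged Administrator role"; there is no Azure AD role called Privileged Administrator, so if Privileged Role Administrator is meant it should be named exactly, and the sign-in step right after this only mentions Global Administrator.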
-# [PowerShell](#tab/azure-powershell)
+ To choose which app consent policy governs user consent for applications, you can use the [Microsoft Graph PowerShell](/powershell/microsoftgraph/get-started?view=graph-powershell-1.0&preserve-view=true) module. The cmdlets used here are included in the [Microsoft.Graph.Identity.SignIns](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.SignIns) module.
-#### Connect to Microsoft Graph PowerShell
+### Connect to Microsoft Graph PowerShell
Connect to Microsoft Graph PowerShell using the least-privilege permission needed. For reading the current user consent settings, use *Policy.Read.All*. For reading and changing the user consent settings, use *Policy.ReadWrite.Authorization*.
Connect to Microsoft Graph PowerShell using the least-privilege permission neede
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" ```
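Review bot: The heading demotion from `####` to `###` is consistent with the tab headers being removed, but the `Connect-MgGraph` example only shows `-Scopes "Policy.ReadWrite.Authorization"` even though the sentence above it tells readers to use `Policy.Read.All` for read-only work; show that scope for the read case too, otherwise readers who only want to inspect the setting will consent to the write scope.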
-#### Disable user consent
+### Disable user consent
To disable user consent, set the consent policies that govern user consent to empty:
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
"PermissionGrantPoliciesAssigned" = @() } ```
-#### Allow user consent subject to an app consent policy
+### Allow user consent subject to an app consent policy
To allow user consent, choose which app consent policy should govern users' authorization to grant consent to apps:
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
"PermissionGrantPoliciesAssigned" = @("managePermissionGrantsForSelf.microsoft-user-default-low") } ``` -++
+Use the [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) to choose which app consent policy governs user consent for applications.
+
+To disable user consent, set the consent policies that govern user consent to empty:
+
+```http
+PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
+{
+ "defaultUserRolePermissions": {
+ "permissionGrantPoliciesAssigned": []
+ }
+}
+```
+
+### Allow user consent subject to an app consent policy
+
+To allow user consent, choose which app consent policy should govern users' authorization to grant consent to apps:
+
+```http
+PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
+
+{
+ "defaultUserRolePermissions": {
+ "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]
+ }
+}
+```
+
+Replace `{consent-policy-id}` with the ID of the policy you want to apply. You can choose a [custom app consent policy](manage-app-consent-policies.md#create-a-custom-app-consent-policy) that you've created, or you can choose from the following built-in policies:
+
+| ID | Description |
+|:|:|
+| microsoft-user-default-low | **Allow user consent for apps from verified publishers, for selected permissions**<br/> Allow limited user consent only for apps from verified publishers and apps that are registered in your tenant, and only for permissions that you classify as *low impact*. (Remember to [classify permissions](configure-permission-classifications.md) to select which permissions users are allowed to consent to.) |
+| microsoft-user-default-legacy | **Allow user consent for apps**<br/> This option allows all users to consent to any permission that doesn't require admin consent, for any application |
+
+For example, to enable user consent subject to the built-in policy `microsoft-user-default-low`, use the following PATCH command:
+
+```http
+PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
+
+{
+ "defaultUserRolePermissions": {
+ "permissionGrantPoliciesAssigned": [
+ "managePermissionGrantsForSelf.microsoft-user-default-low"
+ ]
+ }
+}
+```
+ > [!TIP] > To allow users to request an administrator's review and approval of an application that the user isn't allowed to consent to, [enable the admin consent workflow](configure-admin-consent-workflow.md). For example, you might do this when user consent has been disabled or when an application is requesting permissions that the user isn't allowed to grant.- ## Next steps - [Manage app consent policies](manage-app-consent-policies.md)
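Review bot: In the first "allow" PATCH the assigned value is `ManagePermissionGrantsForSelf.microsoft-user-default-legacy`, yet the sentence after it says "Replace `{consent-policy-id}` with the ID of the policy you want to apply" and no such placeholder appears in the body; the example was evidently meant to be `"permissionGrantPoliciesAssigned": ["managePermissionGrantsForSelf.{consent-policy-id}"]`, with the same lowercase `managePermissionGrantsForSelf` prefix used in the PowerShell example and in the `microsoft-user-default-low` example further down. Please do not leave the legacy policy as the worked value: per the table it lets every user consent to any non-admin permission for any app, and the low policy is the restrictive option the article steers readers toward. The Graph section also lacks the `### Disable user consent` heading that the PowerShell section has before its "set the policies to empty" example, so the first PATCH sits under the intro paragraph with no heading. The table separator `|:|:|` is not a valid Markdown alignment row; use `|:--|:--|`. Finally, readers who copy these requests into anything other than Graph Explorer will also need a `Content-Type: application/json` header on the PATCH.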
active-directory Managed Identities Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identities-status.md
The following Azure services support managed identities for Azure resources:
| Azure Batch | [Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity](../../batch/batch-customer-managed-key.md) </BR> [Configure managed identities in Batch pools](../../batch/managed-identity-pools.md) | | Azure Blueprints | [Stages of a blueprint deployment](../../governance/blueprints/concepts/deployment-stages.md) | | Azure Cache for Redis | [Managed identity for storage accounts with Azure Cache for Redis](../../azure-cache-for-redis/cache-managed-identity.md) |
+| Azure Container Apps | [Managed identities in Azure Container Apps](../../container-apps/managed-identity.md) |
| Azure Container Instance | [How to use managed identities with Azure Container Instances](../../container-instances/container-instances-managed-identity.md) | | Azure Container Registry | [Use an Azure-managed identity in ACR Tasks](../../container-registry/container-registry-tasks-authentication-managed-identity.md) | | Azure Cognitive Services | [Configure customer-managed keys with Azure Key Vault for Cognitive Services](../../cognitive-services/encryption/cognitive-services-encryption-keys-portal.md) |
active-directory Tutorial Linux Vm Access Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md
na+ Last updated 12/10/2020
This tutorial shows you how to use a system-assigned managed identity for a Linux virtual machine (VM) to access Azure Cosmos DB. You learn how to: > [!div class="checklist"]
-> * Create a Cosmos DB account
-> * Create a collection in the Cosmos DB account
+> * Create an Azure Cosmos DB account
+> * Create a collection in the Azure Cosmos DB account
> * Grant the system-assigned managed identity access to an Azure Cosmos DB instance > * Retrieve the `principalID` of the of the Linux VM's system-assigned managed identity > * Get an access token and use it to call Azure Resource Manager
-> * Get access keys from Azure Resource Manager to make Cosmos DB calls
+> * Get access keys from Azure Resource Manager to make Azure Cosmos DB calls
## Prerequisites
This tutorial shows you how to use a system-assigned managed identity for a Linu
- Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top right corner of code blocks. - Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az-login). Use an account associated with the Azure subscription in which you'd like to create resources.
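Review bot: While renaming here, fix the doubled "of the" in the checklist item "Retrieve the `principalID` of the of the Linux VM's system-assigned managed identity".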
-## Create a Cosmos DB account
+## Create an Azure Cosmos DB account
-If you don't already have one, create a Cosmos DB account. You can skip this step and use an existing Cosmos DB account.
+If you don't already have one, create an Azure Cosmos DB account. You can skip this step and use an existing Azure Cosmos DB account.
1. Click the **+ Create a resource** button found on the upper left-hand corner of the Azure portal. 2. Click **Databases**, then **Azure Cosmos DB**, and a new "New account" panel displays.
-3. Enter an **ID** for the Cosmos DB account, which you use later.
+3. Enter an **ID** for the Azure Cosmos DB account, which you use later.
4. **API** should be set to "SQL." The approach described in this tutorial can be used with the other available API types, but the steps in this tutorial are for the SQL API.
-5. Ensure the **Subscription** and **Resource Group** match the ones you specified when you created your VM in the previous step. Select a **Location** where Cosmos DB is available.
+5. Ensure the **Subscription** and **Resource Group** match the ones you specified when you created your VM in the previous step. Select a **Location** where Azure Cosmos DB is available.
6. Click **Create**.
-### Create a collection in the Cosmos DB account
+### Create a collection in the Azure Cosmos DB account
-Next, add a data collection in the Cosmos DB account that you can query in later steps.
+Next, add a data collection in the Azure Cosmos DB account that you can query in later steps.
-1. Navigate to your newly created Cosmos DB account.
+1. Navigate to your newly created Azure Cosmos DB account.
2. On the **Overview** tab click the **+/Add Collection** button, and an "Add Collection" panel slides out. 3. Give the collection a database ID, collection ID, select a storage capacity, enter a partition key, enter a throughput value, then click **OK**. For this tutorial, it is sufficient to use "Test" as the database ID and collection ID, select a fixed storage capacity and lowest throughput (400 RU/s). ## Grant access
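Review bot: Step 4 still says "**API** should be set to "SQL."" and refers to "the SQL API", while the companion article in this same batch (tutorial-vm-managed-identities-cosmos) was updated to select **Azure Cosmos DB for NoSQL**; since this change is a product-name sweep, align the API name here as well.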
-To gain access to the Cosmos DB account access keys from the Resource Manager in the following section, you need to retrieve the `principalID` of the Linux VM's system-assigned managed identity. Be sure to replace the `<SUBSCRIPTION ID>`, `<RESOURCE GROUP>` (resource group in which your VM resides), and `<VM NAME>` parameter values with your own values.
+To gain access to the Azure Cosmos DB account access keys from the Resource Manager in the following section, you need to retrieve the `principalID` of the Linux VM's system-assigned managed identity. Be sure to replace the `<SUBSCRIPTION ID>`, `<RESOURCE GROUP>` (resource group in which your VM resides), and `<VM NAME>` parameter values with your own values.
```azurecli-interactive az resource show --id /subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAMe> --api-version 2017-12-01
The response includes the details of the system-assigned managed identity (note
} ```
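Review bot: The placeholder in the `az resource show` command is `<VM NAMe>` while the paragraph above it says `<VM NAME>`; make the case consistent so a find-and-replace on the placeholder does not miss it.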
-### Grant your Linux VM's system-assigned identity access to the Cosmos DB account access keys
+### Grant your Linux VM's system-assigned identity access to the Azure Cosmos DB account access keys
-Cosmos DB does not natively support Azure AD authentication. However, you can use a managed identity to retrieve a Cosmos DB access key from the Resource Manager, then use the key to access Cosmos DB. In this step, you grant your system-assigned managed identity access to the keys to the Cosmos DB account.
+Azure Cosmos DB does not natively support Azure AD authentication. However, you can use a managed identity to retrieve an Azure Cosmos DB access key from the Resource Manager, then use the key to access Azure Cosmos DB. In this step, you grant your system-assigned managed identity access to the keys to the Azure Cosmos DB account.
-To grant the system-assigned managed identity access to the Cosmos DB account in Azure Resource Manager using the Azure CLI, update the values for `<SUBSCRIPTION ID>`, `<RESOURCE GROUP>`, and `<COSMOS DB ACCOUNT NAME>` for your environment. Replace `<MI PRINCIPALID>` with the `principalId` property returned by the `az resource show` command in Retrieve the principalID of the Linux VM's MI. Cosmos DB supports two levels of granularity when using access keys: read/write access to the account, and read-only access to the account. Assign the `DocumentDB Account Contributor` role if you want to get read/write keys for the account, or assign the `Cosmos DB Account Reader Role` role if you want to get read-only keys for the account:
+To grant the system-assigned managed identity access to the Azure Cosmos DB account in Azure Resource Manager using the Azure CLI, update the values for `<SUBSCRIPTION ID>`, `<RESOURCE GROUP>`, and `<COSMOS DB ACCOUNT NAME>` for your environment. Replace `<MI PRINCIPALID>` with the `principalId` property returned by the `az resource show` command in Retrieve the principalID of the Linux VM's MI. Azure Cosmos DB supports two levels of granularity when using access keys: read/write access to the account, and read-only access to the account. Assign the `DocumentDB Account Contributor` role if you want to get read/write keys for the account, or assign the `Cosmos DB Account Reader Role` role if you want to get read-only keys for the account:
```azurecli-interactive az role assignment create --assignee <MI PRINCIPALID> --role '<ROLE NAME>' --scope "/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.DocumentDB/databaseAccounts/<COSMODS DB ACCOUNT NAME>"
To complete these steps, you need an SSH client. If you are using Windows, you c
"client_id":"1ef89848-e14b-465f-8780-bf541d325cd5"} ```
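Review bot: "Azure Cosmos DB does not natively support Azure AD authentication" is no longer accurate and should be reworded in the same edit: the companion tutorial in this batch (tutorial-vm-managed-identities-cosmos) assigns the **Cosmos DB Built-in Data contributor** role with `az cosmosdb sql role assignment create` and initializes the SDK clients with `ManagedIdentityCredential`, so the data plane does accept Azure AD tokens. Say instead that this tutorial takes the account-key route through Azure Resource Manager, and point readers to the RBAC approach as the preferred option, since account keys are long-lived, account-wide and not tied to the identity that fetched them. Also `<COSMODS DB ACCOUNT NAME>` in the `az role assignment create` scope is misspelled relative to `<COSMOS DB ACCOUNT NAME>` in the paragraph above it.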
-### Get access keys from Azure Resource Manager to make Cosmos DB calls
+### Get access keys from Azure Resource Manager to make Azure Cosmos DB calls
-Now use CURL to call Resource Manager using the access token retrieved in the previous section to retrieve the Cosmos DB account access key. Once we have the access key, we can query Cosmos DB. Be sure to replace the `<SUBSCRIPTION ID>`, `<RESOURCE GROUP>`, and `<COSMOS DB ACCOUNT NAME>` parameter values with your own values. Replace the `<ACCESS TOKEN>` value with the access token you retrieved earlier. If you want to retrieve read/write keys, use key operation type `listKeys`. If you want to retrieve read-only keys, use the key operation type `readonlykeys`:
+Now use CURL to call Resource Manager using the access token retrieved in the previous section to retrieve the Azure Cosmos DB account access key. Once we have the access key, we can query Azure Cosmos DB. Be sure to replace the `<SUBSCRIPTION ID>`, `<RESOURCE GROUP>`, and `<COSMOS DB ACCOUNT NAME>` parameter values with your own values. Replace the `<ACCESS TOKEN>` value with the access token you retrieved earlier. If you want to retrieve read/write keys, use key operation type `listKeys`. If you want to retrieve read-only keys, use the key operation type `readonlykeys`:
```bash curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.DocumentDB/databaseAccounts/<COSMOS DB ACCOUNT NAME>/<KEY OPERATION TYPE>?api-version=2016-03-31' -X POST -d "" -H "Authorization: Bearer <ACCESS TOKEN>"
The CURL response gives you the list of Keys. For example, if you get the read-
"secondaryReadonlyMasterKey":"38v5ns...7bA=="} ```
-Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account.
+Now that you have the access key for the Azure Cosmos DB account, you can pass it to an Azure Cosmos DB SDK and make calls to access the account.
## Next steps
-In this tutorial, you learned how to use a system-assigned managed identity on a Linux virtual machine to access Cosmos DB. To learn more about Cosmos DB see:
+In this tutorial, you learned how to use a system-assigned managed identity on a Linux virtual machine to access Azure Cosmos DB. To learn more about Azure Cosmos DB, see:
> [!div class="nextstepaction"] >[Azure Cosmos DB overview](../../cosmos-db/introduction.md)
active-directory Tutorial Vm Managed Identities Cosmos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-vm-managed-identities-cosmos.md
Title: Use managed identities from a virtual machine to access Cosmos DB
+ Title: Use managed identities from a virtual machine to access Azure Cosmos DB
description: Learn how to use managed identities with Windows VMs using the Azure portal, CLI, PowerShell, Azure Resource Manager template
Last updated 06/24/2022 -+ ms.tool: azure-cli, azure-powershell ms.devlang: azurecli
-#Customer intent: As an administrator, I want to know how to access Cosmos DB from a virtual machine using a managed identity
+#Customer intent: As an administrator, I want to know how to access Azure Cosmos DB from a virtual machine using a managed identity
-# How to use managed identities to connect to Cosmos DB from an Azure virtual machine
+# How to use managed identities to connect to Azure Cosmos DB from an Azure virtual machine
-In this article, we set up a virtual machine to use managed identities to connect to Cosmos. [Azure Cosmos DB](../../cosmos-db/introduction.md) is a fully managed NoSQL database for modern app development. [Managed identities for Azure resources](overview.md) allow your applications to authenticate when accessing services that support Azure AD authentication using an identity managed by Azure.
+In this article, we set up a virtual machine to use managed identities to connect to Azure Cosmos DB. [Azure Cosmos DB](../../cosmos-db/introduction.md) is a fully managed NoSQL database for modern app development. [Managed identities for Azure resources](overview.md) allow your applications to authenticate when accessing services that support Azure AD authentication using an identity managed by Azure.
## Prerequisites
Under the resources element, add the following entry to assign a user-assigned m
-## Create a Cosmos DB account
+## Create an Azure Cosmos DB account
-Now that we have a VM with either a user-assigned managed identity or a system-assigned managed identity we need a Cosmos DB account available where you have administrative rights. If you need to create a Cosmos DB account for this tutorial, the [Cosmos DB quickstart](../..//cosmos-db/sql/create-cosmosdb-resources-portal.md) provides detailed steps on how to do that.
+Now that we have a VM with either a user-assigned managed identity or a system-assigned managed identity we need an Azure Cosmos DB account available where you have administrative rights. If you need to create an Azure Cosmos DB account for this tutorial, the [Azure Cosmos DB quickstart](../..//cosmos-db/sql/create-cosmosdb-resources-portal.md) provides detailed steps on how to do that.
>[!NOTE]
-> Managed identities may be used to access any Azure resource that supports Azure Active Directory authentication. This tutorial assumes that your Cosmos DB account will be configured as shown below.
+> Managed identities may be used to access any Azure resource that supports Azure Active Directory authentication. This tutorial assumes that your Azure Cosmos DB account will be configured as shown below.
|Setting|Value|Description | ||||
- |Subscription|Subscription name|Select the Azure subscription that you want to use for this Azure Cosmos account. |
+ |Subscription|Subscription name|Select the Azure subscription that you want to use for this Azure Cosmos DB account. |
|Resource Group|Resource group name|Select **mi-test**, or select **Create new**, then enter a unique name for the new resource group. |
- |Account Name|A unique name|Enter a name to identify your Azure Cosmos account. Because *documents.azure.com* is appended to the name that you provide to create your URI, use a unique name.<br><br>The name can only contain lowercase letters, numbers, and the hyphen (-) character. It must be between 3-44 characters in length.|
- |API|The type of account to create|Select **Core (SQL)** to create a document database and query by using SQL syntax. <br><br>[Learn more about the SQL API](../../cosmos-db/introduction.md).|
+ |Account Name|A unique name|Enter a name to identify your Azure Cosmos DB account. Because *documents.azure.com* is appended to the name that you provide to create your URI, use a unique name.<br><br>The name can only contain lowercase letters, numbers, and the hyphen (-) character. It must be between 3-44 characters in length.|
+ |API|The type of account to create|Select **Azure Cosmos DB for NoSQL** to create a document database and query by using SQL syntax. <br><br>[Learn more about the SQL API](../../cosmos-db/introduction.md).|
|Location|The region closest to your users|Select a geographic location to host your Azure Cosmos DB account. Use the location that is closest to your users to give them the fastest access to the data.| > [!NOTE]
- > If you are testing you may want to apply Azure Cosmos DB free tier discount. With Azure Cosmos DB free tier, you will get the first 1000 RU/s and 25 GB of storage for free in an account. Learn more about [free tier](https://azure.microsoft.com/pricing/details/cosmos-db/). Keep in mind that for the purpose of this tutorial this choice makes no difference.
+ > If you are testing you may want to apply Azure Cosmos DB free tier discount. With the Azure Cosmos DB free tier, you will get the first 1000 RU/s and 25 GB of storage for free in an account. Learn more about [free tier](https://azure.microsoft.com/pricing/details/cosmos-db/). Keep in mind that for the purpose of this tutorial this choice makes no difference.
## Grant access
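Review bot: The API row now says to select **Azure Cosmos DB for NoSQL**, but the link text right beside it still reads "Learn more about the SQL API"; use the new name consistently so the reader does not see two names for one option.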
-At this point, we should have both a virtual machine configured with a managed identity and a Cosmos DB Account. Before we continue, we need to grant the managed identity a couple of different roles.
+At this point, we should have both a virtual machine configured with a managed identity and an Azure Cosmos DB account. Before we continue, we need to grant the managed identity a couple of different roles.
-- First grant access to the Cosmos management plane using [Azure RBAC](../../cosmos-db/role-based-access-control.md). The managed identity needs to have the DocumentDB Account Contributor role assigned to create Databases and containers.
+- First grant access to the Azure Cosmos DB management plane using [Azure RBAC](../../cosmos-db/role-based-access-control.md). The managed identity needs to have the DocumentDB Account Contributor role assigned to create Databases and containers.
-- You also need to grant the managed identity a contributor role using [Cosmos RBAC](../../cosmos-db/how-to-setup-rbac.md). You can see specific steps below.
+- You also need to grant the managed identity a contributor role using [Azure Cosmos DB RBAC](../../cosmos-db/how-to-setup-rbac.md). You can see specific steps below.
> [!NOTE] > We will use the **Cosmos DB Built-in Data contributor** role. To grant access, you need to associate the role definition with the identity. In our case, the managed identity associated with our virtual machine.
az cosmosdb sql role assignment create --account-name $accountName --resource-gr
## Access data
-Getting access to Cosmos using managed identities may be achieved using the Azure.identity library to enable authentication in your application. You can call [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential) directly or use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential).
+Getting access to Azure Cosmos DB using managed identities may be achieved using the Azure.identity library to enable authentication in your application. You can call [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential) directly or use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential).
The ManagedIdentityCredential class attempts to authentication using a managed identity assigned to the deployment environment. The [DefaultAzureCredential](/dotnet/api/overview/azure/identity-readme) class goes through different authentication options in order. The second authentication option that DefaultAzureCredential attempts is Managed identities.
Language-specific examples using ManagedIdentityCredential:
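Review bot: Typo in the unchanged sentence following the renamed one: "attempts to authentication using" should be "attempts to authenticate using". The statement that managed identity is "the second authentication option that DefaultAzureCredential attempts" is specific to one SDK version and language, so link to the credential-chain documentation rather than hard-coding its position.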
### .NET
-Initialize your Cosmos DB client:
+Initialize your Azure Cosmos DB client:
```csharp CosmosClient client = new CosmosClient("<account-endpoint>", new ManagedIdentityCredential());
Then [read and write data](../../cosmos-db/sql/sql-api-dotnet-v3sdk-samples.md).
### Java
-Initialize your Cosmos DB client:
+Initialize your Azure Cosmos DB client:
```java CosmosAsyncClient Client = new CosmosClientBuilder().endpoint("<account-endpoint>") .credential(new ManagedIdentityCredential()) .build();
Then read and write data as described in [these samples](../../cosmos-db/sql/sql
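Review bot: The Java snippet does not compile as written: `CosmosClientBuilder` has no `build()` method, it exposes `buildClient()` and `buildAsyncClient()`, and since the variable is a `CosmosAsyncClient` it needs `.buildAsyncClient()`. `ManagedIdentityCredential` in azure-identity for Java has no public constructor either; create it with `new ManagedIdentityCredentialBuilder().build()`. The variable name `Client` should also be lowercase.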
### JavaScript
-Initialize your Cosmos DB client:
+Initialize your Azure Cosmos DB client:
```javascript const client = new CosmosClient({ "<account-endpoint>", aadCredentials: new ManagedIdentityCredential() });
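Review bot: The JavaScript snippet is a syntax error: `{ "<account-endpoint>", aadCredentials: ... }` is an object literal with a bare string where a property is required. It should be `new CosmosClient({ endpoint: "<account-endpoint>", aadCredentials: new ManagedIdentityCredential() })`, matching the `.endpoint(...)` setting in the Java example above.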
Learn more about managed identities for Azure resources:
- [What are managed identities for Azure resources?](overview.md) - [Azure Resource Manager templates](https://github.com/Azure/azure-quickstart-templates)
-Learn more about Azure Cosmos
+Learn more about Azure Cosmos DB:
- [Azure Cosmos DB resource model](../../cosmos-db/account-databases-containers-items.md)-- [Tutorial: Build a .NET console app to manage data in Azure Cosmos DB SQL API account](../../cosmos-db/sql/sql-api-get-started.md)
+- [Tutorial: Build a .NET console app to manage data in an Azure Cosmos DB for NoSQL account](../../cosmos-db/sql/sql-api-get-started.md)
active-directory Tutorial Windows Vm Access Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md
Last updated 01/11/2022 -+
[!INCLUDE [preview-notice](../../../includes/active-directory-msi-preview-notice.md)]
-This tutorial shows you how to use a system-assigned managed identity for a Windows virtual machine (VM) to access Cosmos DB. You learn how to:
+This tutorial shows you how to use a system-assigned managed identity for a Windows virtual machine (VM) to access Azure Cosmos DB. You learn how to:
> [!div class="checklist"]
-> * Create a Cosmos DB account
-> * Grant a Windows VM system-assigned managed identity access to the Cosmos DB account access keys
+> * Create an Azure Cosmos DB account
+> * Grant a Windows VM system-assigned managed identity access to the Azure Cosmos DB account access keys
> * Get an access token using the Windows VM system-assigned managed identity to call Azure Resource Manager
-> * Get access keys from Azure Resource Manager to make Cosmos DB calls
+> * Get access keys from Azure Resource Manager to make Azure Cosmos DB calls
## Prerequisites
This tutorial shows you how to use a system-assigned managed identity for a Wind
- You also need a Windows Virtual machine that has system assigned managed identities enabled. - If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a virtual machine with system-assigned identity enabled](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity)
-## Create a Cosmos DB account
+## Create an Azure Cosmos DB account
-If you don't already have one, create a Cosmos DB account. You can skip this step and use an existing Cosmos DB account.
+If you don't already have one, create an Azure Cosmos DB account. You can skip this step and use an existing Azure Cosmos DB account.
1. Click the **+ Create a resource** button found on the upper left-hand corner of the Azure portal. 2. Click **Databases**, then **Azure Cosmos DB**, and a new "New account" panel displays.
-3. Enter an **ID** for the Cosmos DB account, which you use later.
+3. Enter an **ID** for the Azure Cosmos DB account, which you use later.
4. **API** should be set to "SQL." The approach described in this tutorial can be used with the other available API types, but the steps in this tutorial are for the SQL API.
-5. Ensure the **Subscription** and **Resource Group** match the ones you specified when you created your VM in the previous step. Select a **Location** where Cosmos DB is available.
+5. Ensure the **Subscription** and **Resource Group** match the ones you specified when you created your VM in the previous step. Select a **Location** where Azure Cosmos DB is available.
6. Click **Create**. ### Create a collection
-Next, add a data collection in the Cosmos DB account that you can query in later steps.
+Next, add a data collection in the Azure Cosmos DB account that you can query in later steps.
-1. Navigate to your newly created Cosmos DB account.
+1. Navigate to your newly created Azure Cosmos DB account.
2. On the **Overview** tab click the **+/Add Collection** button, and an "Add Collection" panel slides out. 3. Give the collection a database ID, collection ID, select a storage capacity, enter a partition key, enter a throughput value, then click **OK**. For this tutorial, it is sufficient to use "Test" as the database ID and collection ID, select a fixed storage capacity and lowest throughput (400 RU/s). ## Grant access
-This section shows how to grant Windows VM system-assigned managed identity access to the Cosmos DB account access keys. Cosmos DB does not natively support Azure AD authentication. However, you can use a system-assigned managed identity to retrieve a Cosmos DB access key from Resource Manager, and use the key to access Cosmos DB. In this step, you grant your Windows VM system-assigned managed identity access to the keys to the Cosmos DB account.
+This section shows how to grant Windows VM system-assigned managed identity access to the Azure Cosmos DB account access keys. Azure Cosmos DB does not natively support Azure AD authentication. However, you can use a system-assigned managed identity to retrieve an Azure Cosmos DB access key from Resource Manager, and use the key to access Azure Cosmos DB. In this step, you grant your Windows VM system-assigned managed identity access to the keys to the Azure Cosmos DB account.
-To grant the Windows VM system-assigned managed identity access to the Cosmos DB account in Azure Resource Manager using PowerShell, update the following values:
+To grant the Windows VM system-assigned managed identity access to the Azure Cosmos DB account in Azure Resource Manager using PowerShell, update the following values:
- `<SUBSCRIPTION ID>` - `<RESOURCE GROUP>` - `<COSMOS DB ACCOUNT NAME>`
-Cosmos DB supports two levels of granularity when using access keys: read/write access to the account, and read-only access to the account. Assign the `DocumentDB Account Contributor` role if you want to get read/write keys for the account, or assign the `Cosmos DB Account Reader Role` role if you want to get read-only keys for the account. For this tutorial, assign the `Cosmos DB Account Reader Role`:
+Azure Cosmos DB supports two levels of granularity when using access keys: read/write access to the account, and read-only access to the account. Assign the `DocumentDB Account Contributor` role if you want to get read/write keys for the account, or assign the `Cosmos DB Account Reader Role` role if you want to get read-only keys for the account. For this tutorial, assign the `Cosmos DB Account Reader Role`:
```azurepowershell $spID = (Get-AzVM -ResourceGroupName myRG -Name myVM).identity.principalid
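Review bot: the product rename in this hunk is incomplete: the unchanged step at L3924 still tells the reader to set **API** to "SQL" and refers to "the SQL API", while the same update elsewhere uses "API for NoSQL", so that step should be brought in line in the same change. Two smaller points: the list of values to replace at L3937 does not include the VM name and resource group that the snippet at L3940 hardcodes (`Get-AzVM -ResourceGroupName myRG -Name myVM`), so either add them to the list or use the same `<...>` placeholder style in the snippet; and since the sentence at L3934 stating that Azure Cosmos DB does not natively support Azure AD authentication is being edited anyway, confirm it is still accurate before carrying it forward, because it is the justification for handing the VM a long-lived account key instead of using a scoped identity. The choice of `Cosmos DB Account Reader Role` at L3939 is the right least-privilege default and it would help to say so explicitly.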
You need to install the latest version of [Azure CLI](/cli/azure/install-azure-c
### Get access keys
-This section shows how to get access keys from Azure Resource Manager to make Cosmos DB calls. We are using PowerShell to call Resource Manager using the access token we got earlier to retrieve the Cosmos DB account access key. Once we have the access key, we can query Cosmos DB. Use your own values to replace the entries below:
+This section shows how to get access keys from Azure Resource Manager to make Azure Cosmos DB calls. We are using PowerShell to call Resource Manager using the access token we got earlier to retrieve the Azure Cosmos DB account access key. Once we have the access key, we can query Azure Cosmos DB. Use your own values to replace the entries below:
- `<SUBSCRIPTION ID>` - `<RESOURCE GROUP>`
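Review bot: the replace-list at L3945 stops at `<RESOURCE GROUP>` whereas the equivalent list at L3937 also includes `<COSMOS DB ACCOUNT NAME>`; the request in this section has to identify the account, so confirm the list is complete here. Also, the `+` line describes the retrieved value only as "the access key"; given that the earlier section deliberately assigns the reader role, it would help to say that the result is the read-only key and that it is still a secret to be handled as such (not logged, not persisted on the VM).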
The response gives you the list of Keys. For example, if you get read-only keys
"secondaryReadonlyMasterKey":"38v5ns...7bA=="} ```
-Now that you have the access key for the Cosmos DB account you can pass it to a Cosmos DB SDK and make calls to access the account.
+Now that you have the access key for the Azure Cosmos DB account you can pass it to an Azure Cosmos DB SDK and make calls to access the account.
## Disable
Now that you have the access key for the Cosmos DB account you can pass it to a
## Next steps
-In this tutorial, you learned how to use a Windows VM system-assigned identity to access Cosmos DB. To learn more about Cosmos DB see:
+In this tutorial, you learned how to use a Windows VM system-assigned identity to access Azure Cosmos DB. To learn more about Azure Cosmos DB, see:
> [!div class="nextstepaction"] >[Azure Cosmos DB overview](../../cosmos-db/introduction.md)
active-directory Cirrus Identity Bridge For Azure Ad Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cirrus-identity-bridge-for-azure-ad-tutorial.md
Previously updated : 08/03/2021 Last updated : 10/10/2022 # Tutorial: Azure Active Directory single sign-on (SSO) integration with Cirrus Identity Bridge for Azure AD
-In this tutorial, you'll learn how to integrate Cirrus Identity Bridge for Azure AD with Azure Active Directory (Azure AD). When you integrate Cirrus Identity Bridge for Azure AD with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Cirrus Identity Bridge for Azure AD with Azure Active Directory (Azure AD) using the Microsoft Graph API based integration pattern. When you integrate Cirrus Identity Bridge for Azure AD with Azure AD in this way, you can:
-* Control in Azure AD who has access to Cirrus Identity Bridge for Azure AD.
-* Enable your users to be automatically signed-in to Cirrus Identity Bridge for Azure AD with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+* Control who has access to InCommon or other multilateral federation service providers from Azure AD.
+* Enable your users to SSO to InCommon or other multilateral federation service providers with their Azure AD accounts.
+* Enable your users to access Central Authentication Service (CAS) applications with their Azure AD accounts.
+* Manage your application access in one central location - the Azure portal.
## Prerequisites
In this tutorial, you configure and test Azure AD SSO in a test environment.
* Cirrus Identity Bridge for Azure AD supports **SP** and **IDP** initiated SSO.
+## Before adding the Cirrus Identity Bridge for Azure AD from the gallery
+
+When subscribing to the Cirrus Identity Bridge for Azure AD, you will be asked for your Azure AD TenantID. To view this:
+
+1. Sign in to the Azure portal using a Microsoft account with access to administer Azure Active Directory.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Overview** and view the Tenant ID.
+1. Copy the value and send it to the Cirrus Identity contract representative you are working with.
+
+To use the Microsoft Graph API integration, you must grant the Cirrus Identity Bridge for Azure AD access to use the API in your tenant. To do this:
+
+1. Sign in to the Azure portal as a Global Administrator for your Microsoft Azure Tenant.
+1. Edit the URL `https://login.microsoftonline.com/$TENANT_ID/adminconsent?client_id=ea71bc49-6159-422d-84d5-6c29d7287974&state=12345&redirect_uri=https://admin.cirrusidentity.com/azure-registration` replacing **$TENANT_ID** with the value for your Azure AD Tenant.
+1. Paste the URL into the browser where you are signed in as a Global Administrator.
+1. You will be asked to consent to grant access.
+1. When successful, there should be a new application called Cirrus Bridge API.
+1. Advise the Cirrus Identity contract representative you are working with that you have successfully granted API access to the Cirrus Identity Bridge for Azure AD.
++
+Once Cirrus Identity has the Tenant ID, and access has been granted, we will provision Cirrus Identity Bridge for Azure AD infrastructure and provide you with the following information unique to your subscription:
+
+- Identifier URI/ Entity ID
+- Redirect URI / Reply URL
+- Single-logout URL
+- SP Encryption Cert (if using encrypted assertions or logout)
+- A URL for testing
+- Additional instructions depending on the options included with your subscription
++
+> [!NOTE]
+> If you are unable to grant API access to the Cirrus Identity Bridge for Azure AD, the Bridge can be integrated using a traditional SAML2 integration. Advise the Cirrus Identity contract representative you are working with that you are not able to use MS Graph API integration.
+ ## Add Cirrus Identity Bridge for Azure AD from the gallery To configure the integration of Cirrus Identity Bridge for Azure AD into Azure AD, you need to add Cirrus Identity Bridge for Azure AD from the gallery to your list of managed SaaS apps.
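Review bot: the admin-consent procedure at L3979-L3986 never states which Microsoft Graph permissions the Cirrus Bridge API application requests; a Global Administrator consenting on behalf of the whole tenant needs that list, and what the Bridge uses each permission for, in the document rather than only on the consent screen mentioned at L3984, so please add it next to the URL at L3982. Also, L3987 and L3996 add lines whose only content is a `+`, which will render as stray plus signs; drop them.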
To configure and test Azure AD SSO with Cirrus Identity Bridge for Azure AD, per
Follow these steps to enable Azure AD SSO in the Azure portal.
+1. In the Azure portal, on the **Cirrus Identity Bridge for Azure AD** application integration page, find the **Manage** section and select **Properties**.
+1. On the **Properties** page, toggle **Assignment Required** based on your access requirements. If set to **Yes**, you will need to assign the **Cirrus Identity Bridge for Azure AD** application to an access control group on the **Users and Groups** page.
+1. While still on the **Properties** page, toggle **Visible to users** to **No**. The initial integration will always represent the default integration used for multiple service providers. In this case, there will not be any one service provider to direct end users to. To make specific applications visible to end users, you will have to use linking single sign-on to give end user access in My Apps to specific service providers. [See here](../manage-apps/configure-linked-sign-on.md) for more details.
+ 1. In the Azure portal, on the **Cirrus Identity Bridge for Azure AD** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
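Review bot: L4003 leaves **Assignment Required** to the reader without saying what **No** means here; because L4004 explains that this single app fronts every service provider behind the Bridge, leaving assignment off lets any user in the tenant obtain an assertion for all of them, so the step should spell that out and recommend **Yes** with an access group unless open access is intended.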
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, perform the following steps: a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.cirrusidentity.com/bridge`
+ `https://<DOMAIN>/bridge`
b. In the **Reply URL** text box, type a URL using the following pattern: `https://<NAME>.proxy.cirrusidentity.com/module.php/saml/sp/saml2-acs.php/<NAME>_proxy`
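Review bot: the new Identifier pattern `https://<DOMAIN>/bridge` at L4009 uses a `<DOMAIN>` placeholder while the Reply URL pattern at L4010 uses `<NAME>.proxy.cirrusidentity.com`; say what `<DOMAIN>` refers to (the Bridge host from the Identifier URI / Entity ID that Cirrus provides, per the list earlier in the article) so readers do not fill it with their own Azure AD domain.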
Follow these steps to enable Azure AD SSO in the Azure portal.
`<CUSTOMER_LOGIN_URL>` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier and Sign on URL. If you have not yet subscribed to the Cirrus Bridge, please visit the [registration page](https://info.cirrusidentity.com/cirrus-identity-azure-ad-app-gallery-registration). If you are an existing Cirrus Bridge customer, contact [Cirrus Identity Bridge for Azure AD Client support team](https://www.cirrusidentity.com/resources/service-desk) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier,Reply URL and Sign on URL. If you have not yet subscribed to the Cirrus Bridge, please visit the [registration page](https://info.cirrusidentity.com/cirrus-identity-azure-ad-app-gallery-registration). If you are an existing Cirrus Bridge customer, contact [Cirrus Identity Bridge for Azure AD Client support team](https://www.cirrusidentity.com/resources/service-desk) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. Cirrus Identity Bridge for Azure AD application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. ![image](common/default-attributes.png)
-1. In addition to above, Cirrus Identity Bridge for Azure AD application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+1. Cirrus Identity Bridge for Azure AD pre-populates **Attributes & Claims** which are typical for use with the InCommon trust federation. You can review and modify them to meet your requirements. Consult the [eduPerson schema specification](https://wiki.refeds.org/display/STAN/eduPerson) for more details.
| Name | Source Attribute| | | |
- | displayname | user.displayname |
+ | urn:oid:2.5.4.42 | user.givenname |
+ | urn:oid:2.5.4.4 | user.surname |
+ | urn:oid:0.9.2342.19200300.100.1.3 | user.mail |
+ | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | user.userprincipalname |
+ | cirrus.nameIdFormat | "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" |
+
+ > [!NOTE]
+ > These defaults assume the Azure AD UPN is suitable to use as an eduPersonPrincipalName.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
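Review bot: the attribute table at L4020-L4023 lists only OIDs, which most Azure AD admins will not recognise; add the friendly names beside them (2.5.4.42 is givenName, 2.5.4.4 is sn, 0.9.2342.19200300.100.1.3 is mail, 1.3.6.1.4.1.5923.1.1.1.6 is eduPersonPrincipalName) so the note at L4027 about the UPN standing in for eduPersonPrincipalName can be matched to its row. Minor: L4014 is missing a space in "Identifier,Reply URL", and the quoted literal at L4024 should be marked as a constant value, since the **Source Attribute** column otherwise lists user properties.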
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure Cirrus Identity Bridge for Azure AD SSO
-To configure single sign-on on **Cirrus Identity Bridge for Azure AD** side, you need to send the **App Federation Metadata Url** to [Cirrus Identity Bridge for Azure AD support team](https://www.cirrusidentity.com/resources/service-desk). They set this setting to have the SAML SSO connection set properly on both sides.
+More documentation on configuring the Cirrus Bridge is available [from Cirrus Identity](https://blog.cirrusidentity.com/documentation/azure-bridge-setup). To also configure the Cirrus Bridge to support access for CAS services, CAS support is also available [for the Cirrus Bridge](https://blog.cirrusidentity.com/documentation/cas-bridge-setup).
### Setup Cirrus Identity Bridge for Azure AD testing
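Review bot: the removed line at L4031 was the only instruction for what to do with the **App Federation Metadata Url** that the reader is told to copy and save at L4028; the replacement at L4032 only links to vendor documentation, so either state that the metadata URL is entered during the Cirrus setup described there or drop the copy step. Style: "To also configure ... CAS support is also available" repeats "also"; one is enough.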
You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps Once you configure Cirrus Identity Bridge for Azure AD you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).+
+You can also create multiple App configurations for the Cirrus Identity Bridge for Azure AD, when using MS Graph API integration. These allow you to implement different claims, access controls, or Azure AD Conditional Access policies for groups of multilateral federation. See [here](https://blog.cirrusidentity.com/documentation/azure-bridge-setup) for further details. Many of these same access controls can also be applied to [CAS applications](https://blog.cirrusidentity.com/documentation/cas-bridge-setup).
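Review bot: "groups of multilateral federation" at L4036 is unclear; if it means groups of service providers within a federation, say so. The link text "here" (also used at L4004) is not descriptive; use the target's title as the link text, as the rest of the page does.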
active-directory Factset Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/factset-tutorial.md
Previously updated : 09/26/2022 Last updated : 10/10/2022
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
-1. On the **Set up single sign-on with SAML** page, perform the following steps:
+1. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Identifier** text box, type the URL: `https://auth.factset.com`
Follow these steps to enable Azure AD SSO in the Azure portal.
b. In the **Reply URL** text box, type the URL: `https://auth.factset.com/sp/ACS.saml2`
- c. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<SUBDOMAIN>.factset.com/services/saml2/`
-
- > [!NOTE]
- > The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact the [FactSet Support Team](https://www.factset.com/contact-us) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
- 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the metadata file and save it on your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
1. On the **Set up FactSet** section, copy the appropriate URL(s) based on your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Screenshot shows to copy configuration appropriate URL.](common/copy-configuration-urls.png "Metadata")
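Review bot: removing the Sign-on URL step and its note (L4048-L4052) changes the FactSet configuration to IdP-initiated only, but nothing in this hunk updates the parts of the tutorial that usually reference the Sign-on URL (scenario description, test SSO options); confirm they are adjusted in the same change. Also, L4053 shows a deletion immediately before the Federation Metadata XML download step; make sure the step itself (find **Federation Metadata XML** and select **Download**) is retained, since L4054-L4055 still update its screenshot.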
### Create an Azure AD test user
active-directory Keylight Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/keylight-tutorial.md
- Title: 'Tutorial: Azure Active Directory integration with NAVEX IRM (Lockpath/Keylight) | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and NAVEX IRM (Lockpath/Keylight).
-------- Previously updated : 09/09/2022--
-# Tutorial: Azure Active Directory integration with NAVEX IRM (Lockpath/Keylight)
-
-In this tutorial, you'll learn how to integrate NAVEX IRM (Lockpath/Keylight) with Azure Active Directory (Azure AD). When you integrate NAVEX IRM (Lockpath/Keylight) with Azure AD, you can:
-
-* Control in Azure AD who has access to NAVEX IRM (Lockpath/Keylight).
-* Enable your users to be automatically signed-in to NAVEX IRM (Lockpath/Keylight) with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
-
-## Prerequisites
-
-To configure Azure AD integration with NAVEX IRM (Lockpath/Keylight), you need the following items:
-
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
-* NAVEX IRM (Lockpath/Keylight) single sign-on enabled subscription.
-
-## Scenario description
-
-In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-
-* NAVEX IRM (Lockpath/Keylight) supports **SP** initiated SSO.
-* NAVEX IRM (Lockpath/Keylight) supports **Just In Time** user provisioning.
-
-## Add NAVEX IRM (Lockpath/Keylight) from the gallery
-
-To configure the integration of NAVEX IRM (Lockpath/Keylight) into Azure AD, you need to add NAVEX IRM (Lockpath/Keylight) from the gallery to your list of managed SaaS apps.
-
-1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
-1. On the left navigation pane, select the **Azure Active Directory** service.
-1. Navigate to **Enterprise Applications** and then select **All Applications**.
-1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **NAVEX IRM (Lockpath/Keylight)** in the search box.
-1. Select **NAVEX IRM (Lockpath/Keylight)** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-
- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
-
-## Configure and test Azure AD SSO for NAVEX IRM (Lockpath/Keylight)
-
-Configure and test Azure AD SSO with NAVEX IRM (Lockpath/Keylight) using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in NAVEX IRM (Lockpath/Keylight).
-
-To configure and test Azure AD SSO with NAVEX IRM (Lockpath/Keylight), perform the following steps:
-
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure NAVEX IRM (Lockpath/Keylight) SSO](#configure-navex-irm-lockpathkeylight-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create NAVEX IRM (Lockpath/Keylight) test user](#create-navex-irm-lockpathkeylight-test-user)** - to have a counterpart of B.Simon in NAVEX IRM (Lockpath/Keylight) that is linked to the Azure AD representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-
-## Configure Azure AD SSO
-
-In this section, you enable Azure AD single sign-on in the Azure portal.
-
-Follow these steps to enable Azure AD SSO in the Azure portal.
-
-1. In the Azure portal, on the **NAVEX IRM (Lockpath/Keylight)** application integration page, find the **Manage** section and select **single sign-on**.
-1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Basic SAML Configuration** section, perform the following steps:
-
- a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<COMPANY_NAME>.keylightgrc.com`
-
- b. In the **Reply URL** textbox, type a URL using the following pattern: `https://<COMPANY_NAME>.keylightgrc.com/Login.aspx`
-
- c. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<COMPANY_NAME>.keylightgrc.com/`
-
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [NAVEX IRM (Lockpath/Keylight) Client support team](https://www.lockpath.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/certificateraw.png)
-
-6. On the **Set up NAVEX IRM (Lockpath/Keylight)** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B.Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to NAVEX IRM (Lockpath/Keylight).
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **NAVEX IRM (Lockpath/Keylight)**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
-1. In the **Add Assignment** dialog, click the **Assign** button.
-
-## Configure NAVEX IRM (Lockpath/Keylight) SSO
-
-1. To enable SSO in NAVEX IRM (Lockpath/Keylight), perform the following steps:
-
- a. Sign-on to your NAVEX IRM (Lockpath/Keylight) account as administrator.
-
- b. In the menu on the top, click **User Icon**, and select **Setup**.
-
- ![Screenshot that shows the "Person" icon selected, and "Keylight Setup" selected from the drop-down.](./media/keylight-tutorial/setup-icon.png)
-
- c. In the treeview on the left, click **SAML**.
-
- ![Screenshot that shows "S A M L" selected in the tree view.](./media/keylight-tutorial/tree-view.png)
-
- d. On the **SAML Settings** dialog, click **Edit**.
-
- ![Screenshot that shows the "S A M L Settings" window with the "Edit" button selected.](./media/keylight-tutorial/edit-icon.png)
-
-1. On the **Edit SAML Settings** dialog page, perform the following steps:
-
- ![Configure Single Sign-On](./media/keylight-tutorial/settings.png)
-
- a. Set **SAML authentication** to **Active**.
-
- b. In the **Identity Provider Login URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
-
- c. In the **Identity Provider Logout URL** textbox, paste the **Logout URL** value which you have copied from the Azure portal.
-
- d. Click **Choose File** to select your downloaded NAVEX IRM (Lockpath/Keylight) certificate, and then click **Open** to upload the certificate.
-
- e. Set **SAML User Id location** to **NameIdentifier element of the subject statement**.
-
- f. Provide the **Service Provider Entity Id** using the following pattern: `https://<CompanyName>.keylightgrc.com`.
-
- g. Set **Auto-provision users** to **Active**.
-
- h. Set **Auto-provision account type** to **Full User**.
-
- i. Set **Auto-provision security role**, select **Standard User with SAML**.
-
- j. Set **Auto-provision security config**, select **Standard User Configuration**.
-
- k. In the **Email attribute** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`.
-
- l. In the **First name attribute** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`.
-
- m. In the **Last name attribute** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`.
-
- n. Click **Save**.
-
-### Create NAVEX IRM (Lockpath/Keylight) test user
-
-In this section, a user called Britta Simon is created in NAVEX IRM (Lockpath/Keylight). NAVEX IRM (Lockpath/Keylight) supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in NAVEX IRM (Lockpath/Keylight), a new one is created after authentication. If you need to create a user manually, you need to contact the [NAVEX IRM (Lockpath/Keylight) Customer support team](https://www.lockpath.com/contact/).
-
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration with following options.
-
-* Click on **Test this application** in Azure portal. This will redirect to NAVEX IRM (Lockpath/Keylight) Sign-on URL where you can initiate the login flow.
-
-* Go to NAVEX IRM (Lockpath/Keylight) Sign-on URL directly and initiate the login flow from there.
-
-* You can use Microsoft My Apps. When you click the NAVEX IRM (Lockpath/Keylight) tile in the My Apps, this will redirect to NAVEX IRM (Lockpath/Keylight) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
-## Next steps
-
-Once you configure NAVEX IRM (Lockpath/Keylight) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
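Review bot: this deletes the whole keylight-tutorial.md article, but nothing in the change adds a redirect for its URL; a removed page needs an entry in the repo's redirection file pointing at its replacement (or at the SaaS app tutorial list), otherwise links from the app gallery and search results to the NAVEX IRM (Lockpath/Keylight) tutorial will 404. If the article is being replaced under a new name, the redirect should target that file, and the new tutorial should carry over the Just In Time provisioning note from L4084 and the claim names at L4211-L4215, which customers need to reproduce the configuration.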
active-directory Kronos Workforce Dimensions Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/kronos-workforce-dimensions-tutorial.md
Previously updated : 01/27/2021 Last updated : 10/10/2022
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
1. On the **Basic SAML Configuration** section, perform the following steps:
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
- ![The Certificate download link](common/copy-metadataurl.png)
+ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
### Create an Azure AD test user
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
To configure single sign-on on **Kronos Workforce Dimensions** side, you need to send the **App Federation Metadata Url** to [Kronos Workforce Dimensions support team](mailto:support@kronos.com). They set this setting to have the SAML SSO connection set properly on both sides.
-### Create Kronos Workforce Dimensions test user
+## Create Kronos Workforce Dimensions test user
In this section, you create a user called Britta Simon in Kronos Workforce Dimensions. Work with [Kronos Workforce Dimensions support team](mailto:support@kronos.com) to add the users in the Kronos Workforce Dimensions platform. Users must be created and activated before you use single sign-on.
+> [!NOTE]
+> Original Microsoft documentation advises to contact UKG Support via email to create your Azure AD Users. While this option is available please consider the following self-service options.
+
+### Manual Process
+
+There are two ways to manually create your Azure AD users in WFD. You can either select an existing user, duplicate them and then update the necessary fields to make that user unique. This process can be time consuming and requires knowledge of the WFD User Interface. The alternative is to create the user via the WFD API which is much quicker. This option requires knowledge of using API Tools such as Postman to send the request to the API instead. The following instructions will assist with importing a prebuilt example into the Postman API Tool.
+
+#### Setup
+
+1. Open Postman tool and import the following files:
+
+ a. Workforce Dimensions - Create User.postman_collection.json
+
+ b. AAD to WFD Env Variables.json
+
+1. In the left-pane, select the **Environments** button.
+
+1. Click on **AAD_to_WFD_Env_Variables** and add the values provided by UKG Support pertaining to your WFD instance.
+
+ > [!NOTE]
+ > access_token and refresh_token should be empty as these will automatically populate as a result of the Obtain Access Token HTTP Request.
+
+1. Open the **Create Azure AD User in WFD** HTTP Request and update highlighted properties within the JSON payload:
+
+ ```
+ {
+
+ "personInformation":ΓÇ»{
+
+    "accessAssignment": {
+
+       "accessProfileName": "accessProfileName",
+
+       "notificationProfileName": "All"
+
+     },
+
+     "emailAddresses": [
+
+       {
+
+         "address": "address”
+
+         "contactTypeName": "Work"
+
+       }
+
+     ],
+
+     "employmentStatusList": [
+
+       {
+
+         "effectiveDate": "2019-08-15",
+
+         "employmentStatusName": "Active",
+
+         "expirationDate": "3000-01-01"
+
+       }
+
+     ],
+
+     "person": {
+
+       "personNumber": "personNumber",
+
+       "firstName": "firstName",
+
+       "lastName": "lastName",
+
+       "fullName": "fullName",
+
+       "hireDate": "2019-08-15",
+
+       "shortName": "shortName"
+
+     },
+
+     "personAuthenticationTypes": [
+
+       {
+
+         "activeFlag": true,
+
+         "authenticationTypeName": "Federated"
+
+       }
+
+     ],
+
+     "personLicenseTypes": [
+
+       {
+
+         "activeFlag": true,
+
+         "licenseTypeName": "Employee"
+
+       },
+
+       {
+
+         "activeFlag": true,
+
+         "licenseTypeName": "Absence"
+
+       },
+
+       {
+
+         "activeFlag": true,
+
+         "licenseTypeName": "Hourly Timekeeping"
+
+       },
+
+       {
+
+         "activeFlag": true,
+
+         "licenseTypeName": "Scheduling"
+
+       }
+
+     ],
+
+     "userAccountStatusList": [
+
+       {
+
+         "effectiveDate": "2019-08-15",
+
+         "expirationDate": "3000-01-01",
+
+         "userAccountStatusName": "Active"
+
+       }
+
+     ]
+
+   },
+
+   "jobAssignment": {
+
+     "baseWageRates": [
+
+       {
+
+         "effectiveDate": "2019-01-01",
+
+         "expirationDate": "3000-01-01",
+
+         "hourlyRate": 20.15
+
+       }
+
+     ],
+
+     "jobAssignmentDetails": {
+
+       "payRuleName": "payRuleName",
+
+       "timeZoneName": "timeZoneName"
+
+     },
+
+     "primaryLaborAccounts": [
+
+       {
+
+         "effectiveDate": "2019-08-15",
+
+         "expirationDate": "3000-01-01",
+
+         "organizationPath": "organizationPath"
+
+       }
+
+     ]
+
+   },
+
+   "user": {
+
+     "userAccount": {
+
+       "logonProfileName": "Default",
+
+       "userName": "userName"
+
+     }
+
+   }
+
+ }
+ ```
+
+ > [!NOTE]
+ > The personInformation.emailAddress.address and the user.userAccount.userName must both match the targeted Azure AD User you are trying to create in WFD.
+
+1. In the upper-righthand corner, select the **Environments** drop-down-box and select **AAD_to_WFD_Env_Variables**.
+
+1. Once the JSON payload has been updated and the correct environment variables selected, select the **Obtain Access Token** HTTP Request and click the **Send** button. This will leverage the updated environment variables to authenticate to your WFD instance and then cache your access token in the environment variables to use when calling the create user method.
+
+1. If the authentication call was successful, you should see a 200 response with an access token returned. This access token will also now show in the **CURRENT VALUE** column in the environment variables for the **access_token** entry.
+
+ > [!NOTE]
+ > If an access_token is not received, confirm that all variables in the environment variables are correct. User credentials should be a super user account.
+
+1. Once an **access_token** is obtained, select the **AAD_to_WFD_Env_Variables** HTTP Request and click the **Send** button. If the request is successful you will receive a 200 HTTP status back.
+
+1. Login to WFD with the **Super User** account and confirm the new Azure AD User was created within the WFD instance.
+
+### Automated Process
+
+The automated process consists of a flat-file in CSV format which allows the user to prespecify the highlighted values in the payload from the manual API process above. The flat-file is consumed by the accompanying PowerShell script which creates the new WFD users in bulk. The script processes new user creations in batches of 70 (default) which is configurable for optimal performance. The following instructions will walk through the setup and execution of the script.
+
+1. Save both the **AAD_To_WFD.csv** and **AAD_To_WFD.ps1** files locally to your computer.
+
+1. Open the **AAD_To_WFD.csv** file and fill in the columns.
+
+ * **personInformation.accessAssignment.accessProfileName**: Specific Access Profile Name from WFD instance.
+
+ * **personInformation.emailAddresses.address**:
+ Must match the User Principle Name in Azure Active Directory.
+
+ * **personInformation.personNumber**: Must be unique across the WFD instance.
+
+ * **personInformation.firstName**: UserΓÇÖs first name.
+
+ * **personInformation.lastName**: UserΓÇÖs last name.
+
+ * **jobAssignment.jobAssignmentDetails.payRuleName**: Specific Pay Rule Name from WFD.
+
+ * **jobAssignment.jobAssignmentDetails.timeZoneName**: Timezone format must match WFD instance (i.e. (GMT -08:00) Pacific Time)
+
+ * **jobAssignment.primaryLaborAccounts.organizationPath**: Organization Path of a specific Business structure in the WFD instance.
+
+1. Save the .csv file.
+
+1. Right-Click the **AAD_To_WFD.ps1** script and click **Edit** to modify it.
+
+1. Confirm the path specified in Line 15 is the correct name/path to the **AAD_To_WFD.csv** file.
+
+1. Update the following lines with the values provided by UKG Support pertaining to your WFD instance.
+
+ * Line 33: vanityUrl
+
+ * Line 43: appKey
+
+ * Line 48: client_id
+
+ * Line 49: client_secret
+
+1. Save and execute the script.
+
+1. Provide WFD **Super User** credentials when prompted.
+
+1. Once completed, the script will return a list of any users that failed to create.
+
+> [!Note]
+> Be sure to check the values provided in the AAD_To_WFD.csv file if it is returned as the result of typos or mismatched fields in the WFD instance. The error could also be returned by the WFD API instance if all users in the batch already exist in the instance.
+ ## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
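Review bot: the JSON payload under "Open the **Create Azure AD User in WFD** HTTP Request" is not valid JSON as shown: the `emailAddresses` entry `"address": "address”` ends in a typographic closing quote and is missing the comma before `"contactTypeName": "Work"`, and `"personInformation":ΓÇ»{` carries a mis-encoded non-breaking space (the same `ΓÇ»`/`ΓÇÖ` damage appears as `UserΓÇÖs` in the CSV column list), so Postman will reject the body as pasted. Replace the curly quote and the non-breaking space with plain ASCII, add the comma, and tag the fence as json so the doubled blank lines can be dropped. Two references in the same hunk do not match the payload: "select the **AAD_to_WFD_Env_Variables** HTTP Request and click the **Send** button" names the environment, whereas the request defined earlier is **Create Azure AD User in WFD**; and the note `personInformation.emailAddress.address` refers to a key that is spelled `emailAddresses` in the payload. The Postman collection, environment file, `AAD_To_WFD.csv` and `AAD_To_WFD.ps1` are referenced by name only and the script is described by line numbers (15, 33, 43, 48, 49) that a reader cannot check; link or embed the files so the references resolve. Since the environment and script end up holding `client_secret`, super-user credentials and the cached `access_token`/`refresh_token`, add a sentence telling readers to keep those files out of source control and to clear the cached tokens when finished. Minor: `[!Note]` in the closing note should be `[!NOTE]` like the others.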
active-directory Navex Irm Keylight Lockpath Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/navex-irm-keylight-lockpath-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory integration with NAVEX IRM (Lockpath/Keylight) | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and NAVEX IRM (Lockpath/Keylight).
++++++++ Last updated : 09/09/2022++
+# Tutorial: Azure Active Directory integration with NAVEX IRM (Lockpath/Keylight)
+
+In this tutorial, you'll learn how to integrate NAVEX IRM (Lockpath/Keylight) with Azure Active Directory (Azure AD). When you integrate NAVEX IRM (Lockpath/Keylight) with Azure AD, you can:
+
+* Control in Azure AD who has access to NAVEX IRM (Lockpath/Keylight).
+* Enable your users to be automatically signed-in to NAVEX IRM (Lockpath/Keylight) with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To configure Azure AD integration with NAVEX IRM (Lockpath/Keylight), you need the following items:
+
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* NAVEX IRM (Lockpath/Keylight) single sign-on enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+
+* NAVEX IRM (Lockpath/Keylight) supports **SP** initiated SSO.
+* NAVEX IRM (Lockpath/Keylight) supports **Just In Time** user provisioning.
+
+## Add NAVEX IRM (Lockpath/Keylight) from the gallery
+
+To configure the integration of NAVEX IRM (Lockpath/Keylight) into Azure AD, you need to add NAVEX IRM (Lockpath/Keylight) from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **NAVEX IRM (Lockpath/Keylight)** in the search box.
+1. Select **NAVEX IRM (Lockpath/Keylight)** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+ Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
+
+## Configure and test Azure AD SSO for NAVEX IRM (Lockpath/Keylight)
+
+Configure and test Azure AD SSO with NAVEX IRM (Lockpath/Keylight) using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in NAVEX IRM (Lockpath/Keylight).
+
+To configure and test Azure AD SSO with NAVEX IRM (Lockpath/Keylight), perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure NAVEX IRM (Lockpath/Keylight) SSO](#configure-navex-irm-lockpathkeylight-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create NAVEX IRM (Lockpath/Keylight) test user](#create-navex-irm-lockpathkeylight-test-user)** - to have a counterpart of B.Simon in NAVEX IRM (Lockpath/Keylight) that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+In this section, you enable Azure AD single sign-on in the Azure portal.
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **NAVEX IRM (Lockpath/Keylight)** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+4. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ `https://<COMPANY_NAME>.keylightgrc.com`
+
+ b. In the **Reply URL** textbox, type a URL using the following pattern: `https://<COMPANY_NAME>.keylightgrc.com/Login.aspx`
+
+ c. In the **Sign on URL** text box, type a URL using the following pattern:
+ `https://<COMPANY_NAME>.keylightgrc.com/`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [NAVEX IRM (Lockpath/Keylight) Client support team](https://www.lockpath.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.
+
+ ![The Certificate download link](common/certificateraw.png)
+
+6. On the **Set up NAVEX IRM (Lockpath/Keylight)** section, copy the appropriate URL(s) as per your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to NAVEX IRM (Lockpath/Keylight).
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **NAVEX IRM (Lockpath/Keylight)**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure NAVEX IRM (Lockpath/Keylight) SSO
+
+1. To enable SSO in NAVEX IRM (Lockpath/Keylight), perform the following steps:
+
+ a. Sign on to your NAVEX IRM (Lockpath/Keylight) account as administrator.
+
+ b. In the menu on the top, click **User Icon**, and select **Setup**.
+
+ ![Screenshot that shows the "Person" icon selected, and "Keylight Setup" selected from the drop-down.](./media/keylight-tutorial/setup-icon.png)
+
+ c. In the treeview on the left, click **SAML**.
+
+ ![Screenshot that shows "S A M L" selected in the tree view.](./media/keylight-tutorial/tree-view.png)
+
+ d. On the **SAML Settings** dialog, click **Edit**.
+
+ ![Screenshot that shows the "S A M L Settings" window with the "Edit" button selected.](./media/keylight-tutorial/edit-icon.png)
+
+1. On the **Edit SAML Settings** dialog page, perform the following steps:
+
+ ![Configure Single Sign-On](./media/keylight-tutorial/settings.png)
+
+ a. Set **SAML authentication** to **Active**.
+
+ b. In the **Identity Provider Login URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
+
+ c. In the **Identity Provider Logout URL** textbox, paste the **Logout URL** value which you have copied from the Azure portal.
+
+ d. Click **Choose File** to select your downloaded NAVEX IRM (Lockpath/Keylight) certificate, and then click **Open** to upload the certificate.
+
+ e. Set **SAML User Id location** to **NameIdentifier element of the subject statement**.
+
+ f. Provide the **Service Provider Entity Id** using the following pattern: `https://<CompanyName>.keylightgrc.com`.
+
+ g. Set **Auto-provision users** to **Active**.
+
+ h. Set **Auto-provision account type** to **Full User**.
+
+ i. Set **Auto-provision security role**, select **Standard User with SAML**.
+
+ j. Set **Auto-provision security config**, select **Standard User Configuration**.
+
+ k. In the **Email attribute** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`.
+
+ l. In the **First name attribute** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`.
+
+ m. In the **Last name attribute** textbox, type `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`.
+
+ n. Click **Save**.
+
+### Create NAVEX IRM (Lockpath/Keylight) test user
+
+In this section, a user called Britta Simon is created in NAVEX IRM (Lockpath/Keylight). NAVEX IRM (Lockpath/Keylight) supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in NAVEX IRM (Lockpath/Keylight), a new one is created after authentication. If you need to create a user manually, you need to contact the [NAVEX IRM (Lockpath/Keylight) Customer support team](https://www.lockpath.com/contact/).
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to NAVEX IRM (Lockpath/Keylight) Sign-on URL where you can initiate the login flow.
+
+* Go to NAVEX IRM (Lockpath/Keylight) Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the NAVEX IRM (Lockpath/Keylight) tile in the My Apps, this will redirect to NAVEX IRM (Lockpath/Keylight) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+
+## Next steps
+
+Once you configure NAVEX IRM (Lockpath/Keylight) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
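Review bot: step d under **Edit SAML Settings** (`Click **Choose File** to select your downloaded NAVEX IRM (Lockpath/Keylight) certificate`) refers to the file downloaded in the **SAML Signing Certificate** step, which is the Azure AD signing certificate, not a NAVEX certificate; naming it as the Azure AD (identity provider) certificate avoids the reader uploading the wrong file, and it is the certificate NAVEX needs to validate assertion signatures. Smaller points in the same file: the **Configure Azure AD SSO** list switches from `1.` to `4.`, `5.`, `6.` mid-list; the entity ID placeholder is `<COMPANY_NAME>` in the Basic SAML Configuration steps but `<CompanyName>` in step f, and they should match because the Identifier and **Service Provider Entity Id** must be identical for the SP to accept the assertion; the gallery paragraph repeats "as well as walk through the SSO configuration as well"; `++++++++ Last updated : 09/09/2022++` in the front matter and `organizationΓÇÖs` in the last paragraph look like encoding damage in the commit. Also, the scenario section lists **Just In Time** provisioning and the test-user section says it is enabled by default, while step g requires the admin to set **Auto-provision users** to **Active**; reconcile which statement is correct.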
active-directory Nordpass Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/nordpass-provisioning-tutorial.md
# Tutorial: Configure NordPass for automatic user provisioning
-This tutorial describes the steps you need to perform in both NordPass and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [NordPass](https://nordpass.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
+This tutorial describes the steps you need to perform in both NordPass and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [NordPass](https://nordpass.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities supported
Add NordPass from the Azure AD application gallery to start managing provisionin
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users , you can control this by assigning one or two users to the app. When scope is set to all users , you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. ## Step 5. Configure automatic user provisioning to NordPass
-This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in NordPass based on user and/or group assignments in Azure AD.
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in NordPass based on user assignments in Azure AD.
### To configure automatic user provisioning for NordPass in Azure AD:
This section guides you through the steps to configure the Azure AD provisioning
![Token](common/provisioning-testconnection-tenanturltoken.png)
-1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
![Notification Email](common/provisioning-notification-email.png)
This section guides you through the steps to configure the Azure AD provisioning
![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
-1. Define the users and/or groups that you would like to provision to NordPass by choosing the desired values in **Scope** in the **Settings** section.
+1. Define the users that you would like to provision to NordPass by choosing the desired values in **Scope** in the **Settings** section.
![Provisioning Scope](common/provisioning-scope.png)
This section guides you through the steps to configure the Azure AD provisioning
![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
-This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
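Review bot: in the "Start small" bullet the edit that dropped `and groups` left stray spaces before the commas (`assigned users ,` and `all users ,`); remove them. In the scoping paragraph, `based on assignment to the application and or based on attributes` should read `and/or`. The rest of the hunk consistently removes group provisioning from the NordPass text; please confirm the **Capabilities supported** section above it no longer lists group provisioning either, so the two sections agree.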
active-directory Memo 22 09 Meet Identity Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-meet-identity-requirements.md
The article series features guidance that encompasses existing agency investment
* MFA must be enforced at the application layer instead of the network layer.
- * For agency staff, contractors, and partners, phishing-resistant MFA is required. For public users, phishing-resistant MFA must be an option.
-
-* Password policies must not require the use of special characters or regular rotation.
+ * For agency staff, contractors, and partners, phishing-resistant MFA is required.
+
+ * For public users, phishing-resistant MFA must be an option.
+
+ * Password policies must not require the use of special characters or regular rotation.
* When agencies are authorizing users to access resources, they must consider at least one device-level signal alongside identity information about the authenticated user.
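Review bot: the restructured list nests `Password policies must not require the use of special characters or regular rotation.` one level under the MFA bullet, whereas before this change it was a top-level requirement alongside `MFA must be enforced at the application layer`. The password-policy rule is a separate memo requirement, not a sub-point of MFA enforcement, so keep it at the top level; splitting the staff/contractor and public-user MFA sentences into two sub-bullets is fine.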
active-directory Verifiable Credentials Configure Issuer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer.md
Now that you have a new credential, you're going to gather some information abou
1. Copy your **Tenant ID**, and record it for later. The Tenant ID is the guid in the manifest URL highlighted in red above.
+ >[!NOTE]
+ > When setting up access policies for Azure Key Vault, you must add the access policies for both **Verifiable Credentials Service Request** and **Verifiable Credentials Service**.
+ ## Download the sample code The sample application is available in .NET, and the code is maintained in a GitHub repository. Download the sample code from [GitHub](https://github.com/Azure-Samples/active-directory-verifiable-credentials-dotnet), or clone the repository to your local machine:
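Review bot: the new note says access policies must be added for both **Verifiable Credentials Service Request** and **Verifiable Credentials Service**, but it sits under the step that copies the Tenant ID and does not say where the policies are configured or which permissions are needed; point it at the Key Vault access-policy step in the tenant configuration tutorial (verifiable-credentials-configure-tenant), which grants **Get** and **Sign** key permissions, so the reader can apply it. Also `## Download the sample code` is run together on one line with its paragraph; put the heading on its own line.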
active-directory Verifiable Credentials Configure Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md
Title: Tutorial - Configure your tenant for Microsoft Entra Verified ID
-description: In this tutorial, you learn how to configure your tenant to support the Verifiable Credentials service.
+description: In this tutorial, you learn how to configure your tenant to support the Verified ID service.
Specifically, you learn how to:
> [!div class="checklist"] > - Create an Azure Key Vault instance.
-> - Set up the Verifiable Credentials service.
+> - Set up the Verified ID service.
> - Register an application in Azure AD. The following diagram illustrates the Verified ID architecture and the component you configure. :::image type="content" source="media/verifiable-credentials-configure-tenant/verifiable-credentials-architecture.png" alt-text="Diagram that illustrates the Microsoft Entra Verified ID architecture." border="false"::: - ## Prerequisites - You need an Azure tenant with an active subscription. If you don't have Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
The Verifiable credentials service request is the Request Service API, and it ne
1. For **Key permissions**, select permissions **Get** and **Sign**.
- ![screenshot of key vault granting access to a security principal](media/verifiable-credentials-configure-tenant/set-key-vault-sp-access-policy.png)
+ :::image type="content" source="media/verifiable-credentials-configure-tenant/set-key-vault-sp-access-policy.png" alt-text="screenshot of key vault granting access to a security principal":::
+
+1. To save the changes, select **Add**.
-1. To save the changes, select **Save**.
## Set up Verified ID
To set up Verified ID, follow these steps:
1. Set up your organization by providing the following information:
- 1. **Organization name**: Enter a name to reference your business within Verifiable Credentials. Your customers don't see this name.
+ 1. **Organization name**: Enter a name to reference your business within Verified IDs. Your customers don't see this name.
1. **Domain**: Enter a domain that's added to a service endpoint in your decentralized identity (DID) document. The domain is what binds your DID to something tangible that the user might know about your business. Microsoft Authenticator and other digital wallets use this information to validate that your DID is linked to your domain. If the wallet can verify the DID, it displays a verified symbol. If the wallet can't verify the DID, it informs the user that the credential was issued by an organization it couldn't validate.
-
+ >[!IMPORTANT] > The domain can't be a redirect. Otherwise, the DID and domain can't be linked. Make sure to use HTTPS for the domain. For example: `https://contoso.com`. 1. **Key vault**: Select the key vault that you created earlier. 1. Under **Advanced**, you may choose the **trust system** that you want to use for your tenant. You can choose from either **Web** or **ION**. Web means your tenant uses [did:web](https://w3c-ccg.github.io/did-method-web/) as the did method and ION means it uses [did:ion](https://identity.foundation/ion/).
-
+ >[!IMPORTANT]
- > The only way to change the trust system is to opt-out of verifiable credentials and redo the onboarding.
+ > The only way to change the trust system is to opt-out of the Verified ID service and redo the onboarding.
1. Select **Save and get started**.
-
- ![Screenshots that shows how to set up Verifiable Credentials.](media/verifiable-credentials-configure-tenant/verifiable-credentials-getting-started.png)
+
+ :::image type="content" source="media/verifiable-credentials-configure-tenant/verifiable-credentials-getting-started.png" alt-text="Screenshot that shows how to set up Verifiable Credentials.":::
## Register an application in Azure AD
Your application needs to get access tokens when it wants to call into Microsoft
1. Under **Manage**, select **App registrations** > **New registration**.
- ![Screenshot that shows how to select a new application registration.](media/verifiable-credentials-configure-tenant/register-azure-ad-app.png)
+ :::image type="content" source="media/verifiable-credentials-configure-tenant/register-azure-ad-app.png" alt-text="Screenshot that shows how to select a new application registration.":::
1. Enter a display name for your application. For example: *verifiable-credentials-app*.
Your application needs to get access tokens when it wants to call into Microsoft
1. Select **Register** to create the application.
- ![Screenshot that shows how to register the verifiable credentials app.](media/verifiable-credentials-configure-tenant/register-azure-ad-app-properties.png)
+ :::image type="content" source="media/verifiable-credentials-configure-tenant/register-azure-ad-app-properties.png" alt-text="Screenshot that shows how to register the verifiable credentials app.":::
### Grant permissions to get access tokens
In this step, you grant permissions to the **Verifiable Credentials Service Requ
To add the required permissions, follow these steps: 1. Stay in the **verifiable-credentials-app** application details page. Select **API permissions** > **Add a permission**.
-
- ![Screenshot that shows how to add permissions to the verifiable credentials app.](media/verifiable-credentials-configure-tenant/add-app-api-permissions.png)
+
+ :::image type="content" source="media/verifiable-credentials-configure-tenant/add-app-api-permissions.png" alt-text="Screenshot that shows how to add permissions to the verifiable credentials app.":::
1. Select **APIs my organization uses**. 1. Search for the **Verifiable Credentials Service Request** and **Verifiable Credentials Service** service principals, and select them.
-
- ![Screenshot that shows how to select the service principal.](media/verifiable-credentials-configure-tenant/add-app-api-permissions-select-service-principal.png)
+
+ :::image type="content" source="media/verifiable-credentials-configure-tenant/add-app-api-permissions-select-service-principal.png" alt-text="Screenshot that shows how to select the service principal.":::
1. Choose **Application Permission**, and expand **VerifiableCredential.Create.All**.
- ![Screenshot that shows how to select the required permissions.](media/verifiable-credentials-configure-tenant/add-app-api-permissions-verifiable-credentials.png)
+ :::image type="content" source="media/verifiable-credentials-configure-tenant/add-app-api-permissions-verifiable-credentials.png" alt-text="Screenshot that shows how to select the required permissions.":::
1. Select **Add permissions**. 1. Select **Grant admin consent for \<your tenant name\>**.
+You can choose to grant issuance and presentation permissions separately if you prefer to segregate the scopes to different applications.
++ ## Service endpoint configuration
-1. Navigate to the Verified ID in the Azure portal.
+
+1. Navigate to the Verified ID service in the Azure portal.
1. Select **Registration**. 1. Notice that there are two sections: 1. Website ID registration
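Review bot: the new sentence "You can choose to grant issuance and presentation permissions separately if you prefer to segregate the scopes to different applications" names no permissions, while the step just above it still tells the reader to expand **VerifiableCredential.Create.All**; spell out the narrower permissions here (the what's-new entry for the same change calls them **VerifiableCredential.Create.IssueRequest** and **VerifiableCredential.Create.PresentRequest**) and say which one an issuer-only or verifier-only app needs, so a reader applying least privilege is not steered to Create.All by default. Two smaller points in the same region: "opt-out of the Verified ID service" uses the noun form where the verb "opt out" is meant, and the line `++ ## Service endpoint configuration` carries a stray `+` in front of the heading; that should be a blank line followed by `## Service endpoint configuration` so the heading renders.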
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/whats-new.md
This article lists the latest features, improvements, and changes in the Microsoft Entra Verified ID service.
+## September 2022
+
+- The Request Service API now have [granular app permissions](verifiable-credentials-configure-tenant.md?#grant-permissions-to-get-access-tokens) and you can grant **VerifiableCredential.Create.IssueRequest** and **VerifiableCredential.Create.PresentRequest** separately to segregate duties of issuance and presentation to separate application.
+- [IDV Partner Gallery](partner-gallery.md) now available in the documentation guiding you how to integrate with Microsoft's Identity Verification partners.
+- How-to guide for implementing the [presentation attestation flow](how-to-use-quickstart-presentation.md) that requires presenting a verifiable credential during issuance.
+ ## August 2022 Microsoft Entra Verified ID is now generally available (GA) as the new member of the Microsoft Entra portfolio! [read more](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-verified-id-now-generally-available/ba-p/3295506)
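Review bot: grammar in the first new bullet: "The Request Service API now have" should be "now has", and "to separate application" should be "to separate applications"; in the second bullet, "now available in the documentation guiding you how to integrate" reads better as "is now available in the documentation and guides you through integrating". The `## August 2022` heading also appears on the same line as the paragraph that follows it in this view; make sure it sits on its own line in the source so it renders as a heading rather than as leading text.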
advisor Advisor Reference Cost Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-reference-cost-recommendations.md
Title: Cost recommendations description: Full list of available cost recommendations in Advisor. + Last updated 02/04/2022
Our internal telemetry shows that the PostgreSQL database server resources have
Learn more about [PostgreSQL server - OrcasPostgreSqlCpuRightSize (Right-size underutilized PostgreSQL servers)](https://aka.ms/postgresqlpricing).
-## Cosmos DB
+## Azure Cosmos DB
### Review the configuration of your Azure Cosmos DB free tier account
-Your Azure Cosmos DB free tier account is currently containing resources with a total provisioned throughput exceeding 1000 Request Units per second (RU/s). Because Azure Cosmos DB's free tier only covers the first 1000 RU/s of throughput provisioned across your account, any throughput beyond 1000 RU/s will be billed at the regular pricing. As a result, we anticipate that you will get charged for the throughput currently provisioned on your Azure Cosmos DB account.
+Your Azure Cosmos DB free tier account is currently containing resources with a total provisioned throughput exceeding 1000 Request Units per second (RU/s). Because the free tier only covers the first 1000 RU/s of throughput provisioned across your account, any throughput beyond 1000 RU/s will be billed at the regular pricing. As a result, we anticipate that you will get charged for the throughput currently provisioned on your Azure Cosmos DB account.
-Learn more about [Cosmos DB account - CosmosDBFreeTierOverage (Review the configuration of your Azure Cosmos DB free tier account)](../cosmos-db/understand-your-bill.md#azure-free-tier).
+Learn more about [Azure Cosmos DB account - CosmosDBFreeTierOverage (Review the configuration of your Azure Cosmos DB free tier account)](../cosmos-db/understand-your-bill.md#azure-free-tier).
### Consider taking action on your idle Azure Cosmos DB containers We haven't detected any activity over the past 30 days on one or more of your Azure Cosmos DB containers. Consider lowering their throughput, or deleting them if you don't plan on using them.
-Learn more about [Cosmos DB account - CosmosDBIdleContainers (Consider taking action on your idle Azure Cosmos DB containers)](/azure/cosmos-db/how-to-provision-container-throughput).
+Learn more about [Azure Cosmos DB account - CosmosDBIdleContainers (Consider taking action on your idle Azure Cosmos DB containers)](/azure/cosmos-db/how-to-provision-container-throughput).
### Enable autoscale on your Azure Cosmos DB database or container Based on your usage in the past 7 days, you can save by enabling autoscale. For each hour, we compared the RU/s provisioned to the actual utilization of the RU/s (what autoscale would have scaled to) and calculated the cost savings across the time period. Autoscale helps optimize your cost by scaling down RU/s when not in use.
-Learn more about [Cosmos DB account - CosmosDBAutoscaleRecommendations (Enable autoscale on your Azure Cosmos DB database or container)](../cosmos-db/provision-throughput-autoscale.md).
+Learn more about [Azure Cosmos DB account - CosmosDBAutoscaleRecommendations (Enable autoscale on your Azure Cosmos DB database or container)](../cosmos-db/provision-throughput-autoscale.md).
### Configure manual throughput instead of autoscale on your Azure Cosmos DB database or container Based on your usage in the past 7 days, you can save by using manual throughput instead of autoscale. Manual throughput is more cost-effective when average utilization of your max throughput (RU/s) is greater than 66% or less than or equal to 10%.
-Learn more about [Cosmos DB account - CosmosDBMigrateToManualThroughputFromAutoscale (Configure manual throughput instead of autoscale on your Azure Cosmos DB database or container)](../cosmos-db/how-to-choose-offer.md).
+Learn more about [Azure Cosmos DB account - CosmosDBMigrateToManualThroughputFromAutoscale (Configure manual throughput instead of autoscale on your Azure Cosmos DB database or container)](../cosmos-db/how-to-choose-offer.md).
## Data Explorer
Reserved instances can provide a significant discount over pay-as-you-go prices.
Learn more about [Virtual machine - ReservedInstance (Buy virtual machine reserved instances to save money over pay-as-you-go costs)](https://aka.ms/reservedinstances).
-### Consider Cosmos DB reserved instance to save over your pay-as-you-go costs
+### Consider Azure Cosmos DB reserved instance to save over your pay-as-you-go costs
-We analyzed your Cosmos DB usage pattern over last 30 days and calculate reserved instance purchase that maximizes your savings. With reserved instance you can pre-purchase Cosmos DB hourly usage and save over your pay-as-you-go costs. Reserved instance is a billing benefit and will automatically apply to new or existing deployments. Saving estimates are calculated for individual subscriptions and usage pattern over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings even more.
+We analyzed your Azure Cosmos DB usage pattern over last 30 days and calculate reserved instance purchase that maximizes your savings. With reserved instance you can pre-purchase Azure Cosmos DB hourly usage and save over your pay-as-you-go costs. Reserved instance is a billing benefit and will automatically apply to new or existing deployments. Saving estimates are calculated for individual subscriptions and usage pattern over last 30 days. Shared scope recommendations are available in reservation purchase experience and can increase savings even more.
-Learn more about [Subscription - CosmosDBReservedCapacity (Consider Cosmos DB reserved instance to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).
+Learn more about [Subscription - CosmosDBReservedCapacity (Consider Azure Cosmos DB reserved instance to save over your pay-as-you-go costs)](https://aka.ms/rirecommendations).
### Consider SQL PaaS DB reserved instance to save over your pay-as-you-go costs
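Review bot: since the free-tier paragraph is rewritten anyway, fix "is currently containing resources" to "currently contains resources" at the same time. In the reserved-instance paragraph, "over last 30 days and calculate reserved instance purchase" should read "over the last 30 days and calculated a reserved instance purchase", and "Saving estimates" should be "Savings estimates". The Cosmos DB to Azure Cosmos DB rename itself is applied consistently across the heading, body text and link text in this file.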
advisor Advisor Reference Operational Excellence Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-reference-operational-excellence-recommendations.md
Title: Operational excellence recommendations description: Operational excellence recommendations + Last updated 02/02/2022
We have determined that too many of your host pools have Validation Environment
Learn more about [Host Pool - ProductionEnvHostPools (Not enough production environments enabled)](../virtual-desktop/create-host-pools-powershell.md).
-## Cosmos DB
+## Azure Cosmos DB
### Migrate Azure Cosmos DB attachments to Azure Blob Storage
-We noticed that your Azure Cosmos collection is using the legacy attachments feature. We recommend migrating attachments to Azure Blob Storage to improve the resiliency and scalability of your blob data.
+We noticed that your Azure Cosmos DB collection is using the legacy attachments feature. We recommend migrating attachments to Azure Blob Storage to improve the resiliency and scalability of your blob data.
-Learn more about [Cosmos DB account - CosmosDBAttachments (Migrate Azure Cosmos DB attachments to Azure Blob Storage)](../cosmos-db/attachments.md#migrating-attachments-to-azure-blob-storage).
+Learn more about [Azure Cosmos DB account - CosmosDBAttachments (Migrate Azure Cosmos DB attachments to Azure Blob Storage)](../cosmos-db/attachments.md#migrating-attachments-to-azure-blob-storage).
### Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup Your Azure Cosmos DB accounts are configured with periodic backup. Continuous backup with point-in-time restore is now available on these accounts. With continuous backup, you can restore your data to any point in time within the past 30 days. Continuous backup may also be more cost-effective as a single copy of your data is retained.
-Learn more about [Cosmos DB account - CosmosDBMigrateToContinuousBackup (Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup)](../cosmos-db/continuous-backup-restore-introduction.md).
+Learn more about [Azure Cosmos DB account - CosmosDBMigrateToContinuousBackup (Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup)](../cosmos-db/continuous-backup-restore-introduction.md).
## Monitor
advisor Advisor Reference Performance Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-reference-performance-recommendations.md
Title: Performance recommendations description: Full list of available performance recommendations in Advisor. + Last updated 02/03/2022
Depth first load balancing uses the max session limit to determine the maximum n
Learn more about [Host Pool - ChangeMaxSessionLimitForDepthFirstHostPool (Change the max session limit for your depth first load balanced host pool to improve VM performance )](../virtual-desktop/configure-host-pool-load-balancing.md).
-## Cosmos DB
+## Azure Cosmos DB
### Configure your Azure Cosmos DB query page size (MaxItemCount) to -1
-You are using the query page size of 100 for queries for your Azure Cosmos container. We recommend using a page size of -1 for faster scans.
+You are using the query page size of 100 for queries for your Azure Cosmos DB container. We recommend using a page size of -1 for faster scans.
-Learn more about [Cosmos DB account - CosmosDBQueryPageSize (Configure your Azure Cosmos DB query page size (MaxItemCount) to -1)](/azure/cosmos-db/sql-api-query-metrics#max-item-count).
+Learn more about [Azure Cosmos DB account - CosmosDBQueryPageSize (Configure your Azure Cosmos DB query page size (MaxItemCount) to -1)](/azure/cosmos-db/sql-api-query-metrics#max-item-count).
### Add composite indexes to your Azure Cosmos DB container Your Azure Cosmos DB containers are running ORDER BY queries incurring high Request Unit (RU) charges. It is recommended to add composite indexes to your containers' indexing policy to improve the RU consumption and decrease the latency of these queries.
-Learn more about [Cosmos DB account - CosmosDBOrderByHighRUCharge (Add composite indexes to your Azure Cosmos DB container)](../cosmos-db/index-policy.md#composite-indexes).
+Learn more about [Azure Cosmos DB account - CosmosDBOrderByHighRUCharge (Add composite indexes to your Azure Cosmos DB container)](../cosmos-db/index-policy.md#composite-indexes).
### Optimize your Azure Cosmos DB indexing policy to only index what's needed Your Azure Cosmos DB containers are using the default indexing policy, which indexes every property in your documents. Because you're storing large documents, a high number of properties get indexed, resulting in high Request Unit consumption and poor write latency. To optimize write performance, we recommend overriding the default indexing policy to only index the properties used in your queries.
-Learn more about [Cosmos DB account - CosmosDBDefaultIndexingWithManyPaths (Optimize your Azure Cosmos DB indexing policy to only index what's needed)](../cosmos-db/index-policy.md).
+Learn more about [Azure Cosmos DB account - CosmosDBDefaultIndexingWithManyPaths (Optimize your Azure Cosmos DB indexing policy to only index what's needed)](../cosmos-db/index-policy.md).
### Use hierarchical partition keys for optimal data distribution This account has a custom setting that allows the logical partition size in a container to exceed the limit of 20 GB. This setting was applied by the Azure Cosmos DB team as a temporary measure to give you time to re-architect your application with a different partition key. It is not recommended as a long-term solution, as SLA guarantees are not honored when the limit is increased. You can now use hierarchical partition keys (preview) to re-architect your application. The feature allows you to exceed the 20 GB limit by setting up to three partition keys, ideal for multi-tenant scenarios or workloads that use synthetic keys.
-Learn more about [Cosmos DB account - CosmosDBHierarchicalPartitionKey (Use hierarchical partition keys for optimal data distribution)](https://devblogs.microsoft.com/cosmosdb/hierarchical-partition-keys-private-preview/).
+Learn more about [Azure Cosmos DB account - CosmosDBHierarchicalPartitionKey (Use hierarchical partition keys for optimal data distribution)](https://devblogs.microsoft.com/cosmosdb/hierarchical-partition-keys-private-preview/).
### Configure your Azure Cosmos DB applications to use Direct connectivity in the SDK
-We noticed that your Azure Cosmos DB applications are using Gateway mode via the Cosmos DB .NET or Java SDKs. We recommend switching to Direct connectivity for lower latency and higher scalability.
+We noticed that your Azure Cosmos DB applications are using Gateway mode via the Azure Cosmos DB .NET or Java SDKs. We recommend switching to Direct connectivity for lower latency and higher scalability.
-Learn more about [Cosmos DB account - CosmosDBGatewayMode (Configure your Azure Cosmos DB applications to use Direct connectivity in the SDK)](/azure/cosmos-db/performance-tips#networking).
+Learn more about [Azure Cosmos DB account - CosmosDBGatewayMode (Configure your Azure Cosmos DB applications to use Direct connectivity in the SDK)](/azure/cosmos-db/performance-tips#networking).
## HDInsight
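Review bot: the "Use hierarchical partition keys for optimal data distribution" entry describes the feature as "(preview)" but its link target is a blog post named `hierarchical-partition-keys-private-preview`; the link line is being rewritten in this change, so check whether a private-preview announcement is still the right destination and point it at the docs article if one exists. The remaining edits in this file are the Cosmos DB to Azure Cosmos DB rename and are consistent with the other Advisor reference pages.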
advisor Advisor Reference Reliability Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-reference-reliability-recommendations.md
Title: Reliability recommendations description: Full list of available reliability recommendations in Advisor. + Last updated 02/04/2022
Some or all of your devices are using outdated SDK and we recommend you upgrade
Learn more about [IoT hub - UpgradeDeviceClientSdk (Upgrade device client SDK to a supported version for IotHub)](https://aka.ms/iothubsdk).
-## Cosmos DB
+## Azure Cosmos DB
-### Configure Consistent indexing mode on your Azure Cosmos container
+### Configure Consistent indexing mode on your Azure Cosmos DB container
-We noticed that your Azure Cosmos container is configured with the Lazy indexing mode, which may impact the freshness of query results. We recommend switching to Consistent mode.
+We noticed that your Azure Cosmos DB container is configured with the Lazy indexing mode, which may impact the freshness of query results. We recommend switching to Consistent mode.
-Learn more about [Cosmos DB account - CosmosDBLazyIndexing (Configure Consistent indexing mode on your Azure Cosmos container)](/azure/cosmos-db/how-to-manage-indexing-policy).
+Learn more about [Azure Cosmos DB account - CosmosDBLazyIndexing (Configure Consistent indexing mode on your Azure Cosmos DB container)](/azure/cosmos-db/how-to-manage-indexing-policy).
### Upgrade your old Azure Cosmos DB SDK to the latest version Your Azure Cosmos DB account is using an old version of the SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
-Learn more about [Cosmos DB account - CosmosDBUpgradeOldSDK (Upgrade your old Azure Cosmos DB SDK to the latest version)](../cosmos-db/index.yml).
+Learn more about [Azure Cosmos DB account - CosmosDBUpgradeOldSDK (Upgrade your old Azure Cosmos DB SDK to the latest version)](../cosmos-db/index.yml).
### Upgrade your outdated Azure Cosmos DB SDK to the latest version Your Azure Cosmos DB account is using an outdated version of the SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.
-Learn more about [Cosmos DB account - CosmosDBUpgradeOutdatedSDK (Upgrade your outdated Azure Cosmos DB SDK to the latest version)](../cosmos-db/index.yml).
+Learn more about [Azure Cosmos DB account - CosmosDBUpgradeOutdatedSDK (Upgrade your outdated Azure Cosmos DB SDK to the latest version)](../cosmos-db/index.yml).
### Configure your Azure Cosmos DB containers with a partition key Your Azure Cosmos DB non-partitioned collections are approaching their provisioned storage quota. Migrate these collections to new collections with a partition key definition so that they can automatically be scaled out by the service.
-Learn more about [Cosmos DB account - CosmosDBFixedCollections (Configure your Azure Cosmos DB containers with a partition key)](../cosmos-db/partitioning-overview.md#choose-partitionkey).
+Learn more about [Azure Cosmos DB account - CosmosDBFixedCollections (Configure your Azure Cosmos DB containers with a partition key)](../cosmos-db/partitioning-overview.md#choose-partitionkey).
-### Upgrade your Azure Cosmos DB API for MongoDB account to v4.0 to save on query/storage costs and utilize new features
+### Upgrade your Azure Cosmos DB for MongoDB account to v4.0 to save on query/storage costs and utilize new features
-Your Azure Cosmos DB API for MongoDB account is eligible to upgrade to version 4.0. Upgrading to v4.0 can reduce your storage costs by up to 55% and your query costs by up to 45% by leveraging a new storage format. Numerous additional features such as multi-document transactions are also included in v4.0.
+Your Azure Cosmos DB for MongoDB account is eligible to upgrade to version 4.0. Upgrading to v4.0 can reduce your storage costs by up to 55% and your query costs by up to 45% by leveraging a new storage format. Numerous additional features such as multi-document transactions are also included in v4.0.
-Learn more about [Cosmos DB account - CosmosDBMongoSelfServeUpgrade (Upgrade your Azure Cosmos DB API for MongoDB account to v4.0 to save on query/storage costs and utilize new features)](/azure/cosmos-db/mongodb-version-upgrade).
+Learn more about [Azure Cosmos DB account - CosmosDBMongoSelfServeUpgrade (Upgrade your Azure Cosmos DB for MongoDB account to v4.0 to save on query/storage costs and utilize new features)](/azure/cosmos-db/mongodb-version-upgrade).
### Add a second region to your production workloads on Azure Cosmos DB
Based on their names and configuration, we have detected the Azure Cosmos DB acc
> [!NOTE] > Additional regions will incur extra costs.
-Learn more about [Cosmos DB account - CosmosDBSingleRegionProdAccounts (Add a second region to your production workloads on Azure Cosmos DB)](../cosmos-db/high-availability.md).
+Learn more about [Azure Cosmos DB account - CosmosDBSingleRegionProdAccounts (Add a second region to your production workloads on Azure Cosmos DB)](../cosmos-db/high-availability.md).
-### Enable Server Side Retry (SSR) on your Azure Cosmos DB's API for MongoDB account
+### Enable Server Side Retry (SSR) on your Azure Cosmos DB for MongoDB account
We observed your account is throwing a TooManyRequests error with the 16500 error code. Enabling Server Side Retry (SSR) can help mitigate this issue for you.
-Learn more about [Cosmos DB account - CosmosDBMongoServerSideRetries (Enable Server Side Retry (SSR) on your Azure Cosmos DB's API for MongoDB account)](/azure/cosmos-db/cassandra/prevent-rate-limiting-errors).
+Learn more about [Azure Cosmos DB account - CosmosDBMongoServerSideRetries (Enable Server Side Retry (SSR) on your Azure Cosmos DB for MongoDB account)](/azure/cosmos-db/cassandra/prevent-rate-limiting-errors).
-### Migrate your Azure Cosmos DB API for MongoDB account to v4.0 to save on query/storage costs and utilize new features
+### Migrate your Azure Cosmos DB for MongoDB account to v4.0 to save on query/storage costs and utilize new features
-Migrate your database account to a new database account to take advantage of Azure Cosmos DB's API for MongoDB v4.0. Upgrading to v4.0 can reduce your storage costs by up to 55% and your query costs by up to 45% by leveraging a new storage format. Numerous additional features such as multi-document transactions are also included in v4.0. When upgrading, you must also migrate the data in your existing account to a new account created using version 4.0. Azure Data Factory or Studio 3T can assist you in migrating your data.
+Migrate your database account to a new database account to take advantage of Azure Cosmos DB for MongoDB v4.0. Upgrading to v4.0 can reduce your storage costs by up to 55% and your query costs by up to 45% by leveraging a new storage format. Numerous additional features such as multi-document transactions are also included in v4.0. When upgrading, you must also migrate the data in your existing account to a new account created using version 4.0. Azure Data Factory or Studio 3T can assist you in migrating your data.
-Learn more about [Cosmos DB account - CosmosDBMongoMigrationUpgrade (Migrate your Azure Cosmos DB API for MongoDB account to v4.0 to save on query/storage costs and utilize new features)](/azure/cosmos-db/mongodb-feature-support-40).
+Learn more about [Azure Cosmos DB account - CosmosDBMongoMigrationUpgrade (Migrate your Azure Cosmos DB for MongoDB account to v4.0 to save on query/storage costs and utilize new features)](/azure/cosmos-db/mongodb-feature-support-40).
-### Your Cosmos DB account is unable to access its linked Azure Key Vault hosting your encryption key
+### Your Azure Cosmos DB account is unable to access its linked Azure Key Vault hosting your encryption key
-It appears that your key vault's configuration is preventing your Cosmos DB account from contacting the key vault to access your managed encryption keys. If you've recently performed a key rotation, make sure that the previous key or key version remains enabled and available until Cosmos DB has completed the rotation. The previous key or key version can be disabled after 24 hours, or after the Azure Key Vault audit logs don't show activity from Azure Cosmos DB on that key or key version anymore.
+It appears that your key vault's configuration is preventing your Azure Cosmos DB account from contacting the key vault to access your managed encryption keys. If you've recently performed a key rotation, make sure that the previous key or key version remains enabled and available until Azure Cosmos DB has completed the rotation. The previous key or key version can be disabled after 24 hours, or after the Azure Key Vault audit logs don't show activity from Azure Cosmos DB on that key or key version anymore.
-Learn more about [Cosmos DB account - CosmosDBKeyVaultWrap (Your Cosmos DB account is unable to access its linked Azure Key Vault hosting your encryption key)](../cosmos-db/how-to-setup-cmk.md).
+Learn more about [Azure Cosmos DB account - CosmosDBKeyVaultWrap (Your Azure Cosmos DB account is unable to access its linked Azure Key Vault hosting your encryption key)](../cosmos-db/how-to-setup-cmk.md).
### Avoid being rate limited from metadata operations
-We found a high number of metadata operations on your account. Your data in Cosmos DB, including metadata about your databases and collections is distributed across partitions. Metadata operations have a system-reserved request unit (RU) limit. Avoid being rate limited from metadata operations by using static Cosmos DB client instances in your code and caching the names of databases and collections.
+We found a high number of metadata operations on your account. Your data in Azure Cosmos DB, including metadata about your databases and collections is distributed across partitions. Metadata operations have a system-reserved request unit (RU) limit. Avoid being rate limited from metadata operations by using static Azure Cosmos DB client instances in your code and caching the names of databases and collections.
-Learn more about [Cosmos DB account - CosmosDBHighMetadataOperations (Avoid being rate limited from metadata operations)](/azure/cosmos-db/performance-tips).
+Learn more about [Azure Cosmos DB account - CosmosDBHighMetadataOperations (Avoid being rate limited from metadata operations)](/azure/cosmos-db/performance-tips).
-### Use the new 3.6+ endpoint to connect to your upgraded Azure Cosmos DB's API for MongoDB account
+### Use the new 3.6+ endpoint to connect to your upgraded Azure Cosmos DB for MongoDB account
-We observed some of your applications are connecting to your upgraded Azure Cosmos DB's API for MongoDB account using the legacy 3.2 endpoint - [accountname].documents.azure.com. Use the new endpoint - [accountname].mongo.cosmos.azure.com (or its equivalent in sovereign, government, or restricted clouds).
+We observed some of your applications are connecting to your upgraded Azure Cosmos DB for MongoDB account using the legacy 3.2 endpoint `[accountname].documents.azure.com`. Use the new endpoint `[accountname].mongo.cosmos.azure.com` (or its equivalent in sovereign, government, or restricted clouds).
-Learn more about [Cosmos DB account - CosmosDBMongoNudge36AwayFrom32 (Use the new 3.6+ endpoint to connect to your upgraded Azure Cosmos DB's API for MongoDB account)](/azure/cosmos-db/mongodb-feature-support-40).
+Learn more about [Azure Cosmos DB account - CosmosDBMongoNudge36AwayFrom32 (Use the new 3.6+ endpoint to connect to your upgraded Azure Cosmos DB for MongoDB account)](/azure/cosmos-db/mongodb-feature-support-40).
### Upgrade to 2.6.14 version of the Async Java SDK v2 to avoid a critical issue or upgrade to Java SDK v4 as Async Java SDK v2 is being deprecated There is a critical bug in version 2.6.13 and lower of the Azure Cosmos DB Async Java SDK v2 causing errors when a Global logical sequence number (LSN) greater than the Max Integer value is reached. This happens transparent to you by the service after a large volume of transactions occur in the lifetime of an Azure Cosmos DB container. Note: This is a critical hotfix for the Async Java SDK v2, however it is still highly recommended you migrate to the [Java SDK v4](../cosmos-db/sql/sql-api-sdk-java-v4.md).
-Learn more about [Cosmos DB account - CosmosDBMaxGlobalLSNReachedV2 (Upgrade to 2.6.14 version of the Async Java SDK v2 to avoid a critical issue or upgrade to Java SDK v4 as Async Java SDK v2 is being deprecated)](../cosmos-db/sql/sql-api-sdk-async-java.md).
+Learn more about [Azure Cosmos DB account - CosmosDBMaxGlobalLSNReachedV2 (Upgrade to 2.6.14 version of the Async Java SDK v2 to avoid a critical issue or upgrade to Java SDK v4 as Async Java SDK v2 is being deprecated)](../cosmos-db/sql/sql-api-sdk-async-java.md).
### Upgrade to the current recommended version of the Java SDK v4 to avoid a critical issue There is a critical bug in version 4.15 and lower of the Azure Cosmos DB Java SDK v4 causing errors when a Global logical sequence number (LSN) greater than the Max Integer value is reached. This happens transparent to you by the service after a large volume of transactions occur in the lifetime of an Azure Cosmos DB container.
-Learn more about [Cosmos DB account - CosmosDBMaxGlobalLSNReachedV4 (Upgrade to the current recommended version of the Java SDK v4 to avoid a critical issue)](../cosmos-db/sql/sql-api-sdk-java-v4.md).
+Learn more about [Azure Cosmos DB account - CosmosDBMaxGlobalLSNReachedV4 (Upgrade to the current recommended version of the Java SDK v4 to avoid a critical issue)](../cosmos-db/sql/sql-api-sdk-java-v4.md).
## Fluid Relay
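Review bot: the "Enable Server Side Retry (SSR) on your Azure Cosmos DB for MongoDB account" entry links to `/azure/cosmos-db/cassandra/prevent-rate-limiting-errors`, a Cassandra page, for a MongoDB recommendation; that link line is being touched by this change, so point it at the MongoDB equivalent. In the Key Vault entry, the guidance "can be disabled after 24 hours, or after the Azure Key Vault audit logs don't show activity from Azure Cosmos DB on that key or key version anymore" presents the audit-log check as an alternative to waiting; consider making the audit-log check the recommended confirmation before disabling the old key version, given that the heading describes the failure mode as the account being unable to reach its encryption key. Putting the legacy and new MongoDB endpoints in code formatting is a good change.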
Learn more about [ExpressRoute circuit - ExpressRouteGatewayE2EMonitoring (Imple
### Avoid hostname override to ensure site integrity
-Try to avoid overriding the hostname when configuring Application Gateway. Having a different domain on the frontend of Application Gateway than the one which is used to access the backend can potentially lead to cookies or redirect urls being broken. Note that this might not be the case in all situations and that certain categories of backends (like REST API's) in general are less sensitive to this. Make sure the backend is able to deal with this or update the Application Gateway configuration so the hostname does not need to be overwritten towards the backend. When used with App Service, attach a custom domain name to the Web App and avoid use of the *.azurewebsites.net host name towards the backend.
+Try to avoid overriding the hostname when configuring Application Gateway. Having a different domain on the frontend of Application Gateway than the one which is used to access the backend can potentially lead to cookies or redirect urls being broken. Note that this might not be the case in all situations and that certain categories of backends (like REST API's) in general are less sensitive to this. Make sure the backend is able to deal with this or update the Application Gateway configuration so the hostname does not need to be overwritten towards the backend. When used with App Service, attach a custom domain name to the Web App and avoid use of the `*.azurewebsites.net` host name towards the backend.
Learn more about [Application gateway - AppGatewayHostOverride (Avoid hostname override to ensure site integrity)](https://aka.ms/appgw-advisor-usecustomdomain).
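Review bot: beyond the code formatting of `*.azurewebsites.net`, the rewritten paragraph still has "redirect urls" (should be "redirect URLs") and "REST API's" (should be "REST APIs"); since the line is being touched, fix both. "certain categories of backends (like REST API's) in general are less sensitive to this" also reads better as "certain categories of backends (such as REST APIs) are generally less sensitive to this".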
advisor Advisor Sovereign Clouds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-sovereign-clouds.md
Title: Sovereign cloud feature variations description: List of feature variations and usage limitations for Advisor in sovereign clouds. + Last updated 09/19/2022
The following Azure Advisor recommendation **features aren't currently available
- (Preview) Consider Blob storage reserved capacity to save on Blob v2 and Data Lake Storage Gen2 costs. - (Preview) Consider Blob storage reserved instance to save on Blob v2 and Data Lake Storage Gen2 costs. - (Preview) Consider Cache for Redis reserved capacity to save over your pay-as-you-go costs.-- (Preview) Consider Cosmos DB reserved capacity to save over your pay-as-you-go costs.
+- (Preview) Consider Azure Cosmos DB reserved capacity to save over your pay-as-you-go costs.
- (Preview) Consider Database for MariaDB reserved capacity to save over your pay-as-you-go costs. - (Preview) Consider Database for MySQL reserved capacity to save over your pay-as-you-go costs. - (Preview) Consider Database for PostgreSQL reserved capacity to save over your pay-as-you-go costs.
The following Azure Advisor recommendation **features aren't currently available
- Consider App Service stamp fee reserved instance to save over your on-demand costs. - Consider Azure Synapse Analytics (formerly SQL DW) reserved instance to save over your pay-as-you-go costs. - Consider Cache for Redis reserved instance to save over your pay-as-you-go costs.-- Consider Cosmos DB reserved instance to save over your pay-as-you-go costs.
+- Consider Azure Cosmos DB reserved instance to save over your pay-as-you-go costs.
- Consider Database for MariaDB reserved instance to save over your pay-as-you-go costs. - Consider Database for MySQL reserved instance to save over your pay-as-you-go costs. - Consider Database for PostgreSQL reserved instance to save over your pay-as-you-go costs.
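Review bot: the rename to "Azure Cosmos DB" is applied only to the two Cosmos DB entries, while the neighbouring items in both lists still read "Cache for Redis", "Database for MariaDB", "Database for MySQL" and "Database for PostgreSQL" without the "Azure" prefix, so each list now mixes two naming styles. Either apply the full product-name convention across the whole list in this change or keep the Cosmos DB lines consistent with their neighbours.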
aks Cluster Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-configuration.md
Title: Cluster configuration in Azure Kubernetes Services (AKS)
description: Learn how to configure a cluster in Azure Kubernetes Service (AKS) + Last updated 10/04/2022
az aks nodepool add --name ephemeral --cluster-name myAKSCluster --resource-grou
If you want to create node pools with network-attached OS disks, you can do so by specifying `--node-osdisk-type Managed`.
+## Mariner OS
+
+Mariner can be deployed on AKS through Azure CLI or ARM templates.
+
+### Prerequisites
+
+1. You need the latest version of Azure CLI. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+2. You need the `aks-preview` Azure CLI extension for the ability to select the Mariner 2.0 operating system SKU. Run `az extension remove --name aks-preview` to clear any previous versions, then run `az extension add --name aks-preview`.
+3. If you don't already have kubectl installed, install it through Azure CLI using `az aks install-cli` or follow the [upstream instructions](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/).
+
+### Deploy an AKS Mariner cluster with Azure CLI
+
+Use the following example commands to create a Mariner cluster.
+
+```azurecli
+az group create --name MarinerTest --location eastus
+
+az aks create --name testMarinerCluster --resource-group MarinerTest --os-sku mariner
+
+az aks get-credentials --resource-group MarinerTest --name testMarinerCluster
+
+kubectl get pods --all-namespaces
+```
+
+### Deploy an AKS Mariner cluster with an ARM template
+
+To add Mariner to an existing ARM template, you need to add `"osSKU": "mariner"` and `"mode": "System"` to `agentPoolProfiles` and set the apiVersion to 2021-03-01 or newer (`"apiVersion": "2021-03-01"`). The following deployment uses the ARM template "marineraksarm.yml".
+
+```yml
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.1",
+ "parameters": {
+ "clusterName": {
+ "type": "string",
+ "defaultValue": "marinerakscluster",
+ "metadata": {
+ "description": "The name of the Managed Cluster resource."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The location of the Managed Cluster resource."
+ }
+ },
+ "dnsPrefix": {
+ "type": "string",
+ "metadata": {
+ "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
+ }
+ },
+ "osDiskSizeGB": {
+ "type": "int",
+ "defaultValue": 0,
+ "minValue": 0,
+ "maxValue": 1023,
+ "metadata": {
+ "description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
+ }
+ },
+ "agentCount": {
+ "type": "int",
+ "defaultValue": 3,
+ "minValue": 1,
+ "maxValue": 50,
+ "metadata": {
+ "description": "The number of nodes for the cluster."
+ }
+ },
+ "agentVMSize": {
+ "type": "string",
+ "defaultValue": "Standard_DS2_v2",
+ "metadata": {
+ "description": "The size of the Virtual Machine."
+ }
+ },
+ "linuxAdminUsername": {
+ "type": "string",
+ "metadata": {
+ "description": "User name for the Linux Virtual Machines."
+ }
+ },
+ "sshRSAPublicKey": {
+ "type": "string",
+ "metadata": {
+ "description": "Configure all linux machines with the SSH RSA public key string. Your key should include three parts, for example 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'"
+ }
+ },
+ "osType": {
+ "type": "string",
+ "defaultValue": "Linux",
+ "allowedValues": [
+ "Linux"
+ ],
+ "metadata": {
+ "description": "The type of operating system."
+ }
+ },
+ "osSKU": {
+ "type": "string",
+ "defaultValue": "mariner",
+ "allowedValues": [
+ "mariner",
+ "Ubuntu",
+ ],
+ "metadata": {
+ "description": "The Linux SKU to use."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2021-03-01",
+ "name": "[parameters('clusterName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "dnsPrefix": "[parameters('dnsPrefix')]",
+ "agentPoolProfiles": [
+ {
+ "name": "agentpool",
+ "mode": "System",
+ "osDiskSizeGB": "[parameters('osDiskSizeGB')]",
+ "count": "[parameters('agentCount')]",
+ "vmSize": "[parameters('agentVMSize')]",
+ "osType": "[parameters('osType')]",
+ "osSKU": "[parameters('osSKU')]",
+ "storageProfile": "ManagedDisks"
+ }
+ ],
+ "linuxProfile": {
+ "adminUsername": "[parameters('linuxAdminUsername')]",
+ "ssh": {
+ "publicKeys": [
+ {
+ "keyData": "[parameters('sshRSAPublicKey')]"
+ }
+ ]
+ }
+ }
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ }
+ ],
+ "outputs": {
+ "controlPlaneFQDN": {
+ "type": "string",
+ "value": "[reference(parameters('clusterName')).fqdn]"
+ }
+ }
+}
+```
+
+Create this file on your system and fill it with the contents of the Mariner AKS YAML file.
+
+```azurecli
+az group create --name MarinerTest --location eastus
+
+az deployment group create --resource-group MarinerTest --template-file marineraksarm.yml --parameters clusterName=testMarinerCluster dnsPrefix=marineraks1 linuxAdminUsername=azureuser sshRSAPublicKey=`<contents of your id_rsa.pub>`
+
+az aks get-credentials --resource-group MarinerTest --name testMarinerCluster
+
+kubectl get pods --all-namespaces
+```
+ ## Custom resource group name When you deploy an Azure Kubernetes Service cluster in Azure, a second resource group gets created for the worker nodes. By default, AKS will name the node resource group `MC_resourcegroupname_clustername_location`, but you can also provide your own name.
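Review bot: the deployment command in the final code block passes the SSH key as `` sshRSAPublicKey=`<contents of your id_rsa.pub>` ``; in bash the backticks are command substitution, so a reader who pastes this line has the shell try to execute the placeholder (with `<contents` parsed as an input redirect) instead of passing a key string. Use a quoted substitution such as `sshRSAPublicKey="$(cat ~/.ssh/id_rsa.pub)"` so the three-part key is delivered as a single argument. Two more problems in the same section: the template body is JSON but is fenced as ```yml, named `marineraksarm.yml` and described as "the Mariner AKS YAML file", so fence it as ```json and give it a `.json` name; and the `allowedValues` array for `osSKU` has a trailing comma after `"Ubuntu",` before the closing `]`, which is invalid JSON and will fail template parsing. Minor: the prerequisite step that removes and re-adds `aks-preview` can simply be `az extension update --name aks-preview`.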
This enables an OIDC Issuer URL of the provider which allows the API server to d
### Prerequisites
-* The Azure CLI version 2.42.0 or higher. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+* The Azure CLI version 2.40.0 or higher. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
* AKS version 1.22 and higher. If your cluster is running version 1.21 and the OIDC Issuer preview is enabled, we recommend you upgrade the cluster to the minimum required version supported. ### Create an AKS cluster with OIDC Issuer
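Review bot: this hunk lowers the minimum Azure CLI version for the OIDC Issuer prerequisites from 2.42.0 to 2.40.0. A minimum-version requirement is normally only raised, so the commit should state why 2.40.0 is sufficient (which release introduced the commands used in the "Create an AKS cluster with OIDC Issuer" section below) so the next editor does not bump it back on the assumption that the lower number is a typo.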
aks Dapr Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/dapr-overview.md
- Title: Dapr extension for Azure Kubernetes Service (AKS) overview
-description: Learn more about using Dapr on your Azure Kubernetes Service (AKS) cluster to develop applications.
--- Previously updated : 07/21/2022---
-# Dapr
-
-Distributed Application Runtime (Dapr) offers APIs that simplify microservice development and implementation. Running as a sidecar process in tandem with your applications, Dapr APIs abstract away common complexities developers regularly encounter when building distributed applications, such as service discovery, message broker integration, encryption, observability, and secret management. Whether your inter-application communication is direct service-to-service, or pub/sub messaging, Dapr helps you write simple, portable, resilient, and secured microservices.
-
-Dapr is incrementally adoptable ΓÇô the API building blocks can be used as the need arises. Use one, several, or all to develop your application faster.
--
-## Capabilities and features
-
-Dapr provides the following set of capabilities to help with your microservice development on AKS:
-
-* Easy provisioning of Dapr on AKS through [cluster extensions][cluster-extensions].
-* Portability enabled through HTTP and gRPC APIs which abstract underlying technologies choices
-* Reliable, secure, and resilient service-to-service calls through HTTP and gRPC APIs
-* Publish and subscribe messaging made easy with support for CloudEvent filtering and ΓÇ£at-least-onceΓÇ¥ semantics for message delivery
-* Pluggable observability and monitoring through Open Telemetry API collector
-* Works independent of language, while also offering language specific SDKs
-* Integration with VS Code through the Dapr extension
-* [More APIs for solving distributed application challenges][dapr-blocks]
-
-## Frequently asked questions
-
-### How do Dapr and Service meshes compare?
-
-A: Where a service mesh is defined as a networking service mesh, Dapr is not a service mesh. While Dapr and service meshes do offer some overlapping capabilities, a service mesh is focused on networking concerns, whereas Dapr is focused on providing building blocks that make it easier for developers to build applications as microservices. Dapr is developer-centric, while service meshes are infrastructure-centric.
-
-Some common capabilities that Dapr shares with service meshes include:
-
-* Secure service-to-service communication with mTLS encryption
-* Service-to-service metric collection
-* Service-to-service distributed tracing
-* Resiliency through retries
-
-In addition, Dapr provides other application-level building blocks for state management, pub/sub messaging, actors, and more. However, Dapr does not provide capabilities for traffic behavior such as routing or traffic splitting. If your solution would benefit from the traffic splitting a service mesh provides, consider using [Open Service Mesh][osm-docs].
-
-For more information on Dapr and service meshes, and how they can be used together, visit the [Dapr documentation][dapr-docs].
-
-### How does the Dapr secrets API compare to the Secrets Store CSI driver?
-
-Both the Dapr secrets API and the managed Secrets Store CSI driver allow for the integration of secrets held in an external store, abstracting secret store technology from application code. The Secrets Store CSI driver mounts secrets held in Azure Key Vault as a CSI volume for consumption by an application. Dapr exposes secrets via a RESTful API that can be called by application code and can be configured with assorted secret stores. The following table lists the capabilities of each offering:
-
-| | Dapr secrets API | Secrets Store CSI driver |
-| | | |
-| **Supported secrets stores** | Local environment variables (for Development); Local file (for Development); Kubernetes Secrets; AWS Secrets Manager; Azure Key Vault secret store; Azure Key Vault with Managed Identities on Kubernetes; GCP Secret Manager; HashiCorp Vault | Azure Key Vault secret store|
-| **Accessing secrets in application code** | Call the Dapr secrets API | Access the mounted volume or sync mounted content as a Kubernetes secret and set an environment variable |
-| **Secret rotation** | New API calls obtain the updated secrets | Polls for secrets and updates the mount at a configurable interval |
-| **Logging and metrics** | The Dapr sidecar generates logs, which can be configured with collectors such as Azure Monitor, emits metrics via Prometheus, and exposes an HTTP endpoint for health checks | Emits driver and Azure Key Vault provider metrics via Prometheus |
-
-For more information on the secret management in Dapr, see the [secrets management building block overview][dapr-secrets-block].
-
-For more information on the Secrets Store CSI driver and Azure Key Vault provider, see the [Secrets Store CSI driver overview][csi-secrets-store].
-
-### How does the managed Dapr cluster extension compare to the open source Dapr offering?
-
-The managed Dapr cluster extension is the easiest method to provision Dapr on an AKS cluster. With the extension, you're able to offload management of the Dapr runtime version by opting into automatic upgrades. Additionally, the extension installs Dapr with smart defaults (for example, provisioning the Dapr control plane in high availability mode).
-
-When installing Dapr OSS via helm or the Dapr CLI, runtime versions and configuration options are the responsibility of developers and cluster maintainers.
-
-Lastly, the Dapr extension is an extension of AKS, therefore you can expect the same support policy as other AKS features.
-
-[Learn more about migrating from Dapr OSS to the Dapr extension for AKS][dapr-migration].
-
-### How can I switch to using the Dapr extension if IΓÇÖve already installed Dapr via a method, such as Helm?
-
-Recommended guidance is to completely uninstall Dapr from the AKS cluster and reinstall it via the cluster extension.
-
-If you install Dapr through the AKS extension, our recommendation is to continue using the extension for future management of Dapr instead of the Dapr CLI. Combining the two tools can cause conflicts and result in undesired behavior.
-
-## Next Steps
-
-After learning about Dapr and some of the challenges it solves, try [Deploying an application with the Dapr cluster extension][dapr-quickstart].
-
-<!-- Links Internal -->
-[csi-secrets-store]: ./csi-secrets-store-driver.md
-[osm-docs]: ./open-service-mesh-about.md
-[cluster-extensions]: ./cluster-extensions.md
-[dapr-quickstart]: ./quickstart-dapr.md
-[dapr-migration]: ./dapr-migration.md
-
-<!-- Links External -->
-[dapr-docs]: https://docs.dapr.io/
-[dapr-blocks]: https://docs.dapr.io/concepts/building-blocks-concept/
-[dapr-secrets-block]: https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview/
+
+ Title: Dapr extension for Azure Kubernetes Service (AKS) overview
+description: Learn more about using Dapr on your Azure Kubernetes Service (AKS) cluster to develop applications.
+++ Last updated : 07/21/2022+++
+# Dapr
+
+Distributed Application Runtime (Dapr) offers APIs that simplify microservice development and implementation. Running as a sidecar process in tandem with your applications, Dapr APIs abstract away common complexities developers regularly encounter when building distributed applications, such as service discovery, message broker integration, encryption, observability, and secret management. Whether your inter-application communication is direct service-to-service, or pub/sub messaging, Dapr helps you write simple, portable, resilient, and secured microservices.
+
+Dapr is incrementally adoptable ΓÇô the API building blocks can be used as the need arises. Use one, several, or all to develop your application faster.
++
+## Capabilities and features
+
+Dapr provides the following set of capabilities to help with your microservice development on AKS:
+
+* Easy provisioning of Dapr on AKS through [cluster extensions][cluster-extensions].
+* Portability enabled through HTTP and gRPC APIs which abstract underlying technologies choices
+* Reliable, secure, and resilient service-to-service calls through HTTP and gRPC APIs
+* Publish and subscribe messaging made easy with support for CloudEvent filtering and ΓÇ£at-least-onceΓÇ¥ semantics for message delivery
+* Pluggable observability and monitoring through Open Telemetry API collector
+* Works independent of language, while also offering language specific SDKs
+* Integration with VS Code through the Dapr extension
+* [More APIs for solving distributed application challenges][dapr-blocks]
+
+## Frequently asked questions
+
+### How do Dapr and Service meshes compare?
+
+A: Where a service mesh is defined as a networking service mesh, Dapr is not a service mesh. While Dapr and service meshes do offer some overlapping capabilities, a service mesh is focused on networking concerns, whereas Dapr is focused on providing building blocks that make it easier for developers to build applications as microservices. Dapr is developer-centric, while service meshes are infrastructure-centric.
+
+Some common capabilities that Dapr shares with service meshes include:
+
+* Secure service-to-service communication with mTLS encryption
+* Service-to-service metric collection
+* Service-to-service distributed tracing
+* Resiliency through retries
+
+In addition, Dapr provides other application-level building blocks for state management, pub/sub messaging, actors, and more. However, Dapr does not provide capabilities for traffic behavior such as routing or traffic splitting. If your solution would benefit from the traffic splitting a service mesh provides, consider using [Open Service Mesh][osm-docs].
+
+For more information on Dapr and service meshes, and how they can be used together, visit the [Dapr documentation][dapr-docs].
+
+### How does the Dapr secrets API compare to the Secrets Store CSI driver?
+
+Both the Dapr secrets API and the managed Secrets Store CSI driver allow for the integration of secrets held in an external store, abstracting secret store technology from application code. The Secrets Store CSI driver mounts secrets held in Azure Key Vault as a CSI volume for consumption by an application. Dapr exposes secrets via a RESTful API that can be called by application code and can be configured with assorted secret stores. The following table lists the capabilities of each offering:
+
+| | Dapr secrets API | Secrets Store CSI driver |
+| | | |
+| **Supported secrets stores** | Local environment variables (for Development); Local file (for Development); Kubernetes Secrets; AWS Secrets Manager; Azure Key Vault secret store; Azure Key Vault with Managed Identities on Kubernetes; GCP Secret Manager; HashiCorp Vault | Azure Key Vault secret store|
+| **Accessing secrets in application code** | Call the Dapr secrets API | Access the mounted volume or sync mounted content as a Kubernetes secret and set an environment variable |
+| **Secret rotation** | New API calls obtain the updated secrets | Polls for secrets and updates the mount at a configurable interval |
+| **Logging and metrics** | The Dapr sidecar generates logs, which can be configured with collectors such as Azure Monitor, emits metrics via Prometheus, and exposes an HTTP endpoint for health checks | Emits driver and Azure Key Vault provider metrics via Prometheus |
+
+For more information on the secret management in Dapr, see the [secrets management building block overview][dapr-secrets-block].
+
+For more information on the Secrets Store CSI driver and Azure Key Vault provider, see the [Secrets Store CSI driver overview][csi-secrets-store].
+
+### How does the managed Dapr cluster extension compare to the open source Dapr offering?
+
+The managed Dapr cluster extension is the easiest method to provision Dapr on an AKS cluster. With the extension, you're able to offload management of the Dapr runtime version by opting into automatic upgrades. Additionally, the extension installs Dapr with smart defaults (for example, provisioning the Dapr control plane in high availability mode).
+
+When installing Dapr OSS via helm or the Dapr CLI, runtime versions and configuration options are the responsibility of developers and cluster maintainers.
+
+Lastly, the Dapr extension is an extension of AKS, therefore you can expect the same support policy as other AKS features.
+
+[Learn more about migrating from Dapr OSS to the Dapr extension for AKS][dapr-migration].
+
+### How can I switch to using the Dapr extension if IΓÇÖve already installed Dapr via a method, such as Helm?
+
+Recommended guidance is to completely uninstall Dapr from the AKS cluster and reinstall it via the cluster extension.
+
+If you install Dapr through the AKS extension, our recommendation is to continue using the extension for future management of Dapr instead of the Dapr CLI. Combining the two tools can cause conflicts and result in undesired behavior.
+
+## Next Steps
+
+After learning about Dapr and some of the challenges it solves, try [installing the dapr extension][dapr-extension].
+
+<!-- Links Internal -->
+[csi-secrets-store]: ./csi-secrets-store-driver.md
+[osm-docs]: ./open-service-mesh-about.md
+[cluster-extensions]: ./cluster-extensions.md
+[dapr-quickstart]: ./quickstart-dapr.md
+[dapr-migration]: ./dapr-migration.md
+[dapr-extension]: ./dapr.md
+
+<!-- Links External -->
+[dapr-docs]: https://docs.dapr.io/
+[dapr-blocks]: https://docs.dapr.io/concepts/building-blocks-concept/
+[dapr-secrets-block]: https://docs.dapr.io/developing-applications/building-blocks/secrets/secrets-overview/
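Review bot: the `[dapr-quickstart]` link reference is still defined in the re-added link list but nothing references it any more, since the Next Steps sentence now uses the new `[dapr-extension]` reference; drop the unused definition. The hunk also deletes and re-adds every line of the article although only the frontmatter and the Next Steps sentence change, and the removed and added lines both carry mis-encoded characters ("ΓÇô", "ΓÇ£ΓÇ¥", "IΓÇÖve"), which suggests the file was read and written with the wrong encoding or line endings; saving it as UTF-8 with the original line endings should shrink the diff to the lines that actually changed and would be the right moment to replace those sequences with the intended dash, quotes and apostrophe. In the new Next Steps sentence, "dapr extension" should be capitalised as "Dapr extension" to match the rest of the article.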
aks Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/faq.md
No, AKS is a managed service, and manipulation of the IaaS resources isn't suppo
## Does AKS store any customer data outside of the cluster's region?
-The feature to enable storing customer data in a single region is currently only available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of Brazil Geo. For all other regions, customer data is stored in Geo.
+No, all data is stored in the cluster's region.
## Are AKS images required to run as root?
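Review bot: the replacement answer asserts more than the removed one supported. The old text said single-region storage was available only in Southeast Asia and Brazil South, with other regions storing data at Geo scope; the new text says "No, all data is stored in the cluster's region" for every region, with no explanation of the change. If the service behaviour has changed, the answer should say which data it covers (for example cluster configuration, logs, telemetry) and, ideally, link to the residency documentation that backs the claim; if it has not, the regional caveat should stay.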
aks Intro Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/intro-kubernetes.md
description: Learn the features and benefits of Azure Kubernetes Service to depl
Last updated 02/24/2021--+ # Azure Kubernetes Service
AKS supports the creation of Intel SGX-based, confidential computing node pools
For more information, see [Confidential computing nodes on AKS][conf-com-node].
+### Mariner nodes
+
+Mariner is an open-source Linux distribution created by Microsoft, and itΓÇÖs now available for preview as a container host on Azure Kubernetes Service (AKS). The Mariner container host provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products. You can deploy Mariner node pools in a new cluster, add Mariner node pools to your existing Ubuntu clusters, or migrate your Ubuntu nodes to Mariner nodes.
+
+For more information, see [Use the Mariner container host on Azure Kubernetes Service (AKS)](use-mariner.md)
+ ### Storage volume support To support application workloads, you can mount static or dynamic storage volumes for persistent data. Depending on the number of connected pods expected to share the storage volumes, you can use storage backed by either:
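Review bot: the closing sentence of the new Mariner nodes section is missing its terminating period after the `(use-mariner.md)` link, and "itΓÇÖs" in the first paragraph is a mis-encoded apostrophe that should read "it's". Since the same commit adds an inline "Mariner OS" deployment section to cluster-configuration.md, consider linking that section from here as well so readers do not have to choose between two entry points for the same preview feature.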
aks Keda About https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-about.md
For general KEDA questions, we recommend [visiting the FAQ overview][keda-faq].
[keda-azure-cli]: keda-deploy-addon-az-cli.md [keda-cli]: keda-deploy-add-on-cli.md [keda-arm]: keda-deploy-add-on-arm.md
-[keda-troubleshoot]: keda-troubleshoot.md
+[keda-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-kubernetes-event-driven-autoscaling-add-on?context=/azure/aks/context/aks-context
<!-- LINKS - external --> [keda]: https://keda.sh/
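Review bot: the link reference line just above the changed one defines `[keda-azure-cli]` as `keda-deploy-addon-az-cli.md` and `[keda-cli]` as `keda-deploy-add-on-cli.md`; the two slugs differ only in `addon` versus `add-on`, and the only CLI article touched in this commit is `keda-deploy-add-on-cli.md`, so `[keda-azure-cli]` looks like a stale duplicate that should be removed or pointed at the same file while the troubleshooting link is being fixed.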
aks Keda Deploy Add On Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-deploy-add-on-arm.md
description: Use an ARM template to deploy the Kubernetes Event-driven Autoscali
Previously updated : 05/24/2022 Last updated : 10/10/2022
az group delete --name MyResourceGroup
This article showed you how to install the KEDA add-on on an AKS cluster, and then verify that it's installed and running. With the KEDA add-on installed on your cluster, you can [deploy a sample application][keda-sample] to start scaling apps.
-You can troubleshoot troubleshoot KEDA add-on problems in [this article][keda-troubleshoot].
+You can troubleshoot KEDA add-on problems in [this article][keda-troubleshoot].
<!-- LINKS - internal --> [az-aks-create]: /cli/azure/aks#az-aks-create
You can troubleshoot troubleshoot KEDA add-on problems in [this article][keda-tr
[az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials [az aks update]: /cli/azure/aks#az-aks-update [az-group-delete]: /cli/azure/group#az-group-delete
-[keda-troubleshoot]: keda-troubleshoot.md
+[keda-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-kubernetes-event-driven-autoscaling-add-on?context=/azure/aks/context/aks-context
[aks-firewall-requirements]: limit-egress-traffic.md#azure-global-required-network-rules <!-- LINKS - external -->
aks Keda Deploy Add On Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-deploy-add-on-cli.md
Previously updated : 06/08/2022 Last updated : 10/10/2022
az aks update \
## Next steps This article showed you how to install the KEDA add-on on an AKS cluster using Azure CLI. The steps to verify that KEDA add-on is installed and running are included. With the KEDA add-on installed on your cluster, you can [deploy a sample application][keda-sample] to start scaling apps.
-You can troubleshoot troubleshoot KEDA add-on problems in [this article][keda-troubleshoot].
+You can troubleshoot KEDA add-on problems in [this article][keda-troubleshoot].
[az-aks-create]: /cli/azure/aks#az-aks-create [az aks install-cli]: /cli/azure/aks#az-aks-install-cli [az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials [az aks update]: /cli/azure/aks#az-aks-update [az-group-delete]: /cli/azure/group#az-group-delete
-[keda-troubleshoot]: keda-troubleshoot.md
+[keda-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-kubernetes-event-driven-autoscaling-add-on?context=/azure/aks/context/aks-context
[aks-firewall-requirements]: limit-egress-traffic.md#azure-global-required-network-rules [kubectl]: https://kubernetes.io/docs/user-guide/kubectl [keda]: https://keda.sh/ [keda-scalers]: https://keda.sh/docs/scalers/ [keda-sample]: https://github.com/kedacore/sample-dotnet-worker-servicebus-queue-
aks Keda Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-integrations.md
However, these external scalers aren't supported as part of the add-on and rely
[aks-support-policy]: support-policies.md [keda-cli]: keda-deploy-add-on-cli.md [keda-arm]: keda-deploy-add-on-arm.md
-[keda-troubleshoot]: keda-troubleshoot.md
+[keda-troubleshoot]: /troubleshoot/azure/azure-kubernetes/troubleshoot-kubernetes-event-driven-autoscaling-add-on?context=/azure/aks/context/aks-context
<!-- LINKS - external --> [keda-scalers]: https://keda.sh/docs/latest/scalers/
aks Keda Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/keda-troubleshoot.md
- Title: Troubleshooting Kubernetes Event-driven Autoscaling (KEDA) add-on
-description: How to troubleshoot Kubernetes Event-driven Autoscaling add-on
-- Previously updated : 8/26/2021---
-# Kubernetes Event-driven Autoscaling (KEDA) AKS add-on Troubleshooting Guides
-
-When you deploy the KEDA AKS add-on, you could possibly experience problems associated with configuration of the application autoscaler.
-
-The following guide will assist you on how to troubleshoot errors and resolve common problems with the add-on, in addition to the official KEDA [FAQ][keda-faq] & [troubleshooting guide][keda-troubleshooting].
-
-## Verifying and Troubleshooting KEDA components
-
-### Check available KEDA version
-
-You can check the available KEDA version by using the `kubectl` command:
-
-```azurecli-interactive
-kubectl get crd/scaledobjects.keda.sh -o custom-columns='APP:.metadata.labels.app\.kubernetes\.io/version'
-```
-
-An overview will be provided with the installed KEDA version:
-
-```Output
-APP
-2.7.0
-```
-
-### Ensuring the cluster firewall is configured correctly
-
-It might happen that KEDA isn't scaling applications because it can't start up.
-
-When checking the operator logs, you might find errors similar to the following:
-
-```output
-1.6545953013458195e+09 ERROR Failed to get API Group-Resources {"error": "Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"}
-sigs.k8s.io/controller-runtime/pkg/cluster.New
-/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/cluster/cluster.go:160
-sigs.k8s.io/controller-runtime/pkg/manager.New
-/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.2/pkg/manager/manager.go:313
-main.main
-/workspace/main.go:87
-runtime.main
-/usr/local/go/src/runtime/proc.go:255
-1.6545953013459463e+09 ERROR setup unable to start manager {"error": "Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"}
-main.main
-/workspace/main.go:97
-runtime.main
-/usr/local/go/src/runtime/proc.go:255
-```
-
-While in the metric server you might notice that it's not able to start up:
-
-```output
-I0607 09:53:05.297924 1 main.go:147] keda_metrics_adapter "msg"="KEDA Version: 2.7.1"
-I0607 09:53:05.297979 1 main.go:148] keda_metrics_adapter "msg"="KEDA Commit: "
-I0607 09:53:05.297996 1 main.go:149] keda_metrics_adapter "msg"="Go Version: go1.17.9"
-I0607 09:53:05.298006 1 main.go:150] keda_metrics_adapter "msg"="Go OS/Arch: linux/amd64"
-E0607 09:53:15.344324 1 logr.go:279] keda_metrics_adapter "msg"="Failed to get API Group-Resources" "error"="Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"
-E0607 09:53:15.344360 1 main.go:104] keda_metrics_adapter "msg"="failed to setup manager" "error"="Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"
-E0607 09:53:15.344378 1 main.go:209] keda_metrics_adapter "msg"="making provider" "error"="Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"
-E0607 09:53:15.344399 1 main.go:168] keda_metrics_adapter "msg"="unable to run external metrics adapter" "error"="Get \"https://10.0.0.1:443/api?timeout=32s\": EOF"
-```
-
-This most likely means that the KEDA add-on isn't able to start up due to a misconfigured firewall.
-
-In order to make sure it runs correctly, make sure to configure the firewall to meet [the requirements][aks-firewall-requirements].
-
-### Enabling add-on on clusters with self-managed open-source KEDA installations
-
-While Kubernetes only allows one metric server to be installed, you can in theory install KEDA multiple times. However, it isn't recommended given only one installation will work.
-
-When the KEDA add-on is installed in an AKS cluster, the previous installation of open-source KEDA will be overridden and the add-on will take over.
-
-This means that the customization and configuration of the self-installed KEDA deployment will get lost and no longer be applied.
-
-While there's a possibility that the existing autoscaling will keep on working, it introduces a risk given it will be configured differently and won't support features such as managed identity.
-
-It's recommended to uninstall existing KEDA installations before enabling the KEDA add-on given the installation will succeed without any error.
-
-In order to determine which metrics adapter is being used by KEDA, use the `kubectl` command:
-
-```azurecli-interactive
-kubectl get APIService/v1beta1.external.metrics.k8s.io -o custom-columns='NAME:.spec.service.name,NAMESPACE:.spec.service.namespace'
-```
-
-An overview will be provided showing the service and namespace that Kubernetes will use to get metrics:
-
-```Output
-NAME NAMESPACE
-keda-operator-metrics-apiserver kube-system
-```
-
-> [!WARNING]
-> If the namespace is not `kube-system`, then the AKS add-on is being ignored and another metric server is being used.
-
-[aks-firewall-requirements]: limit-egress-traffic.md#azure-global-required-network-rules
-[keda-troubleshooting]: https://keda.sh/docs/latest/troubleshooting/
-[keda-faq]: https://keda.sh/docs/latest/faq/
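Review bot: this deletion removes the only check on the page for which metrics adapter is actually backing `v1beta1.external.metrics.k8s.io` (the `kubectl get APIService/v1beta1.external.metrics.k8s.io -o custom-columns=...` command with its `kube-system` warning) and the firewall pointer for the `Get "https://10.0.0.1:443/api?timeout=32s": EOF` startup failure, without any replacement in the hunk. If the content is moving to a separate troubleshooting page, the add-on article should link to it; if it is being dropped, the behaviour described at `-When the KEDA add-on is installed in an AKS cluster, the previous installation of open-source KEDA will be overridden` (install succeeds silently, self-managed customisation is lost, managed identity is not used) is an operational risk that loses its only documentation here and should be kept somewhere.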
aks Monitor Aks Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-aks-reference.md
Title: Monitoring AKS data reference description: Important reference material needed when you monitor AKS -+ Last updated 07/18/2022-+ # Monitoring AKS data reference
The following table lists the platform metrics collected for AKS. Follow each l
For more information, see a list of [all platform metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).
-In addition to the above platform metrics, Azure Monitor container insights collects [these custom metrics](../azure-monitor/containers/container-insights-metric-alerts.md#metrics-collected) for nodes, pods, containers, and persistent volumes.
+In addition to the above platform metrics, Azure Monitor container insights collects [these custom metrics](../azure-monitor/containers/container-insights-custom-metrics.md) for nodes, pods, containers, and persistent volumes.
## Metric dimensions
For more information on the schema of Activity Log entries, see [Activity Log s
## See also - See [Monitoring Azure AKS](monitor-aks.md) for a description of monitoring Azure AKS.-- See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.
+- See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.
aks Monitor Aks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/monitor-aks.md
Title: Monitor Azure Kubernetes Service (AKS) with Azure Monitor description: Describes how to use Azure Monitor monitor the health and performance of AKS clusters and their workloads. + Last updated 07/29/2021- # Monitoring Azure Kubernetes Service (AKS) with Azure Monitor
This scenario is intended for customers using Azure Monitor to monitor AKS. It d
## Container insights AKS generates [platform metrics and resource logs](monitor-aks-reference.md), like any other Azure resource, that you can use to monitor its basic health and performance. Enable [Container insights](../azure-monitor/containers/container-insights-overview.md) to expand on this monitoring. Container insights is a feature in Azure Monitor that monitors the health and performance of managed Kubernetes clusters hosted on AKS in addition to other cluster configurations. Container insights provides interactive views and workbooks that analyze collected data for a variety of monitoring scenarios.
-[Prometheus](https://prometheus.io/) and [Grafana](https://www.prometheus.io/docs/visualization/grafan) has native integration with AKS, collecting critical metrics and logs, alerting on identified issues, and providing visualization with workbooks. It also collects certain Prometheus metrics, and many native Azure Monitor insights are built-up on top of Prometheus metrics. Container insights complements and completes E2E monitoring of AKS including log collection which Prometheus as stand-alone tool doesnΓÇÖt provide. Many customers use Prometheus integration and Azure Monitor together for E2E monitoring.
+[Prometheus](https://aka.ms/azureprometheus-promio) and [Grafana](https://aka.ms/azureprometheus-promio-grafana) are CNCF backed widely popular open source tools for kubernetes monitoring. AKS exposes many metrics in Prometheus format which makes Prometheus a popular choice for monitoring. [Container insights](../azure-monitor/containers/container-insights-overview.md) has native integration with AKS, collecting critical metrics and logs, alerting on identified issues, and providing visualization with workbooks. It also collects certain Prometheus metrics, and many native Azure Monitor insights are built-up on top of Prometheus metrics. Container insights complements and completes E2E monitoring of AKS including log collection which Prometheus as stand-alone tool doesnΓÇÖt provide. Many customers use Prometheus integration and Azure Monitor together for E2E monitoring.
Learn more about using Container insights at [Container insights overview](../azure-monitor/containers/container-insights-overview.md). [Monitor layers of AKS with Container insights](#monitor-layers-of-aks-with-container-insights) below introduces various features of Container insights and the monitoring scenarios that they support.
When you enable Container insights for your AKS cluster, it deploys a containeri
### Configure collection from Prometheus
-Container insights allows you to collect certain Prometheus metrics in your Log Analytics workspace without requiring a Prometheus server. You can analyze this data using Azure Monitor features along with other data collected by Container insights. See [Configure scraping of Prometheus metrics with Container insights](../azure-monitor/containers/container-insights-prometheus-integration.md) for details on this configuration.
+Container insights allows you to send Prometheus metrics to [Azure Monitor managed service for Prometheus](../azure-monitor/essentials/prometheus-metrics-overview.md) or to your Log Analytics workspace without requiring a local Prometheus server. You can analyze this data using Azure Monitor features along with other data collected by Container insights. See [Collect Prometheus metrics with Container insights](../azure-monitor/containers/container-insights-prometheus.md) for details on this configuration.
### Collect resource logs
The logs for AKS control plane components are implemented in Azure as [resource
You need to create a diagnostic setting to collect resource logs. Create multiple diagnostic settings to send different sets of logs to different locations. See [Create diagnostic settings to send platform logs and metrics to different destinations](../azure-monitor/essentials/diagnostic-settings.md) to create diagnostic settings for your AKS cluster.
-There is a cost for sending resource logs to a workspace, so you should only collect those log categories that you intend to use. Send logs to an Azure storage account to reduce costs if you need to retain the information but don't require it to be readily available for analysis. See [Resource logs](monitor-aks-reference.md#resource-logs) for a description of the categories that are available for AKS and See [Azure Monitor Logs pricing details](../azure-monitor/logs/cost-logs.md) for details for details on the cost of ingesting and retaining log data. Start by collecting a minimal number of categories and then modify the diagnostic setting to collect additional categories as your needs increase and as you understand your associated costs.
+There is a cost for sending resource logs to a workspace, so you should only collect those log categories that you intend to use. Send logs to an Azure storage account to reduce costs if you need to retain the information but don't require it to be readily available for analysis. See [Resource logs](monitor-aks-reference.md#resource-logs) for a description of the categories that are available for AKS and See [Azure Monitor Logs pricing details](../azure-monitor/logs/cost-logs.md) for details on the cost of ingesting and retaining log data. Start by collecting a minimal number of categories and then modify the diagnostic setting to collect additional categories as your needs increase and as you understand your associated costs.
If you're unsure about which resource logs to initially enable, use the recommendations in the following table which are based on the most common customer requirements. Enable the other categories if you later find that you require this information.
Access Azure Monitor features for all AKS clusters in your subscription from the
| Alerts | Views alerts for the current cluster. | | Metrics | Open metrics explorer with the scope set to the current cluster. | | Diagnostic settings | Create diagnostic settings for the cluster to collect resource logs. |
-| Advisor | recommendations Recommendations for the current cluster from Azure Advisor. |
+| Advisor | Recommendations for the current cluster from Azure Advisor. |
| Logs | Open Log Analytics with the scope set to the current cluster to analyze log data and access prebuilt queries. | | Workbooks | Open workbook gallery for Kubernetes service. |
Azure Monitor and container insights don't yet provide full monitoring for the A
:::image type="content" source="media/monitor-aks/grafana-api-server.png" alt-text="Grafana API server" lightbox="media/monitor-aks/grafana-api-server.png":::
-Use the **Kubelet** workbook to view the health and performance of each kubelet. See [Resource Monitoring workbooks](../azure-monitor/containers/container-insights-reports.md#resource-monitoring-workbooks) for details on this workbooks. For troubleshooting scenarios, you can access kubelet logs using the process described at [Get kubelet logs from Azure Kubernetes Service (AKS) cluster nodes](kubelet-logs.md).
+Use the **Kubelet** workbook to view the health and performance of each kubelet. See [Resource Monitoring workbooks](../azure-monitor/containers/container-insights-reports.md#resource-monitoring-workbooks) for details on this workbook. For troubleshooting scenarios, you can access kubelet logs using the process described at [Get kubelet logs from Azure Kubernetes Service (AKS) cluster nodes](kubelet-logs.md).
:::image type="content" source="media/monitor-aks/container-insights-kubelet-workbook.png" alt-text="Container insights kubelet workbook" lightbox="media/monitor-aks/container-insights-kubelet-workbook.png":::
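Review bot: the replacement line `+[Prometheus](https://aka.ms/azureprometheus-promio) and [Grafana](...)` carries the mojibake `doesnΓÇÖt` over from the line it replaces; it should be `doesn't`. On the same line, `kubernetes` should be capitalised and `CNCF backed` hyphenated, and the `aka.ms` redirectors hide the destination from readers (the old Grafana link was at least visibly wrong, pointing at `prometheus.io/docs/visualization/grafan`), so a direct URL would be better. Further down, `+There is a cost for sending resource logs...` removes the duplicated `for details` but leaves `and See` mid-sentence; it should be `and see`.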
aks Openfaas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/openfaas.md
Last updated 03/05/2018 -+ # Using OpenFaaS on AKS
Output:
## Create second function
-Now create a second function. This example will be deployed using the OpenFaaS CLI and includes a custom container image and retrieving data from a Cosmos DB. Several items need to be configured before creating the function.
+Now create a second function. This example will be deployed using the OpenFaaS CLI and includes a custom container image and retrieving data from an Azure Cosmos DB instance. Several items need to be configured before creating the function.
-First, create a new resource group for the Cosmos DB.
+First, create a new resource group for the Azure Cosmos DB instance.
```azurecli-interactive az group create --name serverless-backing --location eastus ```
-Deploy a CosmosDB instance of kind `MongoDB`. The instance needs a unique name, update `openfaas-cosmos` to something unique to your environment.
+Deploy an Azure Cosmos DB instance of kind `MongoDB`. The instance needs a unique name, update `openfaas-cosmos` to something unique to your environment.
```azurecli-interactive az cosmosdb create --resource-group serverless-backing --name openfaas-cosmos --kind MongoDB ```
-Get the Cosmos database connection string and store it in a variable.
+Get the Azure Cosmos DB database connection string and store it in a variable.
-Update the value for the `--resource-group` argument to the name of your resource group, and the `--name` argument to the name of your Cosmos DB.
+Update the value for the `--resource-group` argument to the name of your resource group, and the `--name` argument to the name of your Azure Cosmos DB instance.
```azurecli-interactive COSMOS=$(az cosmosdb list-connection-strings \
COSMOS=$(az cosmosdb list-connection-strings \
--output tsv) ```
-Now populate the Cosmos DB with test data. Create a file named `plans.json` and copy in the following json.
+Now populate the Azure Cosmos DB with test data. Create a file named `plans.json` and copy in the following json.
```json {
Now populate the Cosmos DB with test data. Create a file named `plans.json` and
} ```
-Use the *mongoimport* tool to load the CosmosDB instance with data.
+Use the *mongoimport* tool to load the Azure Cosmos DB instance with data.
If needed, install the MongoDB tools. The following example installs these tools using brew, see the [MongoDB documentation][install-mongo] for other options.
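Review bot: while the Cosmos DB naming is being touched, the unchanged context this hunk edits around, `COSMOS=$(az cosmosdb list-connection-strings \`, uses a command Azure CLI has deprecated in favour of `az cosmosdb keys list --type connection-strings`; worth updating in the same pass. The sentence `+Get the Azure Cosmos DB database connection string and store it in a variable.` should also say where that value ends up, since a connection string is a full-access credential and the step reads as if it may be baked into the function image rather than supplied as a Kubernetes secret.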
aks Operator Best Practices Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-identity.md
description: Learn the cluster operator best practices for how to manage authentication and authorization for clusters in Azure Kubernetes Service (AKS) + Last updated 09/29/2022
There are two levels of access needed to fully operate an AKS cluster:
> [!NOTE] > Pod identities are intended for use with Linux pods and container images only. Pod-managed identities support for Windows containers is coming soon.
-To access other Azure resources, like Cosmos DB, Key Vault, or Blob Storage, the pod needs authentication credentials. You could define authentication credentials with the container image or inject them as a Kubernetes secret. Either way, you would need to manually create and assign them. Usually, these credentials are reused across pods and aren't regularly rotated.
+To access other Azure resources, like Azure Cosmos DB, Key Vault, or Blob storage, the pod needs authentication credentials. You could define authentication credentials with the container image or inject them as a Kubernetes secret. Either way, you would need to manually create and assign them. Usually, these credentials are reused across pods and aren't regularly rotated.
With pod-managed identities (preview) for Azure resources, you automatically request access to services through Azure AD. Pod-managed identities is currently in preview for AKS. Refer to the [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)](./use-azure-ad-pod-identity.md) documentation to get started.
For more information about cluster operations in AKS, see the following best pra
[azure-ad-rbac]: azure-ad-rbac.md [aad-pod-identity]: ./use-azure-ad-pod-identity.md [use-azure-ad-pod-identity]: ./use-azure-ad-pod-identity.md#create-an-identity
-[workload-identity-overview]: workload-identity-overview.md
+[workload-identity-overview]: workload-identity-overview.md
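Review bot: the only substantive change is the rename at `+To access other Azure resources, like Azure Cosmos DB, Key Vault, or Blob storage...`, and the `[workload-identity-overview]` definition is re-added without a visible use. Since the following paragraph still steers readers to pod-managed identities, which the text itself marks as preview, the best-practice guidance should say whether workload identity is now the recommended path and link to it from the body, not only from the link block. Minor: `Pod-managed identities is currently in preview` should be `are`.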
aks Operator Best Practices Run At Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/operator-best-practices-run-at-scale.md
+
+ Title: Best practices for running AKS at scale
+
+description: Learn the cluster operator best practices and special considerations for running large clusters at 500 node scale and beyond
++ Last updated : 10/04/2022
+
++
+# Best practices for creating and running Azure Kubernetes Service (AKS) clusters at scale
+
+AKS clusters that satisfy any of the below criteria should use the [Uptime SLA][Uptime SLA] feature for higher reliability and scalability of the Kubernetes control plan:
+* Clusters running greater than 10 nodes on average
+* Clusters that need to scale beyond 1000 nodes
+* Clusters running production workloads or availability sensitive mission critical workloads
+
+To scale AKS clusters beyond 1000 nodes, you need to request a node limit quota increase by raising a support ticket via the [portal][Azure Portal] up-to a maximum of 5000 nodes per cluster.
+
+To increase the node limit beyond 1000, you must have the following pre-requisites:
+- An existing AKS cluster that needs the node limit increase. This cluster shouldn't be deleted as that will remove the limit increase.
+- Uptime SLA enabled on your cluster.
+
+> [!NOTE]
+> It may take up to a week to enable your clusters with the larger node limit.
+
+> [!IMPORTANT]
+> Raising the node limit does not increase other AKS service quota limits, such as the number of pods per node. For more details, [Limits for resources, SKUs, regions][quotas-skus-regions].
+
+## Networking considerations and best practices
+
+* Use Managed NAT for cluster egress with at least 2 public IPs on the NAT Gateway. For more information, see [Managed NAT Gateway - Azure Kubernetes Service][Managed NAT Gateway - Azure Kubernetes Service].
+* Use Azure CNI with Dynamic IP allocation for optimum IP utilization and scale up to 50k application pods per cluster with one routable IP per pod. For more information, see [Configure Azure CNI networking in Azure Kubernetes Service (AKS)][Configure Azure CNI networking in Azure Kubernetes Service (AKS)].
+* When using internal Kubernetes services behind an internal load balancer, it's recommended to create an internal load balancer or internal service below 750 node scale for best scaling performance and load balancer elasticity.
+
+> [!NOTE]
+> You can't use NPM with clusters greater than 500 Nodes
++
+## Node pool scaling considerations and best practices
+
+* For system node pools, use the *Standard_D16ds_v5* SKU or equivalent core/memory VM SKUs to provide sufficient compute resources for *kube-system* pods.
+* Create at-least five user node pools to scale up to 5,000 nodes since there's a 1000 nodes per node pool limit.
+* Use cluster autoscaler wherever possible when running at-scale AKS clusters to ensure dynamic scaling of node pools based on the demand for compute resources.
+* When scaling beyond 1000 nodes without cluster autoscaler, it's recommended to scale in batches of a maximum 500 to 700 nodes at a time. These scaling operations should also have 2 mins to 5-mins sleep time between consecutive scale-ups to prevent Azure API throttling.
+
+## Cluster upgrade best practices
+
+* AKS clusters have a hard limit of 5000 nodes. This limit prevents clusters from upgrading that are running at this limit since there's no more capacity do a rolling update with the max surge property. We recommend scaling the cluster down below 3000 nodes before doing cluster upgrades to provide extra capacity for node churn and minimize control plane load.
+* By default, AKS configures upgrades to surge with one extra node through the max surge settings. This default value allows AKS to minimize workload disruption by creating an extra node before the cordon/drain of existing applications to replace an older versioned node. When you are upgrading clusters with a large number of nodes, using the default max surge settings can force an upgrade to take several hours to complete as the upgrade churns through a large number of nodes. You can customize the max surge settings per node pool to enable a trade-off between upgrade speed and upgrade disruption. By increasing the max surge settings, the upgrade process completes faster but may cause disruptions during the upgrade process.
+* It isn't recommended to upgrade a cluster with greater than 500 nodes with the default max-surge configuration of one node. We suggest increasing the max surge settings to between 10 to 20 percent with up to a maximum of 500 nodes max-surge based on your workload disruption tolerance.
+* For more information, see [Upgrade an Azure Kubernetes Service (AKS) cluster][cluster upgrades].
+
+<!-- Links - External -->
+[Managed NAT Gateway - Azure Kubernetes Service]: nat-gateway.md
+[Configure Azure CNI networking in Azure Kubernetes Service (AKS)]: configure-azure-cni.md#dynamic-allocation-of-ips-and-enhanced-subnet-support
+[max surge]: upgrade-cluster.md?tabs=azure-cli#customize-node-surge-upgrade
+[Azure Portal]: https://ms.portal.azure.com/#create/Microsoft.Support/Parameters/%7B%0D%0A%09%22subId%22%3A+%22%22%2C%0D%0A%09%22pesId%22%3A+%225a3a423f-8667-9095-1770-0a554a934512%22%2C%0D%0A%09%22supportTopicId%22%3A+%2280ea0df7-5108-8e37-2b0e-9737517f0b96%22%2C%0D%0A%09%22contextInfo%22%3A+%22AksLabelDeprecationMarch22%22%2C%0D%0A%09%22caller%22%3A+%22Microsoft_Azure_ContainerService+%2B+AksLabelDeprecationMarch22%22%2C%0D%0A%09%22severity%22%3A+%223%22%0D%0A%7D
+[uptime SLA]: uptime-sla.md
+
+<!-- LINKS - Internal -->
+[quotas-skus-regions]: quotas-skus-regions.md
+[cluster upgrades]: upgrade-cluster.md
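Review bot: the `[Azure Portal]` support link hard-codes `contextInfo` and `caller` values of `AksLabelDeprecationMarch22`, so a reader following `+To scale AKS clusters beyond 1000 nodes, you need to request a node limit quota increase by raising a support ticket via the [portal]...` would open a case tagged for an unrelated label-deprecation issue; use a generic support-request link or the correct quota context. Smaller items: `control plan` should be `control plane` in the opening sentence; `NPM` in the NOTE is never expanded (Azure Network Policy Manager); `[max surge]` is defined in the link block but never referenced, and the `.md` targets listed under `<!-- Links - External -->` are internal; `up-to`, `at-least` and `at-scale` should be unhyphenated, `2 mins to 5-mins` should read `2 to 5 minutes`, and `no more capacity do a rolling update` is missing `to`. Also worth confirming that the first bullet really means 10 nodes, since every other threshold on the page is 500 or more.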
aks Quickstart Dapr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/quickstart-dapr.md
Last updated 05/03/2022-+ # Quickstart: Deploy an application using the Dapr cluster extension for Azure Kubernetes Service (AKS) or Arc-enabled Kubernetes
cd quickstarts/hello-kubernetes
## Create and configure a state store
-Dapr can use a number of different state stores (Redis, Cosmos DB, DynamoDB, Cassandra, etc.) to persist and retrieve state. For this example, we will use Redis.
+Dapr can use a number of different state stores (Redis, Azure Cosmos DB, DynamoDB, Cassandra, etc.) to persist and retrieve state. For this example, we will use Redis.
### Create a Redis store
aks Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/03/2022 Last updated : 10/10/2022
aks Use Cvm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-cvm.md
Title: Use Confidential Virtual Machines (CVM) in Azure Kubernetes Service (AKS) (Preview)
+ Title: Use Confidential Virtual Machines (CVM) in Azure Kubernetes Service (AKS)
description: Learn how to create Confidential Virtual Machines (CVM) node pools with Azure Kubernetes Service (AKS) Previously updated : 08/01/2022-+ Last updated : 10/04/2022
-# Use Confidential Virtual Machines (CVM) in Azure Kubernetes Service (AKS) cluster (Preview)
+# Use Confidential Virtual Machines (CVM) in Azure Kubernetes Service (AKS) cluster
-You can use the generally available [confidential VM sizes (DCav5/ECav5)][cvm-announce] to add a node pool to your AKS cluster with CVM. Confidential VMs with AMD SEV-SNP support bring a new set of security features to protect date-in-use with full VM memory encryption. These features enable node pools with CVM to target the migration of highly sensitive container workloads to AKS without any code refactoring while benefiting from the features of AKS. The nodes in a node pool created with CVM use a customized Ubuntu 20.04 image specially configured for CVM. For more details on CVM, see [Confidential VM node pools support on AKS with AMD SEV-SNP confidential VMs][cvm].
+You can use the generally available [confidential VM sizes (DCav5/ECav5)][cvm-announce] to add a node pool to your AKS cluster with CVM. Confidential VMs with AMD SEV-SNP support bring a new set of security features to protect data-in-use with full VM memory encryption. These features enable node pools with CVM to target the migration of highly sensitive container workloads to AKS without any code refactoring while benefiting from the features of AKS. The nodes in a node pool created with CVM use a customized Ubuntu 20.04 image specially configured for CVM. For more details on CVM, see [Confidential VM node pools support on AKS with AMD SEV-SNP confidential VMs][cvm].
Adding a node pool with CVM to your AKS cluster is currently in preview. ## Before you begin
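Review bot: removing `(Preview)` from the title and the H1 contradicts the unchanged line immediately after the hunk, `Adding a node pool with CVM to your AKS cluster is currently in preview.` Either the feature is GA and that sentence (plus any preview-feature registration steps under `## Before you begin`) must go in the same change, or the title edit is premature; the hunk should not leave the two statements disagreeing. The `date-in-use` to `data-in-use` fix is good.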
aks Use Kms Etcd Encryption https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-kms-etcd-encryption.md
Title: Use Key Management Service (KMS) etcd encryption in Azure Kubernetes Serv
description: Learn how to use the Key Management Service (KMS) etcd encryption with Azure Kubernetes Service (AKS) Previously updated : 08/19/2022 Last updated : 10/03/2022 # Add Key Management Service (KMS) etcd encryption to an Azure Kubernetes Service (AKS) cluster
For more information on using the KMS plugin, see [Encrypting Secret Data at Res
* Azure CLI version 2.39.0 or later. Run `az --version` to find your version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install]. > [!WARNING]
-> KMS only supports Konnectivity. You can use `kubectl get po -n kube-system` to check if a 'konnectivity-agent-xxx' pod is running.
+> KMS only supports Konnectivity and Vnet Integration.
+> You can use `kubectl get po -n kube-system` to verify the results show that a konnectivity-agent-xxx pod is running. If there is, it means the AKS cluster is using Konnectivity. When using VNet integration, you can run the command `az aks cluster show -g -n` to verify the setting `enableVnetIntegration` is set to **true**.
## Limitations
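Review bot: `az aks cluster show -g -n` in the new WARNING is not a valid command and has no placeholders; it should be `az aks show -g <resource-group> -n <cluster-name>`, and narrowing the output to the property would help readers, for example with `--query apiServerAccessProfile.enableVnetIntegration` (assuming that is where the API surfaces the setting, which the hunk does not show). The two added lines also spell the feature `Vnet Integration` and then `VNet integration`; pick one. `verify the results show that a konnectivity-agent-xxx pod is running. If there is, it means...` reads awkwardly; `if a konnectivity-agent-xxx pod is listed, the cluster is using Konnectivity` is clearer.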
aks Use Mariner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-mariner.md
++
+ Title: Use the Mariner container host on Azure Kubernetes Service (AKS)
+description: Learn how to use the Mariner container host on Azure Kubernetes Service (AKS)
+++ Last updated : 09/22/2022++
+# Use the Mariner container host on Azure Kubernetes Service (AKS)
+
+Mariner is an open-source Linux distribution created by Microsoft, and itΓÇÖs now available for preview as a container host on Azure Kubernetes Service (AKS). The Mariner container host provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products. You can deploy Mariner node pools in a new cluster, add Mariner node pools to your existing Ubuntu clusters, or migrate your Ubuntu nodes to Mariner nodes. To learn more about Mariner, see the [Mariner documentation][mariner-doc].
+
+## Why use Mariner
+
+The Mariner container host on AKS uses a native AKS image that provides one place to do all Linux development. Every package is built from source and validated, ensuring your services run on proven components. Mariner is lightweight, only including the necessary set of packages needed to run container workloads. It provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages. At Mariner's base layer, it has a Microsoft hardened kernel tuned for Azure. Learn more about the [key capabilities of Mariner][mariner-capabilities].
+
+## How to use Mariner on AKS
+
+To get started using Mariner on AKS, see:
+
+* [Creating a cluster with Mariner][mariner-cluster-config]
+* [Add a Mariner node pool to your existing cluster][mariner-node-pool]
+* [Ubuntu to Mariner migration][ubuntu-to-mariner]
+
+## How to upgrade Mariner nodes
+
+We recommend keeping your clusters up to date and secured by enabling automatic upgrades for your cluster. To enable automatic upgrades, see:
+
+* [Automatically upgrade an Azure Kubernetes Service (AKS) cluster][auto-upgrade-aks]
+* [Deploy kured in an AKS cluster][kured]
+
+To manually upgrade the node-image on a cluster, you can run `az aks nodepool upgrade`:
+
+```azurecli
+az aks nodepool upgrade \
+ --resource-group myResourceGroup \
+ --cluster-name myAKSCluster \
+ --name myNodePool \
+ --node-image-only
+```
+
+## Regional availability
+
+Mariner is available for use in the same regions as AKS.
+
+## Limitations
+
+Mariner currently has the following limitations:
+
+* Mariner does not yet have image SKUs for GPU, ARM64, SGX, or FIPS.
+* Mariner does not yet have FedRAMP, FIPS, or CIS certification.
+* Mariner cannot yet be deployed through Azure portal or Terraform.
+* Qualys and Trivy are the only vulnerability scanning tools that support Mariner today.
+* The Mariner container host is a Gen 2 image. Mariner does not plan to offer a Gen 1 SKU.
+* Node configurations are not yet supported.
+* Mariner is not yet supported in GitHub actions.
+* Mariner does not support AppArmor. Support for SELinux can be manually configured.
+* Some addons, extensions, and open-source integrations may not be supported yet on Mariner. Azure Monitor, Grafana, Helm, Key Vault, and Container Insights are confirmed to be supported.
+* AKS diagnostics does not yet support Mariner.
+
+<!-- LINKS - Internal -->
+[mariner-doc]: https://microsoft.github.io/CBL-Mariner/docs/#cbl-mariner-linux
+[mariner-capabilities]: https://microsoft.github.io/CBL-Mariner/docs/#key-capabilities-of-cbl-mariner-linux
+[mariner-cluster-config]: cluster-configuration.md
+[mariner-node-pool]: use-multiple-node-pools.md
+[ubuntu-to-mariner]: use-multiple-node-pools.md
+[auto-upgrade-aks]: auto-upgrade-cluster.md
+[kured]: node-updates-kured.md
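Review bot: the bullet `+* Mariner does not support AppArmor. Support for SELinux can be manually configured.` is the security-relevant limitation on this page and needs more than one line: pods that request a profile through the `container.apparmor.security.beta.kubernetes.io/<container>` annotation cannot be enforced on Mariner nodes, so the text should say what operators are expected to use instead and how SELinux is enabled and in which mode. Other items: `itΓÇÖs` in the intro is mojibake for `it's`; `[mariner-node-pool]` and `[ubuntu-to-mariner]` both resolve to `use-multiple-node-pools.md` with no anchor, and `[mariner-cluster-config]` to `cluster-configuration.md` likewise, so readers land at the top of long pages; the two `microsoft.github.io` URLs sit under `<!-- LINKS - Internal -->`; and `Some addons, extensions, and open-source integrations may not be supported yet` is vague next to a list that names only five supported ones.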
aks Use Multiple Node Pools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-multiple-node-pools.md
Title: Use multiple node pools in Azure Kubernetes Service (AKS)
description: Learn how to create and manage multiple node pools for a cluster in Azure Kubernetes Service (AKS) -+ Last updated 05/16/2022
az aks nodepool add \
--node-vm-size Standard_Dpds_v5 ```
+### Add a Mariner node pool
+
+Mariner is an open-source Linux distribution available as an AKS container host. It provides high reliability, security, and consistency. Mariner only includes the minimal set of packages needed for running container workloads, which improves boot times and overall performance.
+
+You can add a Mariner node pool into your existing cluster using the `az aks nodepool add` command and specifying `--os-sku mariner`.
+
+```azurecli
+az aks nodepool add \
+ --resource-group myResourceGroup \
+ --cluster-name myAKSCluster \
+ --os-sku mariner
+```
+
+### Migrate Ubuntu nodes to Mariner
+
+Use the following instructions to migrate your Ubuntu nodes to Mariner nodes.
+
+1. Add a Mariner node pool into your existing cluster using the `az aks nodepool add` command and specifying `--os-sku mariner`.
+
+> [!NOTE]
+> When adding a new Mariner node pool, you need to add at least one as `--mode System`. Otherwise, AKS won't allow you to delete your existing Ubuntu node pool.
+2. [Cordon the existing Ubuntu nodes][cordon-and-drain].
+3. [Drain the existing Ubuntu nodes][drain-nodes].
+4. Remove the existing Ubuntu nodes using the `az aks delete` command.
+
+```azurecli
+az aks nodepool delete \
+ --resource-group myResourceGroup \
+ --cluster-name myAKSCluster \
+ --name myNodePool
+```
+ ### Add a node pool with a unique subnet A workload may require splitting a cluster's nodes into separate pools for logical isolation. This isolation can be supported with separate subnets dedicated to each node pool in the cluster. This can address requirements such as having non-contiguous virtual network address space to split across node pools.
az group delete --name myResourceGroup2 --yes --no-wait
[use-labels]: use-labels.md [cordon-and-drain]: resize-node-pool.md#cordon-the-existing-nodes [internal-lb-different-subnet]: internal-lb.md#specify-a-different-subnet
+[drain-nodes]: resize-node-pool.md#drain-the-existing-nodes
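Review bot: step 4, `+4. Remove the existing Ubuntu nodes using the `az aks delete` command.`, names the command that deletes the whole cluster, while the block beneath it correctly runs `az aks nodepool delete`; the prose must say `az aks nodepool delete`. The `az aks nodepool add` example under `### Add a Mariner node pool` omits the required `--name` argument and, given the NOTE that follows, should probably show `--mode System` as well so the migration example actually works as described. The `> [!NOTE]` block is also wedged between list items 1 and 2, which breaks the numbered list; indent it under step 1 or move it above the list.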
aks Virtual Nodes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/virtual-nodes.md
Virtual Nodes functionality is heavily dependent on ACI's feature set. In additi
* Virtual nodes support scheduling Linux pods. You can manually install the open source [Virtual Kubelet ACI](https://github.com/virtual-kubelet/azure-aci) provider to schedule Windows Server containers to ACI. * Virtual nodes require AKS clusters with Azure CNI networking. * Using api server authorized ip ranges for AKS.
-* Volume mounting Azure Files share support [General-purpose V1](../storage/common/storage-account-overview.md#types-of-storage-accounts). Follow the instructions for mounting [a volume with Azure Files share](azure-files-volume.md)
+* Volume mounting Azure Files share support [General-purpose V2](../storage/common/storage-account-overview.md#types-of-storage-accounts) and [General-purpose V1](../storage/common/storage-account-overview.md#types-of-storage-accounts). Follow the instructions for mounting [a volume with Azure Files share](azure-files-volume.md).
* Using IPv6 is not supported. * Virtual nodes don't support the [Container hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) feature.
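Review bot: this is a list of limitations, and the neighbouring bullet "Using api server authorized ip ranges for AKS." is a fragment that never says whether the feature is supported with virtual nodes; while this list is being edited, reword it so it states the limitation explicitly (and capitalize "API server" and "IP" like the rest of the page). The new General-purpose V2 bullet itself is fine; both links resolving to the same storage-account-overview anchor is acceptable since that section covers both account kinds.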
api-management Api Management Advanced Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-advanced-policies.md
In the following example, the policy fragment named *myFragment* is added in the
[...] ```
-## Elements
+### Elements
| Element | Description | Required | | -- | - | -- |
api-management Api Management Howto Api Inspector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-api-inspector.md
To trace request processing, you must enable the **Allow tracing** setting for t
1. On the **Message** tab, the **ocp-apim-trace-location** header shows the location of the trace data stored in Azure blob storage. If needed, go to this location to retrieve the trace. Trace data can be accessed for up to 24 hours. :::image type="content" source="media/api-management-howto-api-inspector/response-message-1.png" alt-text="Trace location in Azure Storage":::+
+## Enable tracing using Ocp-Apim-Trace header
+
+When making requests to API Management using `curl`, a REST client such as Postman, or a client app, enable tracing by adding the following request headers:
+
+* **Ocp-Apim-Trace** - set value to `true`
+* **Ocp-Apim-Subscription-Key** - set value to the key for a tracing-enabled subscription that allows access to the API
+
+The response includes the **Ocp-Apim-Trace-Location** header, with a URL to the location of the trace data in Azure blob storage.
+
+For information about customizing trace information, see the [trace](api-management-advanced-policies.md#Trace) policy.
+ ## Next steps In this tutorial, you learned how to:
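Review bot: the new "Enable tracing using Ocp-Apim-Trace header" section omits two facts the portal section above already states and that matter more when tracing is triggered from a client: the subscription must have the **Allow tracing** setting enabled (opening line of this region), and the trace stored at the `Ocp-Apim-Trace-Location` URL can be retrieved for up to 24 hours. Repeat both here, since a reader who arrives with `curl` or Postman in hand will not read the portal steps, and add a sentence that the key for a tracing-enabled subscription is a debugging credential (the trace records how each request was processed) and should not be the key handed to API consumers.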
api-management Developer Portal Use Community Widgets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-use-community-widgets.md
-
Title: Use community widgets in developer portal-
-description: Learn about community widgets for the API Management developer portal and how to inject and use them in your code.
-- Previously updated : 08/18/2022----
-# Use community widgets in the developer portal
-
-All developers place their community-contributed widgets in the `/community/widgets/` folder of the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal). Each has been accepted by the developer portal team. You can use the widgets by injecting them into your managed developer portal or a [self-hosted version](developer-portal-self-host.md) of the portal.
-
-> [!NOTE]
-> The developer portal team thoroughly inspects contributed widgets and their dependencies. However, the team canΓÇÖt guarantee itΓÇÖs safe to load the widgets. Use your own judgment when deciding to use a widget contributed by the community. Refer to our [widget contribution guidelines](developer-portal-widget-contribution-guidelines.md#contribution-guidelines) to learn about our preventive measures.
-
-## Inject and use external widget - managed portal
-
-For guidance to create and use a development environment to scaffold and upload a custom widget, see [Create and upload custom widget](developer-portal-extend-custom-functionality.md#create-and-upload-custom-widget).
-
-## Inject and use external widget - self-hosted portal
-
-1. Set up a [local environment](developer-portal-self-host.md#step-1-set-up-local-environment) for the latest release of the developer portal.
-
-1. Go to the widget's folder in the `/community/widgets` directory. Read the widget's description in the `readme.md` file.
-
-1. Register the widget in the portal's modules:
-
- 1. `src/apim.design.module.ts` - a module that registers design-time dependencies.
-
- ```typescript
- import { WidgetNameDesignModule } from "../community/widgets/<widget-name>/widget.design.module";
-
- ...
-
- injector.bindModule(new WidgetNameDesignModule());
- ```
-
- 1. `src/apim.publish.module.ts` - a module that registers publish-time dependencies.
-
- ```typescript
- import { WidgetNamePublishModule } from "../community/widgets/<widget-name>/widget.publish.module";
-
- ...
-
- injector.bindModule(new WidgetNamePublishModule());
- ```
-
- 1. `src/apim.runtime.module.ts` - a module that registers run-time dependencies.
-
- ```typescript
- import { WidgetNameRuntimeModule } from "../community/widgets/<widget-name>/widget.runtime.module";
-
- ...
-
- injector.bindModule(new WidgetNameRuntimeModule());
- ```
-
-1. Check if the widget has an `npm_dependencies` file.
-
-1. If so, copy the commands from the file and run them in the repository's top directory.
-
- Doing so will install the widget's dependencies.
-
-1. Run `npm start`.
-
-You can see the widget in the **Community** category in the widget selector.
---
-## Next steps
--
-Learn more about the developer portal:
--- [Azure API Management developer portal overview](api-management-howto-developer-portal.md)--- [Contribute widgets](developer-portal-widget-contribution-guidelines.md)
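Review bot: this deletion removes the only place the docs warn that the developer portal team "can't guarantee it's safe to load the widgets" (the NOTE block) together with the self-hosted registration steps; before merging, confirm a redirect for developer-portal-use-community-widgets.md exists and that its destination (presumably developer-portal-extend-custom-functionality.md, which the "Inject and use external widget - managed portal" section already points to) carries the same caution about community-contributed code. Separately, the removed note contains mis-encoded apostrophes (`canΓÇÖt`, `itΓÇÖs`); moot for a deleted file, but worth checking wherever the text is moved.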
api-management Developer Portal Widget Contribution Guidelines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/developer-portal-widget-contribution-guidelines.md
- Title: How to contribute widgets for developer portal-
-description: Learn about recommended guidelines to follow when you contribute a widget to the API Management developer portal repository.
-- Previously updated : 08/18/2022----
-# How to contribute widgets to the API Management developer portal
-
-If you'd like to contribute a widget to the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal), follow this three-step process:
-
-1. Fork the repository.
-
-1. Implement the widget.
-
-1. Open a pull request to include your widget in the official repository.
-
-Your widget will inherit the repository's license. It will be available for [opt-in installation](developer-portal-use-community-widgets.md) in either the managed developer portal or a [self-hosted version](developer-portal-self-host.md) of the portal. The developer portal team may decide to also include it in the managed version of the portal.
-
-For an example of how to develop your own widget and upload it to your developer portal, see [Create and upload custom widget](developer-portal-extend-custom-functionality.md#create-and-upload-custom-widget).
-
-## Contribution guidelines
-
-This guidance is intended to ensure the safety and privacy of our customers and the visitors to their portals. Follow these guidelines to ensure your contribution is accepted:
-
-1. Place your widget in the `community/widgets/<your-widget-name>` folder.
-
-1. Your widget's name must be lowercase and alphanumeric with dashes separating the words. For example, `my-new-widget`.
-
-1. The folder must contain a screenshot of your widget in a published portal.
-
-1. The folder must contain a `readme.md` file, which follows the template from the `/scaffolds/widget/readme.md` file.
-
-1. The folder can contain an `npm_dependencies` file with npm commands to install or manage the widget's dependencies.
-
- Explicitly specify the version of every dependency. For example:
-
- ```console
- npm install azure-storage@2.10.3 axios@0.19.1
- ```
-
- Your widget should require minimal dependencies. Every dependency will be carefully inspected by the reviewers. In particular, the core logic of your widget should be open-sourced in your widget's folder. Don't wrap it in an npm package.
-
-1. Changes to any files outside your widget's folder aren't allowed as part of a widget contribution. That includes, but isn't limited to, the `/package.json` file.
-
-1. Injecting tracking scripts or sending customer-authored data to custom services isn't allowed.
-
- > [!NOTE]
- > You can only collect customer-authored data through the `Logger` interface.
-
-## Next steps
--- For more information about contributions, see the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal/).--- See [Extend the developer portal with custom features](developer-portal-extend-custom-functionality.md) to learn about options to add custom functionality to the developer portal.--- See [Use community widgets](developer-portal-use-community-widgets.md) to learn how to use widgets contributed by the community.
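Review bot: deleting this file also deletes the published contribution rules that matter for portal visitors' safety, namely that "Injecting tracking scripts or sending customer-authored data to custom services isn't allowed", that customer-authored data may only be collected through the `Logger` interface, and that every dependency must be version-pinned (`npm install azure-storage@2.10.3 axios@0.19.1`). If the repository still accepts community widgets these rules need a new home (the repository's own contribution guide, for instance) and this commit should say where; if contributions are closed, the commit should add a redirect and a one-line deprecation notice rather than a silent delete, since the use-community-widgets page removed in the same change linked here and other pages may still.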
api-management Export Api Postman https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/export-api-postman.md
+
+ Title: Export API from Azure API Management to Postman for testing and monitoring | Microsoft Docs
+description: Learn how to export an API definition from API Management to Postman and use Postman for API testing and monitoring
+++++ Last updated : 10/11/2022++
+# Export API definition to Postman for API testing and monitoring
+
+To enhance development of your APIs, you can export an API fronted in API Management to [Postman](https://www.postman.com/product/what-is-postman/). Export an API definition from API Management as a Postman [collection](https://learning.postman.com/docs/getting-started/creating-the-first-collection/) so that you can use Postman's tools to design, document, test, monitor, and collaborate on APIs.
+
+## Prerequisites
+++ Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).++ Make sure that your instance manages an API that you'd like to export to Postman. +
+ > [!NOTE]
+ > Currently, you can only export HTTP APIs from API Management directly to Postman.
+
+ For testing authorization in Postman as outlined later in this article, the API should require a subscription.
+++ A [Postman](https://www.postman.com) account, which you can use to access Postman for Web.
+ * Optionally, [download and install](https://learning.postman.com/docs/getting-started/installation-and-updates/) the Postman desktop app locally.
+++
+## Export an API to Postman
+
+1. In the portal, under **APIs**, select an API.
+1. In the context menu (**...**), select **Export** > **Postman**.
+
+ :::image type="content" source="media/export-api-postman/export-to-postman.png" alt-text="Screenshot of exporting an API to Postman in the Azure portal.":::
+
+1. In the **Run in** dialog, select the Postman location to export to. You can select the option for the desktop app if you've installed it locally.
+1. In Postman, select a Postman workspace to import the API to. The default is *My Workspace*.
+1. In Postman, select **Generate collection from this API** to automatically generate a collection from the API definition. If needed, configure advanced import options, or accept default values. Select **Import**.
+
+ The collection and documentation are imported to Postman.
+
+ :::image type="content" source="media/export-api-postman/postman-collection-documentation.png" alt-text="Screenshot of collection imported to Postman.":::
+
+## Authorize requests in Postman
+
+If the API you exported requires a subscription, you'll need to configure a valid subscription key from your API Management instance to send requests from Postman.
+
+Use the following steps to configure a subscription key as a secret variable for the collection.
+
+1. In your Postman workspace, select **Environments** > **Create environment**.
+1. Enter a name for the environment such as *Azure API Management*.
+1. Add a variable with the following values:
+ 1. Name - *apiKey*
+ 1. Type - **secret**
+ 1. Initial value - a valid API Management subscription key for the API
+1. Select **Save**.
+1. Select **Collections** and the name of the collection that you imported.
+1. Select the **Authorization** tab.
+1. In the upper right, select the name of the environment you created, such as *Azure API Management*.
+1. For the key **Ocp-Apim-Subscription-Key**, enter the variable name `{{apiKey}}`. Select **Save**.
+
+ :::image type="content" source="media/export-api-postman/postman-api-authorization.png" alt-text="Screenshot of configuring secret API key in Postman.":::
+1. Test your configuration by selecting an operation in your API such as a `GET` operation, and select **Send**.
+
+ If correctly configured, the operation returns a `200 OK` status and some output.
+
+## Next steps
+
+* Learn more about [importing APIs to Postman](https://learning.postman.com/docs/designing-and-developing-your-api/importing-an-api/).
+* Learn more about [authorizing requests in Postman](https://learning.postman.com/docs/sending-requests/authorization/).
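Review bot: the "Authorize requests in Postman" steps put a live API Management subscription key into an environment variable's "Initial value" but never say where that value is stored or who can see it; since Postman environments can be shared with a workspace, the page should tell readers whether the key is kept local or synced and, either way, recommend a key from a subscription scoped to the one API under test rather than an all-APIs key. A one-line reminder to revoke or regenerate the key when testing is finished would fit in the same place.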
api-management Front Door Api Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/front-door-api-management.md
Use API Management policies to ensure that your API Management instance accepts
### Restrict incoming IP addresses
-You can configure an inbound [ip-filter](/api-management-access-restriction-policies.md#CheckHTTPHeader) policy in API Management to allow only Front Door-related traffic, which includes:
+You can configure an inbound [ip-filter](api-management-access-restriction-policies.md#RestrictCallerIPs) policy in API Management to allow only Front Door-related traffic, which includes:
* **Front Door's backend IP address space** - Allow IP addresses corresponding to the *AzureFrontDoor.Backend* section in [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519).
You can configure an inbound [ip-filter](/api-management-access-restriction-poli
### Check Front Door header
-Requests routed through Front Door include headers specific to your Front Door configuration. You can configure the [check-header](/api-management-access-restriction-policies.md#CheckHTTPHeader) policy to filter incoming requests based on the unique value of the `X-Azure-FDID` HTTP request header that is sent to API Management. This header value is the **Front Door ID**, which is shown in the portal on the **Overview** page of the Front Door profile.
+Requests routed through Front Door include headers specific to your Front Door configuration. You can configure the [check-header](api-management-access-restriction-policies.md#CheckHTTPHeader) policy to filter incoming requests based on the unique value of the `X-Azure-FDID` HTTP request header that is sent to API Management. This header value is the **Front Door ID**, which is shown in the portal on the **Overview** page of the Front Door profile.
In the following policy example, the Front Door ID is specified using a [named value](api-management-howto-properties.md) named `FrontDoorId`.
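Review bot: the anchor fix for ip-filter (`#CheckHTTPHeader` to `#RestrictCallerIPs`) is correct and dropping the leading `/` that made both links absolute is good, but the two subsections still read as independent options. The `AzureFrontDoor.Backend` ranges describe Front Door's backend address space as a whole, whereas the `X-Azure-FDID` value is the one thing "specific to your Front Door configuration", so state explicitly that the IP filter narrows traffic to Front Door in general and the header check is what binds requests to this profile, and that the two policies are meant to be used together rather than as alternatives.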
api-management Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/03/2022 Last updated : 10/10/2022
api-management Virtual Network Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-concepts.md
The following are virtual network resource requirements for API Management. Some
### Subnet size
-The minimum size of the subnet in which API Management can be deployed is /29, which gives three usable IP addresses. Each extra scale [unit](api-management-capacity.md) of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations:
+The minimum size of the subnet in which API Management can be deployed is /29, which provides three usable IP addresses. Each extra scale [unit](api-management-capacity.md) of API Management requires two more IP addresses. The minimum size requirement is based on the following considerations:
* Azure reserves five IP addresses within each subnet that can't be used. The first and last IP addresses of the subnets are reserved for protocol conformance. Three more addresses are used for Azure services. For more information, see [Are there any restrictions on using IP addresses within these subnets?](../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets).
The minimum size of the subnet in which API Management can be deployed is /29, w
* For Basic, Standard, or Premium SKUs:
- * **/29 subnet**: 8 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 0 remaining IP addresses left for scaling units.
+ * **/29 subnet**: 8 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 0 remaining IP addresses left for scale-out units.
- * **/28 subnet**: 16 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 8 remaining IP addresses left for four scale-out units (2 IP addresses/scale-out unit) for a total of five units. **This subnet efficiently maximizes Basic and Standard SKU scale-out limits.**
+ * **/28 subnet**: 16 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 8 remaining IP addresses left for four scale-out units (2 IP addresses/scale-out unit) for a total of five units. **This subnet efficiently maximizes Basic and Standard SKU scale-out limits.**
- * **/27 subnet**: 32 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 24 remaining IP addresses left for twelve scale-out units (2 IP addresses/scale-out unit) for a total of thirteen units. **This subnet efficiently maximizes the soft-limit Premium SKU scale-out limit.**
+ * **/27 subnet**: 32 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 24 remaining IP addresses left for twelve scale-out units (2 IP addresses/scale-out unit) for a total of thirteen units. **This subnet efficiently maximizes the soft-limit Premium SKU scale-out limit.**
- * **/26 subnet**: 64 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 56 remaining IP addresses left for twenty-eight scale-out units (2 IP addresses/scale-out unit) for a total of twenty-nine units. It is possible, with an Azure Support ticket, to scale the Premium SKU past twelve units. If you foresee such high demand, consider the /26 subnet.
+ * **/26 subnet**: 64 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 56 remaining IP addresses left for twenty-eight scale-out units (2 IP addresses/scale-out unit) for a total of twenty-nine units. It is possible, with an Azure Support ticket, to scale the Premium SKU past twelve units. If you foresee such high demand, consider the /26 subnet.
- * **/25 subnet**: 128 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP for internal load balancer, if used in internal mode = 120 remaining IP addresses left for sixty scale-out units (2 IP addresses/scale-out unit) for a total of sixty-one units. This is an extremely large, theoretical number of scale-out units.
+ * **/25 subnet**: 128 possible IP addresses - 5 reserved Azure IP addresses - 2 API Management IP addresses for one instance - 1 IP address for internal load balancer, if used in internal mode = 120 remaining IP addresses left for sixty scale-out units (2 IP addresses/scale-out unit) for a total of sixty-one units. This is an extremely large, theoretical number of scale-out units.
### Routing
api-management Virtual Network Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/virtual-network-reference.md
When an API Management service instance is hosted in a VNet, the ports in the fo
| * / [80], 443 | Inbound | TCP | Internet / VirtualNetwork | **Client communication to API Management** | External only | | * / 3443 | Inbound | TCP | ApiManagement / VirtualNetwork | **Management endpoint for Azure portal and PowerShell** | External & Internal | | * / 443 | Outbound | TCP | VirtualNetwork / Storage | **Dependency on Azure Storage** | External & Internal |
-| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) dependency (optional) | External & Internal |
+| * / 443 | Outbound | TCP | VirtualNetwork / AzureActiveDirectory | [Azure Active Directory](api-management-howto-aad.md) and Azure Key Vault dependency (optional) | External & Internal |
+| * / 443 | Outbound | TCP | VirtualNetwork / AzureKeyVault | Access to Azure Key Vault for [named values](api-management-howto-properties.md) integration (optional) | External & Internal |
| * / 1433 | Outbound | TCP | VirtualNetwork / SQL | **Access to Azure SQL endpoints** | External & Internal | | * / 5671, 5672, 443 | Outbound | TCP | VirtualNetwork / Azure Event Hubs | Dependency for [Log to Azure Event Hubs policy](api-management-howto-log-event-hubs.md) and monitoring agent (optional)| External & Internal | | * / 445 | Outbound | TCP | VirtualNetwork / Storage | Dependency on Azure File Share for [GIT](api-management-configuration-repository-git.md) (optional) | External & Internal |
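Review bot: the edited Azure Active Directory row now reads "Azure Active Directory and Azure Key Vault dependency" while the new row directly below lists Key Vault separately against the `AzureKeyVault` service tag; as written, someone building NSG rules from this table could conclude that Key Vault traffic is covered by the `AzureActiveDirectory` tag and skip the second row. If the intent is that the Key Vault integration authenticates through Azure AD, say that ("Azure Active Directory dependency, also required by the Key Vault integration") so it is clear both rows are needed for named-values integration and neither is redundant.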
app-service Deploy Content Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/deploy-content-sync.md
Invoke-AzureRmResourceAction -ResourceGroupName <group-name> -ResourceType Micro
[!INCLUDE [What happens to my app during deployment?](../../includes/app-service-deploy-atomicity.md)]
+## OneDrive and Dropbox integration retirements
+
+On September 30th, 2023 the integrations for Microsoft OneDrive and Dropbox for Azure App Service and Azure Functions will be retired. If you are using OneDrive or Dropbox, you should [disable content sync deployments](#disable-content-sync-deployment) from OneDrive and Dropbox. Then, you can set up deployments from any of the following alternatives
+
+- [GitHub Actions](deploy-github-actions.md)
+- [Azure DevOps Pipelines](https://docs.microsoft.com/azure/devops/pipelines/targets/webapp?view=azure-devops)
+- [Azure CLI](https://docs.microsoft.com/azure/app-service/deploy-zip?tabs=cli)
+- [VS Code](https://docs.microsoft.com/azure/app-service/deploy-zip?tabs=cli)
+- [Local Git Repository](https://docs.microsoft.com/azure/app-service/deploy-local-git?tabs=cli)
+ ## Next steps > [!div class="nextstepaction"]
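Review bot: the **VS Code** entry links to the same URL as the **Azure CLI** entry (`deploy-zip?tabs=cli`), so it should be pointed at the VS Code deployment guidance rather than the CLI tab of the zip-deploy page. Also, the sentence ending "any of the following alternatives" is missing its closing colon, and the last four links are absolute `docs.microsoft.com` URLs while the GitHub Actions entry uses a relative link; use relative links for all five to match the rest of the page.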
app-service Overview Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/overview-authentication-authorization.md
If you don't need to work with tokens in your app, you can disable the token sto
If you [enable application logging](troubleshoot-diagnostic-logs.md), you will see authentication and authorization traces directly in your log files. If you see an authentication error that you didn't expect, you can conveniently find all the details by looking in your existing application logs. If you enable [failed request tracing](troubleshoot-diagnostic-logs.md), you can see exactly what role the authentication and authorization module may have played in a failed request. In the trace logs, look for references to a module named `EasyAuthModule_32/64`.
+### Considerations when using Azure Front Door
+
+When using Azure App Service with Easy Auth behind Azure Front Door or other reverse proxies, a few additional things have to be taken into consideration.
+
+1) Disable Caching for the authentication workflow
+
+ See [Disable cache for auth workflow](/azure/static-web-apps/front-door-manual#disable-cache-for-auth-workflow) to learn more on how to configure rules in Azure Front Door to disable caching for authentication and authorization-related pages.
+
+2) Use the Front Door endpoint for redirects
+
+ App Service is usually not accessible directly when exposed via Azure Front Door. This can be prevented, for example, by exposing App Service via Private Link in Azure Front Door Premium. To prevent the authentication workflow to redirect traffic back to App Service directly, it is important to configure the application to redirect back to `https://<front-door-endpoint>/.auth/login/<provider>/callback`.
+
+3) Ensure that App Service is using the right redirect URI
+
+ In some configurations, the App Service is using the App Service FQDN as the redirect URI instead of the Front Door FQDN. This will lead to an issue when the client is being redirected to App Service instead of Front Door. To change that, the `forwardProxy` setting needs to be set to `Standard` to make App Service respect the `X-Forwarded-Host` header set by Azure Front Door.
+
+ Other reverse proxies like Azure Application Gateway or 3rd-party products might use different headers and need a different forwardProxy setting.
+
+ This configuration cannot be done via the Azure portal today and needs to be done via `az rest`:
+
+ **Export settings**
+
+ `az rest --uri /subscriptions/REPLACE-ME-SUBSCRIPTIONID/resourceGroups/REPLACE-ME-RESOURCEGROUP/providers/Microsoft.Web/sites/REPLACE-ME-APPNAME?api-version=2020-09-01 --method get > auth.json`
+
+ **Update settings**
+
+ Search for
+ ```json
+ "httpSettings": {
+ "forwardProxy": {
+ "convention": "Standard"
+ }
+ }
+ ```
+ and ensure that `convention` is set to `Standard` to respect the `X-Forwarded-Host` header used by Azure Front Door.
+
+ **Import settings**
+
+ `az rest --uri /subscriptions/REPLACE-ME-SUBSCRIPTIONID/resourceGroups/REPLACE-ME-RESOURCEGROUP/providers/Microsoft.Web/sites/REPLACE-ME-APPNAME?api-version=2020-09-01 --method put --body @auth.json`
+
## More resources - [How-To: Configure your App Service or Azure Functions app to use Azure AD login](configure-authentication-provider-aad.md)
Samples:
- [Tutorial: Add authentication to your web app running on Azure App Service](scenario-secure-app-authentication-app-service.md) - [Tutorial: Authenticate and authorize users end-to-end in Azure App Service (Windows or Linux)](tutorial-auth-aad.md) - [.NET Core integration of Azure AppService EasyAuth (3rd party)](https://github.com/MaximRouiller/MaximeRouiller.Azure.AppService.EasyAuth)-- [Getting Azure App Service authentication working with .NET Core (3rd party)](https://github.com/kirkone/KK.AspNetCore.EasyAuthAuthentication)
+- [Getting Azure App Service authentication working with .NET Core (3rd party)](https://github.com/kirkone/KK.AspNetCore.EasyAuthAuthentication)
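Review bot: the "Ensure that App Service is using the right redirect URI" step should state the precondition that makes it safe: setting `forwardProxy` to `Standard` makes App Service build its redirect URI from the `X-Forwarded-Host` header it receives, so it must only be enabled when the app is reachable exclusively through Front Door (which the second step already recommends via Private Link); if the app can still be reached directly, that header is under the caller's control and the login callback can be pointed at a host the operator never intended. Related, "App Service is usually not accessible directly when exposed via Azure Front Door. This can be prevented..." reads inverted; it should say that App Service should not be directly accessible and that this can be enforced with Private Link, and the next sentence should read "from redirecting" rather than "to redirect". Finally, verify the `az rest` calls: they GET and PUT the whole site resource (`.../sites/REPLACE-ME-APPNAME?api-version=2020-09-01`), yet the `httpSettings.forwardProxy` block being edited belongs to the authentication settings (`config/authsettingsV2` under the site), and a PUT of the full site resource from a file named `auth.json` is a far heavier and riskier write than updating that sub-resource.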
app-service Quickstart Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-nodejs.md
Title: 'Quickstart: Create a Node.js web app'
description: Deploy your first Node.js Hello World to Azure App Service in minutes. ms.assetid: 582bb3c2-164b-42f5-b081-95bfcb7a502a -
-#zone_pivot_groups: app-service-platform-windows-linux
+ Last updated 03/22/2022 ms.devlang: javascript #zone_pivot_groups: app-service-ide-oss
Congratulations, you've successfully completed this quickstart!
Check out the other Azure extensions.
-* [Cosmos DB](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-cosmosdb)
+* [Azure Cosmos DB](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-cosmosdb)
* [Azure Functions](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) * [Docker Tools](https://marketplace.visualstudio.com/items?itemName=PeterJausovec.vscode-docker) * [Azure CLI Tools](https://marketplace.visualstudio.com/items?itemName=ms-vscode.azurecli)
app-service Samples Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/samples-cli.md
tags: azure-service-management
ms.assetid: 53e6a15a-370a-48df-8618-c6737e26acec Last updated 04/21/2022-+ keywords: azure cli samples, azure cli examples, azure cli code samples- # CLI samples for Azure App Service
The following table includes links to bash scripts built using the Azure CLI.
| [Connect an app to a SQL Database](./scripts/cli-connect-to-sql.md)| Creates an App Service app and a database in Azure SQL Database, then adds the database connection string to the app settings. | | [Connect an app to a storage account](./scripts/cli-connect-to-storage.md)| Creates an App Service app and a storage account, then adds the storage connection string to the app settings. | | [Connect an app to an Azure Cache for Redis](./scripts/cli-connect-to-redis.md) | Creates an App Service app and an Azure Cache for Redis, then adds the redis connection details to the app settings.) |
-| [Connect an app to Cosmos DB](./scripts/cli-connect-to-documentdb.md) | Creates an App Service app and a Cosmos DB, then adds the Cosmos DB connection details to the app settings. |
+| [Connect an app to Azure Cosmos DB](./scripts/cli-connect-to-documentdb.md) | Creates an App Service app and an Azure Cosmos DB, then adds the Azure Cosmos DB connection details to the app settings. |
|**Backup and restore app**|| | [Backup and restore app](./scripts/cli-backup-schedule-restore.md) | Creates an App Service app and creates a one-time backup for it, creates a backup schedule for it, and then restores an App Service app from a backup. | |**Monitor app**||
app-service Cli Connect To Documentdb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/cli-connect-to-documentdb.md
Title: 'CLI: Connect an app to Cosmos DB'
-description: Learn how to use the Azure CLI to automate deployment and management of your App Service app. This sample shows how to connect an app to MongoDB (Cosmos DB).
+ Title: 'CLI: Connect an app to Azure Cosmos DB'
+description: Learn how to use the Azure CLI to automate deployment and management of your App Service app. This sample shows how to connect an app to Azure Cosmos DB.
tags: azure-service-management
ms.devlang: azurecli
Last updated 04/21/2022 -+
-# Connect an App Service app to Cosmos DB using CLI
+# Connect an App Service app to Azure Cosmos DB via the Azure CLI
-This sample script creates an Azure Cosmos DB account using the Azure Cosmos DB's API for MongoDB and an App Service app. It then links a MongoDB connection string to the web app using app settings.
+This sample script creates an Azure Cosmos DB account using Azure Cosmos DB for MongoDB and an App Service app. It then links a MongoDB connection string to the web app using app settings.
[!INCLUDE [quickstarts-free-trial-note](../../../includes/quickstarts-free-trial-note.md)]
az group delete --name $resourceGroup
## Sample reference
-This script uses the following commands to create a resource group, App Service app, Cosmos DB, and all related resources. Each command in the table links to command specific documentation.
+This script uses the following commands to create a resource group, App Service app, Azure Cosmos DB, and all related resources. Each command in the table links to command specific documentation.
| Command | Notes | ||| | [`az group create`](/cli/azure/group#az-group-create) | Creates a resource group in which all resources are stored. | | [`az appservice plan create`](/cli/azure/appservice/plan#az-appservice-plan-create) | Creates an App Service plan. | | [`az webapp create`](/cli/azure/webapp#az-webapp-create) | Creates an App Service app. |
-| [`az cosmosdb create`](/cli/azure/cosmosdb#az-cosmosdb-create) | Creates a Cosmos DB account. |
-| [`az cosmosdb list-connection-strings`](/cli/azure/cosmosdb#az-cosmosdb-list-connection-strings) | Lists connection strings for the specified Cosmos DB account. |
+| [`az cosmosdb create`](/cli/azure/cosmosdb#az-cosmosdb-create) | Creates an Azure Cosmos DB account. |
+| [`az cosmosdb list-connection-strings`](/cli/azure/cosmosdb#az-cosmosdb-list-connection-strings) | Lists connection strings for the specified Azure Cosmos DB account. |
| [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) | Creates or updates an app setting for an App Service app. App settings are exposed as environment variables for your app (see [Environment variables and app settings reference](../reference-app-settings.md)). | ## Next steps
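Review bot: the sentence "It then links a MongoDB connection string to the web app using app settings" is being rewritten anyway, and it is the place to say what that string is: the value returned by `az cosmosdb list-connection-strings` carries the account key, and once it sits in an app setting it is readable by anyone who can list the app's settings. Add one sentence after it stating that, and point to Key Vault references for app settings as the way to keep the key out of the app configuration; the note about settings being exposed as environment variables in the last table row makes the same point implicitly but never says "key". A smaller style point: the new H1 "Connect an App Service app to Azure Cosmos DB via the Azure CLI" breaks with the "using CLI" form the sibling sample in this same set keeps ("Integrate App Service with Application Gateway using CLI"); pick one form.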
app-service Cli Integrate App Service With Application Gateway https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/scripts/cli-integrate-app-service-with-application-gateway.md
na
Last updated 04/15/2022 -+ # Integrate App Service with Application Gateway using CLI
az group delete --name $resourceGroup
## Sample reference
-This script uses the following commands to create a resource group, App Service app, Cosmos DB, and all related resources. Each command in the table links to command specific documentation.
+This script uses the following commands to create a resource group, an App Service app, an Azure Cosmos DB instance, and all related resources. Each command in the table links to command specific documentation.
| Command | Notes | |||
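Review bot: the rewritten sentence "This script uses the following commands to create a resource group, an App Service app, an Azure Cosmos DB instance, and all related resources" sits in the Application Gateway integration article, whose script does not create a Cosmos DB account and whose command table that follows has no `az cosmosdb` entry. The line was copied from the Cosmos DB sample above ("create a resource group, App Service app, Cosmos DB, and all related resources") and the rename only preserves the mistake. Replace "an Azure Cosmos DB instance" with the resources this script actually creates, taken from its own command table, or drop the clause and leave "a resource group, an App Service app, and all related resources".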
app-service Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 10/03/2022 Last updated : 10/10/2022
app-service Tutorial Connect Msi Azure Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-msi-azure-database.md
keywords: azure app service, web app, security, msi, managed service identity, m
ms.devlang: csharp,java,javascript,python Last updated 04/12/2022-+ # Tutorial: Connect to Azure databases from App Service without secrets using a managed identity
- [Azure Database for PostgreSQL](../postgresql/index.yml) > [!NOTE]
-> This tutorial doesn't include guidance for [Azure Cosmos DB](../cosmos-db/index.yml), which supports Azure Active Directory authentication differently. For information, see Cosmos DB documentation. For example: [Use system-assigned managed identities to access Azure Cosmos DB data](../cosmos-db/managed-identity-based-authentication.md).
+> This tutorial doesn't include guidance for [Azure Cosmos DB](../cosmos-db/index.yml), which supports Azure Active Directory authentication differently. For more information, see the Azure Cosmos DB documentation, such as [Use system-assigned managed identities to access Azure Cosmos DB data](../cosmos-db/managed-identity-based-authentication.md).
Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the connection strings. This tutorial shows you how to connect to the above-mentioned databases from App Service using managed identities.
app-service Tutorial Java Spring Cosmosdb https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-java-spring-cosmosdb.md
Title: 'Tutorial: Linux Java app with MongoDB'
-description: Learn how to get a data-driven Linux Java app working in Azure App Service, with connection to a MongoDB running in Azure (Cosmos DB).
+description: Learn how to get a data-driven Linux Java app working in Azure App Service, with connection to a MongoDB running in Azure Cosmos DB.
ms.devlang: java Last updated 12/10/2018-+ # Tutorial: Build a Java Spring Boot web app with Azure App Service on Linux and Azure Cosmos DB
When you are finished, you will have a [Spring Boot](https://spring.io/projects/
In this tutorial, you learn how to: > [!div class="checklist"]
-> * Create a Cosmos DB database.
+> * Create an Azure Cosmos DB database.
> * Connect a sample app to the database and test it locally > * Deploy the sample app to Azure > * Stream diagnostic logs from App Service
In this tutorial, you learn how to:
## Clone the sample TODO app and prepare the repo
-This tutorial uses a sample TODO list app with a web UI that calls a Spring REST API backed by [Spring Data Azure Cosmos DB](https://github.com/Microsoft/spring-data-cosmosdb). The code for the app is available [on GitHub](https://github.com/Microsoft/spring-todo-app). To learn more about writing Java apps using Spring and Cosmos DB, see the [Spring Boot Starter with the Azure Cosmos DB SQL API tutorial](/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-cosmos-db) and the [Spring Data Azure Cosmos DB quick start](https://github.com/Microsoft/spring-data-cosmosdb#quick-start).
-
+This tutorial uses a sample TODO list app with a web UI that calls a Spring REST API backed by [Spring Data for Azure Cosmos DB](https://github.com/Microsoft/spring-data-cosmosdb). The code for the app is available [on GitHub](https://github.com/Microsoft/spring-todo-app). To learn more about writing Java apps using Spring and Azure Cosmos DB, see the [Spring Boot Starter with the Azure Cosmos DB for NoSQL tutorial](/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-cosmos-db) and the [Spring Data for Azure Cosmos DB quick start](https://github.com/Microsoft/spring-data-cosmosdb#quick-start).
Run the following commands in your terminal to clone the sample repo and set up the sample app environment.
Follow these steps to create an Azure Cosmos DB database in your subscription. T
``` 3. Create Azure Cosmos DB with the `GlobalDocumentDB` kind.
-The name of Cosmos DB must use only lower case letters. Note down the `documentEndpoint` field in the response from the command.
+The name of the Azure Cosmos DB instance must use only lower case letters. Note down the `documentEndpoint` field in the response from the command.
```azurecli az cosmosdb create --kind GlobalDocumentDB \
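Review bot: "The name of the Azure Cosmos DB instance must use only lower case letters" describes the `--name` given to `az cosmosdb create`, which is the account name, not an instance. The rest of this set uses "account" for that object ("Creates an Azure Cosmos DB account"), so write "The Azure Cosmos DB account name must use only lowercase letters" and keep the terminology consistent across the tutorial.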
The name of Cosmos DB must use only lower case letters. Note down the `documentE
## Configure the TODO app properties
-Open a terminal on your computer. Copy the sample script file in the cloned repo so you can customize it for your Cosmos DB database you just created.
+Open a terminal on your computer. Copy the sample script file in the cloned repo so you can customize it for the Azure Cosmos DB database you just created.
```bash cd initial/spring-todo-app
cp set-env-variables-template.sh .scripts/set-env-variables.sh
``` Edit `.scripts/set-env-variables.sh` in your favorite editor and supply Azure
-Cosmos DB connection info. For the App Service Linux configuration, use the same region as before (`your-resource-group-region`) and resource group (`your-azure-group-name`) used when creating the Cosmos DB database. Choose a WEBAPP_NAME that is unique since it cannot duplicate any web app name in any Azure deployment.
+Azure Cosmos DB connection info. For the App Service Linux configuration, use the same region as before (`your-resource-group-region`) and resource group (`your-azure-group-name`) used when creating the Azure Cosmos DB database. Choose a WEBAPP_NAME that is unique since it cannot duplicate any web app name in any Azure deployment.
```bash export COSMOSDB_URI=<put-your-COSMOS-DB-documentEndpoint-URI-here>
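Review bot: the replacement line "Azure Cosmos DB connection info." follows an unchanged context line that ends with "supply Azure", so the rendered sentence now reads "supply Azure Azure Cosmos DB connection info". The product name was previously split across the line break ("supply Azure" / "Cosmos DB connection info"), and the rename only touched the second half. Either keep the new line as "Cosmos DB connection info." or rejoin the two lines into one so the sentence reads "supply Azure Cosmos DB connection info".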
public interface TodoItemRepository extends DocumentDbRepository<TodoItem, Strin
} ```
-Then the sample app uses the `@Document` annotation imported from `com.microsoft.azure.spring.data.cosmosdb.core.mapping.Document` to set up an entity type to be stored and managed by Cosmos DB:
+Then the sample app uses the `@Document` annotation imported from `com.microsoft.azure.spring.data.cosmosdb.core.mapping.Document` to set up an entity type to be stored and managed by Azure Cosmos DB:
```java @Document
az group delete --name <your-azure-group-name> --yes
[Azure for Java Developers](/java/azure/) [Spring Boot](https://spring.io/projects/spring-boot),
-[Spring Data for Cosmos DB](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-cosmos-db),
+[Spring Data for Azure Cosmos DB](/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-cosmos-db),
[Azure Cosmos DB](../cosmos-db/introduction.md) and [App Service Linux](overview.md).
app-service Tutorial Nodejs Mongodb App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-nodejs-mongodb-app.md
Title: Deploy a Node.js web app using MongoDB to Azure
-description: This article shows you have to deploy a Node.js app using Express.js and a MongoDB database to Azure. Azure App Service is used to host the web application and Azure Cosmos DB to host the database using the 100% compatible MongoDB API built into Cosmos DB.
+description: This article shows you have to deploy a Node.js app using Express.js and a MongoDB database to Azure. Azure App Service is used to host the web application and Azure Cosmos DB to host the database using the 100% compatible MongoDB API built into Azure Cosmos DB.
Last updated 09/06/2022 ms.role: developer ms.devlang: javascript-+ # Deploy a Node.js + MongoDB web app to Azure
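Review bot: the new description line keeps the typo from the old one: "This article shows you have to deploy a Node.js app" should read "shows you how to deploy". Since the line is being rewritten for the product name anyway, fix the typo in the same change rather than leaving it in the metadata that search engines display.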
-[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service using the Linux operating system. This tutorial shows how to create a secure Node.js app in Azure App Service that's connected to a MongoDB database (using [Azure Cosmos DB with MongoDB API](../cosmos-db/mongodb/mongodb-introduction.md)). When you're finished, you'll have an Express.js app running on Azure App Service on Linux.
+[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service using the Linux operating system. This tutorial shows how to create a secure Node.js app in Azure App Service that's connected to a [Azure Cosmos DB for MongoDB](../cosmos-db/mongodb/mongodb-introduction.md) database. When you're finished, you'll have an Express.js app running on Azure App Service on Linux.
:::image type="content" source="./media/tutorial-nodejs-mongodb-app/app-diagram.png" alt-text="A diagram showing how the Express.js app will be deployed to Azure App Service and the MongoDB data will be hosted inside of Azure Cosmos DB." lightbox="./media/tutorial-nodejs-mongodb-app/app-diagram-large.png":::
If you want to run the application locally, do the following:
* Start the application using `npm start`. * To view the app, browse to `http://localhost:3000`.
-## 1. Create App Service and Cosmos DB
+## 1. Create App Service and Azure Cosmos DB
-In this step, you create the Azure resources. The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure Cosmos DB API for MongoDB that's. For the creation process, you'll specify:
+In this step, you create the Azure resources. The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure Cosmos DB for MongoDB. For the creation process, you'll specify:
* The **Name** for the web app. It's the name used as part of the DNS name for your webapp in the form of `https://<app-name>.azurewebsites.net`. * The **Region** to run the app physically in the world.
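Review bot: "connected to a [Azure Cosmos DB for MongoDB](...) database" needs "an", not "a", now that the product name starts with a vowel. The same rewrite turned the dangling "Azure Cosmos DB API for MongoDB that's." into a complete sentence, which is good; apply the same care to the article before the link.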
Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
1. *Name* &rarr; **msdocs-expressjs-mongodb-XYZ** where *XYZ* is any three random characters. This name must be unique across Azure. 1. *Runtime stack* &rarr; **Node 16 LTS**. 1. *Hosting plan* &rarr; **Basic**. When you're ready, you can [scale up](manage-scale-up.md) to a production pricing tier later.
- 1. **Cosmos DB API for MongoDB** is selected by default as the database engine. Azure Cosmos DB is a cloud native database offering a 100% MongoDB compatible API. Note the database name that's generated for you (*\<app-name>-database*). You'll need it later.
+ 1. **Azure Cosmos DB for MongoDB** is selected by default as the database engine. Azure Cosmos DB is a cloud native database offering a 100% MongoDB compatible API. Note the database name that's generated for you (*\<app-name>-database*). You'll need it later.
1. Select **Review + create**. 1. After validation completes, select **Create**. :::column-end:::
Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
- **Virtual network** &rarr; Integrated with the App Service app and isolates back-end network traffic. - **Private endpoint** &rarr; Access endpoint for the database resource in the virtual network. - **Network interface** &rarr; Represents a private IP address for the private endpoint.
- - **Cosmos DB API for MongoDB** &rarr; Accessible only from behind the private endpoint. A database and a user are created for you on the server.
- - **Private DNS zone** &rarr; Enables DNS resolution of the Cosmos DB server in the virtual network.
+ - **Azure Cosmos DB for MongoDB** &rarr; Accessible only from behind the private endpoint. A database and a user are created for you on the server.
+ - **Private DNS zone** &rarr; Enables DNS resolution of the Azure Cosmos DB server in the virtual network.
:::column-end::: :::column:::
When you're finished, you can delete all of the resources from your Azure subscr
## Frequently asked questions - [How much does this setup cost?](#how-much-does-this-setup-cost)-- [How do I connect to the Cosmos DB server that's secured behind the virtual network with other tools?](#how-do-i-connect-to-the-cosmos-db-server-thats-secured-behind-the-virtual-network-with-other-tools)
+- [How do I connect to the Azure Cosmos DB server that's secured behind the virtual network with other tools?](#how-do-i-connect-to-the-azure-cosmos-db-server-thats-secured-behind-the-virtual-network-with-other-tools)
- [How does local app development work with GitHub Actions?](#how-does-local-app-development-work-with-github-actions) - [Why is the GitHub Actions deployment so slow?](#why-is-the-github-actions-deployment-so-slow)
When you're finished, you can delete all of the resources from your Azure subscr
Pricing for the create resources is as follows: - The App Service plan is created in **Basic** tier and can be scaled up or down. See [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/linux/).-- The Cosmos DB server is create in a single region and can be distributed to other regions. See [Azure Cosmos DB pricing](https://azure.microsoft.com/pricing/details/cosmos-db/).
+- The Azure Cosmos DB server is created in a single region and can be distributed to other regions. See [Azure Cosmos DB pricing](https://azure.microsoft.com/pricing/details/cosmos-db/).
- The virtual network doesn't incur a charge unless you configure extra functionality, such as peering. See [Azure Virtual Network pricing](https://azure.microsoft.com/pricing/details/virtual-network/). - The private DNS zone incurs a small charge. See [Azure DNS pricing](https://azure.microsoft.com/pricing/details/dns/).
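Review bot: the rewrite fixes "is create in a single region" to "is created", but the unchanged line right above it still reads "Pricing for the create resources is as follows", which has the same kind of error ("created resources"). Fix both while this paragraph is open, so the FAQ answer does not carry one corrected and one uncorrected form of the same slip.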
-#### How do I connect to the Cosmos DB server that's secured behind the virtual network with other tools?
+#### How do I connect to the Azure Cosmos DB server that's secured behind the virtual network with other tools?
-- For basic access from a commmand-line tool, you can run `mongosh` from the app's SSH terminal. The app's container doesn't come with `mongosh`, so you must [install it manually](https://www.mongodb.com/docs/mongodb-shell/install/). Remember that the installed client doesn't persist across app restarts.
+- For basic access from a command-line tool, you can run `mongosh` from the app's SSH terminal. The app's container doesn't come with `mongosh`, so you must [install it manually](https://www.mongodb.com/docs/mongodb-shell/install/). Remember that the installed client doesn't persist across app restarts.
- To connect from a MongoDB GUI client, your machine must be within the virtual network. For example, it could be an Azure VM that's connected to one of the subnets, or a machine in an on-premises network that has a [site-to-site VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) connection with the Azure virtual network.-- To connect from the Mongo shell from the Cosmos DB management page in the portal, your machine must also be within the virtual network. You could instead open the Cosmos DB server's firewall for your local machine's IP address, but it increases the attack surface for your configuration.
+- To connect from the MongoDB shell from the Azure Cosmos DB management page in the portal, your machine must also be within the virtual network. You could instead open the Azure Cosmos DB server's firewall for your local machine's IP address, but it increases the attack surface for your configuration.
#### How does local app development work with GitHub Actions?
app-service Webjobs Sdk How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/webjobs-sdk-how-to.md
description: Learn more about how to write code for the WebJobs SDK. Create even
ms.devlang: csharp-+ Last updated 06/24/2021
These binding-specific settings are equivalent to settings in the [host.json pro
You can configure the following bindings:
-* [Azure CosmosDB trigger](#azure-cosmosdb-trigger-configuration-version-3x)
+* [Azure Cosmos DB trigger](#azure-cosmos-db-trigger-configuration-version-3x)
* [Event Hubs trigger](#event-hubs-trigger-configuration-version-3x) * [Queue storage trigger](#queue-storage-trigger-configuration) * [SendGrid binding](#sendgrid-binding-configuration-version-3x) * [Service Bus trigger](#service-bus-trigger-configuration-version-3x)
-#### Azure CosmosDB trigger configuration (version 3.*x*)
+#### Azure Cosmos DB trigger configuration (version 3.*x*)
This example shows how to configure the Azure Cosmos DB trigger:
static async Task Main()
} ```
-For more information, see the [Azure CosmosDB binding](../azure-functions/functions-bindings-cosmosdb-v2.md#hostjson-settings) article.
+For more information, see the [Azure Cosmos DB binding](../azure-functions/functions-bindings-cosmosdb-v2.md#hostjson-settings) article.
#### Event Hubs trigger configuration (version 3.*x*)
application-gateway Key Vault Certs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/key-vault-certs.md
After Application Gateway is configured to use Key Vault certificates, its insta
> [!TIP] > Any change to Application Gateway will force a check against Key Vault to see if any new versions of certificates are available. This includes, but not limited to, changes to Frontend IP Configurations, Listeners, Rules, Backend Pools, Resource Tags, and more. If an updated certificate is found, the new certificate will immediately be presented.
-Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway will automatically rotate the certificate if a newer version is available in your Key Vault. An example of a secret URI without a version is `https://myvault.vault.azure.net/secrets/mysecret/`.
+Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, we strongly recommend that you use a secret identifier that doesn't specify a version. This way, Application Gateway will automatically rotate the certificate if a newer version is available in your Key Vault. An example of a secret URI without a version is `https://myvault.vault.azure.net/secrets/mysecret/`. You may refer to the PowerShell steps provided in the [section below](#key-vault-azure-role-based-access-control-permission-model).
The Azure portal supports only Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).
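Review bot: the sentence appended to the paragraph, "You may refer to the PowerShell steps provided in the [section below](#key-vault-azure-role-based-access-control-permission-model)", does not say what those steps do, and its anchor is the permission-model section rather than one about secret identifiers, so a reader who came here for the versionless-URI advice (`https://myvault.vault.azure.net/secrets/mysecret/`) is sent to RBAC setup with no explanation. Say what the reader will find there, for example "For the PowerShell commands that reference the secret without a version, see ...", confirm a heading with exactly that slug exists in the article, or move the link next to the permission-model discussion it belongs to.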
applied-ai-services Build Training Data Set https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/build-training-data-set.md
- Title: "How to build a training data set for a custom model - Form Recognizer"-
-description: Learn how to ensure your training data set is optimized for training a Form Recognizer model.
----- Previously updated : 11/02/2021-
-#Customer intent: As a user of the Form Recognizer custom model service, I want to ensure I'm training my model in the best way.
---
-# Build a training data set for a custom model
-
-When you use the Form Recognizer custom model, you provide your own training data to the [Train Custom Model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/TrainCustomModelAsync) operation, so that the model can train to your industry-specific forms. Follow this guide to learn how to collect and prepare data to train the model effectively.
-
-You need at least five filled-in forms of the same type.
-
-If you want to use manually labeled training data, you must start with at least five filled-in forms of the same type. You can still use unlabeled forms in addition to the required data set.
-
-## Custom model input requirements
-
-First, make sure your training data set follows the input requirements for Form Recognizer.
--
-## Training data tips
-
-Follow these additional tips to further optimize your data set for training.
-
-* If possible, use text-based PDF documents instead of image-based documents. Scanned PDFs are handled as images.
-* For filled-in forms, use examples that have all of their fields filled in.
-* Use forms with different values in each field.
-* If your form images are of lower quality, use a larger data set (10-15 images, for example).
-
-## Upload your training data
-
-When you've put together the set of form documents that you'll use for training, you need to upload it to an Azure blob storage container. If you don't know how to create an Azure storage account with a container, follow the [Azure Storage quickstart for Azure portal](../../storage/blobs/storage-quickstart-blobs-portal.md). Use the standard performance tier.
-
-If you want to use manually labeled data, you'll also have to upload the *.labels.json* and *.ocr.json* files that correspond to your training documents. You can use the [Sample Labeling tool](label-tool.md) (or your own UI) to generate these files.
-
-### Organize your data in subfolders (optional)
-
-By default, the [Train Custom Model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/TrainCustomModelAsync) API will only use form documents that are located at the root of your storage container. However, you can train with data in subfolders if you specify it in the API call. Normally, the body of the [Train Custom Model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/TrainCustomModelAsync) call has the following format, where `<SAS URL>` is the Shared access signature URL of your container:
-
-```json
-{
- "source":"<SAS URL>"
-}
-```
-
-If you add the following content to the request body, the API will train with documents located in subfolders. The `"prefix"` field is optional and will limit the training data set to files whose paths begin with the given string. So a value of `"Test"`, for example, will cause the API to look at only the files or folders that begin with the word "Test".
-
-```json
-{
- "source": "<SAS URL>",
- "sourceFilter": {
- "prefix": "<prefix string>",
- "includeSubFolders": true
- },
- "useLabelFile": false
-}
-```
-
-## Next steps
-
-Now that you've learned how to build a training data set, follow a quickstart to train a custom Form Recognizer model and start using it on your forms.
-
-* [Train a model and extract form data using the client library or REST API](quickstarts/try-sdk-rest-api.md)
-* [Train with labels using the sample labeling tool](label-tool.md)
-
-## See also
-
-* [What is Form Recognizer?](./overview.md)
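Review bot: this deletes build-training-data-set.md outright, but other articles link into it by anchor; compose-custom-models-v2-1.md in this same set links to `build-training-data-set.md#custom-model-input-requirements` and `build-training-data-set.md#upload-your-training-data`. The deletion needs a redirect entry for the old path, and the anchored links need re-pointing at whichever page now holds the input requirements. Check too that the target page keeps the `sourceFilter` request body shown here (`"prefix"`, `"includeSubFolders": true`, `"useLabelFile": false`), since this article was the one place that documented training from subfolders of the SAS-URL container.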
applied-ai-services Compose Custom Models V2 1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/compose-custom-models-v2-1.md
- Title: "How to guide: create and compose custom models with Form Recognizer v2.1"-
-description: Learn how to create, compose use, and manage custom models with Form Recognizer v2.1
----- Previously updated : 08/22/2022-
-recommendations: false
--
-# Compose custom models v2.1
-
-> [!NOTE]
-> This how-to guide references Form Recognizer v2.1 . To try Form Recognizer v3.0 , see [Compose custom models v3.0](compose-custom-models-v3.md).
-
-Form Recognizer uses advanced machine-learning technology to detect and extract information from document images and return the extracted data in a structured JSON output. With Form Recognizer, you can train standalone custom models or combine custom models to create composed models.
-
-* **Custom models**. Form Recognizer custom models enable you to analyze and extract data from forms and documents specific to your business. Custom models are trained for your distinct data and use cases.
-
-* **Composed models**. A composed model is created by taking a collection of custom models and assigning them to a single model that encompasses your form types. When a document is submitted to a composed model, the service performs a classification step to decide which custom model accurately represents the form presented for analysis.
-
-In this article, you'll learn how to create Form Recognizer custom and composed models using our [Form Recognizer Sample Labeling tool](label-tool.md), [REST APIs](quickstarts/client-library.md?branch=main&pivots=programming-language-rest-api#train-a-custom-model), or [client-library SDKs](quickstarts/client-library.md?branch=main&pivots=programming-language-csharp#train-a-custom-model).
-
-## Sample Labeling tool
-
-Try extracting data from custom forms using our Sample Labeling tool. You'll need the following resources:
-
-* An Azure subscriptionΓÇöyou can [create one for free](https://azure.microsoft.com/free/cognitive-services/)
-
-* A [Form Recognizer instance](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) in the Azure portal. You can use the free pricing tier (`F0`) to try the service. After your resource deploys, select **Go to resource** to get your key and endpoint.
-
- :::image type="content" source="media/containers/keys-and-endpoint.png" alt-text="Screenshot: keys and endpoint location in the Azure portal.":::
-
-> [!div class="nextstepaction"]
-> [Try it](https://fott-2-1.azurewebsites.net/projects/create)
-
-In the Form Recognizer UI:
-
-1. Select **Use Custom to train a model with labels and get key value pairs**.
-
- :::image type="content" source="media/label-tool/fott-use-custom.png" alt-text="Screenshot of the FOTT tool select custom model option.":::
-
-1. In the next window, select **New project**:
-
- :::image type="content" source="media/label-tool/fott-new-project.png" alt-text="Screenshot of the FOTT tool select new project option.":::
-
-## Create your models
-
-The steps for building, training, and using custom and composed models are as follows:
-
-* [**Assemble your training dataset**](#assemble-your-training-dataset)
-* [**Upload your training set to Azure blob storage**](#upload-your-training-dataset)
-* [**Train your custom model**](#train-your-custom-model)
-* [**Compose custom models**](#create-a-composed-model)
-* [**Analyze documents**](#analyze-documents-with-your-custom-or-composed-model)
-* [**Manage your custom models**](#manage-your-custom-models)
-
-## Assemble your training dataset
-
-Building a custom model begins with establishing your training dataset. You'll need a minimum of five completed forms of the same type for your sample dataset. They can be of different file types (jpg, png, pdf, tiff) and contain both text and handwriting. Your forms must follow the [input requirements](build-training-data-set.md#custom-model-input-requirements) for Form Recognizer.
-
-## Upload your training dataset
-
-You'll need to [upload your training data](build-training-data-set.md#upload-your-training-data)
-to an Azure blob storage container. If you don't know how to create an Azure storage account with a container, *see* [Azure Storage quickstart for Azure portal](../../storage/blobs/storage-quickstart-blobs-portal.md). You can use the free pricing tier (F0) to try the service, and upgrade later to a paid tier for production.
-
-## Train your custom model
-
-You [train your model](./quickstarts/try-sdk-rest-api.md#train-a-custom-model) with labeled data sets. Labeled datasets rely on the prebuilt-layout API, but supplementary human input is included such as your specific labels and field locations. Start with at least five completed forms of the same type for your labeled training data.
-
-When you train with labeled data, the model uses supervised learning to extract values of interest, using the labeled forms you provide. Labeled data results in better-performing models and can produce models that work with complex forms or forms containing values without keys.
-
-Form Recognizer uses the [Layout](concept-layout.md) API to learn the expected sizes and positions of typeface and handwritten text elements and extract tables. Then it uses user-specified labels to learn the key/value associations and tables in the documents. We recommend that you use five manually labeled forms of the same type (same structure) to get started when training a new model. Add more labeled data as needed to improve the model accuracy. Form Recognizer enables training a model to extract key value pairs and tables using supervised learning capabilities.
-
-[Get started with Train with labels](label-tool.md)
-
-> [!VIDEO https://learn.microsoft.com/Shows/Docs-Azure/Azure-Form-Recognizer/player]
-
-## Create a composed model
-
-> [!NOTE]
-> **Model Compose is only available for custom models trained _with_ labels.** Attempting to compose unlabeled models will produce an error.
-
-With the Model Compose operation, you can assign up to 100 trained custom models to a single model ID. When you call Analyze with the composed model ID, Form Recognizer will first classify the form you submitted, choose the best matching assigned model, and then return results for that model. This operation is useful when incoming forms may belong to one of several templates.
-
-Using the Form Recognizer Sample Labeling tool, the REST API, or the Client-library SDKs, follow the steps below to set up a composed model:
-
-1. [**Gather your custom model IDs**](#gather-your-custom-model-ids)
-1. [**Compose your custom models**](#compose-your-custom-models)
-
-#### Gather your custom model IDs
-
-Once the training process has successfully completed, your custom model will be assigned a model ID. You can retrieve a model ID as follows:
-
-### [**Form Recognizer Sample Labeling tool**](#tab/fott)
-
-When you train models using the [**Form Recognizer Sample Labeling tool**](https://fott-2-1.azurewebsites.net/), the model ID is located in the Train Result window:
--
-### [**REST API**](#tab/rest-api)
-
-The [**REST API**](./quickstarts/try-sdk-rest-api.md?pivots=programming-language-rest-api#train-a-custom-model) will return a `201 (Success)` response with a **Location** header. The value of the last parameter in this header is the model ID for the newly trained model:
--
-### [**Client-library SDKs**](#tab/sdks)
-
- The [**client-library SDKs**](./quickstarts/try-sdk-rest-api.md?pivots=programming-language-csharp#train-a-custom-model) return a model object that can be queried to return the trained model ID:
-
-* C\# | [CustomFormModel Class](/dotnet/api/azure.ai.formrecognizer.training.customformmodel?view=azure-dotnet&preserve-view=true#properties "Azure SDK for .NET")
-
-* Java | [CustomFormModelInfo Class](/java/api/com.azure.ai.formrecognizer.training.models.customformmodelinfo?view=azure-java-stable&preserve-view=true#methods "Azure SDK for Java")
-
-* JavaScript | CustomFormModelInfo interface
-
-* Python | [CustomFormModelInfo Class](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.customformmodelinfo?view=azure-python&preserve-view=true&branch=main#variables "Azure SDK for Python")
---
-#### Compose your custom models
-
-After you've gathered your custom models corresponding to a single form type, you can compose them into a single model.
-
-### [**Form Recognizer Sample Labeling tool**](#tab/fott)
-
-The **Sample Labeling tool** enables you to quickly get started training models and composing them to a single model ID.
-
-After you have completed training, compose your models as follows:
-
-1. On the left rail menu, select the **Model Compose** icon (merging arrow).
-
-1. In the main window, select the models you wish to assign to a single model ID. Models with the arrows icon are already composed models.
-
-1. Choose the **Compose button** from the upper-left corner.
-
-1. In the pop-up window, name your newly composed model and select **Compose**.
-
-When the operation completes, your newly composed model will appear in the list.
-
- :::image type="content" source="media/custom-model-compose.png" alt-text="Screenshot of the model compose window." lightbox="media/custom-model-compose-expanded.png":::
-
-### [**REST API**](#tab/rest-api)
-
-Using the **REST API**, you can make a [**Compose Custom Model**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/ComposeDocumentModel) request to create a single composed model from existing models. The request body requires a string array of your `modelIds` to compose and you can optionally define the `modelName`.
-
-### [**Client-library SDKs**](#tab/sdks)
-
-Use the programming language code of your choice to create a composed model that will be called with a single model ID. Below are links to code samples that demonstrate how to create a composed model from existing custom models:
-
-* [**C#/.NET**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_ModelCompose.md).
-
-* [**Java**](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/ComposeDocumentModel.java).
-
-* [**JavaScript**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v3/javascript/createComposedModel.js).
-
-* [**Python**](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2/sample_compose_model.py)
---
-## Analyze documents with your custom or composed model
-
- The custom form **Analyze** operation requires you to provide the `modelID` in the call to Form Recognizer. You can provide a single custom model ID or a composed model ID for the `modelID` parameter.
-
-### [**Form Recognizer Sample Labeling tool**](#tab/fott)
-
-1. On the tool's left-pane menu, select the **Analyze icon** (light bulb).
-
-1. Choose a local file or image URL to analyze.
-
-1. Select the **Run Analysis** button.
-
-1. The tool will apply tags in bounding boxes and report the confidence percentage for each tag.
--
-### [**REST API**](#tab/rest-api)
-
-Using the REST API, you can make an [Analyze Document](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) request to analyze a document and extract key-value pairs and table data.
-
-### [**Client-library SDKs**](#tab/sdks)
-
-Using the programming language of your choice to analyze a form or document with a custom or composed model. You'll need your Form Recognizer endpoint, key, and model ID.
-
-* [**C#/.NET**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_ModelCompose.md)
-
-* [**Java**](https://github.com/Azure/azure-sdk-for-javocumentFromUrl.java)
-
-* [**JavaScript**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v3/javascript/recognizeCustomForm.js)
-
-* [**Python**](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.1/sample_recognize_custom_forms.py)
---
-Test your newly trained models by [analyzing forms](./quickstarts/try-sdk-rest-api.md#analyze-forms-with-a-custom-model) that weren't part of the training dataset. Depending on the reported accuracy, you may want to do further training to improve the model. You can continue further training to [improve results](label-tool.md#improve-results).
-
-## Manage your custom models
-
-You can [manage your custom models](./quickstarts/try-sdk-rest-api.md#manage-custom-models) throughout their lifecycle by viewing a [list of all custom models](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/GetModels) under your subscription, retrieving information about [a specific custom model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/GetModel), and [deleting custom models](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/DeleteModel) from your account.
-
-Great! You've learned the steps to create custom and composed models and use them in your Form Recognizer projects and applications.
-
-## Next steps
-
-Learn more about the Form Recognizer client library by exploring our API reference documentation.
-
-> [!div class="nextstepaction"]
-> [Form Recognizer API reference](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)
->
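Review bot: two defects in the removed "Client-library SDKs" list under "Analyze documents" should not be carried into whatever page replaces this one: the Java entry links to a truncated URL, `https://github.com/Azure/azure-sdk-for-javocumentFromUrl.java`, and the JavaScript entry under "Gather your custom model IDs" (`CustomFormModelInfo interface`) has no link at all. Since the other hunks in this change repoint readers to `how-to-guides/compose-custom-models.md`, make sure the moved copy gets the full Java sample URL and a JavaScript link, and that a redirect from the old article path is in place so inbound links keep resolving.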
applied-ai-services Compose Custom Models V3 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/compose-custom-models-v3.md
- Title: "How to guide: create and compose custom models with Form Recognizer v2.0"-
-description: Learn how to create, use, and manage Form Recognizer v2.0 custom and composed models
----- Previously updated : 08/22/2022-
-recommendations: false
--
-# Compose custom models v3.0
-
-> [!NOTE]
-> This how-to guide references Form Recognizer v3.0 . To use Form Recognizer v2.1 , see [Compose custom models v2.1](compose-custom-models-v2-1.md).
-
-A composed model is created by taking a collection of custom models and assigning them to a single model ID. You can assign up to 100 trained custom models to a single composed model ID. When a document is submitted to a composed model, the service performs a classification step to decide which custom model accurately represents the form presented for analysis. Composed models are useful when you've trained several models and want to group them to analyze similar form types. For example, your composed model might include custom models trained to analyze your supply, equipment, and furniture purchase orders. Instead of manually trying to select the appropriate model, you can use a composed model to determine the appropriate custom model for each analysis and extraction.
-
-To learn more, see [Composed custom models](concept-composed-models.md).
-
-In this article, you'll learn how to create and use composed custom models to analyze your forms and documents.
-
-## Prerequisites
-
-To get started, you'll need the following resources:
-
-* **An Azure subscription**. You can [create a free Azure subscription](https://azure.microsoft.com/free/cognitive-services/).
-
-* **A Form Recognizer instance**. Once you have your Azure subscription, [create a Form Recognizer resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) in the Azure portal to get your key and endpoint. If you have an existing Form Recognizer resource, navigate directly to your resource page. You can use the free pricing tier (F0) to try the service, and upgrade later to a paid tier for production.
-
- 1. After the resource deploys, select **Go to resource**.
-
- 1. Copy the **Keys and Endpoint** values from the Azure portal and paste them in a convenient location, such as *Microsoft Notepad*. You'll need the key and endpoint values to connect your application to the Form Recognizer API.
-
- :::image border="true" type="content" source="media/containers/keys-and-endpoint.png" alt-text="Still photo showing how to access resource key and endpoint URL.":::
-
- > [!TIP]
- > For more information, see [**create a Form Recognizer resource**](create-a-form-recognizer-resource.md).
-
-* **An Azure storage account.** If you don't know how to create an Azure storage account, follow the [Azure Storage quickstart for Azure portal](../../storage/blobs/storage-quickstart-blobs-portal.md). You can use the free pricing tier (F0) to try the service, and upgrade later to a paid tier for production.
-
-## Create your custom models
-
-First, you'll need a set of custom models to compose. You can use the Form Recognizer Studio, REST API, or client-library SDKs. The steps are as follows:
-
-* [**Assemble your training dataset**](#assemble-your-training-dataset)
-* [**Upload your training set to Azure blob storage**](#upload-your-training-dataset)
-* [**Train your custom models**](#train-your-custom-model)
-
-## Assemble your training dataset
-
-Building a custom model begins with establishing your training dataset. You'll need a minimum of five completed forms of the same type for your sample dataset. They can be of different file types (jpg, png, pdf, tiff) and contain both text and handwriting. Your forms must follow the [input requirements](build-training-data-set.md#custom-model-input-requirements) for Form Recognizer.
-
->[!TIP]
-> Follow these tips to optimize your data set for training:
->
-> * If possible, use text-based PDF documents instead of image-based documents. Scanned PDFs are handled as images.
-> * For filled-in forms, use examples that have all of their fields filled in.
-> * Use forms with different values in each field.
-> * If your form images are of lower quality, use a larger data set (10-15 images, for example).
-
-See [Build a training data set](./build-training-data-set.md) for tips on how to collect your training documents.
-
-## Upload your training dataset
-
-When you've gathered a set of training documents, you'll need to [upload your training data](build-training-data-set.md#upload-your-training-data) to an Azure blob storage container.
-
-If you want to use manually labeled data, you'll also have to upload the *.labels.json* and *.ocr.json* files that correspond to your training documents.
-
-## Train your custom model
-
-When you [train your model](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects) with labeled data, the model uses supervised learning to extract values of interest, using the labeled forms you provide. Labeled data results in better-performing models and can produce models that work with complex forms or forms containing values without keys.
-
-Form Recognizer uses the [prebuilt-layout model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) API to learn the expected sizes and positions of typeface and handwritten text elements and extract tables. Then it uses user-specified labels to learn the key/value associations and tables in the documents. We recommend that you use five manually labeled forms of the same type (same structure) to get started with training a new model. Then, add more labeled data, as needed, to improve the model accuracy. Form Recognizer enables training a model to extract key-value pairs and tables using supervised learning capabilities.
-
-### [Form Recognizer Studio](#tab/studio)
-
-To create custom models, start with configuring your project:
-
-1. From the Studio homepage, select [**Create new**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects) from the Custom model card.
-
-1. Use the Γ₧ò **Create a project** command to start the new project configuration wizard.
-
-1. Enter project details, select the Azure subscription and resource, and the Azure Blob storage container that contains your data.
-
-1. Review and submit your settings to create the project.
--
-While creating your custom models, you may need to extract data collections from your documents. The collections may appear one of two formats. Using tables as the visual pattern:
-
-* Dynamic or variable count of values (rows) for a given set of fields (columns)
-
-* Specific collection of values for a given set of fields (columns and/or rows)
-
-See [Form Recognizer Studio: labeling as tables](quickstarts/try-v3-form-recognizer-studio.md#labeling-as-tables)
-
-### [REST API](#tab/rest)
-
-Training with labels leads to better performance in some scenarios. To train with labels, you need to have special label information files (*\<filename\>.pdf.labels.json*) in your blob storage container alongside the training documents.
-
-Label files contain key-value associations that a user has entered manually. They're needed for labeled data training, but not every source file needs to have a corresponding label file. Source files without labels will be treated as ordinary training documents. We recommend five or more labeled files for reliable training. You can use a UI tool like [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/customform/projects) to generate these files.
-
-Once you have your label files, you can include them with by calling the training method with the *useLabelFile* parameter set to `true`.
--
-### [Client-libraries](#tab/sdks)
-
-Training with labels leads to better performance in some scenarios. To train with labels, you need to have special label information files (*\<filename\>.pdf.labels.json*) in your blob storage container alongside the training documents. Once you've them, you can call the training method with the *useTrainingLabels* parameter set to `true`.
-
-|Language |Method|
-|--|--|
-|**C#**|**StartBuildModel**|
-|**Java**| [**beginBuildModel**](/java/api/com.azure.ai.formrecognizer.documentanalysis.administration.documentmodeladministrationclient.beginbuildmodel)|
-|**JavaScript** | [**beginBuildModel**](/javascript/api/@azure/ai-form-recognizer/documentmodeladministrationclient?view=azure-node-latest#@azure-ai-form-recognizer-documentmodeladministrationclient-beginbuildmodel&preserve-view=true)|
-| **Python** | [**begin_build_model**](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.aio.documentmodeladministrationclient?view=azure-python#azure-ai-formrecognizer-aio-documentmodeladministrationclient-begin-build-model&preserve-view=true)
---
-## Create a composed model
-
-> [!NOTE]
-> **the `create compose model` operation is only available for custom models trained _with_ labels.** Attempting to compose unlabeled models will produce an error.
-
-With the [**create compose model**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/ComposeDocumentModel) operation, you can assign up to 100 trained custom models to a single model ID. When analyze documents with a composed model, Form Recognizer first classifies the form you submitted, then chooses the best matching assigned model, and returns results for that model. This operation is useful when incoming forms may belong to one of several templates.
-
-### [Form Recognizer Studio](#tab/studio)
-
-Once the training process has successfully completed, you can begin to build your composed model. Here are the steps for creating and using composed models:
-
-* [**Gather your custom model IDs**](#gather-your-model-ids)
-* [**Compose your custom models**](#compose-your-custom-models)
-* [**Analyze documents**](#analyze-documents)
-* [**Manage your composed models**](#manage-your-composed-models)
-
-#### Gather your model IDs
-
-When you train models using the [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/), the model ID is located in the models menu under a project:
--
-#### Compose your custom models
-
-1. Select a custom models project.
-
-1. In the project, select the ```Models``` menu item.
-
-1. From the resulting list of models, select the models you wish to compose.
-
-1. Choose the **Compose button** from the upper-left corner.
-
-1. In the pop-up window, name your newly composed model and select **Compose**.
-
-1. When the operation completes, your newly composed model will appear in the list.
-
-1. Once the model is ready, use the **Test** command to validate it with your test documents and observe the results.
-
-#### Analyze documents
-
-The custom model **Analyze** operation requires you to provide the `modelID` in the call to Form Recognizer. You should provide the composed model ID for the `modelID` parameter in your applications.
--
-#### Manage your composed models
-
-You can manage your custom models throughout life cycles:
-
-* Test and validate new documents.
-* Download your model to use in your applications.
-* Delete your model when its lifecycle is complete.
--
-### [REST API](#tab/rest)
-
-Once the training process has successfully completed, you can begin to build your composed model. Here are the steps for creating and using composed models:
-
-* [**Compose your custom models**](#compose-your-custom-models)
-* [**Analyze documents**](#analyze-documents)
-* [**Manage your composed models**](#manage-your-composed-models)
--
-#### Compose your custom models
-
-The [compose model API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/ComposeDocumentModel) accepts a list of model IDs to be composed.
--
-#### Analyze documents
-
-To make an [**Analyze document**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) request, use a unique model name in the request parameters.
--
-#### Manage your composed models
-
-You can manage custom models throughout your development needs including [**copying**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/CopyDocumentModelTo), [**listing**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/GetModels), and [**deleting**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/DeleteModel) your models.
-
-### [Client-libraries](#tab/sdks)
-
-Once the training process has successfully completed, you can begin to build your composed model. Here are the steps for creating and using composed models:
-
-* [**Create a composed model**](#create-a-composed-model)
-* [**Analyze documents**](#analyze-documents)
-* [**Manage your composed models**](#manage-your-composed-models)
-
-#### Create a composed model
-
-You can use the programming language of your choice to create a composed model:
-
-| Programming language| Code sample |
-|--|--|
-|**C#** | [Model compose](https://github.com/Azure/azure-sdk-for-net/blob/Azure.AI.FormRecognizer_4.0.0/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_ModelCompose.md)
-|**Java** | [Model compose](https://github.com/Azure/azure-sdk-for-java/blob/afa0d44fa42979ae9ad9b92b23cdba493a562127/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/ComposeDocumentModel.java)
-|**JavaScript** | [Compose model](https://github.com/witemple-msft/azure-sdk-for-js/blob/7e3196f7e529212a6bc329f5f06b0831bf4cc174/sdk/formrecognizer/ai-form-recognizer/samples/v4/javascript/composeModel.js)
-|**Python** | [Create composed model](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2/sample_compose_model.py)
-
-#### Analyze documents
-
-Once you've built your composed model, you can use it to analyze forms and documents. Use your composed `model ID` and let the service decide which of your aggregated custom models fits best according to the document provided.
-
-|Programming language| Code sample |
-|--|--|
-|**C#** | [Analyze a document with a custom/composed model using model ID](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_AnalyzeWithCustomModel.md)
-|**Java** | [Analyze a document with a custom/composed model using model ID](https://github.com/Azure/azure-sdk-for-javocumentFromUrl.java)
-|**JavaScript** | [Analyze a document with a custom/composed model using model ID](https://github.com/witemple-msft/azure-sdk-for-js/blob/7e3196f7e529212a6bc329f5f06b0831bf4cc174/sdk/formrecognizer/ai-form-recognizer/samples/v4/javascript/analyzeDocumentByModelId.js)
-|**Python** | [Analyze a document with a custom/composed model using model ID](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2/sample_analyze_custom_documents.py)
-
-## Manage your composed models
-
-You can manage a custom model at each stage in its life cycles. You can copy a custom model between resources, view a list of all custom models under your subscription, retrieve information about a specific custom model, and delete custom models from your account.
-
-|Programming language| Code sample |
-|--|--|
-|**C#** | [Copy a custom model between Form Recognizer resources](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_CopyCustomModel.md#copy-a-custom-model-between-form-recognizer-resources)|
-|**Java** | [Copy a custom model between Form Recognizer resources](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/CopyDocumentModel.java)|
-|**JavaScript** | [Copy a custom model between Form Recognizer resources](https://github.com/witemple-msft/azure-sdk-for-js/blob/7e3196f7e529212a6bc329f5f06b0831bf4cc174/sdk/formrecognizer/ai-form-recognizer/samples/v4/javascript/copyModel.js)|
-|**Python** | [Copy a custom model between Form Recognizer resources](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2/sample_copy_model_to.py)|
---
-## Next steps
-
-Try one of our Form Recognizer quickstarts:
-
-> [!div class="nextstepaction"]
-> [Form Recognizer Studio](quickstarts/try-v3-form-recognizer-studio.md)
-
-> [!div class="nextstepaction"]
-> [REST API](quickstarts/get-started-v3-sdk-rest-api.md)
-
-> [!div class="nextstepaction"]
-> [C#](quickstarts/get-started-v3-sdk-rest-api.md#prerequisites)
-
-> [!div class="nextstepaction"]
-> [Java](quickstarts/get-started-v3-sdk-rest-api.md)
-
-> [!div class="nextstepaction"]
-> [JavaScript](quickstarts/get-started-v3-sdk-rest-api.md)
-
-> [!div class="nextstepaction"]
-> [Python](quickstarts/get-started-v3-sdk-rest-api.md)
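Review bot: removing this article wholesale is reasonable given it disagrees with itself about the version (front-matter title and description say `v2.0`, the H1 and the note say `v3.0`) and names the labeled-training flag two ways (`useLabelFile` in the REST tab, `useTrainingLabels` in the client-libraries tab); the replacement should settle on one version and one parameter name. Two link problems here must not be copied over: the Java "Analyze documents" sample is the truncated `https://github.com/Azure/azure-sdk-for-javocumentFromUrl.java`, and the JavaScript compose, analyze and copy samples point at a personal fork (`github.com/witemple-msft/azure-sdk-for-js` pinned to a commit) instead of `Azure/azure-sdk-for-js`. A redirect from `compose-custom-models-v3.md` to `how-to-guides/compose-custom-models.md` is needed, since `concept-composed-models.md` in this same change now links the new path.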
applied-ai-services Concept Accuracy Confidence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-accuracy-confidence.md
Previously updated : 02/15/2022 Last updated : 10/10/2022
The accuracy of your model is affected by variances in the visual structure of y
* Separate visually distinct document types to train different models. * As a general rule, if you remove all user entered values and the documents look similar, you need to add more training data to the existing model.
- * If the documents are dissimilar, split your training data into different folders and train a model for each variation. You can then [compose](compose-custom-models-v2-1.md#create-a-composed-model) the different variations into a single model.
+ * If the documents are dissimilar, split your training data into different folders and train a model for each variation. You can then [compose](how-to-guides/compose-custom-models.md?view=form-recog-2.1.0&preserve-view=true#create-a-composed-model) the different variations into a single model.
* Make sure that you don't have any extraneous labels.
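Review bot: the new target `how-to-guides/compose-custom-models.md?view=form-recog-2.1.0&preserve-view=true#create-a-composed-model` pins the 2.1 moniker, which matches the intent of the removed `compose-custom-models-v2-1.md` link, but the `#create-a-composed-model` anchor has to exist in the versioned page; the `concept-composed-models.md` hunk in this change links the same file without any `?view=` parameter, so confirm the default moniker resolves the same way in both places.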
applied-ai-services Concept Business Card https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-business-card.md
Previously updated : 08/22/2022 Last updated : 10/10/2022 recommendations: false
The following tools are supported by Form Recognizer v3.0:
| Feature | Resources | Model ID | |-|-|--|
-|**Business card model**| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|**prebuilt-businessCard**|
+|**Business card model**| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li><li>[**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li><li>[**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li><li>[**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li></ul>|**prebuilt-businessCard**|
The following tools are supported by Form Recognizer v2.1:
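Review bot: after this change the C#, Python, Java and JavaScript SDK cells all resolve to the identical URL, `quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true`, with no language-specific anchor; if the target page has per-language sections, add anchors for each, otherwise collapse the four entries into one `SDKs` link so the table does not present four identical links as four choices.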
applied-ai-services Concept Composed Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-composed-models.md
Previously updated : 08/22/2022 Last updated : 10/10/2022 recommendations: false
With composed models, you can assign multiple custom models to a composed model
### Composed model compatibility
-|Custom model type |Models trained with version 2.1 and v2.0 | Custom template models (3.0) preview | Custom neural models 3.0 Preview |Custom neural models 3.0 GA|
+|Custom model type|Models trained with v2.1 and v2.0| Custom template models v3.0 (preview)|Custom neural models v3.0 (preview)|Custom neural models 3.0 (GA)|
|--|--|--|--|--|
-| Models trained with version 2.1 and v2.0 | Supported | Supported | Not Supported | Not Supported |
-| Custom template models (3.0) preview | Supported |Supported | Not Supported | Not Supported |
-| Custom template models 3.0 GA | Not Supported |Not Supported | Supported | Not Supported |
-| Custom neural models 3.0 Preview | Not Supported | NotSupported | Supported | Not Supported |
-|Custom Neural models 3.0 GA| Not Supported | NotSupported |NotSupported |Supported |
-
+|**Models trained with version 2.1 and v2.0** |Supported|Supported|Not Supported|Not Supported|
+|**Custom template models v3.0 (preview)** |Supported|Supported|Not Supported|NotSupported|
+|**Custom template models v3.0 (GA)** |Not Supported|Not Supported|Supported|Not Supported|
+|**Custom neural models v3.0 (preview)**|Not Supported|Not Supported|Supported|Not Supported|
+|**Custom Neural models v3.0 (GA)**|Not Supported|Not Supported|Not Supported|Supported|
* To compose a model trained with a prior version of the API (v2.1 or earlier), train a model with the v3.0 API using the same labeled dataset. That addition will ensure that the v2.1 model can be composed with other models.
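Review bot: the rebuilt compatibility table is still not square: the header row lists four model types (v2.1/v2.0, template v3.0 preview, neural v3.0 preview, neural 3.0 GA) while the body lists five, including `Custom template models v3.0 (GA)`, so that row's single `Supported` cell falls under the `Custom neural models v3.0 (preview)` column and reads as if template GA composes only with neural preview. Add a `Custom template models v3.0 (GA)` column (or drop the row) so every type appears on both axes. Two nits on the `+` lines: `NotSupported` is missing its space in the `Custom template models v3.0 (preview)` row, and the last header cell reads `Custom neural models 3.0 (GA)` while every other cell writes `v3.0`.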
With composed models, you can assign multiple custom models to a composed model
## Development options The following resources are supported by Form Recognizer **v3.0** : | Feature | Resources | |-|-|
-|_**Custom model**_| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[Java SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[JavaScript SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[Python SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|
+|_**Custom model**_| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li><li>[Java SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li><li>[JavaScript SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li><li>[Python SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li></ul>|
| _**Composed model**_| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/ComposeDocumentModel)</li><li>[C# SDK](/dotnet/api/azure.ai.formrecognizer.training.formtrainingclient.startcreatecomposedmodel)</li><li>[Java SDK](/java/api/com.azure.ai.formrecognizer.training.formtrainingclient.begincreatecomposedmodel)</li><li>[JavaScript SDK](/javascript/api/@azure/ai-form-recognizer/documentmodeladministrationclient?view=azure-node-latest#@azure-ai-form-recognizer-documentmodeladministrationclient-begincomposemodel&preserve-view=true)</li><li>[Python SDK](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formtrainingclient?view=azure-python#azure-ai-formrecognizer-formtrainingclient-begin-create-composed-model&preserve-view=true)</li></ul>|+ The following resources are supported by Form Recognizer v2.1:
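Review bot: the `Composed model` row kept on this hunk's trailing context line still links the C#, Java and Python SDKs to the v2-era `FormTrainingClient` compose methods (`startcreatecomposedmodel`, `begincreatecomposedmodel`, `begin_create_composed_model`) under a table headed `v3.0`, while the JavaScript cell already points at `DocumentModelAdministrationClient.beginComposeModel`; since the `Custom model` row's SDK links are being updated here, move the composed-model row onto the v3 administration client as well. The `+ The following resources are supported by Form Recognizer v2.1:` fragment fused onto the end of that row also suggests the added sentence landed on the same line as the table; check that a blank line separates them in the source.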
The following resources are supported by Form Recognizer v2.1:
|-|-| |_**Custom model**_| <ul><li>[Form Recognizer labeling tool](https://fott-2-1.azurewebsites.net)</li><li>[REST API](quickstarts/try-sdk-rest-api.md?pivots=programming-language-rest-api#analyze-forms-with-a-custom-model)</li><li>[Client library SDK](quickstarts/try-sdk-rest-api.md)</li><li>[Form Recognizer Docker container](containers/form-recognizer-container-install-run.md?tabs=custom#run-the-container-with-the-docker-compose-up-command)</li></ul>| | _**Composed model**_ |<ul><li>[Form Recognizer labeling tool](https://fott-2-1.azurewebsites.net/)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/Compose)</li><li>[C# SDK](/dotnet/api/azure.ai.formrecognizer.training.createcomposedmodeloperation?view=azure-dotnet&preserve-view=true)</li><li>[Java SDK](/java/api/com.azure.ai.formrecognizer.models.createcomposedmodeloptions?view=azure-java-stable&preserve-view=true)</li><li>JavaScript SDK</li><li>[Python SDK](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formtrainingclient?view=azure-python#azure-ai-formrecognizer-formtrainingclient-begin-create-composed-model&preserve-view=true)</li></ul>|- ## Next steps Learn to create and compose custom models: > [!div class="nextstepaction"]
-> [**Form Recognizer v2.1**](compose-custom-models-v2-1.md)
+> [**Build a custom model**](how-to-guides/build-a-custom-model.md)
+> [**Compose custom models**](how-to-guides/compose-custom-models.md)
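Review bot: in the v3.0 composed-model row (the `+` table line at the top of this hunk) the C#, Java and Python SDK links all resolve to `FormTrainingClient` members (`azure.ai.formrecognizer.training.formtrainingclient.startcreatecomposedmodel`, `com.azure.ai.formrecognizer.training.formtrainingclient.begincreatecomposedmodel`, `formtrainingclient...begin-create-composed-model`), which is the v2 training client, while only the JavaScript link points at the v3 `documentmodeladministrationclient` compose operation; for a table headed as v3.0 resources, all four SDK links should target the document model administration client. Also, the replacement Next steps drops the `> [**Form Recognizer v2.1**](compose-custom-models-v2-1.md)` link even though this article still carries a "supported by Form Recognizer v2.1" resources table, so keep a v2.1 pointer next to the two new how-to links.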
applied-ai-services Concept Custom Neural https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-custom-neural.md
Previously updated : 08/02/2022 Last updated : 10/10/2022 recommendations: false
Custom neural models are only available in the [v3 API](v3-migration-guide.md).
| Document Type | REST API | SDK | Label and Test Models| |--|--|--|--|
-| Custom document | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)
+| Custom document | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)
The build operation to train model supports a new ```buildMode``` property, to train a custom neural model, set the ```buildMode``` to ```neural```.
https://{endpoint}/formrecognizer/documentModels:build?api-version=2022-08-31
## Next steps
-* Train a custom model:
+Learn to create and compose custom models:
- > [!div class="nextstepaction"]
- > [How to train a model](how-to-guides/build-custom-model-v3.md)
-
-* Learn more about custom template models:
-
- > [!div class="nextstepaction"]
- > [Custom template models](concept-custom-template.md )
-
-* View the REST API:
-
- > [!div class="nextstepaction"]
- > [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)
+> [!div class="nextstepaction"]
+> [**Build a custom model**](how-to-guides/build-a-custom-model.md)
+> [**Compose custom models**](how-to-guides/compose-custom-models.md)
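Review bot: the replaced Next steps block removes the `[Custom template models](concept-custom-template.md)` cross-reference and the `[Form Recognizer API v3.0](...AnalyzeDocument)` REST link, leaving only the two how-to links; since the body of this article still states that custom neural models are only available in the v3 API and shows the `documentModels:build?api-version=2022-08-31` endpoint, keep a link to the REST reference, and keep the sibling template-model link so readers can compare the two custom model types. Minor: the `+` table row preserves the trailing space inside the link text `[Form Recognizer 3.0 ]`, which renders as an underlined trailing space; trim it while the line is being touched.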
applied-ai-services Concept Custom Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-custom-template.md
Previously updated : 08/22/2022 Last updated : 10/10/2022 recommendations: false
Template models are available generally [v3.0 API](https://westus.dev.cognitive.
| Model | REST API | SDK | Label and Test Models| |--|--|--|--|
-| Custom template | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)|
+| Custom template | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)|
| Custom template | [Form Recognizer 2.1 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm)| [Form Recognizer SDK](quickstarts/get-started-v2-1-sdk-rest-api.md?pivots=programming-language-python)| [Form Recognizer Sample labeling tool](https://fott-2-1.azurewebsites.net/)| On the v3 API, the build operation to train model supports a new ```buildMode``` property, to train a custom template model, set the ```buildMode``` to ```template```.
https://{endpoint}/formrecognizer/documentModels:build?api-version=2022-08-31
} ``` - ## Next steps
-* * Train a custom model:
-
- > [!div class="nextstepaction"]
- > [How to train a model](how-to-guides/build-custom-model-v3.md)
-
-* Learn more about custom neural models:
-
- > [!div class="nextstepaction"]
- > [Custom neural models](concept-custom-neural.md )
-
-* View the REST API:
+Learn to create and compose custom models:
- > [!div class="nextstepaction"]
- > [Form Recognizer API v2.1](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm)
+> [!div class="nextstepaction"]
+> [**Build a custom model**](how-to-guides/build-a-custom-model.md)
+> [**Compose custom models**](how-to-guides/compose-custom-models.md)
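Review bot: this hunk also drops the `[Custom neural models](concept-custom-neural.md)` cross-reference and the `[Form Recognizer API v2.1](...AnalyzeWithCustomForm)` link from Next steps, yet the table directly above still has a `Form Recognizer 2.1` row for custom template models and the text scopes the `buildMode` property to the v3 API; readers on v2.1 lose their only API reference from this page, so keep that link (and the neural cross-link) alongside the new how-to links. The removed `* * Train a custom model:` double bullet was the right thing to fix, but the `} ``` -` fragment before `## Next steps` shows the blank line after the closing code fence is also being removed; confirm a blank line remains so the heading is not glued to the fence.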
applied-ai-services Concept Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-custom.md
The following tools are supported by Form Recognizer v3.0:
| Feature | Resources | Model ID| |||:|
-|Custom model| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/customform/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[Python SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|***custom-model-id***|
+|Custom model| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/customform/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li><li>[Python SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)</li></ul>|***custom-model-id***|
The following tools are supported by Form Recognizer v2.1:
The following table describes the features available with the associated tools a
| Document type | REST API | SDK | Label and Test Models| |--|--|--|--| | Custom form 2.1 | [Form Recognizer 2.1 GA API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm) | [Form Recognizer SDK](quickstarts/get-started-v2-1-sdk-rest-api.md?pivots=programming-language-python)| [Sample labeling tool](https://fott-2-1.azurewebsites.net/)|
-| Custom template 3.0 | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)|
-| Custom neural | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)
+| Custom template 3.0 | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)|
+| Custom neural | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)
> [!NOTE] > Custom template models trained with the 3.0 API will have a few improvements over the 2.1 API stemming from improvements to the OCR engine. Datasets used to train a custom template model using the 2.1 API can still be used to train a new model using the 3.0 API.
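Review bot: in the `+` Custom model row of the v3.0 table, the C# SDK and Python SDK links both point at the identical URL `quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true` with no language pivot, so the two links land on the same page and section; the v2.1 row in this same file uses `?pivots=programming-language-python`, so add the matching pivot to each. Also the `+` Custom neural row is missing its closing `|` (the Custom template 3.0 row directly above ends with one), and the alignment row `|||:|` under `| Feature | Resources | Model ID|` has malformed cells for a three-column header, which some Markdown renderers will refuse to render as a table.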
applied-ai-services Concept Form Recognizer Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/applied-ai-services/form-recognizer/concept-form-recognizer-studio.md
Previously updated : 08/22/2022 Last updated : 10/10/2022
+monikerRange: 'form-recog-3.0.0'
+recommendations: false
# Form Recognizer Studio
-[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/) is an online tool for visually exploring, understanding, and integrating features from the Form Recognizer service into your applications. Use the [Form Recognizer Studio quickstart](quickstarts/try-v3-form-recognizer-studio.md) to get started analyzing documents with pre-trained models. Build custom template models and reference the models in your applications using the [Python SDK v3.0](quickstarts/get-started-v3-sdk-rest-api.md) and other quickstarts.
+[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/) is an online tool for visually exploring, understanding, and integrating features from the Form Recognizer service into your applications. Use the [Form Recognizer Studio quickstart](quickstarts/try-v3-form-recognizer-studio.md) to get started analyzing documents with pre-trained models. Build custom template models and reference the models in your applications using the [Python SDK v3.0](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) and other quickstarts.
The following image shows the Invoice prebuilt model feature at work.
The following image shows the Invoice prebuilt model feature at work.
The following Form Recognizer service features are available in the Studio.
-* **Read**: Try out Form Recognizer's Read feature to extract text lines, words, detected languages, and handwritten style if detected. Start with the [Studio Read feature](https://formrecognizer.appliedai.azure.com/studio/read). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [Read overview](concept-read.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-v3-sdk-rest-api.md).
+* **Read**: Try out Form Recognizer's Read feature to extract text lines, words, detected languages, and handwritten style if detected. Start with the [Studio Read feature](https://formrecognizer.appliedai.azure.com/studio/read). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [Read overview](concept-read.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true).
-* **Layout**: Try out Form Recognizer's Layout feature to extract text, tables, selection marks, and structure information. Start with the [Studio Layout feature](https://formrecognizer.appliedai.azure.com/studio/layout). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [Layout overview](concept-layout.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-v3-sdk-rest-api.md#layout-model).
+* **Layout**: Try out Form Recognizer's Layout feature to extract text, tables, selection marks, and structure information. Start with the [Studio Layout feature](https://formrecognizer.appliedai.azure.com/studio/layout). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [Layout overview](concept-layout.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true#layout-model).
-* **General Documents**: Try out Form Recognizer's General Documents feature to extract key-value pairs and entities. Start with the [Studio General Documents feature](https://formrecognizer.appliedai.azure.com/studio/document). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [General Documents overview](concept-general-document.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model).
+* **General Documents**: Try out Form Recognizer's General Documents feature to extract key-value pairs and entities. Start with the [Studio General Documents feature](https://formrecognizer.appliedai.azure.com/studio/document). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [General Documents overview](concept-general-document.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true#general-document-model).
-* **Prebuilt models**: Form Recognizer's pre-built models enable you to add intelligent document processing to your apps and flows without having to train and build your own models. As an example, start with the [Studio Invoice feature](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice). Explore with sample documents and your documents. Use the interactive visualization, extracted fields list, and JSON output to understand how the feature works. See the [Models overview](concept-model-overview.md) to learn more and get started with the [Python SDK quickstart for Prebuilt Invoice](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model).
+* **Prebuilt models**: Form Recognizer's pre-built models enable you to add intelligent document processing to your apps and flows without having to train and build your own models. As an example, start with the [Studio Invoice feature](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice). Explore with sample documents and your documents. Use the interactive visualization, extracted fields list, and JSON output to understand how the feature works. See the [Models overview](concept-model-overview.md) to learn more and get started with the [Python SDK quickstart for Prebuilt Invoice](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true#prebuilt-model).
* **Custom models**: Form Recognizer's custom models enable you to extract fields and values from models trained with your data, tailored to your forms and documents. Create standalone custom models or combine two or more custom models to create a composed model to extract data from multiple form types. Start with the [Studio Custom models feature](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects). Use the online wizard, labeling interface, training step, and visualizations to understand how the feature works. Test the custom model with your sample documents and iterate to improve the model. See the [Custom models overview](concept-custom.md) to learn more and use the [Form Recognizer v3.0 migration guide](v3-migration-guide.md) to start integrating the new models with your applications. ## Next steps * Follow our [**Form Recognizer v3.0 migration guide**](v3-migration-guide.md) to learn the differences from the previous version of the REST API.
-* Explore our [**v3.0 SDK quickstarts**](quickstarts/get-started-v3-sdk-rest-api.md) to try the v3.0 features in your applications using the new SDKs.
-* Refer to our [**v3.0 REST API quickstarts**](quickstarts/get-started-v3-sdk-rest-api.md) to try the v3.0features using the new REST API.
+* Explore our [**v3.0 SDK quickstarts**](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) to try the v3.0 features in your applications using the new SDKs.
+* Refer to our [**v3.0 REST API quickstarts**](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) to try the v3.0features using the new REST API.
> [!div class="nextstepaction"] > [Form Recognizer Studio quickstart](qu
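Review bot: the `+` Read bullet links to `quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true` under the label `Python SDK quickstart for Layout`, and the General Documents bullet uses the same `... for Layout` label for a link ending in `#general-document-model`; both labels are carried over unchanged from the `-` lines, so fix them to name Read and General Documents while the links are being rewritten. In Next steps, `v3.0features` (missing space) is likewise preserved in the `+` line, and the "v3.0 SDK quickstarts" and "v3.0 REST API quickstarts" bullets now resolve to the exact same URL, so either differentiate them with an anchor or pivot or merge them into one bullet.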