Updates from: 10/19/2023 01:20:50
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Analytics With Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/analytics-with-application-insights.md
To disable Application Insights logs, change the `DisableTelemetry` metadata to
## Next steps
-Learn how to [create custom KPI dashboards using Azure Application Insights](../azure-monitor/app/tutorial-app-dashboards.md).
+Learn how to [create custom KPI dashboards using Azure Application Insights](../azure-monitor/app/overview-dashboard.md#create-custom-kpi-dashboards-using-application-insights).
::: zone-end
active-directory-b2c Partner Saviynt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-saviynt.md
Learn to integrate Azure Active Directory B2C (Azure AD B2C) with the Saviynt Security Manager platform, which has visibility, security, and governance. Saviynt incorporates application risk and governance, infrastructure management, privileged account management, and customer risk analysis.
-Learn more: [Saviynt for Azure AD B2C](https://saviynt.com/integrations/azure-ad/for-b2c/)
+Learn more: [Saviynt for Azure AD B2C](https://saviynt.com/integrations/old-version-azure-ad/for-b2c/)
Use the following instructions to set up access control delegated administration for Azure AD B2C users. Saviynt determines if a user is authorized to manage Azure AD B2C users with:
The Saviynt integration includes the following components:
* **Azure AD B2C** ΓÇô identity as a service for custom control of customer sign-up, sign-in, and profile management * See, [Azure AD B2C, Get started](https://azure.microsoft.com/services/active-directory/external-identities/b2c/) * **Saviynt for Azure AD B2C** ΓÇô identity governance for delegated administration of user life-cycle management and access governance
- * See, [Saviynt for Azure AD B2C](https://saviynt.com/integrations/azure-ad/for-b2c/)
+ * See, [Saviynt for Azure AD B2C](https://saviynt.com/integrations/old-version-azure-ad/for-b2c/)
* **Microsoft Graph API** ΓÇô interface for Saviynt to manage Azure AD B2C users and their access * See, [Use the Microsoft Graph API](/graph/use-the-api)
active-directory Resilience With Monitoring Alerting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilience-with-monitoring-alerting.md
For example, track the following metrics, since a sudden drop in either will lea
- **Previous period**: Create temporal charts to show changes in the Total requests and Success rate (%) over some previous period for reference purposes, for example, last week. -- **Alerting**: Using log analytics define [alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule) that get triggered when there are sudden changes in the key indicators. These changes may negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example:
+- **Alerting**: Using log analytics define [alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule) that get triggered when there are sudden changes in the key indicators. These changes might negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example:
- Alert against abrupt drop in Total requests: Trigger an alert when number of total requests drop abruptly. For example, when there's a 25% drop in the total number of requests compared to previous period, raise an alert. - Alert against significant drop in Success rate (%): Trigger an alert when success rate of the selected policy significantly drops. - Upon receiving an alert, troubleshoot the issue using [Log Analytics](/azure/azure-monitor/visualize/workbooks-view-designer-conversion-overview), [Application Insights](/azure/active-directory-b2c/troubleshoot-with-application-insights), and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c) for Azure AD B2C. After you resolve the issue and deploy an updated application or policy, it continues to monitor the key indicators until they return back to normal range.
For example, track the following metrics, since a sudden drop in either will lea
- **Service alerts**: Use the [Azure AD B2C service level alerts](/azure/service-health/service-health-overview) to get notified of service issues, planned maintenance, health advisory, and security advisory. - **Reporting**: [By using log analytics](../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md), build reports that help you gain understanding about user insights, technical challenges, and growth opportunities.
- - **Health Dashboard**: Create [custom dashboards using Azure Dashboard](/azure/azure-monitor/app/tutorial-app-dashboards) feature, which supports adding charts using Log Analytics queries. For example, identify pattern of successful and failed sign-ins, failure reasons and telemetry about devices used to make the requests.
+ - **Health Dashboard**: Create [custom dashboards using Azure Dashboard](../../azure-monitor/app/overview-dashboard.md#create-custom-kpi-dashboards-using-application-insights) feature, which supports adding charts using Log Analytics queries. For example, identify pattern of successful and failed sign-ins, failure reasons and telemetry about devices used to make the requests.
- **Abandon Azure AD B2C journeys**: Use the [workbook](https://github.com/azure-ad-b2c/siem#list-of-abandon-journeys) to track the list of abandoned Azure AD B2C journeys where user started the sign-in or sign-up journey but never finished it. It provides you details about policy ID and breakdown of steps that are taken by the user before abandoning the journey.
- - **Azure AD B2C monitoring workbooks**: Use the [monitoring workbooks](https://github.com/azure-ad-b2c/siem) that include Azure AD B2C dashboard, Multi-factor authentication (MFA) operations, Conditional Access report, and Search logs by correlationId. This practice provides better insights into the health of your Azure AD B2C environment.
+ - **Azure AD B2C monitoring workbooks**: Use the [monitoring workbooks](https://github.com/azure-ad-b2c/siem) that include Azure AD B2C dashboard, Multifactor authentication (MFA) operations, Conditional Access report, and Search logs by correlationId. This practice provides better insights into the health of your Azure AD B2C environment.
## Next steps
active-directory Concept Authentication Passwordless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-passwordless.md
Previously updated : 09/15/2022 Last updated : 10/18/2023
Features like multifactor authentication (MFA) are a great way to secure your or
| | | | | Passwordless | Windows 10 Device, phone, or security key | Biometric or PIN |
-Each organization has different needs when it comes to authentication. Microsoft global Azure and Azure Government offer the following three passwordless authentication options that integrate with Microsoft Entra ID:
+Each organization has different needs when it comes to authentication. Microsoft Global Azure and Azure Government offer the following three passwordless authentication options that integrate with Microsoft Entra ID:
- Windows Hello for Business - Microsoft Authenticator
Users can register and then select a FIDO2 security key at the sign-in interface
FIDO2 security keys can be used to sign in to their Microsoft Entra ID or Microsoft Entra hybrid joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor.
-We have a reference document for which [browsers support FIDO2 authentication with Microsoft Entra ID](fido2-compatibility.md), as well as best practices for developers wanting to [support FIDO2 auth in the applications they develop](../develop/support-fido2-authentication.md).
+We have a reference document for which [browsers support FIDO2 authentication with Microsoft Entra ID](fido2-compatibility.md), and best practices for developers wanting to [support FIDO2 auth in the applications they develop](../develop/support-fido2-authentication.md).
![Sign in to Microsoft Edge with a security key](./media/concept-authentication-passwordless/concept-web-sign-in-security-key.png)
The following considerations apply:
- Users may not register passwordless credentials within a tenant where they are a guest, the same way that they do not have a password managed in that tenant.
+## Unsupported scenarios
+
+We recommend no more than 20 sets of keys for each passwordless method for any user account. As more keys are added, the user object size increases, and you may notice degradation for some operations. In that case, you should remove unnecessary keys. For more information and the PowerShell cmdlets to query and remove keys, see
+[Using WHfBTools PowerShell module for cleaning up orphaned Windows Hello for Business Keys](https://support.microsoft.com/topic/using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hello-for-business-keys-779d1f3f-bb2d-c495-0f6b-9aeb940eeafb). The topic uses **/UserPrincipalName** optional parameter to query only keys for a specific user. The permissions required are to run as an administrator or the specified user.
+
+When you use PowerShell to create a CSV file with all of the existing keys, carefully identify the keys that you need to keep, and remove those rows from the CSV. Then use the modified CSV with PowerShell to delete the remaining keys to bring the account key count under the limit.
+
+It is safe to delete any key reported as "Orphaned"="True" in the CSV. An orphaned key is one for a device that is not longer registered in Entra ID. If removing all Orphans still doesn't bring the User account below the limit it is necessary to look at the "DeviceId" and "CreationTime" columns to identify which keys to target for deletion. Be careful to remove any row in the CSV for keys you want to keep. Keys for any DeviceID corresponding to devices the user actively uses should be removed from the CSV before the deletion step.
## Choose a passwordless method
active-directory How To Mfa Registration Campaign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-registration-campaign.md
A nudge won't appear if a user is presented with the [terms of use (ToU)](../con
A nudge won't appear if a user is redirected during sign-in due to [Conditional Access custom controls](../conditional-access/controls.md) settings.
+**Are there any plans to discontinue SMS and Voice as methods usable for MFA?**
+
+No, there are no such plans.
+ ## Next steps [Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md)+
active-directory Msal Acquire Cache Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-acquire-cache-tokens.md
In public client applications like desktop and mobile apps, you can:
For confidential client applications (web app, web API, or a daemon application like a Windows service), you can; - Acquire tokens **for the application itself** and not for a user, using the [client credentials flow](msal-authentication-flows.md#client-credentials). This technique can be used for syncing tools, or tools that process users in general and not a specific user.-- Use the [on-behalf-of (OBO) flow](msal-authentication-flows.md#on-behalf-of-obo) for a web API to call an API on behalf of the user. The application is identified with client credentials in order to acquire a token based on a user assertion (SAML, for example, or a JWT token). This flow is used by applications that need to access resources of a particular user in service-to-service calls.-- Acquire tokens using the [authorization code flow](msal-authentication-flows.md#authorization-code) in web apps after the user signs in through the authorization request URL. OpenID Connect application typically use this mechanism, which lets the user sign in using OpenID Connect and then access web APIs on behalf of the user.
+- Use the [on-behalf-of (OBO) flow](msal-authentication-flows.md#on-behalf-of-obo) for a web API to call an API on behalf of the user. The application is identified with client credentials in order to acquire a token based on a user assertion (SAML, for example, or a JWT token). This flow is used by applications that need to access resources of a particular user in service-to-service calls. Tokens should be cached on a session basis, not on a user basis.
+- Acquire tokens using the [authorization code flow](msal-authentication-flows.md#authorization-code) in web apps after the user signs in through the authorization request URL. OpenID Connect application typically use this mechanism, which lets the user sign in using OpenID Connect and then access web APIs on behalf of the user. Tokens may be cached on a user or on a session basis. If caching tokens on a user basis, we recommend to limit the session lifetime, so that Microsoft Entra ID may check the state of the Conditional Access policies frequently.
## Authentication results
active-directory Reference Saml Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-saml-tokens.md
The Microsoft identity platform emits several types of security tokens in the pr
> |Authentication Method | `amr` |Identifies how the subject of the token was authenticated. | `<AuthnContextClassRef>`<br>`http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod/password`<br>`</AuthnContextClassRef>` | > |First Name | `given_name` |Provides the first or "given" name of the user, as set on the Microsoft Entra user object. | `<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">`<br>`<AttributeValue>Frank<AttributeValue>` | > |Groups | `groups` |Provides object IDs that represent the subject's group memberships. These values are unique (see Object ID) and can be safely used for managing access, such as enforcing authorization to access a resource. The groups included in the groups claim are configured on a per-application basis, through the "groupMembershipClaims" property of the application manifest. A value of null will exclude all groups, a value of "SecurityGroup" will include only Active Directory Security Group memberships, and a value of "All" will include both Security Groups and Microsoft 365 Distribution Lists. <br><br> **Notes**: <br> If the number of groups the user is in goes over a limit (150 for SAML, 200 for JWT) then an overage claim will be added the claim sources pointing at the Graph endpoint containing the list of groups for the user. | `<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">`<br>`<AttributeValue>07dd8a60-bf6d-4e17-8844-230b77145381</AttributeValue>` |
-> | Groups Overage Indicator | `groups:src1` | For token requests that are not length-limited but still too large for the token, a link to the full groups list for the user will be included. For SAML this is added as a new claim in place of the `groups` claim. <br><br> **Notes**: <br> The Azure AD Graph API is being replaced by the Microsoft Graph API. To learn more about the equivalent endpoint, see [user: getMemberObjects](/graph/api/user-getmemberobjects). | `<Attribute Name=" http://schemas.microsoft.com/claims/groups.link">`<br>`<AttributeValue>https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects<AttributeValue>` |
+> | Groups Overage Indicator | `groups:src1` | For token requests that are not length-limited but still too large for the token, a link to the full groups list for the user will be included. For SAML this is added as a new claim in place of the `groups` claim. <br><br> **Notes**: <br> The Azure AD Graph API is being replaced by the Microsoft Graph API. To learn more about the equivalent endpoint, see [user: getMemberObjects](/graph/api/directoryobject-getmemberobjects). | `<Attribute Name=" http://schemas.microsoft.com/claims/groups.link">`<br>`<AttributeValue>https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects<AttributeValue>` |
> |Identity Provider | `idp` |Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account is in a different tenant than the issuer. | `<Attribute Name=" http://schemas.microsoft.com/identity/claims/identityprovider">`<br>`<AttributeValue>https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/<AttributeValue>` | > |IssuedAt | `iat` |Stores the time at which the token was issued. It is often used to measure token freshness. | `<Assertion ID="_d5ec7a9b-8d8f-4b44-8c94-9812612142be" IssueInstant="2014-01-06T20:20:23.085Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">` | > |Issuer | `iss` |Identifies the security token service (STS) that constructs and returns the token. In the tokens that Microsoft Entra ID returns, the issuer is sts.windows.net. The GUID in the Issuer claim value is the tenant ID of the Microsoft Entra directory. The tenant ID is an immutable and reliable identifier of the directory. | `<Issuer>https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/</Issuer>` |
active-directory Saml Claims Customization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/saml-claims-customization.md
Any constant (static) value can be assigned to any claim. Use the following step
1. On the **Attributes & Claims** blade, select the required claim that you want to modify. 1. Enter the constant value without quotes in the **Source attribute** as per your organization and select **Save**. The constant value is displayed.
-### Directory Schema extensions
+### Directory Schema extensions (Preview)
You can also configure directory schema extension attributes as non-conditional/conditional attributes. Use the following steps to configure the single or multi-valued directory schema extension attribute as a claim:
To apply a transformation to a user attribute:
1. In **Manage claim**, select *Transformation* as the claim source to open the **Manage transformation** page. 1. Select the function from the transformation dropdown. Depending on the function selected, provide parameters and a constant value to evaluate in the transformation.
-1. Select the source of the attribute by clicking on the appropriate radio button.
+1. Select the source of the attribute by clicking on the appropriate radio button. Directory schema extension source is in preview currently.
1. Select the attribute name from the dropdown. 1. **Treat source as multivalued** is a checkbox indicating whether the transform should be applied to all values or just the first. By default, transformations are only applied to the first element in a multi-value claim, by checking this box it ensures it's applied to all. This checkbox is only be enabled for multi-valued attributes, for example `user.proxyaddresses`. 1. To apply multiple transformations, select **Add transformation**. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the `user.mail`. Then, make the string upper case.
To add a claim condition:
1. In **Manage claim**, expand the Claim conditions. 1. Select the user type. 1. Select the group(s) to which the user should belong. You can select up to 50 unique groups across all claims for a given application.
-1. Select the **Source** where the claim is going to retrieve its value. You can either select a user attribute from the dropdown for the source attribute or apply a transformation to the user attribute. You can also select a directory schema extension before emitting it as a claim.
+1. Select the **Source** where the claim is going to retrieve its value. You can either select a user attribute from the dropdown for the source attribute or apply a transformation to the user attribute. You can also select a directory schema extension (preview) before emitting it as a claim.
The order in which you add the conditions are important. Microsoft Entra first evaluates all conditions with source `Attribute` and then evaluates all conditions with source `Transformation` to decide which value to emit in the claim. Conditions with the same source are evaluated from top to bottom. The last value, which matches the expression is emitted in the claim. Transformations such as `IsNotEmpty` and `Contains` act like restrictions.
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sample-v2-code.md
The following samples show how to build applications for the Java language and p
> | Web API | [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/3-Authorization-II/protect-web-api) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | On-Behalf-Of (OBO) | > | Desktop | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2-client-side/Integrated-Windows-Auth-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Integrated Windows authentication | > | Mobile | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-android-java) | [MSAL Android](https://github.com/AzureAD/microsoft-authentication-library-for-android) | Authorization code with PKCE |
-> | Headless | [Sign in users and invoke protected API from text-only device](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Device-Code-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Device code |
+> | Headless | Sign in users and invoke protected API from text-only device | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Device code |
> | Service/</br>daemon | &#8226; [Call Microsoft Graph with Secret](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1-server-side/msal-client-credential-secret) <br/> &#8226; [Call Microsoft Graph with Certificate](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1-server-side/msal-client-credential-certificate)| [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Client credentials grant| #### Java Spring
active-directory Scenario Desktop Acquire Token Wam https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-desktop-acquire-token-wam.md
The Microsoft Authentication Library (MSAL) calls Web Account Manager (WAM), a W
Using an authentication broker such as WAM has numerous benefits: -- Enhanced security. See [Token protection](/azure/active-directory/conditional-access/concept-token-protection).
+- Enhanced security. See [Token protection](../conditional-access/concept-token-protection.md).
- Support for Windows Hello, Conditional Access, and FIDO keys. - Integration with the Windows **Email & accounts** view. - Fast single sign-on.
ms-appx-web://microsoft.aad.brokerplugin/{client_id}
### Token cache persistence
-It's important to persist the MSAL token cache because MSAL continues to store ID tokens and account metadata there. For more information, see [Token cache serialization in MSAL.NET](/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop).
+It's important to persist the MSAL token cache because MSAL continues to store ID tokens and account metadata there. For more information, see [Token cache serialization in MSAL.NET](/entra/msal/dotnet/how-to/token-cache-serialization?tabs=desktop).
### Account for silent login
active-directory Scenario Mobile Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-mobile-acquire-token.md
The class defines the following constants:
- `ForceLogin` enables the service to prompt the user for credentials even if the prompt isn't needed. This option can be useful if the token acquisition fails and you want to let the user sign in again. In this case, MSAL sends `prompt=login` to the identity provider. You might want to use this option in security-focused applications where the organization governance requires the user to sign in each time they access specific parts of the application.-- `Never` is for only .NET 4.5 and Windows Runtime (WinRT). This constant won't prompt the user, but it will try to use the cookie that's stored in the hidden embedded web view. For more information, see [Using web browsers with MSAL.NET](./msal-net-web-browsers.md).
+- `Never` is for only .NET 4.5 and Windows Runtime (WinRT). This constant won't prompt the user, but it will try to use the cookie that's stored in the hidden embedded web view. For more information, see [Using web browsers with MSAL.NET](/entra/msal/dotnet/acquiring-tokens/using-web-browsers).
If this option fails, then `AcquireTokenInteractive` throws an exception to notify you that a UI interaction is needed. Then use another `Prompt` parameter. - `NoPrompt` doesn't send a prompt to the identity provider.
client_id=<CLIENT_ID>
## Next steps Move on to the next article in this scenario,
-[Calling a web API](scenario-mobile-call-api.md).
+[Calling a web API](scenario-mobile-call-api.md).
active-directory Scenario Spa Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-overview.md
# Scenario: Single-page application
-Learn all you need to build a single-page application (SPA). For instructions regarding Azure Static Web Apps, see [Authentication and Authorization for Static Web Apps](../../static-web-apps/authentication-authorization.md) instead.
+Learn all you need to build a single-page application (SPA). For instructions regarding Azure Static Web Apps, see [Authentication and Authorization for Static Web Apps](/azure/static-web-apps/authentication-authorization) instead.
## Getting started
active-directory Scenario Spa Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-sign-in.md
The choice between a pop-up or redirect experience depends on your application f
- If you don't want users to move away from your main application page during authentication, we recommend the pop-up method. Because the authentication redirect happens in a pop-up window, the state of the main application is preserved. -- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](/azure/active-directory/develop/msal-js-use-ie-browser).
+- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](./msal-js-use-ie-browser.md).
## Sign-in with a pop-up window
active-directory Scenario Token Exchange Saml Oauth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-token-exchange-saml-oauth.md
Many apps are implemented with SAML. However, the Graph API uses the OIDC/OAuth
The general strategy is to add the OIDC/OAuth stack to your app. With your app that implements both standards you can use a session cookie. You aren't exchanging a token explicitly. You're logging a user in with SAML, which generates a session cookie. When the Graph API invokes an OAuth flow, you use the session cookie to authenticate. This strategy assumes the Conditional Access checks pass and the user is authorized. > [!NOTE]
-> The recommended library for adding OIDC/OAuth behavior to your applications is the [Microsoft Authentication Library (MSAL)](/entra/msal).
+> The recommended library for adding OIDC/OAuth behavior to your applications is the [Microsoft Authentication Library (MSAL)](/entra/msal/).
## Next steps - [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)
active-directory Scenario Web Api Call Api App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md
The following image shows the possibilities of *Microsoft.Identity.Web* and the
:::image type="content" source="media/scenarios/microsoft-identity-web-startup-cs.svg" alt-text="Block diagram showing service configuration options in startup dot C S for calling a web API and specifying a token cache implementation"::: > [!NOTE]
-> To fully understand the code examples here, be familiar with [ASP.NET Core fundamentals](/aspnet/core/fundamentals), and in particular with [dependency injection](/aspnet/core/fundamentals/dependency-injection) and [options](/aspnet/core/fundamentals/configuration/options).
+> To fully understand the code examples here, be familiar with [ASP.NET Core fundamentals](/aspnet/core/fundamentals/), and in particular with [dependency injection](/aspnet/core/fundamentals/dependency-injection) and [options](/aspnet/core/fundamentals/configuration/options).
# [ASP.NET](#tab/aspnet)
active-directory Scenario Web App Sign User Production https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-production.md
This progressive tutorial has production-ready code for a web app, including how
- Your organization - Multiple organizations - Work or school accounts, or personal Microsoft accounts-- [Azure AD B2C](../../active-directory-b2c/overview.md)
+- [Azure AD B2C](/azure/active-directory-b2c/overview)
- National clouds ## Tutorial: Node.js web app
active-directory Security Best Practices For App Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/security-best-practices-for-app-registration.md
Consider the following guidance related to certificates and secrets:
- If an application is used only as a Public Client App (allows users to sign in using a public endpoint), make sure that there are no credentials specified on the application object. - Review the credentials used in applications for freshness of use and their expiration. An unused credential on an application can result in a security breach. Rollover credentials frequently and don't share credentials across applications. Don't have many credentials on one application. - Monitor your production pipelines to prevent credentials of any kind from being committed into code repositories.-- [Credential Scanner](../../security/develop/security-code-analysis-overview.md#credential-scanner) is a static analysis tool that can be used to detect credentials (and other sensitive content) in source code and build output.
+- [Credential Scanner](/previous-versions/azure/security/develop/security-code-analysis-overview#credential-scanner) is a static analysis tool that can be used to detect credentials (and other sensitive content) in source code and build output.
## Application ID URI
active-directory Test Automate Integration Testing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/test-automate-integration-testing.md
Using the ROPC authentication flow is risky in a production environment, so [cre
## Create and configure a key vault
-We recommend you securely store the test usernames and passwords as [secrets](../../key-vault/secrets/about-secrets.md) in Azure Key Vault. When you run the tests later, the tests run in the context of a security principal. The security principal is a Microsoft Entra user if you're running tests locally (for example, in Visual Studio or Visual Studio Code), or a service principal or managed identity if you're running tests in Azure Pipelines or another Azure resource. The security principal must have **Read** and **List** secrets permissions so the test runner can get the test usernames and passwords from your key vault. For more information, read [Authentication in Azure Key Vault](../../key-vault/general/authentication.md).
+We recommend you securely store the test usernames and passwords as [secrets](/azure/key-vault/secrets/about-secrets) in Azure Key Vault. When you run the tests later, the tests run in the context of a security principal. The security principal is a Microsoft Entra user if you're running tests locally (for example, in Visual Studio or Visual Studio Code), or a service principal or managed identity if you're running tests in Azure Pipelines or another Azure resource. The security principal must have **Read** and **List** secrets permissions so the test runner can get the test usernames and passwords from your key vault. For more information, read [Authentication in Azure Key Vault](/azure/key-vault/general/authentication).
-1. [Create a new key vault](../../key-vault/general/quick-create-portal.md) if you don't have one already.
+1. [Create a new key vault](/azure/key-vault/general/quick-create-portal) if you don't have one already.
1. Take note of the **Vault URI** property value (similar to `https://<your-unique-keyvault-name>.vault.azure.net/`) which is used in the example test later in this article.
-1. [Assign an access policy](../../key-vault/general/assign-access-policy.md) for the security principal running the tests. Grant the user, service principal, or managed identity **Get** and **List** secrets permissions in the key vault.
+1. [Assign an access policy](/azure/key-vault/general/assign-access-policy) for the security principal running the tests. Grant the user, service principal, or managed identity **Get** and **List** secrets permissions in the key vault.
## Create test users [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Create some test users in your tenant for testing. Since the test users are not actual humans, we recommend you assign complex passwords and securely store these passwords as [secrets](../../key-vault/secrets/about-secrets.md) in Azure Key Vault.
+Create some test users in your tenant for testing. Since the test users are not actual humans, we recommend you assign complex passwords and securely store these passwords as [secrets](/azure/key-vault/secrets/about-secrets) in Azure Key Vault.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Identity** > **Users** > **All users**. 1. Select **New user** and create one or more test user accounts in your directory.
-1. The example test later in this article uses a single test user. [Add the test username and password as secrets](../../key-vault/secrets/quick-create-portal.md) in the key vault you created previously. Add the username as a secret named "TestUserName" and the password as a secret named "TestPassword".
+1. The example test later in this article uses a single test user. [Add the test username and password as secrets](/azure/key-vault/secrets/quick-create-portal) in the key vault you created previously. Add the username as a secret named "TestUserName" and the password as a secret named "TestPassword".
## Create and configure an app registration Register an application that acts as your client app when calling APIs during testing. This should *not* be the same application you may already have in production. You should have a separate app to use only for testing purposes.
export const keyVaultConfig = {
### Initialize MSAL.js and fetch the user credentials from Key Vault
-Initialize the MSAL.js authentication context by instantiating a [PublicClientApplication](/javascript/api/@azure/msal-node/publicclientapplication) with a [Configuration](/javascript/api/@azure/msal-node/publicclientapplication#@azure-msal-node-publicclientapplication-constructor) object. The minimum required configuration property is the `clientID` of the application.
+Initialize the MSAL.js authentication context by instantiating a [PublicClientApplication](/javascript/api/%40azure/msal-node/publicclientapplication) with a [Configuration](/javascript/api/%40azure/msal-node/publicclientapplication#@azure-msal-node-publicclientapplication-constructor) object. The minimum required configuration property is the `clientID` of the application.
-Use [SecretClient()](/javascript/api/@azure/keyvault-secrets/secretclient) to get the test username and password secrets from Azure Key Vault.
+Use [SecretClient()](/javascript/api/%40azure/keyvault-secrets/secretclient) to get the test username and password secrets from Azure Key Vault.
-[DefaultAzureCredential()](/javascript/api/@azure/identity/defaultazurecredential) authenticates with Azure Key Vault by getting an access token from a service principal configured by environment variables or a managed identity (if the code is running on an Azure resource with a managed identity). If the code is running locally, `DefaultAzureCredential` uses the local user's credentials. Read more in the [Azure Identity client library](/javascript/api/@azure/identity/defaultazurecredential) content.
+[DefaultAzureCredential()](/javascript/api/@azure/identity/defaultazurecredential) authenticates with Azure Key Vault by getting an access token from a service principal configured by environment variables or a managed identity (if the code is running on an Azure resource with a managed identity). If the code is running locally, `DefaultAzureCredential` uses the local user's credentials. Read more in the [Azure Identity client library](/javascript/api/%40azure/identity/defaultazurecredential) content.
Use Microsoft Authentication Library (MSAL) to authenticate using the ROPC flow and get an access token. The access token is passed along as a bearer token in the HTTP request.
active-directory Test Throttle Service Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/test-throttle-service-limits.md
Microsoft Entra ID, Microsoft Graph, and other Azure services also limit the num
<a name='azure-ad-service-limits-relevant-to-testing'></a> ## Microsoft Entra service limits relevant to testing
-General Microsoft Entra usage constraints and service limits can be found [here](../enterprise-users/directory-service-limits-restrictions.md). General Azure subscription and service limits, quotas, and constraints can be found [here](../../azure-resource-manager/management/azure-subscription-service-limits.md).
+General Microsoft Entra usage constraints and service limits can be found [here](../enterprise-users/directory-service-limits-restrictions.md). General Azure subscription and service limits, quotas, and constraints can be found [here](/azure/azure-resource-manager/management/azure-subscription-service-limits).
The following table lists Microsoft Entra service limits to consider when setting up a test environment or running tests.
active-directory Troubleshoot Required Resource Access Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/troubleshoot-required-resource-access-limits.md
In general, all applications with more than 400 permissions have exceeded the co
## Resolution steps
-If the application isn't needed anymore, the first option you should consider is to delete the app registration entirely. (You can [restore recently deleted applications](/azure/active-directory/fundamentals/recover-from-deletions#applications-and-service-principals), in case you discover soon afterwards that it was still needed.)
+If the application isn't needed anymore, the first option you should consider is to delete the app registration entirely. (You can [restore recently deleted applications](../architecture/recover-from-deletions.md#applications-and-service-principals), in case you discover soon afterwards that it was still needed.)
If you still need the application or are unsure, the following steps will help you resolve this issue:
active-directory Tutorial Blazor Webassembly https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-blazor-webassembly.md
dotnet run
In your browser, navigate to `https://localhost:<port number>`, and log in using a Microsoft Entra user account to see the app running and logging users in with the Microsoft identity platform.
-The components of this template that enable logins with Microsoft Entra ID using the Microsoft identity platform are explained in the [ASP.NET doc on this article](/aspnet/core/blazor/security/webassembly/standalone-with-azure-active-directory#authentication-package).
+The components of this template that enable logins with Microsoft Entra ID using the Microsoft identity platform are explained in the [ASP.NET doc on this article](/aspnet/core/blazor/security/webassembly/standalone-with-microsoft-entra-id#authentication-package).
## Retrieving data from a protected API (Microsoft Graph)
active-directory V2 Conditional Access Dev Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-conditional-access-dev-guide.md
To try out this scenario, see our [React SPA calling Node.js web API using on-be
* For more Microsoft Entra code samples, see [samples](sample-v2-code.md). * For more info on the MSAL SDK's and access the reference documentation, see the [Microsoft Authentication Library overview](msal-overview.md). * To learn more about multi-tenant scenarios, see [How to sign in users using the multi-tenant pattern](howto-convert-app-to-be-multi-tenant.md).
-* Learn more about [Conditional Access and securing access to IoT apps](/azure/architecture/example-scenario/iot-aad/iot-aad).
+* Learn more about [Conditional Access and securing access to IoT apps](/azure/architecture/reference-architectures/iot).
active-directory V2 Howto Get Appsource Certified https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-howto-get-appsource-certified.md
For more information about multi-tenancy, see [How to sign in any Microsoft Entr
A *single-tenant application* is an application that only accepts sign-ins from users of a defined Microsoft Entra instance. External users (including work or school accounts from other organizations, or personal accounts) can sign in to a single-tenant application after adding each user as a guest account to the Microsoft Entra instance that the application is registered.
-You can add users as guest accounts to Microsoft Entra ID through the [Microsoft Entra B2B collaboration](../external-identities/what-is-b2b.md) and you can do this [programmatically](../../active-directory-b2c/integrate-with-app-code-samples.md). When using B2B, users can create a self-service portal that does not require an invitation to sign in. For more info, see [Self-service portal for Microsoft Entra B2B collaboration sign-up](../external-identities/self-service-portal.md).
+You can add users as guest accounts to Microsoft Entra ID through the [Microsoft Entra B2B collaboration](../external-identities/what-is-b2b.md) and you can do this [programmatically](/azure/active-directory-b2c/integrate-with-app-code-samples). When using B2B, users can create a self-service portal that does not require an invitation to sign in. For more info, see [Self-service portal for Microsoft Entra B2B collaboration sign-up](../external-identities/self-service-portal.md).
Single-tenant applications can enable the *Contact Me* experience, but if you want to enable the single-click/free trial experience that AppSource recommends, enable multi-tenancy on your application instead.
active-directory V2 Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-overview.md
Learn how core authentication and Microsoft Entra concepts apply to the Microsof
## More identity and access management options
-[Azure AD B2C](../../active-directory-b2c/overview.md) - Build customer-facing applications your users can sign in to using their social accounts like Facebook or Google, or by using an email address and password.
+[Azure AD B2C](/azure/active-directory-b2c/overview) - Build customer-facing applications your users can sign in to using their social accounts like Facebook or Google, or by using an email address and password.
[Microsoft Entra B2B](../external-identities/what-is-b2b.md) - Invite external users into your Microsoft Entra tenant as "guest" users, and assign permissions for authorization while they use their existing credentials for authentication.
active-directory V2 Saml Bearer Assertion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-saml-bearer-assertion.md
You'll enable the SAML bearer assertion flow to exchange a SAMLv1 token issued b
## Prerequisites - AD FS federated as an identity provider for single sign-on; see [Setting up AD FS and Enabling Single Sign-On to Office 365](/archive/blogs/canitpro/step-by-step-setting-up-ad-fs-and-enabling-single-sign-on-to-office-365) for an example.-- [Postman](https://www.getpostman.com/) for testing requests.
+- [Postman](https://www.postman.com/) for testing requests.
## Scenario overview
active-directory Web App Quickstart Portal Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-python.md
> ## Prerequisites > > - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-> - [Python 2.7+](https://www.python.org/downloads/release/python-2713) or [Python 3+](https://www.python.org/downloads/release/python-364/)
-> - [Flask](http://flask.pocoo.org/), [Flask-Session](https://pypi.org/project/Flask-Session/), [requests](https://github.com/psf/requests/graphs/contributors)
+> - [Python 2.7+](https://www.python.org/downloads/release/python-2713/) or [Python 3+](https://www.python.org/downloads/release/python-364/)
+> - [Flask](https://flask.palletsprojects.com/en/3.0.x/), [Flask-Session](https://pypi.org/project/Flask-Session/), [requests](https://github.com/psf/requests/graphs/contributors)
> - [MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python) > > #### Step 1: Configure your application in Azure portal
active-directory Manage Device Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-device-identities.md
To view or copy BitLocker keys, you need to be the owner of the device or have o
- Intune Service Administrator - Security Administrator - Security Reader
+
+> [!NOTE]
+> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Administrative unit scoped administrators will lose access to BitLocker recovery keys after device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys.
## View and filter your devices
active-directory Directory Delete Howto https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delete-howto.md
You can use the Microsoft admin center to put a subscription into the **Deprovis
![Screenshot that shows subscription status and the delete link.](./media/directory-delete-howto/delete-command.png)
-1. Select the checkbox to accept terms and conditions, and then select **Delete subscription**. All data for the subscription is permanently deleted in three days. You can [reactivate the subscription](/office365/admin/subscriptions-and-billing/reactivate-your-subscription) during the three-day period if you change your mind.
+1. Select the checkbox to accept terms and conditions, and then select **Delete subscription**. All data for the subscription is permanently deleted in three days. You can [reactivate the subscription](/microsoft-365/commerce/subscriptions/reactivate-your-subscription) during the three-day period if you change your mind.
![Screenshot that shows the link for terms and conditions, along with the button for deleting a subscription.](./media/directory-delete-howto/delete-terms.png)
You can use the Microsoft admin center to put a subscription into the **Deprovis
If you have an active or canceled Azure subscription associated with your Microsoft Entra tenant, you can't delete the tenant. After you cancel, billing is stopped immediately. However, Microsoft waits 30 to 90 days before permanently deleting your data in case you need to access it or you change your mind. We don't charge you for keeping the data.
-If you have a free trial or pay-as-you-go subscription, you don't have to wait 90 days for the subscription to be automatically deleted. You can delete your subscription three days after you cancel it, when the **Delete subscription** option becomes available. For details, read through [Delete free trial or pay-as-you-go subscriptions](../../cost-management-billing/manage/cancel-azure-subscription.md#delete-subscriptions).
+If you have a free trial or pay-as-you-go subscription, you don't have to wait 90 days for the subscription to be automatically deleted. You can delete your subscription three days after you cancel it, when the **Delete subscription** option becomes available. For details, read through [Delete free trial or pay-as-you-go subscriptions](/azure/cost-management-billing/manage/cancel-azure-subscription#delete-subscriptions).
-All other subscription types are deleted only through the [subscription cancellation](../../cost-management-billing/manage/cancel-azure-subscription.md#cancel-a-subscription-in-the-azure-portal) process. In other words, you can't delete a subscription directly unless it's a free trial or pay-as-you-go subscription. However, after you cancel a subscription, you can create an [Azure support request](https://go.microsoft.com/fwlink/?linkid=2083458) and ask to have the subscription deleted immediately.
+All other subscription types are deleted only through the [subscription cancellation](/azure/cost-management-billing/manage/cancel-azure-subscription#cancel-a-subscription-in-the-azure-portal) process. In other words, you can't delete a subscription directly unless it's a free trial or pay-as-you-go subscription. However, after you cancel a subscription, you can create an [Azure support request](https://go.microsoft.com/fwlink/?linkid=2083458) and ask to have the subscription deleted immediately.
-Alternatively, you can move the Azure subscription to another tenant. When you transfer billing ownership of your subscription to an account in another tenant, you can move the subscription to the new account's tenant. Performing a **Switch Directory** action on the subscription wouldn't help, because the billing would still be aligned with the Microsoft Entra tenant that was used to sign up for the subscription. For more information, review [Transfer a subscription to another Microsoft Entra tenant account](../../cost-management-billing/manage/billing-subscription-transfer.md#transfer-a-subscription-to-another-azure-ad-tenant-account).
+Alternatively, you can move the Azure subscription to another tenant. When you transfer billing ownership of your subscription to an account in another tenant, you can move the subscription to the new account's tenant. Performing a **Switch Directory** action on the subscription wouldn't help, because the billing would still be aligned with the Microsoft Entra tenant that was used to sign up for the subscription. For more information, review [Transfer a subscription to another Microsoft Entra tenant account](/azure/cost-management-billing/manage/billing-subscription-transfer#transfer-a-subscription-to-another-azure-ad-tenant-account).
After you have all the Azure, Office 365, and Microsoft 365 subscriptions canceled and deleted, you can clean up the rest of the things within a Microsoft Entra tenant before you delete it.
A few enterprise applications can't be deleted in the Microsoft Entra admin cent
## Handle a trial subscription that blocks deletion
-There are [self-service sign-up products](/office365/admin/misc/self-service-sign-up) like Microsoft Power BI, Azure Rights Management (Azure RMS), Microsoft Power Apps, and Dynamics 365. Individual users can sign up via Microsoft 365, which also creates a guest user for authentication in your Microsoft Entra organization.
+There are [self-service sign-up products](/microsoft-365/admin/misc/self-service-sign-up) like Microsoft Power BI, Azure Rights Management (Azure RMS), Microsoft Power Apps, and Dynamics 365. Individual users can sign up via Microsoft 365, which also creates a guest user for authentication in your Microsoft Entra organization.
These self-service products block directory deletions until the products are fully deleted from the organization, to avoid data loss. Only the Microsoft Entra admin can delete them, whether the user signed up individually or was assigned the product.
There are two types of self-service sign-up products, in terms of how they're as
* Organizational-level assignment: a Microsoft Entra administrator assigns the product to the entire organization. A user can actively use the service with the organizational-level assignment, even if the user isn't licensed individually. * User-level assignment: An individual user during self-service sign-up essentially self-assigns the product without an admin. After an admin starts managing the organization (see [Administrator takeover of an unmanaged organization](domains-admin-takeover.md)), the admin can directly assign the product to users without self-service sign-up.
-When you begin the deletion of a self-service sign-up product, the action permanently deletes the data and removes all user access to the service. Any user who was assigned the offer individually or on the organization level is then blocked from signing in or accessing any existing data. If you want to prevent data loss with a self-service sign-up product like [Microsoft Power BI dashboards](/power-bi/service-export-to-pbix) or [Azure RMS policy configuration](/azure/information-protection/configure-policy#how-to-configure-the-azure-information-protection-policy), ensure that the data is backed up and saved elsewhere.
+When you begin the deletion of a self-service sign-up product, the action permanently deletes the data and removes all user access to the service. Any user who was assigned the offer individually or on the organization level is then blocked from signing in or accessing any existing data. If you want to prevent data loss with a self-service sign-up product like [Microsoft Power BI dashboards](/power-bi/create-reports/service-export-to-pbix) or [Azure RMS policy configuration](/previous-versions/azure/information-protection/configure-policy#how-to-configure-the-azure-information-protection-policy), ensure that the data is backed up and saved elsewhere.
-For more information about currently available self-service sign-up products and services, see [Available self-service programs](/office365/admin/misc/self-service-sign-up#available-self-service-programs).
+For more information about currently available self-service sign-up products and services, see [Available self-service programs](/microsoft-365/admin/misc/self-service-sign-up#available-self-service-programs).
-For what to expect when a trial Microsoft 365 subscription expires (not including paid Partner/CSP, Enterprise Agreement, or Volume Licensing), see the following table. For more information on Microsoft 365 data retention and subscription lifecycle, see [What happens to my data and access when my Microsoft 365 for Business subscription ends?](/office365/admin/subscriptions-and-billing/what-if-my-subscription-expires).
+For what to expect when a trial Microsoft 365 subscription expires (not including paid Partner/CSP, Enterprise Agreement, or Volume Licensing), see the following table. For more information on Microsoft 365 data retention and subscription lifecycle, see [What happens to my data and access when my Microsoft 365 for Business subscription ends?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires).
Product state | Data | Access to data - | - | --
active-directory Directory Service Limits Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-service-limits-restrictions.md
# Microsoft Entra service limits and restrictions
-This article contains the usage constraints and other service limits for the Microsoft Entra ID, part of Microsoft Entra, service. If youΓÇÖre looking for the full set of Microsoft Azure service limits, see [Azure Subscription and Service Limits, Quotas, and Constraints](../../azure-resource-manager/management/azure-subscription-service-limits.md).
+This article contains the usage constraints and other service limits for the Microsoft Entra ID, part of Microsoft Entra, service. If youΓÇÖre looking for the full set of Microsoft Azure service limits, see [Azure Subscription and Service Limits, Quotas, and Constraints](/azure/azure-resource-manager/management/azure-subscription-service-limits).
[!INCLUDE [AAD-service-limits](../../../includes/active-directory-service-limits-include.md)]
active-directory Groups Assign Sensitivity Labels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md
# Assign sensitivity labels to Microsoft 365 groups in Microsoft Entra ID
-Microsoft Entra ID, part of Microsoft Entra, supports applying sensitivity labels published by the [Microsoft Purview compliance portal](https://compliance.microsoft.com) to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint. For more information about Microsoft 365 apps support, see [Microsoft 365 support for sensitivity labels](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites#support-for-the-sensitivity-labels).
+Microsoft Entra ID, part of Microsoft Entra, supports applying sensitivity labels published by the [Microsoft Purview compliance portal](https://compliance.microsoft.com) to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint. For more information about Microsoft 365 apps support, see [Microsoft 365 support for sensitivity labels](/purview/sensitivity-labels-teams-groups-sites#support-for-the-sensitivity-labels).
> [!IMPORTANT] > To configure this feature, there must be at least one active Microsoft Entra ID P1 license in your Microsoft Entra organization.
If youΓÇÖre receiving a Request_BadRequest error, it's because the settings alre
1. Issue the `Set-AzureADDirectorySetting -DirectorySetting $Setting -ID` cmdlet, using the ID that you retrieved in step 2. 1. Ensure that the value is now correctly updated by issuing `$Setting.Values` again.
-You will also need to synchronize your sensitivity labels to Microsoft Entra ID. For instructions, see [How to enable sensitivity labels for containers and synchronize labels](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).
+You will also need to synchronize your sensitivity labels to Microsoft Entra ID. For instructions, see [How to enable sensitivity labels for containers and synchronize labels](/purview/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).
## Assign a label to a new group in Azure portal
The sensitivity label option is only displayed for groups when all of the follow
1. The feature is enabled, EnableMIPLabels is set to True in from the Azure AD PowerShell module. 1. In addition, the sensitivity labels are published in the Microsoft Purview compliance portal for this Microsoft Entra organization. 1. Labels are synchronized to Microsoft Entra ID with the Execute-AzureAdLabelSync cmdlet in the Security & Compliance PowerShell module. It can take up to 24 hours after synchronization for the label to be available to Microsoft Entra ID.
-1. The [sensitivity label scope](/microsoft-365/compliance/sensitivity-labels?preserve-view=true&view=o365-worldwide#label-scopes) must be configured for Groups & Sites.
+1. The [sensitivity label scope](/purview/sensitivity-labels?preserve-view=true&view=o365-worldwide#label-scopes) must be configured for Groups & Sites.
3. The group is a Microsoft 365 group. 4. The current signed-in user: 1. has sufficient privileges to assign sensitivity labels. The user must be a Global Administrator, Group Administrator, or the group owner
- 1. and must be within the scope of the [sensitivity label publishing policy](/microsoft-365/compliance/sensitivity-labels?preserve-view=true&view=o365-worldwide#what-label-policies-can-do)
+ 1. and must be within the scope of the [sensitivity label publishing policy](/purview/sensitivity-labels?preserve-view=true&view=o365-worldwide#what-label-policies-can-do)
Please make sure all the conditions above are met in order to assign labels to a group.
If you must make a change, use an [Azure AD PowerShell script](https://github.co
## Next steps -- [Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites)
+- [Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/purview/sensitivity-labels-teams-groups-sites)
- [Update groups after label policy change manually with Azure AD PowerShell script](https://github.com/microsoftgraph/powershell-aad-samples/blob/master/ReassignSensitivityLabelToO365Groups.ps1) - [Edit your group settings](../fundamentals/how-to-manage-groups.md) - [Manage groups using PowerShell commands](../enterprise-users/groups-settings-v2-cmdlets.md)
active-directory Groups Create Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-create-rule.md
If the rule you entered isn't valid, an explanation of why the rule couldn't be
## Turn on or off welcome email
-When a new Microsoft 365 group is created, a welcome email notification is sent the users who are added to the group. Later, if any attributes of a user or device(only in case of security groups) change, all dynamic group rules in the organization are processed for membership changes. Users who are added then also receive the welcome notification. You can turn off this behavior in [Exchange PowerShell](/powershell/module/exchange/users-and-groups/Set-UnifiedGroup).
+When a new Microsoft 365 group is created, a welcome email notification is sent the users who are added to the group. Later, if any attributes of a user or device(only in case of security groups) change, all dynamic group rules in the organization are processed for membership changes. Users who are added then also receive the welcome notification. You can turn off this behavior in [Exchange PowerShell](/powershell/module/exchange/set-unifiedgroup).
## Check processing status for a rule
active-directory Groups Dynamic Membership https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-membership.md
The following device attributes can be used.
<!-- docutune:enable --> > [!NOTE]
-> When using `deviceOwnership` to create Dynamic Groups for devices, you need to set the value equal to `Company`. On Intune the device ownership is represented instead as Corporate. For more information, see [OwnerTypes](/intune/reports-ref-devices#ownertypes) for more details.
+> When using `deviceOwnership` to create Dynamic Groups for devices, you need to set the value equal to `Company`. On Intune the device ownership is represented instead as Corporate. For more information, see [OwnerTypes](/mem/intune/developer/reports-ref-devices#ownertypes) for more details.
> When using `deviceTrustType` to create Dynamic Groups for devices, you need to set the value equal to `AzureAD` to represent Microsoft Entra joined devices, `ServerAD` to represent Microsoft Entra hybrid joined devices or `Workplace` to represent Microsoft Entra registered devices. > When using `extensionAttribute1-15` to create Dynamic Groups for devices you need to set the value for `extensionAttribute1-15` on the device. Learn more on [how to write `extensionAttributes` on a Microsoft Entra device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http#example-2--write-extensionattributes-on-a-device&preserve-view=true)
active-directory Groups Dynamic Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-tutorial.md
In this tutorial, you learned how to:
Advance to the next article to learn more group-based licensing basics > [!div class="nextstepaction"]
-> [Group licensing basics](../fundamentals/licensing-whatis-azure-portal.md)
+> [Group licensing basics](../fundamentals/concept-group-based-licensing.md)
active-directory Licensing Admin Center https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-admin-center.md
When assign licenses to a group, Microsoft Entra ID processes all existing membe
To learn more about the feature set for license assignment using groups, see the following articles: -- [What is group-based licensing in Microsoft Entra ID?](../fundamentals/licensing-whatis-azure-portal.md?context=azure/active-directory/users-groups-roles/context/ugr-context)
+- [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md?context=azure/active-directory/users-groups-roles/context/ugr-context)
- [Identifying and resolving license problems for a group in Microsoft Entra ID](licensing-groups-resolve-problems.md)
active-directory Licensing Directory Independence https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-directory-independence.md
You can configure each Microsoft Entra organization independently to get data sy
## Next steps
-For Microsoft Entra ID licensing considerations and best practices, see [What is Microsoft Entra ID licensing?](../fundamentals/licensing-whatis-azure-portal.md).
+For Microsoft Entra ID licensing considerations and best practices, see [What is Microsoft Entra ID licensing?](../fundamentals/concept-group-based-licensing.md).
active-directory Licensing Group Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-group-advanced.md
If you use group-based licensing, it's a good idea to familiarize yourself with
To learn more about other scenarios for license management through group-based licensing, see:
-* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/licensing-whatis-azure-portal.md)
+* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md)
* [Assigning licenses to a group in Microsoft Entra ID](licensing-groups-assign.md) * [Identifying and resolving license problems for a group in Microsoft Entra ID](licensing-groups-resolve-problems.md) * [How to migrate individual licensed users to group-based licensing in Microsoft Entra ID](licensing-groups-migrate-users.md)
active-directory Licensing Groups Assign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-assign.md
When assign licenses to a group, Microsoft Entra ID processes all existing membe
To learn more about the feature set for license assignment using groups, see the following articles: -- [What is group-based licensing in Microsoft Entra ID?](../fundamentals/licensing-whatis-azure-portal.md?context=azure/active-directory/users-groups-roles/context/ugr-context)
+- [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md?context=azure/active-directory/users-groups-roles/context/ugr-context)
- [Identifying and resolving license problems for a group in Microsoft Entra ID](licensing-groups-resolve-problems.md) - [How to migrate individual licensed users to group-based licensing in Microsoft Entra ID](licensing-groups-migrate-users.md) - [How to migrate users between product licenses using group-based licensing in Microsoft Entra ID](licensing-groups-change-licenses.md)
active-directory Licensing Groups Migrate Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-migrate-users.md
Here is what the migration process could look like:
Learn more about other scenarios for group license management: -- [What is group-based licensing in Microsoft Entra ID?](../fundamentals/licensing-whatis-azure-portal.md)
+- [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md)
- [Assigning licenses to a group in Microsoft Entra ID](licensing-groups-assign.md) - [Identifying and resolving license problems for a group in Microsoft Entra ID](licensing-groups-resolve-problems.md) - [How to migrate users between product licenses using group-based licensing in Microsoft Entra ID](licensing-groups-change-licenses.md)
active-directory Licensing Groups Resolve Problems https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md
For example, after you resolve duplicate proxy address problem for an affected u
To learn more about other scenarios for license management through groups, see the following:
-* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/licensing-whatis-azure-portal.md)
+* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md)
* [Assigning licenses to a group in Microsoft Entra ID](./licensing-groups-assign.md) * [How to migrate individual licensed users to group-based licensing in Microsoft Entra ID](licensing-groups-migrate-users.md) * [How to migrate users between product licenses using group-based licensing in Microsoft Entra ID](licensing-groups-change-licenses.md)
active-directory Licensing Powershell Graph Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-powershell-graph-examples.md
Group-based licensing in Microsoft Entra ID, part of Microsoft Entra, is availab
## Assign licenses to a group
-[Group based licensing](../fundamentals/licensing-whatis-azure-portal.md) provides a convenient way to manage license assignment. You can assign one or more product licenses to a group and those licenses are assigned to all members of the group.
+[Group based licensing](../fundamentals/concept-group-based-licensing.md) provides a convenient way to manage license assignment. You can assign one or more product licenses to a group and those licenses are assigned to all members of the group.
```powershell # Import the Microsoft.Graph.Groups module
else {
To learn more about the feature set for license management through groups, see the following articles:
-* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/licensing-whatis-azure-portal.md)
+* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md)
* [Assigning licenses to a group in Microsoft Entra ID](./licensing-groups-assign.md) * [Identifying and resolving license problems for a group in Microsoft Entra ID](licensing-groups-resolve-problems.md)
active-directory Licensing Ps Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-ps-examples.md
# PowerShell and Microsoft Graph examples for group-based licensing in Microsoft Entra ID Full functionality for group-based licensing in Microsoft Entra ID, part of Microsoft Entra, is available through the [Azure portal](https://portal.azure.com), and currently there are some useful tasks that can be performed using the existing [MSOnline PowerShell
-cmdlets](/powershell/module/msonline) and Microsoft Graph. This document provides examples of what is possible.
+cmdlets](/powershell/module/msonline/) and Microsoft Graph. This document provides examples of what is possible.
> [!NOTE] > Before you begin running cmdlets, make sure you connect to your organization first, by running the `Connect-MsolService` cmdlet.
aadbe4da-c4b5-4d84-800a-9400f31d7371 User has no direct license to remove. Skipp
To learn more about the feature set for license management through groups, see the following articles:
-* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/licensing-whatis-azure-portal.md)
+* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md)
* [Assigning licenses to a group in Microsoft Entra ID](./licensing-groups-assign.md) * [Identifying and resolving license problems for a group in Microsoft Entra ID](licensing-groups-resolve-problems.md) * [How to migrate individual licensed users to group-based licensing in Microsoft Entra ID](licensing-groups-migrate-users.md)
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
The following service plans cannot be assigned together:
To learn more about the feature set for license management through groups, see the following:
-* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/licensing-whatis-azure-portal.md)
+* [What is group-based licensing in Microsoft Entra ID?](../fundamentals/concept-group-based-licensing.md)
* [Assigning licenses to a group in Microsoft Entra ID](licensing-groups-assign.md) * [Identifying and resolving license problems for a group in Microsoft Entra ID](licensing-groups-resolve-problems.md) * [How to migrate individual licensed users to group-based licensing in Microsoft Entra ID](licensing-groups-migrate-users.md)
active-directory Users Close Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-close-account.md
To close an unmanaged work or school account, follow these steps:
## Next steps - [What is self-service sign-up for Microsoft Entra ID?](directory-self-service-signup.md)-- [Delete the user from Unmanaged Tenant](/power-automate/gdpr-dsr-delete#delete-the-user-from-unmanaged-tenant)-- [Accessing and exporting system-generated logs for Unmanaged Tenants](/power-platform/admin/powerapps-gdpr-dsr-guide-systemlogs#accessing-and-exporting-system-generated-logs-for-unmanaged-tenants)
+- [Delete the user from Unmanaged Tenant](/power-automate/privacy-dsr-delete#delete-the-user-from-unmanaged-tenant)
+- [Accessing and exporting system-generated logs for Unmanaged Tenants](/power-platform/admin/powerapps-privacy-dsr-guide-systemlogs#accessing-and-exporting-system-generated-logs-for-unmanaged-tenants)
active-directory Users Revoke Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-revoke-access.md
As an admin in the Active Directory, connect to your on-premises network, open P
As an administrator in Microsoft Entra ID, open PowerShell, run ``Connect-AzureAD``, and take the following actions:
-1. Disable the user in Microsoft Entra ID. Refer to [Set-AzureADUser](/powershell/module/azuread/Set-AzureADUser).
+1. Disable the user in Microsoft Entra ID. Refer to [Set-AzureADUser](/powershell/module/azuread/set-azureaduser).
```PowerShell Set-AzureADUser -ObjectId johndoe@contoso.com -AccountEnabled $false
Once admins have taken the above steps, the user can't gain new tokens for any a
> [!NOTE] > Data on the device cannot be recovered after a wipe. -- Use [Microsoft Defender for Cloud Apps to block data download](/cloud-app-security/use-case-proxy-block-session-aad) when appropriate. If the data can only be accessed online, organizations can monitor sessions and achieve real-time policy enforcement.
+- Use [Microsoft Defender for Cloud Apps to block data download](/defender-cloud-apps/use-case-proxy-block-session-aad) when appropriate. If the data can only be accessed online, organizations can monitor sessions and achieve real-time policy enforcement.
- Enable [Continuous Access Evaluation (CAE) in Microsoft Entra ID](../conditional-access/concept-continuous-access-evaluation.md). CAE allows admins to revoke the session tokens and access tokens for applications that are CAE capable.
active-directory Users Sharing Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-sharing-accounts.md
You can also make your shared account more secure with Multi-Factor Authenticati
## Next steps * [Application Management in Microsoft Entra ID](../manage-apps/what-is-application-management.md)
-* [Protecting apps with Conditional Access](../../active-directory-b2c/overview.md)
+* [Protecting apps with Conditional Access](/azure/active-directory-b2c/overview)
* [Self-service group management/SSAA](groups-self-service-management.md)
active-directory B2b Direct Connect Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-direct-connect-overview.md
The Microsoft Teams admin center displays reporting for shared channels, includi
- **Current limitations**: An access review can detect internal users and external B2B direct connect users, but not other teams that have been added to a shared channel. To view and remove teams that have been added to a shared channel, the shared channel owner can manage membership from within Teams.
-For more information about Microsoft Teams audit logs, see the [Microsoft Teams auditing documentation](/microsoftteams/audit-log-events).
+For more information about Microsoft Teams audit logs, see the [Microsoft Teams auditing documentation](/purview/audit-teams-audit-log-events).
## Privacy and data handling
You might want to consider using cross-tenant access settings to restrict B2B di
## Next steps - [Configure cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md)-- See the Microsoft Teams documentation for details about [data loss prevention](/microsoft-365/compliance), [retention policies](/microsoftteams/retention-policies), and [eDiscovery](/microsoftteams/ediscovery-investigation).
+- See the Microsoft Teams documentation for details about [data loss prevention](/purview/), [retention policies](/microsoftteams/retention-policies), and [eDiscovery](/purview/ediscovery-teams-investigation).
active-directory B2b Government National Clouds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-government-national-clouds.md
To set up B2B collaboration between tenants in different clouds, both tenants ne
## B2B collaboration within the Microsoft Azure Government cloud
-Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. Azure US Government tenants that support B2B collaboration can also collaborate with social users using Microsoft, Google accounts, or email one-time passcode accounts. If you invite a user outside of these groups (for example, if the user is in a tenant that isn't part of the Azure US Government cloud or doesn't yet support B2B collaboration), the invitation will fail or the user won't be able to redeem the invitation. For Microsoft accounts (MSAs), there are known limitations with accessing the Microsoft Entra admin center: newly invited MSA guests are unable to redeem direct link invitations to the Microsoft Entra admin center, and existing MSA guests are unable to sign in to the Microsoft Entra admin center. For details about other limitations, see [Microsoft Entra ID P1 and P2 Variations](../../azure-government/compare-azure-government-global-azure.md#azure-active-directory-premium-p1-and-p2).
+Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. Azure US Government tenants that support B2B collaboration can also collaborate with social users using Microsoft, Google accounts, or email one-time passcode accounts. If you invite a user outside of these groups (for example, if the user is in a tenant that isn't part of the Azure US Government cloud or doesn't yet support B2B collaboration), the invitation will fail or the user won't be able to redeem the invitation. For Microsoft accounts (MSAs), there are known limitations with accessing the Microsoft Entra admin center: newly invited MSA guests are unable to redeem direct link invitations to the Microsoft Entra admin center, and existing MSA guests are unable to sign in to the Microsoft Entra admin center. For details about other limitations, see [Microsoft Entra ID P1 and P2 Variations](/azure/azure-government/compare-azure-government-global-azure#azure-active-directory-premium-p1-and-p2).
### How can I tell if B2B collaboration is available in my Azure US Government tenant? To find out if your Azure US Government cloud tenant supports B2B collaboration, do the following:
active-directory B2b Quickstart Invite Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-quickstart-invite-powershell.md
If you donΓÇÖt have an Azure subscription, create a [free account](https://azure
To complete the scenario in this quickstart, you need: - A role that allows you to create users in your tenant directory, such as at least a [Guest Inviter role](../roles/permissions-reference.md#guest-inviter) or a [User administrator](../roles/permissions-reference.md#user-administrator).-- Install the [Microsoft Graph Identity Sign-ins module](/powershell/module/microsoft.graph.identity.signins/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Identity.SignIns) and the [Microsoft Graph Users module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Users). You can use the `#Requires` statement to prevent running a script unless the required PowerShell modules are met.
+- Install the [Microsoft Graph Identity Sign-ins module](/powershell/module/microsoft.graph.identity.signins/?viewFallbackFrom=graph-powershell-beta&preserve-view=true&view=graph-powershell-1.0) (Microsoft.Graph.Identity.SignIns) and the [Microsoft Graph Users module](/powershell/module/microsoft.graph.users/?viewFallbackFrom=graph-powershell-beta&preserve-view=true&view=graph-powershell-1.0) (Microsoft.Graph.Users). You can use the `#Requires` statement to prevent running a script unless the required PowerShell modules are met.
```powershell #Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users
active-directory B2b Sponsors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-sponsors.md
When you invite a guest user, you became their sponsor by default. If you need t
## Next steps - [Add and invite guest users](add-users-administrator.md)-- [Create a new access package](/azure/active-directory/governance/entitlement-management-access-package-create#approval)-- [Manage user profile info](/azure/active-directory/fundamentals/how-to-manage-user-profile-info)
+- [Create a new access package](../governance/entitlement-management-access-package-create.md)
+- [Manage user profile info](../fundamentals/how-to-manage-user-profile-info.md)
active-directory Cross Tenant Access Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-overview.md
Microsoft Entra organizations can use External ID cross-tenant access settings t
This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Microsoft Entra organizations, including across Microsoft clouds. More settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains. > [!IMPORTANT]
-> Microsoft started to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you'll be unable to make changes to your settings. If you're unable to make a change, wait a few moments and try the change again. Once the migration completes, [you'll no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
+> Microsoft started to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you'll be unable to make changes to your settings. If you're unable to make a change, wait a few moments and try the change again. Once the migration completes, [you'll no longer be capped with 25kb of storage space](./faq.yml#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
## Manage external access with inbound and outbound settings
active-directory Cross Tenant Access Settings B2b Collaboration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md
Use External Identities cross-tenant access settings to manage how you collaborate with other Microsoft Entra organizations through B2B collaboration. These settings determine both the level of *inbound* access users in external Microsoft Entra organizations have to your resources, and the level of *outbound* access your users have to external organizations. They also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and Microsoft Entra hybrid joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Microsoft Entra organizations. For details and planning considerations, see [Cross-tenant access in Microsoft Entra External ID](cross-tenant-access-overview.md). > [!IMPORTANT]
-> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
+> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](./faq.yml#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
## Before you begin
active-directory Cross Tenant Access Settings B2b Direct Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md
Use cross-tenant access settings to manage how you collaborate with other Micros
Learn more about using cross-tenant access settings to [manage B2B direct connect](b2b-direct-connect-overview.md#managing-cross-tenant-access-for-b2b-direct-connect). > [!IMPORTANT]
-> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
+> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](./faq.yml#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
## Before you begin
active-directory Concept Branding Customers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/concept-branding-customers.md
After creating a new customer tenant, you can customize the appearance of your web-based applications for customers who sign in or sign up, to personalize their end-user experience. In Microsoft Entra ID, the default Microsoft branding will appear in your sign-in pages before you customize any settings. This branding represents the global look and feel that applies across all sign-ins to your tenant.
-Your Microsoft Entra ID for customers tenant supports Microsoft look and feel as a default state for authentication experience. You can [customize the default Microsoft sign-in experience](/azure/active-directory/fundamentals/how-to-customize-branding) with a custom background image or color, favicon, layout, header, and footer. You can also upload a custom CSS. If the custom company branding fails to load for any reason, the sign-in page will revert to the default Microsoft branding.
+Your Microsoft Entra ID for customers tenant supports Microsoft look and feel as a default state for authentication experience. You can [customize the default Microsoft sign-in experience](../../fundamentals/how-to-customize-branding.md) with a custom background image or color, favicon, layout, header, and footer. You can also upload a custom CSS. If the custom company branding fails to load for any reason, the sign-in page will revert to the default Microsoft branding.
The customer tenant is unique in that it doesn't have any default branding, but instead has a neutral one. It is neutral, because it doesn't contain any existing Microsoft branding. This neutral default branding can be customized to meet the specific needs of your company. If the custom company branding fails to load for any reason, the sign-in page will revert to this neutral branding. It's also possible to add each custom branding property to the custom sign-in page individually.
active-directory How To Browserless App Node Sign In Sign Out https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-browserless-app-node-sign-in-sign-out.md
const msalInstance = new msal.PublicClientApplication(msalConfig);
## Create an instance of a PublicClientApplication object
-To use MSAL Node, you must first create an instance of a [`PublicClientApplication`](/javascript/api/@azure/msal-node/publicclientapplication) object using the `msalConfig` object. The initialized `PublicClientApplication` object is used to authenticate the user and obtain an access token.
+To use MSAL Node, you must first create an instance of a [`PublicClientApplication`](/javascript/api/%40azure/msal-node/publicclientapplication) object using the `msalConfig` object. The initialized `PublicClientApplication` object is used to authenticate the user and obtain an access token.
In *index.js*, add the following code to initialize the public client application:
const msalInstance = new msal.PublicClientApplication(msalConfig);
## Create the device code request
-To create the [`deviceCodeRequest`](/javascript/api/@azure/msal-node/devicecoderequest) that the application uses to obtain access tokens using the Oauth2 device code flow, add the following code to *index.js*
+To create the [`deviceCodeRequest`](/javascript/api/%40azure/msal-node/devicecoderequest) that the application uses to obtain access tokens using the Oauth2 device code flow, add the following code to *index.js*
```javascript const getTokenDeviceCode = (clientApplication) => {
const getTokenDeviceCode = (clientApplication) => {
``` The `getTokenDeviceCode` function takes a single parameter, `clientApplication`, which is an instance of the `PublicClientApplication` object we created previously. The function creates a new object named `deviceCodeRequest`, which includes the `loginRequest` object imported from the *authConfig.js* file. It also contains a `deviceCodeCallback` function that logs the device code message to the console.
-The `clientApplication` object is then used to call the [`acquireTokenByDeviceCode`](/javascript/api/@azure/msal-node/publicclientapplication#@azure-msal-node-publicclientapplication-acquiretokenbydevicecode) API, passing in the `deviceCodeRequest` object. Once the device code request is executed, the application will display a URL that the user should visit. Upon visiting the URL, the user inputs the code displayed in the console. After entering the code, the promise resolves with either an access token or an error.
+The `clientApplication` object is then used to call the [`acquireTokenByDeviceCode`](/javascript/api/%40azure/msal-node/publicclientapplication#@azure-msal-node-publicclientapplication-acquiretokenbydevicecode) API, passing in the `deviceCodeRequest` object. Once the device code request is executed, the application will display a URL that the user should visit. Upon visiting the URL, the user inputs the code displayed in the console. After entering the code, the promise resolves with either an access token or an error.
## Initiate the device code flow
active-directory How To Customize Languages Customers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-customize-languages-customers.md
You can create a personalized sign-in experience for users who sign in using a s
## Add browser language under Company branding
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../../roles/permissions-reference.md#global-administrator).
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier. 1. Browse to **Company branding** > **Browser language customizations** > **Add browser language**.
The following languages are supported in the customer tenant:
Language customization in the customer tenant allows your user flow to accommodate different languages to suit your customer's needs. You can use languages to modify the strings displayed to your customers as part of the attribute collection process during sign-up.
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../../roles/permissions-reference.md#global-administrator).
2. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier. 3. Browse to **Identity** > **External Identities** > **User flows**. 4. Select the user flow that you want to enable for translations.
You can modify any or all of these attributes in the downloaded file. For exampl
:::image type="content" source="media/how-to-customize-languages-customers/customized-attributes.png" alt-text="Screenshot of the modified sign-up page attributes."::: > [!IMPORTANT]
-> In the customer tenant, we have two options to add custom text to the sign-up and sign-in experience. The function is available under each user flow during language customization and under [Company Branding](/azure/active-directory/external-identities/customers/how-to-customize-branding-customers). Although we have to ways to customize strings (via Company branding and via User flows), both ways modify the same JSON file. The most recent change made either via User flows or via Company branding will always override the previous one.
+> In the customer tenant, we have two options to add custom text to the sign-up and sign-in experience. The function is available under each user flow during language customization and under [Company Branding](./how-to-customize-branding-customers.md). Although we have to ways to customize strings (via Company branding and via User flows), both ways modify the same JSON file. The most recent change made either via User flows or via Company branding will always override the previous one.
## Right-to-left language support
active-directory How To Register Ciam App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-register-ciam-app.md
External ID for customers supports authentication for Single-page apps (SPAs).
The following steps show you how to register your SPA in the Microsoft Entra admin center:
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](/azure/active-directory/roles/permissions-reference#application-developer).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../../roles/permissions-reference.md#application-developer).
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant.
External ID for customers supports authentication for web apps.
The following steps show you how to register your web app in the Microsoft Entra admin center:
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](/azure/active-directory/roles/permissions-reference#application-developer).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../../roles/permissions-reference.md#application-developer).
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant.
If your web app needs to call an API, you must grant your web app API permission
The following steps show you how to register your app in the Microsoft Entra admin center:
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](/azure/active-directory/roles/permissions-reference#application-developer).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../../roles/permissions-reference.md#application-developer).
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant.
If your mobile app needs to call an API, you must grant your mobile app API perm
### Grant API permissions
-A daemon app signs-in as itself using the [OAuth 2.0 client credentials flow](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow). You grant application permissions (app roles), which is required by apps that authenticate as themselves. You must also [register the web API](how-to-register-ciam-app.md?tabs=webapi) that your daemon app needs to call.
+A daemon app signs-in as itself using the [OAuth 2.0 client credentials flow](../../develop/v2-oauth2-client-creds-grant-flow.md). You grant application permissions (app roles), which is required by apps that authenticate as themselves. You must also [register the web API](how-to-register-ciam-app.md?tabs=webapi) that your daemon app needs to call.
[!INCLUDE [register daemon app](../customers/includes/register-app/grant-api-permissions-app-permissions.md)]
active-directory How To User Flow Sign Up Sign In Customers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-user-flow-sign-up-sign-in-customers.md
If you want your customer users to only sign in and not sign up, you can disable
1. In the left menu, under **Use**, select **Applications**. 1. From the list, under **Application (client) ID** column, copy the Application (client) ID.
-1. Identify the ID of the user flow whose sign-up you want to disable. To do so, [List the user flow associated with the specific application](/graph/api/identitycontainer-list-authenticationeventsflows?#example-4-list-user-flow-associated-with-specific-application-id). This's a Microsoft Graph API, which requires you to know the application ID you obtained from the previous step.
+1. Identify the ID of the user flow whose sign-up you want to disable. To do so, [List the user flow associated with the specific application](/graph/api/identitycontainer-list-authenticationeventsflows#example-4-list-user-flow-associated-with-specific-application-id). This's a Microsoft Graph API, which requires you to know the application ID you obtained from the previous step.
1. [Update your user flow](/graph/api/authenticationeventsflow-update) to disable sign-up.
active-directory How To Web App Node Sign In Call Api Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-node-sign-in-call-api-overview.md
In this article, you learn how to create your Node.js web app that calls your web API. You build the web API by using ASP.NET. You secure the web API by using Microsoft Entra ID for customers. To authorize access to the web API, you must serve requests that include a valid access token, which is issued by External ID for customers itself.
-To simplify adding authentication and authorization, the Node.js client web app and .NET web API use [Microsoft Authentication Library for Node (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) and [Microsoft Identity Web](../../develop/microsoft-identity-web.md) respectively.
+To simplify adding authentication and authorization, the Node.js client web app and .NET web API use [Microsoft Authentication Library for Node (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) and [Microsoft Identity Web](/entra/msal/dotnet/microsoft-identity-web/) respectively.
We've organized the content into four separate articles so it's easy for you to follow:
active-directory How To Web App Node Sign In Call Api Sign In Acquire Access Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-node-sign-in-call-api-sign-in-acquire-access-token.md
The `/signin`, `/signout` and `/redirect` routes are defined in the *routes/auth
} ```
- Notice how we use MSALs [getAuthCodeUrl](/javascript/api/@azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-getauthcodeurl) method to generate authorization code URL:
+ Notice how we use MSALs [getAuthCodeUrl](/javascript/api/%40azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-getauthcodeurl) method to generate authorization code URL:
```javascript //...
The `/signin`, `/signout` and `/redirect` routes are defined in the *routes/auth
- You set this route as Redirect URI for the web app in the Microsoft Entra admin center earlier in [Register the web app](./sample-web-app-node-sign-in-call-api.md#register-the-web-app).
- - This endpoint implements the second leg of auth code flow uses. It uses the authorization code to request an ID token by using MSAL's [acquireTokenByCode](/javascript/api/@azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-acquiretokenbycode) method.
+ - This endpoint implements the second leg of auth code flow uses. It uses the authorization code to request an ID token by using MSAL's [acquireTokenByCode](/javascript/api/%40azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-acquiretokenbycode) method.
```javascript //...
active-directory How To Web App Node Use Certificate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-node-use-certificate.md
If you have an existing self-signed certificate in Azure Key Vault, and you want
# [Windows PowerShell](#tab/windows-powershell)
-1. Use the steps in [Create a self-signed public certificate to authenticate your application](/azure/active-directory/develop/howto-create-self-signed-certificate). Make sure you export your public certificate with its private key. For the `certificateName`, use *ciam-client-app-cert*.
+1. Use the steps in [Create a self-signed public certificate to authenticate your application](../../develop/howto-create-self-signed-certificate.md). Make sure you export your public certificate with its private key. For the `certificateName`, use *ciam-client-app-cert*.
1. In your terminal, run the following command to extract the private key from the *.pfx* file. When prompted to type in your pass phrase, type a pass phrase of your choice:
active-directory Overview Customers Ciam https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/overview-customers-ciam.md
Learn more about the [security and governance](concept-security-customers.md) fe
## About Azure AD B2C
-If you're a new customer, you might be wondering which solution is a better fit, [Azure AD B2C](../../../active-directory-b2c/index.yml) or Microsoft Entra External ID (preview). Opt for the current Azure AD B2C product if:
+If you're a new customer, you might be wondering which solution is a better fit, [Azure AD B2C](/azure/active-directory-b2c/) or Microsoft Entra External ID (preview). Opt for the current Azure AD B2C product if:
- You have an immediate need to deploy a production ready build for customer-facing apps.
active-directory Overview Solutions Customers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/overview-solutions-customers.md
One of the most common ways for users to sign up for an app is by creating an ac
:::image type="content" source="media/overview-solutions-customers/use-case-common.png" alt-text="Screenshot of the common use case demo.":::
-When you enter an email address to create an account, your email is verified through a one-time passcode. Then you can create a new password and provide more details, such as your name, country or region, and other information. Once your account is create, your email becomes your sign-in ID.
+When you enter an email address to create an account, your email is verified through a one-time passcode. Then you can create a new password and provide more details, such as your name, country or region, and other information. Once your account is created, your email becomes your sign-in ID.
### Self-service password reset
When users authenticate to your application with Microsoft Entra ID, a security
In this use case, you can sign in or sign up with your credentials. Then after you're successfully authenticated, from the top bar select your name and check your profile. It contains information that return by the Microsoft Entra custom extension REST API.
-If you want to understand how custom extensions work, you can refer to the [Custom extension overview](/azure/active-directory/develop/custom-extension-overview) article. For information on custom claims providers, you can check out the [Custom claims provider](/azure/active-directory/develop/custom-claims-provider-overview) article.
+If you want to understand how custom extensions work, you can refer to the [Custom extension overview](../../develop/custom-extension-overview.md) article. For information on custom claims providers, you can check out the [Custom claims provider](../../develop/custom-claims-provider-overview.md) article.
### Edit your account
active-directory Quickstart Trial Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/quickstart-trial-setup.md
Get started with Microsoft Entra ID for customers (Preview) that lets you create
In this quickstart, you'll learn how to set up a customer tenant free trial. If you already have an Azure subscription, you can create a tenant with customer configurations in the Microsoft Entra admin center. For more information about how to create a tenant see [Set up a tenant](quickstart-tenant-setup.md).
-Your free trial of a tenant with customer configurations provides you with the opportunity to try new features and build applications and processes during the free trial period. Organization (tenant) admins can invite other users. Each user account can only have one active free trial tenant at a time. The free trial isn't designed for scale testing. Trial tenant will support up to 10K resources, learn more about Microsoft Entra service limits [here](/azure/active-directory/enterprise-users/directory-service-limits-restrictions). During your free trial, you'll have the option to unlock the full set of features by upgrading to [Azure free account](https://azure.microsoft.com/free/).
+Your free trial of a tenant with customer configurations provides you with the opportunity to try new features and build applications and processes during the free trial period. Organization (tenant) admins can invite other users. Each user account can only have one active free trial tenant at a time. The free trial isn't designed for scale testing. Trial tenant will support up to 10K resources, learn more about Microsoft Entra service limits [here](../../enterprise-users/directory-service-limits-restrictions.md). During your free trial, you'll have the option to unlock the full set of features by upgrading to [Azure free account](https://azure.microsoft.com/free/).
> [!NOTE] > At the end of the free trial period, your free trial tenant will be disabled and deleted.
active-directory Sample Cli App Node Sign In Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-cli-app-node-sign-in-users.md
# Sign in users in a sample Node.js CLI application.
-This guide uses a sample Node Command Line Interface (CLI) application to sign in users in a Microsoft Entra ID for customers tenant. The sample application uses the [Microsoft Authentication Library for Node](/javascript/api/%40azure/msal-node) (MSAL Node) to handle authentication.
+This guide uses a sample Node Command Line Interface (CLI) application to sign in users in a Microsoft Entra ID for customers tenant. The sample application uses the [Microsoft Authentication Library for Node](/javascript/api/%40azure/msal-node/) (MSAL Node) to handle authentication.
In this article, you complete the following tasks:
active-directory Tutorial Daemon Node Call Api Build App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-daemon-node-call-api-build-app.md
In the code:
- Prepare the `tokenRequest` and `apiConfig` object. The `tokenRequest` contains the scope for which you request an access token. The scope looks something like `api://Enter_the_Web_Api_Application_Id_Here/.default`. The `apiConfig` object contains the endpoint to your web API. Learn more about [OAuth 2.0 client credentials flow](../../develop/v2-oauth2-client-creds-grant-flow.md). -- You create a confidential client instance by passing the `msalConfig` object to the [ConfidentialClientApplication](/javascript/api/@azure/msal-node/confidentialclientapplication#constructors) class' constructor.
+- You create a confidential client instance by passing the `msalConfig` object to the [ConfidentialClientApplication](/javascript/api/%40azure/msal-node/confidentialclientapplication#constructors) class' constructor.
```javascript const cca = new msal.ConfidentialClientApplication(msalConfig); ``` -- You then use the [acquireTokenByClientCredential](/javascript/api/@azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-acquiretokenbyclientcredential) function to acquire an access token. You implement this logic in the `getToken` function:
+- You then use the [acquireTokenByClientCredential](/javascript/api/%40azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-acquiretokenbyclientcredential) function to acquire an access token. You implement this logic in the `getToken` function:
```javascript cca.acquireTokenByClientCredential(tokenRequest);
active-directory Tutorial Protect Web Api Dotnet Core Build App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-protect-web-api-dotnet-core-build-app.md
In this section, we add code to the placeholders we created. The focus here isn'
Run your API to ensure that it's running well without any errors using the command `dotnet run`. If you intend to use https protocol even during testing, you need to [trust .NET's development certificate](/aspnet/core/tutorials/first-web-api#test-the-project).
-For a full example of this API code, see the [samples file](https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/blob/main/2-Authorization/3-call-own-api-dotnet-core-daemon/ToDoListAPI).
+For a full example of this API code, see the [samples file](https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/tree/main/2-Authorization/3-call-own-api-dotnet-core-daemon/ToDoListAPI).
## Next steps
active-directory Tutorial Single Page App React Sign In Prepare App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-single-page-app-react-sign-in-prepare-app.md
Identity related **npm** packages must be installed in the project to enable use
## Modify *index.js* to include the authentication provider
-All parts of the app that require authentication must be wrapped in the [`MsalProvider`](/javascript/api/@azure/msal-react/#@azure-msal-react-msalprovider) component. You instantiate a [PublicClientApplication](/javascript/api/@azure/msal-browser/publicclientapplication) then pass it to `MsalProvider`.
+All parts of the app that require authentication must be wrapped in the [`MsalProvider`](/javascript/api/%40azure/msal-react/#@azure-msal-react-msalprovider) component. You instantiate a [PublicClientApplication](/javascript/api/%40azure/msal-browser/publicclientapplication) then pass it to `MsalProvider`.
1. In the *src* folder, open *index.js* and replace the contents of the file with the following code snippet to use the `msal` packages and bootstrap styling:
active-directory Tutorial Single Page App Vanillajs Prepare App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-single-page-app-vanillajs-prepare-app.md
In this tutorial;
## Edit the *server.js* file
-**Express** is a web application framework for **Node.js**. It's used to create a server that hosts the application. **Morgan** is the middleware that logs HTTP requests to the console. The server file is used to host these dependencies and contains the routes for the application. Authentication and authorization are handled by the [Microsoft Authentication Library for JavaScript (MSAL.js)](/javascript/api/overview/).
+**Express** is a web application framework for **Node.js**. It's used to create a server that hosts the application. **Morgan** is the middleware that logs HTTP requests to the console. The server file is used to host these dependencies and contains the routes for the application. Authentication and authorization are handled by the [Microsoft Authentication Library for JavaScript (MSAL.js)](/javascript/api/overview).
1. Add the following code snippet to the *server.js* file:
active-directory Tutorial Web App Dotnet Sign In Prepare Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-web-app-dotnet-sign-in-prepare-tenant.md
Last updated 05/23/2023
# Tutorial: Prepare your customer tenant to authenticate users in an ASP.NET web app
-This tutorial series demonstrates how to build an ASP.NET web application from scratch and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for .NET](/entra/msal/dotnet) and [Microsoft Identity Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) libraries to authenticate your app with your Microsoft Entra ID for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences.
+This tutorial series demonstrates how to build an ASP.NET web application from scratch and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for .NET](/entra/msal/dotnet/) and [Microsoft Identity Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) libraries to authenticate your app with your Microsoft Entra ID for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences.
In this tutorial, you'll;
active-directory External Identities Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-identities-overview.md
Azure AD B2C is a Customer Identity and Access Management (CIAM) solution that l
With Azure AD B2C, customers can sign in with an identity they've already established (like Facebook or Gmail). You can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications.
-Although Azure AD B2C is built on the same technology as Microsoft Entra External ID, it's a separate service with some feature differences. For more information about how an Azure AD B2C tenant differs from a Microsoft Entra tenant, see [Supported Microsoft Entra features](../../active-directory-b2c/supported-azure-ad-features.md) in the [Azure AD B2C documentation](../../active-directory-b2c/index.yml).
+Although Azure AD B2C is built on the same technology as Microsoft Entra External ID, it's a separate service with some feature differences. For more information about how an Azure AD B2C tenant differs from a Microsoft Entra tenant, see [Supported Microsoft Entra features](/azure/active-directory-b2c/supported-azure-ad-features) in the [Azure AD B2C documentation](/azure/active-directory-b2c/).
## Comparing External Identities feature sets
The following table gives a detailed comparison of the scenarios you can enable
| **User management** | B2B collaboration users are managed in the same directory as employees but are typically annotated as guest users. Guest users can be managed the same way as employees, added to the same groups, and so on. Cross-tenant access settings can be used to determine which users have access to B2B collaboration. | No user object is created in your Microsoft Entra directory. Cross-tenant access settings determine which users have access to B2B collaboration. direct connect. Shared channel users can be managed in Teams, and usersΓÇÖ access is determined by the Teams shared channelΓÇÖs policies. | User objects are created for consumer users in your Azure AD B2C directory. They're managed separately from the organization's employee and partner directory (if any). | | **Identity providers supported** | External users can collaborate using work accounts, school accounts, any email address, SAML and WS-Fed based identity providers, and social identity providers like Gmail and Facebook. | External users collaborate using Microsoft Entra ID work accounts or school accounts. | Consumer users with local application accounts (any email address, user name, or phone number), Microsoft Entra ID, various supported social identities, and users with corporate and government-issued identities via SAML/WS-Fed-based identity provider federation. | | **Single sign-on (SSO)** | SSO to all Microsoft Entra connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. | SSO to a Teams shared channel. | SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn't supported. |
-| **Licensing and billing** | Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for B2B](external-identities-pricing.md). | Based on monthly active users (MAU), including B2B collaboration, B2B direct connect, and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for B2B](external-identities-pricing.md). | Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for Azure AD B2C](../../active-directory-b2c/billing.md). |
-| **Security policy and compliance** | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). See also the [Teams documentation](/microsoftteams/security-compliance-overview). | Managed by the organization via [Conditional Access and Identity Protection](../../active-directory-b2c/conditional-access-identity-protection-overview.md). |
-| **Multifactor authentication** | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, the user is presented with an MFA challenge from the resource organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Microsoft Entra external users. | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, and Conditional Access policies require MFA, the user is blocked from accessing resources. You *must* configure your inbound trust settings to accept MFA claims from the organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Microsoft Entra external users. | [Integrates directly](../../active-directory-b2c/multi-factor-authentication.md) with Microsoft Entra multifactor authentication. |
+| **Licensing and billing** | Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for B2B](external-identities-pricing.md). | Based on monthly active users (MAU), including B2B collaboration, B2B direct connect, and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for B2B](external-identities-pricing.md). | Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for Azure AD B2C](/azure/active-directory-b2c/billing). |
+| **Security policy and compliance** | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). See also the [Teams documentation](/microsoftteams/security-compliance-overview). | Managed by the organization via [Conditional Access and Identity Protection](/azure/active-directory-b2c/conditional-access-identity-protection-overview). |
+| **Multifactor authentication** | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, the user is presented with an MFA challenge from the resource organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Microsoft Entra external users. | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, and Conditional Access policies require MFA, the user is blocked from accessing resources. You *must* configure your inbound trust settings to accept MFA claims from the organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Microsoft Entra external users. | [Integrates directly](/azure/active-directory-b2c/multi-factor-authentication) with Microsoft Entra multifactor authentication. |
| **Microsoft cloud settings** | [Supported.](cross-cloud-settings.md) | [Not supported.](cross-cloud-settings.md) | Not applicable. | | **Entitlement management** | [Supported.](../governance/entitlement-management-overview.md) | Not supported. | Not applicable. |
-| **Line-of-business (LOB) apps** | Supported. | Not supported. Only B2B direct connect-enabled apps can be shared (currently, Teams Connect shared channels). | Works with [RESTful API](../../active-directory-b2c/technical-overview.md#add-your-own-business-logic-and-call-restful-apis). |
-| **Conditional Access** | Managed by the host/inviting organization. [Learn more](authentication-conditional-access.md) about Conditional Access policies. | Managed by the host/inviting organization. [Learn more](authentication-conditional-access.md) about Conditional Access policies. | Managed by the organization via [Conditional Access and Identity Protection](../../active-directory-b2c/conditional-access-identity-protection-overview.md). |
+| **Line-of-business (LOB) apps** | Supported. | Not supported. Only B2B direct connect-enabled apps can be shared (currently, Teams Connect shared channels). | Works with [RESTful API](/azure/active-directory-b2c/technical-overview#add-your-own-business-logic-and-call-restful-apis). |
+| **Conditional Access** | Managed by the host/inviting organization. [Learn more](authentication-conditional-access.md) about Conditional Access policies. | Managed by the host/inviting organization. [Learn more](authentication-conditional-access.md) about Conditional Access policies. | Managed by the organization via [Conditional Access and Identity Protection](/azure/active-directory-b2c/conditional-access-identity-protection-overview). |
| **Branding** | Host/inviting organization's brand is used. | For sign-in screens, the userΓÇÖs home organization brand is used. In the shared channel, the resource organization's brand is used. | Fully customizable branding per application or organization. |
-| **More information** | [Blog post](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/), [Documentation](what-is-b2b.md) | [Documentation](b2b-direct-connect-overview.md) | [Product page](https://azure.microsoft.com/services/active-directory-b2c/), [Documentation](../../active-directory-b2c/index.yml) |
+| **More information** | [Blog post](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/), [Documentation](what-is-b2b.md) | [Documentation](b2b-direct-connect-overview.md) | [Product page](https://azure.microsoft.com/services/active-directory-b2c/), [Documentation](/azure/active-directory-b2c/) |
Based on your organizationΓÇÖs requirements you might use cross-tenant synchronization in multi-tenant organizations. For more information about this new feature, see the [multi-tenant organization documentation](../multi-tenant-organizations/index.yml) and the [feature comparison](../multi-tenant-organizations/overview.md#compare-multi-tenant-capabilities).
For B2B collaboration end-users who perform cross-tenant sign-ins, their home te
Azure AD B2C is a separate consumer-based directory that you manage in the Azure portal through the Azure AD B2C service. Each Azure AD B2C tenant is separate and distinct from other Microsoft Entra ID and Azure AD B2C tenants. The Azure AD B2C portal experience is similar to Microsoft Entra ID, but there are key differences, such as the ability to customize your user journeys using the Identity Experience Framework.
-For details about configuring and managing Azure AD B2C, see the [Azure AD B2C documentation](../../active-directory-b2c/index.yml).
+For details about configuring and managing Azure AD B2C, see the [Azure AD B2C documentation](/azure/active-directory-b2c/).
<a name='related-azure-ad-technologies'></a>
A multi-tenant organization is an organization that has more than one instance o
- [What is Microsoft Entra B2B collaboration?](what-is-b2b.md) - [What is Microsoft Entra B2B direct connect?](b2b-direct-connect-overview.md)-- [About Azure AD B2C](../../active-directory-b2c/overview.md)
+- [About Azure AD B2C](/azure/active-directory-b2c/overview)
- [About Microsoft Entra multi-tenant organizations](../../active-directory/multi-tenant-organizations/overview.md)
active-directory External Identities Pricing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-identities-pricing.md
Previously updated : 03/15/2023 Last updated : 10/05/2023
# Billing model for Microsoft Entra External ID
-Microsoft Entra External ID pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This billing model applies to both Microsoft Entra guest user collaboration (B2B) and [Azure AD B2C tenants](../../active-directory-b2c/billing.md). MAU billing helps you reduce costs by offering a free tier and flexible, predictable pricing. In this article, learn about MAU billing and linking your Microsoft Entra tenants to a subscription.
+Microsoft Entra External ID pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This billing model applies to both Microsoft Entra guest user collaboration (B2B) and [Azure AD B2C tenants](/azure/active-directory-b2c/billing). MAU billing helps you reduce costs by offering a free tier and flexible, predictable pricing. In this article, learn about MAU billing and linking your Microsoft Entra tenants to a subscription.
> [!IMPORTANT] > This article does not contain pricing details. For the latest information about usage billing and pricing, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+>
+> In Azure Government, the External ID billing model doesn't apply because the service is available through Preview only.
## What do I need to do?
If no subscriptions are available in the **Link a subscription** pane, here are
- A subscription exists, but it hasn't been associated with your directory yet. You can [associate an existing subscription to your tenant](../fundamentals/how-subscriptions-associated-directory.md) and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription). -- No subscription exists. In the **Link a subscription** pane, you can create a subscription by selecting the link **if you don't already have a subscription you may create one here**. After you create a new subscription, you'll need to [create a resource group](../../azure-resource-manager/management/manage-resource-groups-portal.md) in the new subscription, and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription).
+- No subscription exists. In the **Link a subscription** pane, you can create a subscription by selecting the link **if you don't already have a subscription you may create one here**. After you create a new subscription, you'll need to [create a resource group](/azure/azure-resource-manager/management/manage-resource-groups-portal) in the new subscription, and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription).
## Next steps
active-directory Google Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/google-federation.md
By setting up federation with Google, you can allow invited users to sign in to
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Microsoft Entra B2B customers set up new Google integrations for use with self-service sign-up or for inviting external users for their custom or line-of-business applications, authentication could be blocked for Gmail users (with the error screen shown below in [What to expect](#what-to-expect)). This issue occurs only if you create Google integration for self-service sign-up user flows or invitations after July 12, 2021 and Gmail authentications in your custom or line-of-business applications havenΓÇÖt been moved to system web-views. Because system web-views are enabled by default, most apps will not be affected. To avoid the issue, we strongly advise you to move Gmail authentications to system browsers before creating any new Google integrations for self-service sign-up. Please refer to [Action needed for embedded web-views](#action-needed-for-embedded-frameworks).
-> - **Starting September 30, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Microsoft Entra B2B for external user invitations or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30, 2021**, Google is [deprecating web-view sign-in support](https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](/azure/active-directory-b2c/identity-provider-google) or Microsoft Entra B2B for external user invitations or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](#deprecation-of-web-view-sign-in-support).
## What is the experience for the Google user?
You can also give Google guest users a direct link to an application or resource
## Deprecation of web-view sign-in support
-Starting September 30, 2021, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate.
+Starting September 30, 2021, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](/azure/active-directory-b2c/identity-provider-google) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate.
The following are known scenarios that will impact Gmail users: - Microsoft apps (e.g. Teams and Power Apps) on Windows
This change does not affect:
### Action needed for embedded web-views
-Modify your apps to use the system browser for sign-in. For details, see [Embedded vs System Web UI](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) in the MSAL.NET documentation. All MSAL SDKs use the system web-view by default.
+Modify your apps to use the system browser for sign-in. For details, see [Embedded vs System Web UI](/entra/msal/dotnet/acquiring-tokens/using-web-browsers#embedded-vs-system-web-ui) in the MSAL.NET documentation. All MSAL SDKs use the system web-view by default.
### What to expect
active-directory Hybrid On Premises To Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/hybrid-on-premises-to-cloud.md
Before Microsoft Entra ID, organizations with on-premises identity systems have traditionally managed partner accounts in their on-premises directory. In such an organization, when you start to move apps to Microsoft Entra ID, you want to make sure your partners can access the resources they need. It shouldn't matter whether the resources are on-premises or in the cloud. Also, you want your partner users to be able to use the same sign-in credentials for both on-premises and Microsoft Entra resources.
-If you create accounts for your external partners in your on-premises directory (for example, you create an account with a sign-in name of "msullivan" for an external user named Maria Sullivan in your partners.contoso.com domain), you can now sync these accounts to the cloud. Specifically, you can use [Microsoft Entra Connect](../hybrid/connect/whatis-azure-ad-connect.md) to sync the partner accounts to the cloud, which creates a user account with UserType = Guest. This enables your partner users to access cloud resources using the same credentials as their local accounts, without giving them more access than they need. For more information about converting local guest accounts see [Convert local guest accounts to Microsoft Entra B2B guest accounts](/azure/active-directory/architecture/10-secure-local-guest).
+If you create accounts for your external partners in your on-premises directory (for example, you create an account with a sign-in name of "msullivan" for an external user named Maria Sullivan in your partners.contoso.com domain), you can now sync these accounts to the cloud. Specifically, you can use [Microsoft Entra Connect](/azure/active-directory/hybrid/connect/whatis-azure-ad-connect) to sync the partner accounts to the cloud, which creates a user account with UserType = Guest. This enables your partner users to access cloud resources using the same credentials as their local accounts, without giving them more access than they need. For more information about converting local guest accounts see [Convert local guest accounts to Microsoft Entra B2B guest accounts](/azure/active-directory/architecture/10-secure-local-guest).
> [!NOTE] > See also how to [invite internal users to B2B collaboration](invite-internal-users.md). With this feature, you can invite internal guest users to use B2B collaboration, regardless of whether you've synced their accounts from your on-premises directory to the cloud. Once the user accepts the invitation to use B2B collaboration, they'll be able to use their own identities and credentials to sign in to the resources you want them to access. You wonΓÇÖt need to maintain passwords or manage account lifecycles.
For implementation instructions, see [Enable synchronization of UserType](../hyb
- [Microsoft Entra B2B collaboration for hybrid organizations](hybrid-organizations.md) - [Grant B2B users in Microsoft Entra ID access to your on-premises applications](hybrid-cloud-to-on-premises.md)-
active-directory Identity Providers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/identity-providers.md
External Identities offers a variety of identity providers.
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Microsoft Entra B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
- > - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Microsoft Entra B2B for [external user invitations](google-federation.md) or self-service sign-up, Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+ > - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](/azure/active-directory-b2c/identity-provider-google) or Microsoft Entra B2B for [external user invitations](google-federation.md) or self-service sign-up, Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
- **Facebook**: When building an app, you can configure self-service sign-up and enable Facebook federation so that users can sign up for your app using their own Facebook accounts. Facebook can only be used for self-service sign-up user flows and isn't available as a sign-in option when users are redeeming invitations from you. See how to [add Facebook as an identity provider](facebook-federation.md).
active-directory Invitation Email Elements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/invitation-email-elements.md
The subject of the email follows this pattern:
We use a LinkedIn-like pattern for the From address. This pattern should make it clear that although the email comes from invites@microsoft.com, the invitation is from another organization. The format is: Microsoft InvitationsΓÇ»<invites@microsoft.com> or Microsoft invitations on behalf of &lt;tenantname&gt;ΓÇ»<invites@microsoft.com>. > [!NOTE]
-> For the Azure service operated by [21Vianet in China](/azure/china), the sender address is Invites@oe.21vianet.com.
-> For [Microsoft Entra ID for government](../../azure-government/index.yml), the sender address is invites@azuread.us.
+> For the Azure service operated by [21Vianet in China](/azure/china/), the sender address is Invites@oe.21vianet.com.
+> For [Microsoft Entra ID for government](/azure/azure-government/), the sender address is invites@azuread.us.
### Reply To
active-directory Redemption Experience https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/redemption-experience.md
When you add a guest user to your directory, the guest user account has a consen
> [!IMPORTANT] > - **Starting July 12, 2021**, if Microsoft Entra B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
-> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](/azure/active-directory-b2c/identity-provider-google) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
> - The [email one-time passcode feature](one-time-passcode.md) is now turned on by default for all new tenants and for any existing tenants where you haven't explicitly turned it off. When this feature is turned off, the fallback authentication method is to prompt invitees to create a Microsoft account. ## Redemption process and sign-in through a common endpoint
active-directory Self Service Sign Up Add Api Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-add-api-connector.md
To use an [API connector](api-connectors-overview.md), you first create the API
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Microsoft Entra B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
-> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](/azure/active-directory-b2c/identity-provider-google) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
## Create an API connector
Content-type: application/json
### Using serverless cloud functions
-Serverless functions, like [HTTP triggers in Azure Functions](../../azure-functions/functions-bindings-http-webhook-trigger.md), provide a way create API endpoints to use with the API connector. You can use the serverless cloud function to, [for example](code-samples-self-service-sign-up.md#api-connector-azure-function-quickstarts), perform validation logic and limit sign-ups to specific email domains. The serverless cloud function can also call and invoke other web APIs, data stores, and other cloud services for complex scenarios.
+Serverless functions, like [HTTP triggers in Azure Functions](/azure/azure-functions/functions-bindings-http-webhook-trigger), provide a way create API endpoints to use with the API connector. You can use the serverless cloud function to, [for example](code-samples-self-service-sign-up.md#api-connector-azure-function-quickstarts), perform validation logic and limit sign-ups to specific email domains. The serverless cloud function can also call and invoke other web APIs, data stores, and other cloud services for complex scenarios.
### Best practices Ensure that:
Ensure that:
* Your API implements an authentication method outlined in [secure your API Connector](self-service-sign-up-secure-api-connector.md). * Your API responds as quickly as possible to ensure a fluid user experience. * Microsoft Entra ID will wait for a maximum of *20 seconds* to receive a response. If none is received, it will make *one more attempt (retry)* at calling your API.
- * If using a serverless function or scalable web service, use a hosting plan that keeps the API "awake" or "warm" in production. For Azure Functions, it's recommended to use at minimum the [Premium plan](../../azure-functions/functions-scale.md#overview-of-plans)
+ * If using a serverless function or scalable web service, use a hosting plan that keeps the API "awake" or "warm" in production. For Azure Functions, it's recommended to use at minimum the [Premium plan](/azure/azure-functions/functions-scale#overview-of-plans)
* Ensure high availability of your API. * Monitor and optimize performance of downstream APIs, databases, or other dependencies of your API.
-* Your endpoints must comply with the Microsoft Entra TLS and cipher security requirements. For more information, see [TLS and cipher suite requirements](../../active-directory-b2c/https-cipher-tls-requirements.md).
+* Your endpoints must comply with the Microsoft Entra TLS and cipher security requirements. For more information, see [TLS and cipher suite requirements](/azure/active-directory-b2c/https-cipher-tls-requirements).
### Use logging
-In general, it's helpful to use the logging tools enabled by your web API service, like [Application insights](../../azure-functions/functions-monitoring.md), to monitor your API for unexpected error codes, exceptions, and poor performance.
+In general, it's helpful to use the logging tools enabled by your web API service, like [Application insights](/azure/azure-functions/functions-monitoring), to monitor your API for unexpected error codes, exceptions, and poor performance.
* Monitor for HTTP status codes that aren't HTTP 200 or 400. * A 401 or 403 HTTP status code typically indicates there's an issue with your authentication. Double-check your API's authentication layer and the corresponding configuration in the API connector. * Use more aggressive levels of logging (for example "trace" or "debug") in development if needed.
active-directory Self Service Sign Up Add Approvals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-add-approvals.md
This article gives an example of how to integrate with an approval system. In th
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Microsoft Entra B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
-> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+> - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](/azure/active-directory-b2c/identity-provider-google) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
## Register an application for your approval system
active-directory Self Service Sign Up Secure Api Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-secure-api-connector.md
Client certificate authentication is a mutual certificate-based authentication,
#### Option 1: Use Azure Key Vault (recommended)
-To create a certificate, you can use [Azure Key Vault](../../key-vault/certificates/create-certificate.md), which has options for self-signed certificates and integrations with certificate issuer providers for signed certificates. Recommended settings include:
+To create a certificate, you can use [Azure Key Vault](/azure/key-vault/certificates/create-certificate), which has options for self-signed certificates and integrations with certificate issuer providers for signed certificates. Recommended settings include:
- **Subject**: `CN=<yourapiname>.<tenantname>.onmicrosoft.com` - **Content Type**: `PKCS #12` - **Lifetime Acton Type**: `Email all contacts at a given percentage lifetime` or `Email all contacts a given number of days before expiry`
To create a certificate, you can use [Azure Key Vault](../../key-vault/certifica
- **Key Size**: `2048` - **Exportable Private Key**: `Yes` (in order to be able to export `.pfx` file)
-You can then [export the certificate](../../key-vault/certificates/how-to-export-certificate.md).
+You can then [export the certificate](/azure/key-vault/certificates/how-to-export-certificate).
#### Option 2: prepare a self-signed certificate using PowerShell
To configure an API Connector with client certificate authentication, follow the
1. Select **Save**. ### Perform authorization decisions
-Your API must implement the authorization based on sent client certificates in order to protect the API endpoints. For Azure App Service and Azure Functions, see [configure TLS mutual authentication](../../app-service/app-service-web-configure-tls-mutual-auth.md) to learn how to enable and *validate the certificate from your API code*. You can alternatively use Azure API Management as a layer in front of any API service to [check client certificate properties](
+Your API must implement the authorization based on sent client certificates in order to protect the API endpoints. For Azure App Service and Azure Functions, see [configure TLS mutual authentication](/azure/app-service/app-service-web-configure-tls-mutual-auth) to learn how to enable and *validate the certificate from your API code*. You can alternatively use Azure API Management as a layer in front of any API service to [check client certificate properties](
../../api-management/api-management-howto-mutual-certificates-for-clients.md) against desired values. ### Renewing certificates
To upload a new certificate to an existing API connector, select the API connect
## API key authentication
-Some services use an "API key" mechanism to obfuscate access to your HTTP endpoints during development by requiring the caller to include a unique key as an HTTP header or HTTP query parameter. For [Azure Functions](../../azure-functions/functions-bindings-http-webhook-trigger.md#authorization-keys), you can accomplish this by including the `code` as a query parameter in the **Endpoint URL** of your API connector. For example, `https://contoso.azurewebsites.net/api/endpoint`<b>`?code=0123456789`</b>).
+Some services use an "API key" mechanism to obfuscate access to your HTTP endpoints during development by requiring the caller to include a unique key as an HTTP header or HTTP query parameter. For [Azure Functions](/azure/azure-functions/functions-bindings-http-webhook-trigger#authorization-keys), you can accomplish this by including the `code` as a query parameter in the **Endpoint URL** of your API connector. For example, `https://contoso.azurewebsites.net/api/endpoint`<b>`?code=0123456789`</b>).
This isn't a mechanism that should be used alone in production. Therefore, configuration for basic or certificate authentication is always required. If you don't wish to implement any authentication method (not recommended) for development purposes, you can select 'basic' authentication in the API connector configuration and use temporary values for `username` and `password` that your API can disregard while you implement proper authorization.
active-directory Tenant Restrictions V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/tenant-restrictions-v2.md
- Title: Configure tenant restrictions - Microsoft Entra ID
-description: Use tenant restrictions to control the types of external accounts your users can use on your networks and the devices you manage. You can scope settings to apps, groups, and users for specified tenants.
---- Previously updated : 10/04/2023--------
-# Set up tenant restrictions v2
-
-> [!NOTE]
-> Certain features described in this article are preview features. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-
-To enhance security, you can limit what your users can access when they use an external account to sign in from your networks or devices. The **Tenant restrictions** settings, included with [cross-tenant access settings](cross-tenant-access-overview.md), let you create a policy to control access to external apps.
-
-For example, suppose a user in your organization has created a separate account in an unknown tenant, or an external organization has given your user an account that lets them sign in to their organization. You can use tenant restrictions to prevent the user from using some or all external apps while they're signed in with the external account on your network or devices.
---
-| Steps | Description |
-|||
-|**1** | Contoso configures **Tenant restrictions** in their cross-tenant access settings to block all external accounts and external apps. Contoso enforces the policy on each Windows device by updating the local computer configuration with Contoso's tenant ID and the tenant restrictions policy ID. |
-|**2** | A user with a Contoso-managed Windows device tries to sign in to an external app using an account from an unknown tenant. The Windows device adds an HTTP header to the authentication request. The header contains Contoso's tenant ID and the tenant restrictions policy ID. |
-|**3** | *Authentication plane protection:* Microsoft Entra ID uses the header in the authentication request to look up the tenant restrictions policy in the Microsoft Entra cloud. Because Contoso's policy blocks external accounts from accessing external tenants, the request is blocked at the authentication level. |
-|**4** | *Data plane protection (preview):* The user tries to access the external application by copying an authentication response token they obtained outside of Contoso's network and pasting it into the Windows device. However, Microsoft Entra ID compares the claim in the token to the HTTP header added by the Windows device. Because they don't match, Microsoft Entra ID blocks the session so the user can't access the application. |
-|||
-
-Tenant restrictions v2 provides options for both authentication plane protection and data plane protection.
--- *Authentication plane protection* refers to using a tenant restrictions v2 policy to block sign-ins using external identities. For example, you can prevent a malicious insider from leaking data over external email by preventing the attacker from signing in to their malicious tenant. Tenant restrictions v2 authentication plane protection is generally available.--- *Data Plane protection* refers to preventing attacks that bypass authentication. For example, an attacker might try to allow access to malicious tenant apps by using Teams anonymous meeting join or SharePoint anonymous file access. Or the attacker might copy an access token from a device in a malicious tenant and import it to your organizational device. Tenant restrictions v2 data plane protection forces the user to authenticate when attempting to access a resource and blocks access if authentication fails.-
-While [tenant restrictions v1](../manage-apps/tenant-restrictions.md) provide authentication plane protection through a tenant allowlist configured on your corporate proxy, tenant restrictions v2 give you options for granular authentication and data plane protection, with or without a corporate proxy.
-
-## Tenant restrictions v2 overview
-
-In your organization's [cross-tenant access settings](cross-tenant-access-overview.md), you can configure a tenant restrictions v2 policy. After you create the policy, there are three ways to apply the policy in your organization.
--- **Universal tenant restrictions v2**. This option provides both authentication plane and data plane protection without a corporate proxy. [Universal tenant restrictions](/azure/global-secure-access/how-to-universal-tenant-restrictions) use Global Secure Access (preview) to tag all traffic no matter the operating system, browser, or device form factor. It allows support for both client and remote network connectivity.-- **Authentication plane tenant restrictions v2**. You can deploy a corporate proxy in your organization and [configure the proxy to set tenant restrictions v2 signals](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy) on all traffic to Microsoft Entra ID and Microsoft Accounts (MSA).-- **Windows tenant restrictions v2**. For your corporate-owned Windows devices, you can enforce both authentication plane and data plane protection by enforcing tenant restrictions directly on devices. Tenant restrictions are enforced upon resource access, providing data path coverage and protection against token infiltration. A corporate proxy isn't required for policy enforcement. Devices can be Microsoft Entra ID managed or domain-joined devices that are managed via Group Policy.-
-> [!NOTE]
-> This article describes how to configure tenant restrictions v2 using the Microsoft Entra admin center. You can also use the [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta&preserve-view=true) to create these same tenant restrictions policies.
-
-### Supported scenarios
-
-Tenant restrictions v2 can be scoped to specific users, groups, organizations, or external apps. Apps built on the Windows operating system networking stack are protected, including:
--- All Office apps (all versions/release channels).-- Universal Windows Platform (UWP) .NET applications.-- Auth plane protection for all applications that authenticate with Microsoft Entra ID, including all Microsoft first-party applications and any third-party applications that use Microsoft Entra ID for authentication.-- Data plane protection for SharePoint Online and Exchange Online.-- Anonymous access protection for SharePoint Online, OneDrive for business, and Teams (with Federation Controls configured).-- Authentication and Data plane protection for Microsoft tenant or Consumer accounts.-- When using Universal tenant restrictions in Global Secure Access (preview), all browsers and platforms.-- When using Windows Group Policy, Microsoft Edge and all websites in Microsoft Edge.
-### Unsupported scenarios
--- Anonymous blocking to consumer OneDrive account. Customers can work around at proxy level by blocking https://onedrive.live.com/.-- When a user accesses a third-party app, like Slack, using an anonymous link or non-Azure AD account.-- When a user copies a Microsoft Entra ID-issued token from a home machine to a work machine and uses it to access a third-party app like Slack.-- Per-user tenant restrictions for Microsoft Accounts.--
-### Compare Tenant restrictions v1 and v2
-
-The following table compares the features in each version.
-
-| |Tenant restrictions v1 |Tenant restrictions v2 |
-|-|||
-|**Policy enforcement** | The corporate proxy enforces the tenant restriction policy in the Microsoft Entra ID control plane. | Options: <br></br>- Universal tenant restrictions in Global Secure Access (preview), which uses policy signaling to tag all traffic, providing both authentication and data plane support on all platforms. <br></br>- Authentication plane-only protection, where the corporate proxy sets tenant restrictions v2 signals on all traffic. <br></br>- Windows device management, where devices are configured to point Microsoft traffic to the tenant restriction policy, and the policy is enforced in the cloud. |
-|**Policy enforcement limitation** | Manage corporate proxies by adding tenants to the Microsoft Entra traffic allowlist. The character limit of the header value in Restrict-Access-To-Tenants: `<allowed-tenant-list>` limits the number of tenants that can be added. | Managed by a cloud policy in the cross-tenant access policy. A partner policy is created for each external tenant. Currently, the configuration for all external tenants is contained in one policy with a 25KB size limit. |
-|**Malicious tenant requests** | Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection. | Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection. |
-|**Granularity** | Limited. | Tenant, user, group, and application granularity. (User-level granularity isn't supported with Microsoft Accounts.) |
-|**Anonymous access** | Anonymous access to Teams meetings and file sharing is allowed. | Anonymous access to Teams meetings is blocked. Access to anonymously shared resources (ΓÇ£Anyone with the linkΓÇ¥) is blocked. |
-|**Microsoft Accounts** |Uses a Restrict-MSA header to block access to consumer accounts. | Allows control of Microsoft Accounts (MSA and Live ID) authentication on both the identity and data planes.<br></br>For example, if you enforce tenant restrictions by default, you can create a Microsoft Accounts-specific policy that allows users to access specific apps with their Microsoft Accounts, for example: <br> Microsoft Learn (app ID `18fbca16-2224-45f6-85b0-f7bf2b39b3f3`), or <br> Microsoft Enterprise Skills Initiative (app ID `195e7f27-02f9-4045-9a91-cd2fa1c2af2f`). |
-|**Proxy management** | Manage corporate proxies by adding tenants to the Microsoft Entra traffic allowlist. | For corporate proxy authentication plane protection, configure the proxy to set tenant restrictions v2 signals on all traffic. |
-|**Platform support** |Supported on all platforms. Provides only authentication plane protection. | Universal tenant restrictions in Global Secure Access (preview) support any operating system, browser, or device form factor.<br></br>Corporate proxy authentication plane protection supports macOS, Chrome browser, and .NET applications.<br></br>Windows device management supports Windows operating systems and Microsoft Edge. |
-|**Portal support** |No user interface in the Microsoft Entra admin center for configuring the policy. | User interface available in the Microsoft Entra admin center for setting up the cloud policy. |
-|**Unsupported apps** | N/A | Block unsupported app use with Microsoft endpoints by using Windows Defender Application Control (WDAC) or Windows Firewall (for example, for Chrome, Firefox, and so on). See [Block Chrome, Firefox and .NET applications like PowerShell](#block-chrome-firefox-and-net-applications-like-powershell). |
--
-### Tenant restrictions vs. inbound and outbound settings
-
-Although tenant restrictions are configured along with your cross-tenant access settings, they operate separately from inbound and outbound access settings. Cross-tenant access settings give you control when users sign in with an account from your organization. By contrast, tenant restrictions give you control when users are using an external account. Your inbound and outbound settings for B2B collaboration and B2B direct connect don't affect (and are unaffected by) your tenant restrictions settings.
-
-Think of the different cross-tenant access settings this way:
--- Inbound settings control *external* account access to your *internal* apps.-- Outbound settings control *internal* account access to *external* apps.-- Tenant restrictions control *external* account access to *external* apps.-
-### Tenant restrictions vs. B2B collaboration
-
-When your users need access to external organizations and apps, we recommend enabling tenant restrictions to block external accounts and use B2B collaboration instead. B2B collaboration gives you the ability to:
--- Use Conditional Access and force multifactor authentication for B2B collaboration users.-- Manage inbound and outbound access.-- Terminate sessions and credentials when a B2B collaboration user's employment status changes or their credentials are breached.-- Use sign-in logs to view details about the B2B collaboration user.-
-### Tenant restrictions and Microsoft Teams (preview)
-
-Teams by default has open federation, which means we don't block anyone joining a meeting hosted by an external tenant. For greater control over access to Teams meetings, you can use [Federation Controls](/microsoftteams/manage-external-access) in Teams to allow or block specific tenants, along with tenant restrictions v2 to block anonymous access to Teams meetings. To enforce tenant restrictions for Teams, you need to configure tenant restrictions v2 in your Microsoft Entra cross-tenant access settings. You also need to set up Federation Controls in the Teams Admin portal and restart Teams. Tenant restrictions implemented on the corporate proxy won't block anonymous access to Teams meetings, SharePoint files, and other resources that don't require authentication.
--- Teams currently allows users to join <i>any</i> externally hosted meeting using their corporate/home provided identity. You can use outbound cross-tenant access settings to control users with corporate/home provided identity to join externally hosted Teams meetings.-- Tenant restrictions prevent users from using an externally issued identity to join Teams meetings.-
-#### Pure Anonymous Meeting join
-
-Tenant restrictions v2 automatically block all unauthenticated and externally issued identity access to externally hosted Teams meetings.
-For example, suppose Contoso uses Teams Federation Controls to block the Fabrikam tenant. If someone with a Contoso device uses a Fabrikam account to join a Contoso Teams meeting, they're allowed into the meeting as an anonymous user. Now, if Contoso also enables tenant restrictions v2, Teams blocks anonymous access, and the user isn't able to join the meeting.
-
-#### Meeting join using an externally issued identity
-
-You can configure the tenant restrictions v2 policy to allow specific users or groups with externally issued identities to join specific externally hosted Teams meetings. With this configuration, users can sign in to Teams with their externally issued identities and join the specified tenant's externally hosted Teams meetings.
--
-| Auth identity | Authenticated session | Result |
-|-|||
-|Tenant Member users (authenticated session)<br></br> Example: A user uses their home identity as a member user (for example, user@mytenant.com) | Authenticated | Tenant restrictions v2 allows access to the Teams meeting. TRv2 never get applied to tenant member users. Cross tenant access inbound/outbound policy applies. |
-|Anonymous (no authenticated session) <br></br> Example: A user tries to use an unauthenticated session, for example in an InPrivate browser window, to access a Teams meeting. | Not authenticated | Tenant restrictions v2 blocks access to the Teams meeting. |
-|Externally issued identity (authenticated session)<br></br> Example: A user uses any identity other than their home identity (for example, user@externaltenant.com) | Authenticated as an externally issued identity | Allow or block access to the Teams meeting per Tenant restrictions v2 policy. If allowed by the policy, the user can join the meeting. Otherwise access is blocked. |
-
-### Tenant restrictions v2 and SharePoint Online
-
-SharePoint Online supports tenant restrictions v2 on both the authentication plane and the data plane.
-
-#### Authenticated sessions
-
-When tenant restrictions v2 are enabled on a tenant, unauthorized access is blocked during authentication. If a user directly accesses a SharePoint Online resource without an authenticated session, they're prompted to sign in. If the tenant restrictions v2 policy allows access, the user can access the resource; otherwise, access is blocked.
-
-#### Anonymous access (preview)
-
-If a user tries to access an anonymous file using their home tenant/corporate identity, they're able to access the file. But if the user tries to access the anonymous file using any externally issued identity, access is blocked.
-
-For example, say a user is using a managed device configured with tenant restrictions v2 for Tenant A. If they select an anonymous access link generated for a Tenant A resource, they should be able to access the resource anonymously. But if they select an anonymous access link generated for Tenant B SharePoint Online, they're prompted to sign-in. Anonymous access to resources using an externally issued identity is always blocked.
-
-### Tenant restrictions v2 and OneDrive
-
-#### Authenticated sessions
-
-When tenant restrictions v2 are enabled on a tenant, unauthorized access is blocked during authentication. If a user directly accesses a OneDrive for Business without an authenticated session, they're prompted to sign in. If the tenant restrictions v2 policy allows access, the user can access the resource; otherwise, access is blocked.
-
-#### Anonymous access (preview)
-
-Like SharePoint, OneDrive for Business supports tenant restrictions v2 on both the authentication plane and the data plane. Blocking anonymous access to OneDrive for business is also supported. For example, tenant restrictions v2 policy enforcement works at the OneDrive for Business endpoint (microsoft-my.sharepoint.com).
-
-#### Not in scope
-
-OneDrive for consumer accounts (via onedrive.live.com) doesn't support tenant restrictions v2. Some URLs (such as onedrive.live.com) are unconverged and use our legacy stack. When a user accesses the OneDrive consumer tenant through these URLs, the policy isn't enforced. As a workaround, you can block https://onedrive.live.com/ at the proxy level.
-
-## Prerequisites
-
-To configure tenant restrictions, you need:
--- Microsoft Entra ID P1 or P2-- Account with a role of Global administrator or Security administrator-- Windows devices running Windows 10, Windows 11 with the latest updates-
-## Configure server-side tenant restrictions v2 cloud policy
-
-### Step 1: Configure default tenant restrictions v2
-
-Settings for tenant restrictions v2 are located in the Microsoft Entra admin center under **Cross-tenant access settings**. First, configure the default tenant restrictions you want to apply to all users, groups, apps, and organizations. Then, if you need partner-specific configurations, you can add a partner's organization and customize any settings that differ from your defaults.
-
-#### To configure default tenant restrictions
--
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security administrator](../roles/permissions-reference.md#security-administrator).
-
-1. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**, then select **Cross-tenant access settings**.
-
-1. Select the **Default settings** tab.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-section.png" alt-text="Screenshot showing the tenant restrictions section on the default settings tab.":::
-
-1. Scroll to the **Tenant restrictions** section.
-
-1. Select the **Edit tenant restrictions defaults** link.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-section-edit.png" alt-text="Screenshot showing edit buttons for Default settings.":::
-
-1. If a default policy doesn't exist yet in the tenant, next to the **Policy ID** a **Create Policy** link appears. Select this link.
-
- :::image type="content" source="media/tenant-restrictions-v2/create-tenant-restrictions-policy.png" alt-text="Screenshot showing the Create Policy link.":::
-
-1. The **Tenant restrictions** page displays both your **Tenant ID** and your tenant restrictions **Policy ID**. Use the copy icons to copy both of these values. You use them later when you configure Windows clients to enable tenant restrictions.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-policy-id.png" alt-text="Screenshot showing the tenant ID and policy ID for the tenant restrictions.":::
-
-1. Select the **External users and groups** tab. Under **Access status**, choose one of the following:
-
- - **Allow access**: Allows all users who are signed in with external accounts to access external apps (specified on the **External applications** tab).
- - **Block access**: Blocks all users who are signed in with external accounts from accessing external apps (specified on the **External applications** tab).
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-external-users-block.png" alt-text="Screenshot showing settings for access status.":::
-
- > [!NOTE]
- > Default settings can't be scoped to individual accounts or groups, so **Applies to** always equals **All &lt;your tenant&gt; users and groups**. Be aware that if you block access for all users and groups, you also need to block access to all external applications (on the **External applications** tab).
-
-1. Select the **External applications** tab. Under **Access status**, choose one of the following:
-
- - **Allow access**: Allows all users who are signed in with external accounts to access the apps specified in the **Applies to** section.
- - **Block access**: Blocks all users who are signed in with external accounts from accessing the apps specified in the **Applies to** section.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-applications.png" alt-text="Screenshot showing access status on the external applications tab.":::
-
-1. Under **Applies to**, select one of the following:
-
- - **All external applications**: Applies the action you chose under **Access status** to all external applications. If you block access to all external applications, you also need to block access for all of your users and groups (on the **Users and groups** tab).
- - **Select external applications**: Lets you choose the external applications you want the action under **Access status** to apply to. To select applications, choose **Add Microsoft applications** or **Add other applications**. Then search by the application name or the application ID (either the *client app ID* or the *resource app ID*) and select the app. ([See a list of IDs for commonly used Microsoft applications.](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)) If you want to add more apps, use the **Add** button. When you're done, select **Submit**.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-applications-applies-to.png" alt-text="Screenshot showing selecting the external applications tab.":::
-
-1. Select **Save**.
-
-### Step 2: Configure tenant restrictions v2 for specific partners
-
-Suppose you use tenant restrictions to block access by default, but you want to allow users to access certain applications using their own external accounts. For example, say you want users to be able to access Microsoft Learn with their own Microsoft Accounts. The instructions in this section describe how to add organization-specific settings that take precedence over the default settings.
-
-#### Example: Configure tenant restrictions v2 to allow Microsoft Accounts
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security administrator](../roles/permissions-reference.md#security-administrator) or a [Conditional Access administrator](../roles/permissions-reference.md#conditional-access-administrator).
-
-1. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**.
-
-1. Select **Organizational settings**.
-
- > [!NOTE]
- > If the organization you want to add has already been added to the list, you can skip adding it and go directly to modifying the settings.
-
-1. Select **Add organization**.
-
-1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization.
-
- **Example**: Search for the following Microsoft Accounts tenant ID:
-
- ```
- 9188040d-6c67-4c5b-b112-36a304b66dad
- ```
-
- :::image type="content" source="media/tenant-restrictions-v2/add-organization-microsoft-accounts.png" alt-text="Screenshot showing adding an organization.":::
-
-1. Select the organization in the search results, and then select **Add**.
-
-1. Modifying the settings: Find the organization in the **Organizational settings** list, and then scroll horizontally to see the **Tenant restrictions** column. At this point, all tenant restrictions settings for this organization are inherited from your default settings. To change the settings for this organization, select the **Inherited from default** link under the **Tenant restrictions** column.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-edit-link.png" alt-text="Screenshot showing an organization added with default settings.":::
-
-1. The **Tenant restrictions** page for the organization appears. Copy the values for **Tenant ID** and **Policy ID**. You use them later when you configure Windows clients to enable tenant restrictions.
-
- :::image type="content" source="media/tenant-restrictions-v2/org-tenant-policy-id.png" alt-text="Screenshot showing tenant ID and policy ID.":::
-
-1. Select **Customize settings**, and then select the **External users and groups** tab. Under **Access status**, choose an option:
-
- - **Allow access**: Allows users and groups specified under **Applies to** who are signed in with external accounts to access external apps (specified on the **External applications** tab).
- - **Block access**: Blocks users and groups specified under **Applies to** who are signed in with external accounts from accessing external apps (specified on the **External applications** tab).
-
- > [!NOTE]
- > For our Microsoft Accounts example, we select **Allow access**.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-external-users-organizational.png" alt-text="Screenshot showing selecting the external users allow access selections.":::
-
-1. Under **Applies to**, choose **All &lt;organization&gt; users and groups**.
-
- > [!NOTE]
- > User granularity isn't supported with Microsoft Accounts, so the **Select &lt;organization&gt; users and groups** capability isn't available. For other organizations, you could choose **Select &lt;organization&gt; users and groups**, and then perform these steps for each user or group you want to add:
- >
- >- Select **Add external users and groups**.
- >- In the **Select** pane, type the user name or group name in the search box.
- >- Select the user or group in the search results.
- >- If you want to add more, select **Add** and repeat these steps. When you're done selecting the users and groups you want to add, select **Submit**.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-external-users-organizational-applies-to.png" alt-text="Screenshot showing selecting the external users and groups selections.":::
-
-1. Select the **External applications** tab. Under **Access status**, choose whether to allow or block access to external applications.
-
- - **Allow access**: Allows the external applications specified under **Applies to** to be accessed by your users when using external accounts.
- - **Block access**: Blocks the external applications specified under **Applies to** from being accessed by your users when using external accounts.
-
- > [!NOTE]
- > For our Microsoft Accounts example, we select **Allow access**.
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-edit-applications-access-status.png" alt-text="Screenshot showing the Access status selections.":::
-
-1. Under **Applies to**, select one of the following:
-
- - **All external applications**: Applies the action you chose under **Access status** to all external applications.
- - **Select external applications**: Applies the action you chose under **Access status** to all external applications.
-
- > [!NOTE]
- >
- > - For our Microsoft Accounts example, we choose **Select external applications**.
- > - If you block access to all external applications, you also need to block access for all of your users and groups (on the **Users and groups** tab).
-
- :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-edit-applications-applies-to.png" alt-text="Screenshot showing selecting the Applies to selections.":::
-
-1. If you chose **Select external applications**, do the following for each application you want to add:
-
- - Select **Add Microsoft applications** or **Add other applications**. For our Microsoft Learn example, we choose **Add other applications**.
- - In the search box, type the application name or the application ID (either the *client app ID* or the *resource app ID*). ([See a list of IDs for commonly used Microsoft applications.](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)) For our Microsoft Learn example, we enter the application ID `18fbca16-2224-45f6-85b0-f7bf2b39b3f3`.
- - Select the application in the search results, and then select **Add**.
- - Repeat for each application you want to add.
- - When you're done selecting applications, select **Submit**.
-
- :::image type="content" source="media/tenant-restrictions-v2/add-learning-app.png" alt-text="Screenshot showing selecting applications.":::
-
-1. The applications you selected are listed on the **External applications** tab. Select **Save**.
-
- :::image type="content" source="media/tenant-restrictions-v2/add-app-save.png" alt-text="Screenshot showing the selected application.":::
-
-> [!NOTE]
- >
- > Blocking the MSA tenant will not block:
- > - User-less traffic for devices. This includes traffic for Autopilot, Windows Update, and organizational telemetry.
- > - B2B authentication of consumer accounts.
- > - "Passthrough" authentication, used by many Azure apps and Office.com, where apps use Microsoft Entra ID to sign in consumer users in a consumer context.
-
-## Configure client-side tenant restrictions v2
-
-There are three options for enforcing tenant restrictions v2 for clients:
--- [Option 1](#option-1-universal-tenant-restrictions-v2-as-part-of-microsoft-entra-global-secure-access-preview): Universal tenant restrictions v2 as part of Microsoft Entra Global Secure Access (preview)-- [Option 2](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy): Set up tenant restrictions v2 on your corporate proxy-- [Option 3](#option-3-enable-tenant-restrictions-on-windows-managed-devices-preview): Enable tenant restrictions on Windows managed devices (preview)-
-### Option 1: Universal tenant restrictions v2 as part of Microsoft Entra Global Secure Access (preview)
-
-Universal tenant restrictions v2 as part of [Microsoft Entra Global Secure Access](/azure/global-secure-access/overview-what-is-global-secure-access) is recommended because it provides authentication and data plane protection for all devices and platforms. This option provides more protection against sophisticated attempts to bypasses authentication. For example, attackers might try to allow anonymous access to a malicious tenantΓÇÖs apps, such as anonymous meeting join in Teams. Or, attackers might attempt to import to your organizational device an access token lifted from a device in the malicious tenant. Universal tenant restrictions v2 prevents these attacks by sending tenant restrictions v2 signals on the authentication plane (Microsoft Entra ID and Microsoft Account) and data plane (Microsoft cloud applications).
-
-### Option 2: Set up tenant restrictions v2 on your corporate proxy
-
-Tenant restrictions v2 policies can't be directly enforced on non-Windows 10, Windows 11, or Windows Server 2022 devices, such as Mac computers, mobile devices, unsupported Windows applications, and Chrome browsers. To ensure sign-ins are restricted on all devices and apps in your corporate network, configure your corporate proxy to enforce tenant restrictions v2. Although configuring tenant restrictions on your corporate proxy doesn't provide data plane protection, it does provide authentication plane protection.
-
-> [!IMPORTANT]
-> If you've previously set up tenant restrictions, you'll need to stop sending `restrict-msa` to login.live.com. Otherwise, the new settings will conflict with your existing instructions to the MSA login service.
-
-1. Configure the tenant restrictions v2 header as follows:
-
- |Header name |Header Value |
- |||
- |`sec-Restrict-Tenant-Access-Policy` | `<TenantId>:<policyGuid>` |
-
- - `TenantID` is your Microsoft Entra tenant ID. Find this value by signing in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an administrator and browsing to **Identity** > **Overview** and selecting the **Overview** tab.
- - `policyGUID` is the object ID for your cross-tenant access policy. Find this value by calling `/crosstenantaccesspolicy/default` and using the ΓÇ£idΓÇ¥ field returned.
-
-1. On your corporate proxy, send the tenant restrictions v2 header to the following Microsoft login domains:
-
- - login.live.com
- - login.microsoft.com
- - login.microsoftonline.com
- - login.windows.net
-
- This header enforces your tenant restrictions v2 policy on all sign-ins on your network. This header doesn't block anonymous access to Teams meetings, SharePoint files, or other resources that don't require authentication.
-
-### Migrate tenant restrictions v1 policies to v2
-
-Migrating tenant restriction policies from v1 to v2 is a one-time operation. After migration, no client-side changes are required. You can make any subsequent policy changes via the Microsoft Entra admin center.
-
-On your corporate proxy, you can move from tenant restrictions v1 to tenant restrictions v2 by changing this tenant restrictions v1 header:
-
-`Restrict-Access-To-Tenants: <allowed-tenant-list>`
-
-to this tenant restrictions v2 header:
-
-`sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>`
-
-where `<DirectoryID>` is your Microsoft Entra tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy.
-
-#### Tenant restrictions v1 settings on the corporate proxy
-
-The following example shows an existing tenant restrictions V1 setting on the corporate proxy:
-
-`Restrict-Access-To-Tenants: contoso.com, fabrikam.com, dogfood.com sec-Restrict-Tenant-Access-Policy: restrict-msa`
-
-[Learn more](../manage-apps/tenant-restrictions.md) about tenant restrictions v1.
-
-#### Tenant restrictions v2 settings on the corporate proxy
-
-You can configure the corporate proxy to enable client-side tagging of the tenant restrictions V2 header by using the following corporate proxy setting:
-
-`sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>`
-
-where `<DirectoryID>` is your Microsoft Entra tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy. For details, see [Set up tenant restrictions v2 on your corporate proxy](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy)
-
-You can configure server-side cloud tenant restrictions v2 policies by following the steps at [Step 2: Configure tenant restrictions v2 for specific partners](#step-2-configure-tenant-restrictions-v2-for-specific-partners). Be sure to follow these guidelines:
--- Keep the tenant restrictions v2 default policy that blocks all external tenant access using foreign identities (for example, `user@externaltenant.com`).--- Create a partner tenant policy for each tenant listed in your v1 allowlist by following the steps at [Step 2: Configure tenant restrictions v2 for specific partners](#step-2-configure-tenant-restrictions-v2-for-specific-partners).--- Allow only specific users to access specific applications. This design increases your security posture by limiting access to necessary users only.--- Tenant restrictions v2 policies treat MSA as a partner tenant. Create a partner tenant configuration for MSA by following the steps in [Step 2: Configure tenant restrictions v2 for specific partners](#step-2-configure-tenant-restrictions-v2-for-specific-partners). Because user-level assignment isn't available for MSA tenants, the policy applies to all MSA users. However, application-level granularity is available, and you should limit the applications that MSA or consumer accounts can access to only those applications that are necessary.-
-> [!NOTE]
->Blocking the MSA tenant will not block user-less traffic for devices, including:
->
->- Traffic for Autopilot, Windows Update, and organizational telemetry.
->- B2B authentication of consumer accounts, or "passthrough" authentication, where Azure apps and Office.com apps use Microsoft Entra ID to sign in consumer users in a consumer context.
-
-#### Tenant restrictions v2 with no support for break and inspect
-
-For non-Windows platforms, you can break and inspect traffic to add the tenant restrictions v2 parameters into the header via proxy. However, some platforms don't support break and inspect, so tenant restrictions v2 don't work. For these platforms, the following features of Microsoft Entra ID can provide protection:
--- [Conditional Access: Only allow use of managed/compliant devices](/mem/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access)-- [Conditional Access: Manage access for guest/external users](/microsoft-365/security/office-365-security/identity-access-policies-guest-access)-- [B2B Collaboration: Restrict outbound rules by Cross-tenant access for the same tenants listed in the parameter "Restrict-Access-To-Tenants"](../external-identities/cross-tenant-access-settings-b2b-collaboration.md)-- [B2B Collaboration: Restrict invitations to B2B users to the same domains listed in the "Restrict-Access-To-Tenants" parameter](../external-identities/allow-deny-list.md)-- [Application management: Restrict how users consent to applications](../manage-apps/configure-user-consent.md)-- [Intune: Apply App Policy through Intune to restrict usage of managed apps to only the UPN of the account that enrolled the device](/mem/intune/apps/app-configuration-policies-use-android) (under **Allow only configured organization accounts in apps**)-
-Although these alternatives provide protection, certain scenarios can only be covered through tenant restrictions, such as the use of a browser to access Microsoft 365 services through the web instead of the dedicated app.
-
-### Option 3: Enable tenant restrictions on Windows managed devices (preview)
-
-After you create a tenant restrictions v2 policy, you can enforce the policy on each Windows 10, Windows 11, and Windows Server 2022 device by adding your tenant ID and the policy ID to the device's **Tenant Restrictions** configuration. When tenant restrictions are enabled on a Windows device, corporate proxies aren't required for policy enforcement. Devices don't need to be Microsoft Entra ID managed to enforce tenant restrictions v2; domain-joined devices that are managed with Group Policy are also supported.
-
-> [!NOTE]
-> Tenant restrictions V2 on Windows is a partial solution that protects the authentication and data planes for some scenarios. It works on managed Windows devices and does not protect .NET stack, Chrome, or Firefox. The Windows solution provides a temporary solution until general availability of Universal tenant restrictions in [Microsoft Entra Global Secure Access (preview)](/azure/global-secure-access/overview-what-is-global-secure-access).
-
-#### Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2) and Group policy settings
-
-You can use Group Policy to deploy the tenant restrictions configuration to Windows devices. Refer to these resources:
--- [Administrative Templates for Windows 10](https://www.microsoft.com/download/details.aspx?id=104042)-- [Group Policy Settings Reference Spreadsheet for Windows 10](https://www.microsoft.com/download/details.aspx?id=104043)-
-#### Test the policies on a device
-
-To test the tenant restrictions v2 policy on a device, follow these steps.
-
-> [!NOTE]
->
-> - The device must be running Windows 10 or Windows 11 with the latest updates.
-
-1. On the Windows computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**.
-
-1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Tenant Restrictions**.
-
-1. Right-click **Cloud Policy Details** in the right pane, and then select **Edit**.
-
-1. Retrieve the **Tenant ID** and **Policy ID** you recorded earlier (in step 7 under [To configure default tenant restrictions](#to-configure-default-tenant-restrictions)) and enter them in the following fields (leave all other fields blank):
-
- - **Microsoft Entra Directory ID**: Enter the **Tenant ID** you recorded earlier. by signing in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an administrator and browsing to **Identity** > **Overview** and selecting the **Overview** tab.
- - **Policy GUID**: The ID for your cross-tenant access policy. It's the **Policy ID** you recorded earlier. You can also find this ID by using the Graph Explorer command [https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default](https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default).
-
- :::image type="content" source="media/tenant-restrictions-v2/windows-cloud-policy-details.png" alt-text="Screenshot of Windows Cloud Policy Details.":::
-
-1. Select **OK**.
-
-#### Block Chrome, Firefox and .NET applications like PowerShell
-
-You can use the Windows Firewall feature to block unprotected apps from accessing Microsoft resources via Chrome, Firefox, and .NET applications like PowerShell. The applications that would be blocked/allowed as per the tenant restrictions v2 policy.
-
-For example, if a customer adds PowerShell to their tenant restrictions v2 CIP policy and has graph.microsoft.com in their tenant restrictions v2 policy endpoint list, then PowerShell should be able to access it with firewall enabled.
-
-1. On the Windows computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**.
-
-1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Tenant Restrictions**.
-
-1. Right-click **Cloud Policy Details** in the right pane, and then select **Edit**.
-
-1. Select the **Enable firewall protection of Microsoft endpoints** checkbox, and then select **OK**.
--
-After you enable the firewall setting, try signing in using a Chrome browser. Sign-in should fail with the following message:
-
-
-#### View tenant restrictions v2 events
-
-View events related to tenant restrictions in Event Viewer.
-
-1. In Event Viewer, open **Applications and Services Logs**.
-1. Navigate to **Microsoft** > **Windows** > **TenantRestrictions** > **Operational** and look for events.
-
-## Sign-in logs
-
-Microsoft Entra sign-in logs let you view details about sign-ins with a tenant restrictions v2 policy in place. When a B2B user signs into a resource tenant to collaborate, a sign-in log is generated in both the home tenant and the resource tenant. These logs include information such as the application being used, email addresses, tenant name, and tenant ID for both the home tenant and the resource tenant. The following example shows a successful sign-in:
--
-If sign-in fails, the Activity Details give information about the reason for failure:
--
-## Audit logs
-
-The **Audit logs** provide records of system and user activities, including activities initiated by guest users. You can view audit logs for the tenant under Monitoring, or view audit logs for a specific user by navigating to the user's profile.
-
-
-Select an event in the log to get more details about the event, for example:
-
-
-You can also export these logs from Microsoft Entra ID and use the reporting tool of your choice to get customized reports.
-
-## Microsoft Graph
-
-Use Microsoft Graph to get policy information:
-
-### HTTP request
--- Get default policy-
- ``` http
- GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default
- ```
--- Reset to system default-
- ``` http
- POST https://graph.microsoft.com/betefault
- ```
--- Get partner configuration-
- ``` http
- GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners
- ```
--- Get a specific partner configuration-
- ``` http
- GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/9188040d-6c67-4c5b-b112-36a304b66dad
- ```
--- Update a specific partner-
- ``` http
- PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/9188040d-6c67-4c5b-b112-36a304b66dad
- ```
-
-### Request body
-
-``` json
-"tenantRestrictions": {
- "usersAndGroups": {
- "accessType": "allowed",
- "targets": [
- {
- "target": "AllUsers",
- "targetType": "user"
- }
- ]
- },
- "applications": {
- "accessType": "allowed",
- "targets": [
- {
- "target": "AllApplications",
- "targetType": "application"
- }
- ]
- }
-}
-```
-
-## Next steps
-
-See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.
+
+ Title: Configure tenant restrictions - Microsoft Entra ID
+description: Use tenant restrictions to control the types of external accounts your users can use on your networks and the devices you manage. You can scope settings to apps, groups, and users for specified tenants.
++++ Last updated : 10/04/2023++++++++
+# Set up tenant restrictions v2
+
+> [!NOTE]
+> Certain features described in this article are preview features. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+To enhance security, you can limit what your users can access when they use an external account to sign in from your networks or devices. The **Tenant restrictions** settings, included with [cross-tenant access settings](cross-tenant-access-overview.md), let you create a policy to control access to external apps.
+
+For example, suppose a user in your organization has created a separate account in an unknown tenant, or an external organization has given your user an account that lets them sign in to their organization. You can use tenant restrictions to prevent the user from using some or all external apps while they're signed in with the external account on your network or devices.
+++
+| Steps | Description |
+|||
+|**1** | Contoso configures **Tenant restrictions** in their cross-tenant access settings to block all external accounts and external apps. Contoso enforces the policy on each Windows device by updating the local computer configuration with Contoso's tenant ID and the tenant restrictions policy ID. |
+|**2** | A user with a Contoso-managed Windows device tries to sign in to an external app using an account from an unknown tenant. The Windows device adds an HTTP header to the authentication request. The header contains Contoso's tenant ID and the tenant restrictions policy ID. |
+|**3** | *Authentication plane protection:* Microsoft Entra ID uses the header in the authentication request to look up the tenant restrictions policy in the Microsoft Entra cloud. Because Contoso's policy blocks external accounts from accessing external tenants, the request is blocked at the authentication level. |
+|**4** | *Data plane protection (preview):* The user tries to access the external application by copying an authentication response token they obtained outside of Contoso's network and pasting it into the Windows device. However, Microsoft Entra ID compares the claim in the token to the HTTP header added by the Windows device. Because they don't match, Microsoft Entra ID blocks the session so the user can't access the application. |
+|||
+
+Tenant restrictions v2 provides options for both authentication plane protection and data plane protection.
+
+- *Authentication plane protection* refers to using a tenant restrictions v2 policy to block sign-ins using external identities. For example, you can prevent a malicious insider from leaking data over external email by preventing the attacker from signing in to their malicious tenant. Tenant restrictions v2 authentication plane protection is generally available.
+
+- *Data Plane protection* refers to preventing attacks that bypass authentication. For example, an attacker might try to allow access to malicious tenant apps by using Teams anonymous meeting join or SharePoint anonymous file access. Or the attacker might copy an access token from a device in a malicious tenant and import it to your organizational device. Tenant restrictions v2 data plane protection forces the user to authenticate when attempting to access a resource and blocks access if authentication fails.
+
+While [tenant restrictions v1](../manage-apps/tenant-restrictions.md) provide authentication plane protection through a tenant allowlist configured on your corporate proxy, tenant restrictions v2 give you options for granular authentication and data plane protection, with or without a corporate proxy.
+
+## Tenant restrictions v2 overview
+
+In your organization's [cross-tenant access settings](cross-tenant-access-overview.md), you can configure a tenant restrictions v2 policy. After you create the policy, there are three ways to apply the policy in your organization.
+
+- **Universal tenant restrictions v2**. This option provides both authentication plane and data plane protection without a corporate proxy. [Universal tenant restrictions](/entra/global-secure-access/how-to-universal-tenant-restrictions) use Global Secure Access (preview) to tag all traffic no matter the operating system, browser, or device form factor. It allows support for both client and remote network connectivity.
+- **Authentication plane tenant restrictions v2**. You can deploy a corporate proxy in your organization and [configure the proxy to set tenant restrictions v2 signals](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy) on all traffic to Microsoft Entra ID and Microsoft Accounts (MSA).
+- **Windows tenant restrictions v2**. For your corporate-owned Windows devices, you can enforce both authentication plane and data plane protection by enforcing tenant restrictions directly on devices. Tenant restrictions are enforced upon resource access, providing data path coverage and protection against token infiltration. A corporate proxy isn't required for policy enforcement. Devices can be Microsoft Entra ID managed or domain-joined devices that are managed via Group Policy.
+
+> [!NOTE]
+> This article describes how to configure tenant restrictions v2 using the Microsoft Entra admin center. You can also use the [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta&preserve-view=true) to create these same tenant restrictions policies.
+
+### Supported scenarios
+
+Tenant restrictions v2 can be scoped to specific users, groups, organizations, or external apps. Apps built on the Windows operating system networking stack are protected, including:
+
+- All Office apps (all versions/release channels).
+- Universal Windows Platform (UWP) .NET applications.
+- Auth plane protection for all applications that authenticate with Microsoft Entra ID, including all Microsoft first-party applications and any third-party applications that use Microsoft Entra ID for authentication.
+- Data plane protection for SharePoint Online and Exchange Online.
+- Anonymous access protection for SharePoint Online, OneDrive for business, and Teams (with Federation Controls configured).
+- Authentication and Data plane protection for Microsoft tenant or Consumer accounts.
+- When using Universal tenant restrictions in Global Secure Access (preview), all browsers and platforms.
+- When using Windows Group Policy, Microsoft Edge and all websites in Microsoft Edge.
+### Unsupported scenarios
+
+- Anonymous blocking to consumer OneDrive account. Customers can work around at proxy level by blocking https://onedrive.live.com/.
+- When a user accesses a third-party app, like Slack, using an anonymous link or non-Azure AD account.
+- When a user copies a Microsoft Entra ID-issued token from a home machine to a work machine and uses it to access a third-party app like Slack.
+- Per-user tenant restrictions for Microsoft Accounts.
++
+### Compare Tenant restrictions v1 and v2
+
+The following table compares the features in each version.
+
+| |Tenant restrictions v1 |Tenant restrictions v2 |
+|-|||
+|**Policy enforcement** | The corporate proxy enforces the tenant restriction policy in the Microsoft Entra ID control plane. | Options: <br></br>- Universal tenant restrictions in Global Secure Access (preview), which uses policy signaling to tag all traffic, providing both authentication and data plane support on all platforms. <br></br>- Authentication plane-only protection, where the corporate proxy sets tenant restrictions v2 signals on all traffic. <br></br>- Windows device management, where devices are configured to point Microsoft traffic to the tenant restriction policy, and the policy is enforced in the cloud. |
+|**Policy enforcement limitation** | Manage corporate proxies by adding tenants to the Microsoft Entra traffic allowlist. The character limit of the header value in Restrict-Access-To-Tenants: `<allowed-tenant-list>` limits the number of tenants that can be added. | Managed by a cloud policy in the cross-tenant access policy. A partner policy is created for each external tenant. Currently, the configuration for all external tenants is contained in one policy with a 25KB size limit. |
+|**Malicious tenant requests** | Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection. | Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection. |
+|**Granularity** | Limited. | Tenant, user, group, and application granularity. (User-level granularity isn't supported with Microsoft Accounts.) |
+|**Anonymous access** | Anonymous access to Teams meetings and file sharing is allowed. | Anonymous access to Teams meetings is blocked. Access to anonymously shared resources (ΓÇ£Anyone with the linkΓÇ¥) is blocked. |
+|**Microsoft Accounts** |Uses a Restrict-MSA header to block access to consumer accounts. | Allows control of Microsoft Accounts (MSA and Live ID) authentication on both the identity and data planes.<br></br>For example, if you enforce tenant restrictions by default, you can create a Microsoft Accounts-specific policy that allows users to access specific apps with their Microsoft Accounts, for example: <br> Microsoft Learn (app ID `18fbca16-2224-45f6-85b0-f7bf2b39b3f3`), or <br> Microsoft Enterprise Skills Initiative (app ID `195e7f27-02f9-4045-9a91-cd2fa1c2af2f`). |
+|**Proxy management** | Manage corporate proxies by adding tenants to the Microsoft Entra traffic allowlist. | For corporate proxy authentication plane protection, configure the proxy to set tenant restrictions v2 signals on all traffic. |
+|**Platform support** |Supported on all platforms. Provides only authentication plane protection. | Universal tenant restrictions in Global Secure Access (preview) support any operating system, browser, or device form factor.<br></br>Corporate proxy authentication plane protection supports macOS, Chrome browser, and .NET applications.<br></br>Windows device management supports Windows operating systems and Microsoft Edge. |
+|**Portal support** |No user interface in the Microsoft Entra admin center for configuring the policy. | User interface available in the Microsoft Entra admin center for setting up the cloud policy. |
+|**Unsupported apps** | N/A | Block unsupported app use with Microsoft endpoints by using Windows Defender Application Control (WDAC) or Windows Firewall (for example, for Chrome, Firefox, and so on). See [Block Chrome, Firefox and .NET applications like PowerShell](#block-chrome-firefox-and-net-applications-like-powershell). |
++
+### Tenant restrictions vs. inbound and outbound settings
+
+Although tenant restrictions are configured along with your cross-tenant access settings, they operate separately from inbound and outbound access settings. Cross-tenant access settings give you control when users sign in with an account from your organization. By contrast, tenant restrictions give you control when users are using an external account. Your inbound and outbound settings for B2B collaboration and B2B direct connect don't affect (and are unaffected by) your tenant restrictions settings.
+
+Think of the different cross-tenant access settings this way:
+
+- Inbound settings control *external* account access to your *internal* apps.
+- Outbound settings control *internal* account access to *external* apps.
+- Tenant restrictions control *external* account access to *external* apps.
+
+### Tenant restrictions vs. B2B collaboration
+
+When your users need access to external organizations and apps, we recommend enabling tenant restrictions to block external accounts and use B2B collaboration instead. B2B collaboration gives you the ability to:
+
+- Use Conditional Access and force multifactor authentication for B2B collaboration users.
+- Manage inbound and outbound access.
+- Terminate sessions and credentials when a B2B collaboration user's employment status changes or their credentials are breached.
+- Use sign-in logs to view details about the B2B collaboration user.
+
+### Tenant restrictions and Microsoft Teams (preview)
+
+Teams by default has open federation, which means we don't block anyone joining a meeting hosted by an external tenant. For greater control over access to Teams meetings, you can use [Federation Controls](/microsoftteams/trusted-organizations-external-meetings-chat) in Teams to allow or block specific tenants, along with tenant restrictions v2 to block anonymous access to Teams meetings. To enforce tenant restrictions for Teams, you need to configure tenant restrictions v2 in your Microsoft Entra cross-tenant access settings. You also need to set up Federation Controls in the Teams Admin portal and restart Teams. Tenant restrictions implemented on the corporate proxy won't block anonymous access to Teams meetings, SharePoint files, and other resources that don't require authentication.
+
+- Teams currently allows users to join <i>any</i> externally hosted meeting using their corporate/home provided identity. You can use outbound cross-tenant access settings to control users with corporate/home provided identity to join externally hosted Teams meetings.
+- Tenant restrictions prevent users from using an externally issued identity to join Teams meetings.
+
+#### Pure Anonymous Meeting join
+
+Tenant restrictions v2 automatically block all unauthenticated and externally issued identity access to externally hosted Teams meetings.
+For example, suppose Contoso uses Teams Federation Controls to block the Fabrikam tenant. If someone with a Contoso device uses a Fabrikam account to join a Contoso Teams meeting, they're allowed into the meeting as an anonymous user. Now, if Contoso also enables tenant restrictions v2, Teams blocks anonymous access, and the user isn't able to join the meeting.
+
+#### Meeting join using an externally issued identity
+
+You can configure the tenant restrictions v2 policy to allow specific users or groups with externally issued identities to join specific externally hosted Teams meetings. With this configuration, users can sign in to Teams with their externally issued identities and join the specified tenant's externally hosted Teams meetings.
++
+| Auth identity | Authenticated session | Result |
+|-|||
+|Tenant Member users (authenticated session)<br></br> Example: A user uses their home identity as a member user (for example, user@mytenant.com) | Authenticated | Tenant restrictions v2 allows access to the Teams meeting. TRv2 never get applied to tenant member users. Cross tenant access inbound/outbound policy applies. |
+|Anonymous (no authenticated session) <br></br> Example: A user tries to use an unauthenticated session, for example in an InPrivate browser window, to access a Teams meeting. | Not authenticated | Tenant restrictions v2 blocks access to the Teams meeting. |
+|Externally issued identity (authenticated session)<br></br> Example: A user uses any identity other than their home identity (for example, user@externaltenant.com) | Authenticated as an externally issued identity | Allow or block access to the Teams meeting per Tenant restrictions v2 policy. If allowed by the policy, the user can join the meeting. Otherwise access is blocked. |
+
+### Tenant restrictions v2 and SharePoint Online
+
+SharePoint Online supports tenant restrictions v2 on both the authentication plane and the data plane.
+
+#### Authenticated sessions
+
+When tenant restrictions v2 are enabled on a tenant, unauthorized access is blocked during authentication. If a user directly accesses a SharePoint Online resource without an authenticated session, they're prompted to sign in. If the tenant restrictions v2 policy allows access, the user can access the resource; otherwise, access is blocked.
+
+#### Anonymous access (preview)
+
+If a user tries to access an anonymous file using their home tenant/corporate identity, they're able to access the file. But if the user tries to access the anonymous file using any externally issued identity, access is blocked.
+
+For example, say a user is using a managed device configured with tenant restrictions v2 for Tenant A. If they select an anonymous access link generated for a Tenant A resource, they should be able to access the resource anonymously. But if they select an anonymous access link generated for Tenant B SharePoint Online, they're prompted to sign-in. Anonymous access to resources using an externally issued identity is always blocked.
+
+### Tenant restrictions v2 and OneDrive
+
+#### Authenticated sessions
+
+When tenant restrictions v2 are enabled on a tenant, unauthorized access is blocked during authentication. If a user directly accesses a OneDrive for Business without an authenticated session, they're prompted to sign in. If the tenant restrictions v2 policy allows access, the user can access the resource; otherwise, access is blocked.
+
+#### Anonymous access (preview)
+
+Like SharePoint, OneDrive for Business supports tenant restrictions v2 on both the authentication plane and the data plane. Blocking anonymous access to OneDrive for business is also supported. For example, tenant restrictions v2 policy enforcement works at the OneDrive for Business endpoint (microsoft-my.sharepoint.com).
+
+#### Not in scope
+
+OneDrive for consumer accounts (via onedrive.live.com) doesn't support tenant restrictions v2. Some URLs (such as onedrive.live.com) are unconverged and use our legacy stack. When a user accesses the OneDrive consumer tenant through these URLs, the policy isn't enforced. As a workaround, you can block https://onedrive.live.com/ at the proxy level.
+
+## Prerequisites
+
+To configure tenant restrictions, you need:
+
+- Microsoft Entra ID P1 or P2
+- Account with a role of Global administrator or Security administrator
+- Windows devices running Windows 10, Windows 11 with the latest updates
+
+## Configure server-side tenant restrictions v2 cloud policy
+
+### Step 1: Configure default tenant restrictions v2
+
+Settings for tenant restrictions v2 are located in the Microsoft Entra admin center under **Cross-tenant access settings**. First, configure the default tenant restrictions you want to apply to all users, groups, apps, and organizations. Then, if you need partner-specific configurations, you can add a partner's organization and customize any settings that differ from your defaults.
+
+#### To configure default tenant restrictions
++
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security administrator](../roles/permissions-reference.md#security-administrator).
+
+1. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**, then select **Cross-tenant access settings**.
+
+1. Select the **Default settings** tab.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-section.png" alt-text="Screenshot showing the tenant restrictions section on the default settings tab.":::
+
+1. Scroll to the **Tenant restrictions** section.
+
+1. Select the **Edit tenant restrictions defaults** link.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-section-edit.png" alt-text="Screenshot showing edit buttons for Default settings.":::
+
+1. If a default policy doesn't exist yet in the tenant, next to the **Policy ID** a **Create Policy** link appears. Select this link.
+
+ :::image type="content" source="media/tenant-restrictions-v2/create-tenant-restrictions-policy.png" alt-text="Screenshot showing the Create Policy link.":::
+
+1. The **Tenant restrictions** page displays both your **Tenant ID** and your tenant restrictions **Policy ID**. Use the copy icons to copy both of these values. You use them later when you configure Windows clients to enable tenant restrictions.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-policy-id.png" alt-text="Screenshot showing the tenant ID and policy ID for the tenant restrictions.":::
+
+1. Select the **External users and groups** tab. Under **Access status**, choose one of the following:
+
+ - **Allow access**: Allows all users who are signed in with external accounts to access external apps (specified on the **External applications** tab).
+ - **Block access**: Blocks all users who are signed in with external accounts from accessing external apps (specified on the **External applications** tab).
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-external-users-block.png" alt-text="Screenshot showing settings for access status.":::
+
+ > [!NOTE]
+ > Default settings can't be scoped to individual accounts or groups, so **Applies to** always equals **All &lt;your tenant&gt; users and groups**. Be aware that if you block access for all users and groups, you also need to block access to all external applications (on the **External applications** tab).
+
+1. Select the **External applications** tab. Under **Access status**, choose one of the following:
+
+ - **Allow access**: Allows all users who are signed in with external accounts to access the apps specified in the **Applies to** section.
+ - **Block access**: Blocks all users who are signed in with external accounts from accessing the apps specified in the **Applies to** section.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-applications.png" alt-text="Screenshot showing access status on the external applications tab.":::
+
+1. Under **Applies to**, select one of the following:
+
+ - **All external applications**: Applies the action you chose under **Access status** to all external applications. If you block access to all external applications, you also need to block access for all of your users and groups (on the **Users and groups** tab).
+ - **Select external applications**: Lets you choose the external applications you want the action under **Access status** to apply to. To select applications, choose **Add Microsoft applications** or **Add other applications**. Then search by the application name or the application ID (either the *client app ID* or the *resource app ID*) and select the app. ([See a list of IDs for commonly used Microsoft applications.](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)) If you want to add more apps, use the **Add** button. When you're done, select **Submit**.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-default-applications-applies-to.png" alt-text="Screenshot showing selecting the external applications tab.":::
+
+1. Select **Save**.
+
+### Step 2: Configure tenant restrictions v2 for specific partners
+
+Suppose you use tenant restrictions to block access by default, but you want to allow users to access certain applications using their own external accounts. For example, say you want users to be able to access Microsoft Learn with their own Microsoft Accounts. The instructions in this section describe how to add organization-specific settings that take precedence over the default settings.
+
+#### Example: Configure tenant restrictions v2 to allow Microsoft Accounts
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security administrator](../roles/permissions-reference.md#security-administrator) or a [Conditional Access administrator](../roles/permissions-reference.md#conditional-access-administrator).
+
+1. Browse to **Identity** > **External Identities** > **Cross-tenant access settings**.
+
+1. Select **Organizational settings**.
+
+ > [!NOTE]
+ > If the organization you want to add has already been added to the list, you can skip adding it and go directly to modifying the settings.
+
+1. Select **Add organization**.
+
+1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization.
+
+ **Example**: Search for the following Microsoft Accounts tenant ID:
+
+ ```
+ 9188040d-6c67-4c5b-b112-36a304b66dad
+ ```
+
+ :::image type="content" source="media/tenant-restrictions-v2/add-organization-microsoft-accounts.png" alt-text="Screenshot showing adding an organization.":::
+
+1. Select the organization in the search results, and then select **Add**.
+
+1. Modifying the settings: Find the organization in the **Organizational settings** list, and then scroll horizontally to see the **Tenant restrictions** column. At this point, all tenant restrictions settings for this organization are inherited from your default settings. To change the settings for this organization, select the **Inherited from default** link under the **Tenant restrictions** column.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-edit-link.png" alt-text="Screenshot showing an organization added with default settings.":::
+
+1. The **Tenant restrictions** page for the organization appears. Copy the values for **Tenant ID** and **Policy ID**. You use them later when you configure Windows clients to enable tenant restrictions.
+
+ :::image type="content" source="media/tenant-restrictions-v2/org-tenant-policy-id.png" alt-text="Screenshot showing tenant ID and policy ID.":::
+
+1. Select **Customize settings**, and then select the **External users and groups** tab. Under **Access status**, choose an option:
+
+ - **Allow access**: Allows users and groups specified under **Applies to** who are signed in with external accounts to access external apps (specified on the **External applications** tab).
+ - **Block access**: Blocks users and groups specified under **Applies to** who are signed in with external accounts from accessing external apps (specified on the **External applications** tab).
+
+ > [!NOTE]
+ > For our Microsoft Accounts example, we select **Allow access**.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-external-users-organizational.png" alt-text="Screenshot showing selecting the external users allow access selections.":::
+
+1. Under **Applies to**, choose **All &lt;organization&gt; users and groups**.
+
+ > [!NOTE]
+ > User granularity isn't supported with Microsoft Accounts, so the **Select &lt;organization&gt; users and groups** capability isn't available. For other organizations, you could choose **Select &lt;organization&gt; users and groups**, and then perform these steps for each user or group you want to add:
+ >
+ >- Select **Add external users and groups**.
+ >- In the **Select** pane, type the user name or group name in the search box.
+ >- Select the user or group in the search results.
+ >- If you want to add more, select **Add** and repeat these steps. When you're done selecting the users and groups you want to add, select **Submit**.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-external-users-organizational-applies-to.png" alt-text="Screenshot showing selecting the external users and groups selections.":::
+
+1. Select the **External applications** tab. Under **Access status**, choose whether to allow or block access to external applications.
+
+ - **Allow access**: Allows the external applications specified under **Applies to** to be accessed by your users when using external accounts.
+ - **Block access**: Blocks the external applications specified under **Applies to** from being accessed by your users when using external accounts.
+
+ > [!NOTE]
+ > For our Microsoft Accounts example, we select **Allow access**.
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-edit-applications-access-status.png" alt-text="Screenshot showing the Access status selections.":::
+
+1. Under **Applies to**, select one of the following:
+
+ - **All external applications**: Applies the action you chose under **Access status** to all external applications.
+ - **Select external applications**: Applies the action you chose under **Access status** to all external applications.
+
+ > [!NOTE]
+ >
+ > - For our Microsoft Accounts example, we choose **Select external applications**.
+ > - If you block access to all external applications, you also need to block access for all of your users and groups (on the **Users and groups** tab).
+
+ :::image type="content" source="media/tenant-restrictions-v2/tenant-restrictions-edit-applications-applies-to.png" alt-text="Screenshot showing selecting the Applies to selections.":::
+
+1. If you chose **Select external applications**, do the following for each application you want to add:
+
+ - Select **Add Microsoft applications** or **Add other applications**. For our Microsoft Learn example, we choose **Add other applications**.
+ - In the search box, type the application name or the application ID (either the *client app ID* or the *resource app ID*). ([See a list of IDs for commonly used Microsoft applications.](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)) For our Microsoft Learn example, we enter the application ID `18fbca16-2224-45f6-85b0-f7bf2b39b3f3`.
+ - Select the application in the search results, and then select **Add**.
+ - Repeat for each application you want to add.
+ - When you're done selecting applications, select **Submit**.
+
+ :::image type="content" source="media/tenant-restrictions-v2/add-learning-app.png" alt-text="Screenshot showing selecting applications.":::
+
+1. The applications you selected are listed on the **External applications** tab. Select **Save**.
+
+ :::image type="content" source="media/tenant-restrictions-v2/add-app-save.png" alt-text="Screenshot showing the selected application.":::
+
+> [!NOTE]
+ >
+ > Blocking the MSA tenant will not block:
+ > - User-less traffic for devices. This includes traffic for Autopilot, Windows Update, and organizational telemetry.
+ > - B2B authentication of consumer accounts.
+ > - "Passthrough" authentication, used by many Azure apps and Office.com, where apps use Microsoft Entra ID to sign in consumer users in a consumer context.
+
+## Configure client-side tenant restrictions v2
+
+There are three options for enforcing tenant restrictions v2 for clients:
+
+- [Option 1](#option-1-universal-tenant-restrictions-v2-as-part-of-microsoft-entra-global-secure-access-preview): Universal tenant restrictions v2 as part of Microsoft Entra Global Secure Access (preview)
+- [Option 2](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy): Set up tenant restrictions v2 on your corporate proxy
+- [Option 3](#option-3-enable-tenant-restrictions-on-windows-managed-devices-preview): Enable tenant restrictions on Windows managed devices (preview)
+
+### Option 1: Universal tenant restrictions v2 as part of Microsoft Entra Global Secure Access (preview)
+
+Universal tenant restrictions v2 as part of [Microsoft Entra Global Secure Access](/azure/global-secure-access/overview-what-is-global-secure-access) is recommended because it provides authentication and data plane protection for all devices and platforms. This option provides more protection against sophisticated attempts to bypasses authentication. For example, attackers might try to allow anonymous access to a malicious tenantΓÇÖs apps, such as anonymous meeting join in Teams. Or, attackers might attempt to import to your organizational device an access token lifted from a device in the malicious tenant. Universal tenant restrictions v2 prevents these attacks by sending tenant restrictions v2 signals on the authentication plane (Microsoft Entra ID and Microsoft Account) and data plane (Microsoft cloud applications).
+
+### Option 2: Set up tenant restrictions v2 on your corporate proxy
+
+Tenant restrictions v2 policies can't be directly enforced on non-Windows 10, Windows 11, or Windows Server 2022 devices, such as Mac computers, mobile devices, unsupported Windows applications, and Chrome browsers. To ensure sign-ins are restricted on all devices and apps in your corporate network, configure your corporate proxy to enforce tenant restrictions v2. Although configuring tenant restrictions on your corporate proxy doesn't provide data plane protection, it does provide authentication plane protection.
+
+> [!IMPORTANT]
+> If you've previously set up tenant restrictions, you'll need to stop sending `restrict-msa` to login.live.com. Otherwise, the new settings will conflict with your existing instructions to the MSA login service.
+
+1. Configure the tenant restrictions v2 header as follows:
+
+ |Header name |Header Value |
+ |||
+ |`sec-Restrict-Tenant-Access-Policy` | `<TenantId>:<policyGuid>` |
+
+ - `TenantID` is your Microsoft Entra tenant ID. Find this value by signing in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an administrator and browsing to **Identity** > **Overview** and selecting the **Overview** tab.
+ - `policyGUID` is the object ID for your cross-tenant access policy. Find this value by calling `/crosstenantaccesspolicy/default` and using the ΓÇ£idΓÇ¥ field returned.
+
+1. On your corporate proxy, send the tenant restrictions v2 header to the following Microsoft login domains:
+
+ - login.live.com
+ - login.microsoft.com
+ - login.microsoftonline.com
+ - login.windows.net
+
+ This header enforces your tenant restrictions v2 policy on all sign-ins on your network. This header doesn't block anonymous access to Teams meetings, SharePoint files, or other resources that don't require authentication.
+
+### Migrate tenant restrictions v1 policies to v2
+
+Migrating tenant restriction policies from v1 to v2 is a one-time operation. After migration, no client-side changes are required. You can make any subsequent policy changes via the Microsoft Entra admin center.
+
+On your corporate proxy, you can move from tenant restrictions v1 to tenant restrictions v2 by changing this tenant restrictions v1 header:
+
+`Restrict-Access-To-Tenants: <allowed-tenant-list>`
+
+to this tenant restrictions v2 header:
+
+`sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>`
+
+where `<DirectoryID>` is your Microsoft Entra tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy.
+
+#### Tenant restrictions v1 settings on the corporate proxy
+
+The following example shows an existing tenant restrictions V1 setting on the corporate proxy:
+
+`Restrict-Access-To-Tenants: contoso.com, fabrikam.com, dogfood.com sec-Restrict-Tenant-Access-Policy: restrict-msa`
+
+[Learn more](../manage-apps/tenant-restrictions.md) about tenant restrictions v1.
+
+#### Tenant restrictions v2 settings on the corporate proxy
+
+You can configure the corporate proxy to enable client-side tagging of the tenant restrictions V2 header by using the following corporate proxy setting:
+
+`sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>`
+
+where `<DirectoryID>` is your Microsoft Entra tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy. For details, see [Set up tenant restrictions v2 on your corporate proxy](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy)
+
+You can configure server-side cloud tenant restrictions v2 policies by following the steps at [Step 2: Configure tenant restrictions v2 for specific partners](#step-2-configure-tenant-restrictions-v2-for-specific-partners). Be sure to follow these guidelines:
+
+- Keep the tenant restrictions v2 default policy that blocks all external tenant access using foreign identities (for example, `user@externaltenant.com`).
+
+- Create a partner tenant policy for each tenant listed in your v1 allowlist by following the steps at [Step 2: Configure tenant restrictions v2 for specific partners](#step-2-configure-tenant-restrictions-v2-for-specific-partners).
+
+- Allow only specific users to access specific applications. This design increases your security posture by limiting access to necessary users only.
+
+- Tenant restrictions v2 policies treat MSA as a partner tenant. Create a partner tenant configuration for MSA by following the steps in [Step 2: Configure tenant restrictions v2 for specific partners](#step-2-configure-tenant-restrictions-v2-for-specific-partners). Because user-level assignment isn't available for MSA tenants, the policy applies to all MSA users. However, application-level granularity is available, and you should limit the applications that MSA or consumer accounts can access to only those applications that are necessary.
+
+> [!NOTE]
+>Blocking the MSA tenant will not block user-less traffic for devices, including:
+>
+>- Traffic for Autopilot, Windows Update, and organizational telemetry.
+>- B2B authentication of consumer accounts, or "passthrough" authentication, where Azure apps and Office.com apps use Microsoft Entra ID to sign in consumer users in a consumer context.
+
+#### Tenant restrictions v2 with no support for break and inspect
+
+For non-Windows platforms, you can break and inspect traffic to add the tenant restrictions v2 parameters into the header via proxy. However, some platforms don't support break and inspect, so tenant restrictions v2 don't work. For these platforms, the following features of Microsoft Entra ID can provide protection:
+
+- [Conditional Access: Only allow use of managed/compliant devices](/mem/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access)
+- [Conditional Access: Manage access for guest/external users](/microsoft-365/security/office-365-security/identity-access-policies-guest-access)
+- [B2B Collaboration: Restrict outbound rules by Cross-tenant access for the same tenants listed in the parameter "Restrict-Access-To-Tenants"](../external-identities/cross-tenant-access-settings-b2b-collaboration.md)
+- [B2B Collaboration: Restrict invitations to B2B users to the same domains listed in the "Restrict-Access-To-Tenants" parameter](../external-identities/allow-deny-list.md)
+- [Application management: Restrict how users consent to applications](../manage-apps/configure-user-consent.md)
+- [Intune: Apply App Policy through Intune to restrict usage of managed apps to only the UPN of the account that enrolled the device](/mem/intune/apps/app-configuration-policies-use-android) (under **Allow only configured organization accounts in apps**)
+
+Although these alternatives provide protection, certain scenarios can only be covered through tenant restrictions, such as the use of a browser to access Microsoft 365 services through the web instead of the dedicated app.
+
+### Option 3: Enable tenant restrictions on Windows managed devices (preview)
+
+After you create a tenant restrictions v2 policy, you can enforce the policy on each Windows 10, Windows 11, and Windows Server 2022 device by adding your tenant ID and the policy ID to the device's **Tenant Restrictions** configuration. When tenant restrictions are enabled on a Windows device, corporate proxies aren't required for policy enforcement. Devices don't need to be Microsoft Entra ID managed to enforce tenant restrictions v2; domain-joined devices that are managed with Group Policy are also supported.
+
+> [!NOTE]
+> Tenant restrictions V2 on Windows is a partial solution that protects the authentication and data planes for some scenarios. It works on managed Windows devices and does not protect .NET stack, Chrome, or Firefox. The Windows solution provides a temporary solution until general availability of Universal tenant restrictions in [Microsoft Entra Global Secure Access (preview)](/entra/global-secure-access/overview-what-is-global-secure-access).
+
+#### Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2) and Group policy settings
+
+You can use Group Policy to deploy the tenant restrictions configuration to Windows devices. Refer to these resources:
+
+- [Administrative Templates for Windows 10](https://www.microsoft.com/download/details.aspx?id=104042)
+- [Group Policy Settings Reference Spreadsheet for Windows 10](https://www.microsoft.com/download/details.aspx?id=104043)
+
+#### Test the policies on a device
+
+To test the tenant restrictions v2 policy on a device, follow these steps.
+
+> [!NOTE]
+>
+> - The device must be running Windows 10 or Windows 11 with the latest updates.
+
+1. On the Windows computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**.
+
+1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Tenant Restrictions**.
+
+1. Right-click **Cloud Policy Details** in the right pane, and then select **Edit**.
+
+1. Retrieve the **Tenant ID** and **Policy ID** you recorded earlier (in step 7 under [To configure default tenant restrictions](#to-configure-default-tenant-restrictions)) and enter them in the following fields (leave all other fields blank):
+
+ - **Microsoft Entra Directory ID**: Enter the **Tenant ID** you recorded earlier. by signing in to the [Microsoft Entra admin center](https://entra.microsoft.com) as an administrator and browsing to **Identity** > **Overview** and selecting the **Overview** tab.
+ - **Policy GUID**: The ID for your cross-tenant access policy. It's the **Policy ID** you recorded earlier. You can also find this ID by using the Graph Explorer command [https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default](https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default).
+[//]: # (BROKEN LINK HttpLinkUnauthorized ABOVE: https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default)
+
+ :::image type="content" source="media/tenant-restrictions-v2/windows-cloud-policy-details.png" alt-text="Screenshot of Windows Cloud Policy Details.":::
+
+1. Select **OK**.
+
+#### Block Chrome, Firefox and .NET applications like PowerShell
+
+You can use the Windows Firewall feature to block unprotected apps from accessing Microsoft resources via Chrome, Firefox, and .NET applications like PowerShell. The applications that would be blocked/allowed as per the tenant restrictions v2 policy.
+
+For example, if a customer adds PowerShell to their tenant restrictions v2 CIP policy and has graph.microsoft.com in their tenant restrictions v2 policy endpoint list, then PowerShell should be able to access it with firewall enabled.
+
+1. On the Windows computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**.
+
+1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Tenant Restrictions**.
+
+1. Right-click **Cloud Policy Details** in the right pane, and then select **Edit**.
+
+1. Select the **Enable firewall protection of Microsoft endpoints** checkbox, and then select **OK**.
++
+After you enable the firewall setting, try signing in using a Chrome browser. Sign-in should fail with the following message:
+
+
+#### View tenant restrictions v2 events
+
+View events related to tenant restrictions in Event Viewer.
+
+1. In Event Viewer, open **Applications and Services Logs**.
+1. Navigate to **Microsoft** > **Windows** > **TenantRestrictions** > **Operational** and look for events.
+
+## Sign-in logs
+
+Microsoft Entra sign-in logs let you view details about sign-ins with a tenant restrictions v2 policy in place. When a B2B user signs into a resource tenant to collaborate, a sign-in log is generated in both the home tenant and the resource tenant. These logs include information such as the application being used, email addresses, tenant name, and tenant ID for both the home tenant and the resource tenant. The following example shows a successful sign-in:
++
+If sign-in fails, the Activity Details give information about the reason for failure:
++
+## Audit logs
+
+The **Audit logs** provide records of system and user activities, including activities initiated by guest users. You can view audit logs for the tenant under Monitoring, or view audit logs for a specific user by navigating to the user's profile.
+
+
+Select an event in the log to get more details about the event, for example:
+
+
+You can also export these logs from Microsoft Entra ID and use the reporting tool of your choice to get customized reports.
+
+## Microsoft Graph
+
+Use Microsoft Graph to get policy information:
+
+### HTTP request
+
+- Get default policy
+
+ ``` http
+ GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default
+ ```
+
+- Reset to system default
+
+ ``` http
+ POST https://graph.microsoft.com/betefault
+ ```
+
+- Get partner configuration
+
+ ``` http
+ GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners
+ ```
+
+- Get a specific partner configuration
+
+ ``` http
+ GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/9188040d-6c67-4c5b-b112-36a304b66dad
+ ```
+
+- Update a specific partner
+
+ ``` http
+ PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/9188040d-6c67-4c5b-b112-36a304b66dad
+ ```
+
+### Request body
+
+``` json
+"tenantRestrictions": {
+ "usersAndGroups": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+## Next steps
+
+See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.
active-directory Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/troubleshoot.md
Here are some remedies for common problems with Microsoft Entra B2B collaboratio
> [!IMPORTANT] > > - **Starting July 12, 2021**, if Microsoft Entra B2B customers set up new Google integrations for use with self-service sign-up for their custom or line-of-business applications, authentication with Google identities wonΓÇÖt work until authentications are moved to system web-views. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
- > - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](../../active-directory-b2c/identity-provider-google.md) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
+ > - **Starting September 30, 2021**, Google is [deprecating embedded web-view sign-in support](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). If your apps authenticate users with an embedded web-view and you're using Google federation with [Azure AD B2C](/azure/active-directory-b2c/identity-provider-google) or Microsoft Entra B2B for [external user invitations](google-federation.md) or [self-service sign-up](identity-providers.md), Google Gmail users won't be able to authenticate. [Learn more](google-federation.md#deprecation-of-web-view-sign-in-support).
> - The [email one-time passcode](one-time-passcode.md) feature is now turned on by default for all new tenants and for any existing tenants where you haven't explicitly turned it off. When this feature is turned off, the fallback authentication method is to prompt invitees to create a Microsoft account. ## Guest sign-in fails with error code AADSTS50020
You can enable this feature by using the setting 'ShowPeoplePickerSuggestionsFor
## My guest invite settings and domain restrictions aren't being respected by SharePoint Online/OneDrive
-By default, SharePoint Online and OneDrive have their own set of external user options and don't use the settings from Microsoft Entra ID. You need to enable [SharePoint and OneDrive integration with Microsoft Entra B2B](/sharepoint/sharepoint-azureb2b-integration-preview) to ensure the options are consistent among those applications.
+By default, SharePoint Online and OneDrive have their own set of external user options and don't use the settings from Microsoft Entra ID. You need to enable [SharePoint and OneDrive integration with Microsoft Entra B2B](/sharepoint/sharepoint-azureb2b-integration) to ensure the options are consistent among those applications.
## Invitations have been disabled for directory If you're notified that you don't have permissions to invite users, verify that your user account is authorized to invite external users under Identity > Users > User settings > External users > Manage external collaboration settings:
As of November 18, 2019, guest users in your directory (defined as user accounts
## In an Azure US Government tenant, I can't invite a B2B collaboration guest user
-Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that doesn't yet support B2B collaboration, you'll get an error. For details and limitations, see [Microsoft Entra ID P1 and P2 Variations](../../azure-government/compare-azure-government-global-azure.md#azure-active-directory-premium-p1-and-p2).
+Within the Azure US Government cloud, B2B collaboration is enabled between tenants that are both within Azure US Government cloud and that both support B2B collaboration. If you invite a user in a tenant that doesn't yet support B2B collaboration, you'll get an error. For details and limitations, see [Microsoft Entra ID P1 and P2 Variations](/azure/azure-government/compare-azure-government-global-azure#azure-active-directory-premium-p1-and-p2).
If you need to collaborate with a Microsoft Entra organization that's outside of the Azure US Government cloud, you can use [Microsoft cloud settings](cross-cloud-settings.md) to enable B2B collaboration.
Let's say you inadvertently invite a guest user with an email address that match
## External access blocked by policy error on the login screen
-When you try to login to your tenant, you might see this error message: "Your network administrator has restricted what organizations can be accessed. Contact your IT department to unblock access." This error is related to tenant restriction settings. To resolve this issue, ask your IT team to follow the instructions in [this article](/azure/active-directory/manage-apps/tenant-restrictions).
+When you try to login to your tenant, you might see this error message: "Your network administrator has restricted what organizations can be accessed. Contact your IT department to unblock access." This error is related to tenant restriction settings. To resolve this issue, ask your IT team to follow the instructions in [this article](../manage-apps/tenant-restrictions.md).
## Invitation is blocked due missing cross-tenant access settings
active-directory User Flow Add Custom Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/user-flow-add-custom-attributes.md
For each application, you might have different requirements for the information you want to collect during sign-up. Microsoft Entra External ID comes with a built-in set of information stored in attributes, such as Given Name, Surname, City, and Postal Code. With Microsoft Entra External ID, you can extend the set of attributes stored on a guest account when the external user signs up through a user flow.
-You can create custom attributes in the Microsoft Entra admin center and use them in your [self-service sign-up user flows](self-service-sign-up-user-flow.md). You can also read and write these attributes by using the [Microsoft Graph API](../../active-directory-b2c/microsoft-graph-operations.md). Microsoft Graph API supports creating and updating a user with extension attributes. Extension attributes in the Graph API are named by using the convention `extension_<extensions-app-id>_attributename`. For example:
+You can create custom attributes in the Microsoft Entra admin center and use them in your [self-service sign-up user flows](self-service-sign-up-user-flow.md). You can also read and write these attributes by using the [Microsoft Graph API](/azure/active-directory-b2c/microsoft-graph-operations). Microsoft Graph API supports creating and updating a user with extension attributes. Extension attributes in the Graph API are named by using the convention `extension_<extensions-app-id>_attributename`. For example:
```JSON "extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyNumber": "212342"
active-directory User Properties https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/user-properties.md
Yes. By default, guest objects aren't visible in your organization's global addr
## Can I update a guest user's email address?
-If a guest user accepts your invitation and they subsequently change their email address, the new email doesn't automatically sync to the guest user object in your directory. The mail property is created via [Microsoft Graph API](/graph/api/resources/user). You can update the mail property via the Microsoft Graph API, the Exchange admin center, or [Exchange Online PowerShell](/powershell/module/exchange/users-and-groups/set-mailuser). The change will be reflected in the Microsoft Entra guest user object.
+If a guest user accepts your invitation and they subsequently change their email address, the new email doesn't automatically sync to the guest user object in your directory. The mail property is created via [Microsoft Graph API](/graph/api/resources/user). You can update the mail property via the Microsoft Graph API, the Exchange admin center, or [Exchange Online PowerShell](/powershell/module/exchange/set-mailuser). The change will be reflected in the Microsoft Entra guest user object.
## Next steps
active-directory What Is B2b https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/what-is-b2b.md
B2B collaboration is enabled by default, but comprehensive admin settings let yo
- Use [external collaboration settings](external-collaboration-settings-configure.md) to define who can invite external users, allow or block B2B specific domains, and set restrictions on guest user access to your directory. -- Use [Microsoft cloud settings](cross-cloud-settings.md) to establish mutual B2B collaboration between the Microsoft Azure global cloud and [Microsoft Azure Government](../../azure-government/index.yml) or [Microsoft Azure operated by 21Vianet](/azure/china).
+- Use [Microsoft cloud settings](cross-cloud-settings.md) to establish mutual B2B collaboration between the Microsoft Azure global cloud and [Microsoft Azure Government](/azure/azure-government/) or [Microsoft Azure operated by 21Vianet](/azure/china).
## Easily invite guest users from the Azure portal
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/whats-new-docs.md
This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID.
- [Tenant restrictions V2](tenant-restrictions-v2.md) - Note update - [Leave an organization](leave-the-organization.md) - Screenshot update - [Use audit logs and access reviews](auditing-and-reporting.md) - B2B sponsors feature update----
active-directory Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md
Create your new directory by following the steps in [Create a new tenant for you
> [!IMPORTANT] > The person who creates the tenant is automatically granted [Global Administrator](../roles/permissions-reference.md#global-administrator) privileges. The Global Administrator role is highly privileged and can add additional administrators to the tenant.
-For more information about subscription roles, see [Azure roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles).
+For more information about subscription roles, see [Azure roles](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles).
> [!TIP] > If you plan to federate on-premises Windows Server Active Directory with Microsoft Entra ID, then you need to select **I plan to configure this domain for single sign-on with my local Active Directory** when you run the Microsoft Entra Connect tool to synchronize your directories.
active-directory Add Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-users.md
The process for inviting a guest is the same as [adding a new user](./add-users.
## Add other users
-There might be scenarios in which you want to manually create consumer accounts in your Azure Active Directory B2C (Azure AD B2C) directory. For more information about creating consumer accounts, see [Create and delete consumer users in Azure AD B2C](../../active-directory-b2c/manage-users-portal.md).
+There might be scenarios in which you want to manually create consumer accounts in your Azure Active Directory B2C (Azure AD B2C) directory. For more information about creating consumer accounts, see [Create and delete consumer users in Azure AD B2C](/azure/active-directory-b2c/manage-users-portal).
If you have an environment with both Microsoft Entra ID (cloud) and Windows Server Active Directory (on-premises), you can add new users by syncing the existing user account data. For more information about hybrid environments and users, see [Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md).
active-directory Concept Learn About Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-learn-about-groups.md
After a user requests to join a group, the request is forwarded to the group own
## Next steps - [Create and manage Microsoft Entra groups and group membership](how-to-manage-groups.md)-- [Learn about group-based licensing in Microsoft Entra ID](./licensing-whatis-azure-portal.md)
+- [Learn about group-based licensing in Microsoft Entra ID](./concept-group-based-licensing.md)
- [Manage access to SaaS apps using groups](../enterprise-users/groups-saasapps.md) - [Manage dynamic rules for users in a group](../enterprise-users/groups-create-rule.md) - [Learn about Privileged Identity Management for Microsoft Entra roles](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)
active-directory Create New Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/create-new-tenant.md
If you're not going to continue to use this application, you can delete the tena
- Add groups and members, see [Create a basic group and add members](./how-to-manage-groups.md). -- Learn about [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) and [Conditional Access](../conditional-access/overview.md) to help manage your organization's application and resource access.
+- Learn about [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) and [Conditional Access](../conditional-access/overview.md) to help manage your organization's application and resource access.
- Learn about Microsoft Entra ID, including [basic licensing information, terminology, and associated features](./whatis.md).
active-directory Custom Security Attributes Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-manage.md
Once you have a better understanding of how your attributes will be organized an
| | | :: | | <ul><li>Read all attribute sets in a tenant</li><li>Read all attribute definitions in a tenant</li><li>[Add or edit all attribute sets in a tenant](custom-security-attributes-add.md)</li><li>[Add, edit, or deactivate all attribute definitions in a tenant](custom-security-attributes-add.md)</li></ul> | [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator) | ![Icon for tenant scope.](./media/custom-security-attributes-manage/icon-tenant.png)<br/>Tenant | | <ul><li>Read attribute definitions in a scoped attribute set</li><li>[Add, edit, or deactivate attribute definitions in a scoped attribute set](custom-security-attributes-add.md)</li><li>**Cannot** update the scoped attribute set</li><li>**Cannot** read, add, or update other attribute sets</li></ul> | [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator) | ![Icon for attribute set scope.](./media/custom-security-attributes-manage/icon-attribute-set.png)<br/>Attribute set |
-| <ul><li>Read all attribute sets in a tenant</li><li>Read all attribute definitions in a tenant</li><li>Read all attribute assignments in a tenant for users</li><li>Read all attribute assignments in a tenant for applications (service principals)</li><li>[Assign all attributes in a tenant to users](../enterprise-users/users-custom-security-attributes.md)</li><li>[Assign all attributes in a tenant to applications (service principals)](../manage-apps/custom-security-attributes-apps.md)</li><li>[Author Azure role assignment conditions that use the Principal attribute for all attributes in a tenant](../../role-based-access-control/conditions-format.md#attributes)</li></ul> | [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator) | ![Icon for tenant scope.](./media/custom-security-attributes-manage/icon-tenant.png)<br/>Tenant |
-| <ul><li>Read attribute definitions in a scoped attribute set</li><li>Read attribute assignments that use attributes in a scoped attribute set for users</li><li>Read attribute assignments that use attributes in a scoped attribute set for applications (service principals)</li><li>[Assign attributes in a scoped attribute set to users](../enterprise-users/users-custom-security-attributes.md)</li><li>[Assign attributes in a scoped attribute set to applications (service principals)](../manage-apps/custom-security-attributes-apps.md)</li><li>[Author Azure role assignment conditions that use the Principal attribute for all attributes in a scoped attribute set](../../role-based-access-control/conditions-format.md#attributes)</li><li>**Cannot** read attributes in other attribute sets</li><li>**Cannot** read attribute assignments that use attributes in other attribute sets</li></ul> | [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator) | ![Icon for attribute set scope.](./media/custom-security-attributes-manage/icon-attribute-set.png)<br/>Attribute set |
+| <ul><li>Read all attribute sets in a tenant</li><li>Read all attribute definitions in a tenant</li><li>Read all attribute assignments in a tenant for users</li><li>Read all attribute assignments in a tenant for applications (service principals)</li><li>[Assign all attributes in a tenant to users](../enterprise-users/users-custom-security-attributes.md)</li><li>[Assign all attributes in a tenant to applications (service principals)](../manage-apps/custom-security-attributes-apps.md)</li><li>[Author Azure role assignment conditions that use the Principal attribute for all attributes in a tenant](/azure/role-based-access-control/conditions-format#attributes)</li></ul> | [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator) | ![Icon for tenant scope.](./media/custom-security-attributes-manage/icon-tenant.png)<br/>Tenant |
+| <ul><li>Read attribute definitions in a scoped attribute set</li><li>Read attribute assignments that use attributes in a scoped attribute set for users</li><li>Read attribute assignments that use attributes in a scoped attribute set for applications (service principals)</li><li>[Assign attributes in a scoped attribute set to users](../enterprise-users/users-custom-security-attributes.md)</li><li>[Assign attributes in a scoped attribute set to applications (service principals)](../manage-apps/custom-security-attributes-apps.md)</li><li>[Author Azure role assignment conditions that use the Principal attribute for all attributes in a scoped attribute set](/azure/role-based-access-control/conditions-format#attributes)</li><li>**Cannot** read attributes in other attribute sets</li><li>**Cannot** read attribute assignments that use attributes in other attribute sets</li></ul> | [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator) | ![Icon for attribute set scope.](./media/custom-security-attributes-manage/icon-attribute-set.png)<br/>Attribute set |
| <ul><li>Read all attribute sets in a tenant</li><li>Read all attribute definitions in a tenant</li></ul> | [Attribute Definition Reader](../roles/permissions-reference.md#attribute-definition-reader) | ![Icon for tenant scope.](./media/custom-security-attributes-manage/icon-tenant.png)<br/>Tenant | | <ul><li>Read attribute definitions in a scoped attribute set</li><li>**Cannot** read other attribute sets</li></ul> | [Attribute Definition Reader](../roles/permissions-reference.md#attribute-definition-reader) | ![Icon for attribute set scope.](./media/custom-security-attributes-manage/icon-attribute-set.png)<br/>Attribute set | | <ul><li>Read all attribute sets in a tenant</li><li>Read all attribute definitions in a tenant</li><li>Read all attribute assignments in a tenant for users</li><li>Read all attribute assignments in a tenant for applications (service principals)</li></ul> | [Attribute Assignment Reader](../roles/permissions-reference.md#attribute-assignment-reader) | ![Icon for tenant scope.](./media/custom-security-attributes-manage/icon-tenant.png)<br/>Tenant |
active-directory Custom Security Attributes Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-overview.md
> Custom security attributes are currently in PREVIEW. > For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
-Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. Custom security attributes can be used with [Azure attribute-based access control (Azure ABAC)](../../role-based-access-control/conditions-overview.md).
+Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. Custom security attributes can be used with [Azure attribute-based access control (Azure ABAC)](/azure/role-based-access-control/conditions-overview).
## Why use custom security attributes?
Custom security attributes include these capabilities:
Custom security attributes **aren't** supported in the following areas: -- [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md)
+- [Microsoft Entra Domain Services](/entra/identity/domain-services/overview)
- [SAML token claims](../develop/saml-claims-customization.md) ## Features of custom security attributes
For more information about working with extensions, see [Add custom data to reso
Filter users and applications that use custom security attributes. [Learn more](../enterprise-users/users-custom-security-attributes.md)
- Add conditions that use custom security attributes to Azure role assignments for fine-grained access control. [Learn more](../../role-based-access-control/conditions-custom-security-attributes.md)
+ Add conditions that use custom security attributes to Azure role assignments for fine-grained access control. [Learn more](/azure/role-based-access-control/conditions-custom-security-attributes)
## Terminology
Here are some of the limits and constraints for custom security attributes.
> | Attribute values assigned per object | 50 | Values can be distributed across single and multi-valued attributes.<br/>Example: 5 attributes with 10 values each or 50 attributes with 1 value each | > | Special characters **not** allowed for:<br/>Attribute set name<br/>Attribute name | ``<space> ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] \| \ : ; " ' < , > . ? /`` | Attribute set name and attribute name cannot start with a number | > | Special characters allowed for attribute values | All special characters | |
-> | Special characters allowed for attribute values when used with blob index tags | `<space> + - . : = _ /` | If you plan to use [attribute values with blob index tags](../../role-based-access-control/conditions-custom-security-attributes.md), these are the only special characters allowed for blob index tags. For more information, see [Setting blob index tags](../../storage/blobs/storage-manage-find-blobs.md#setting-blob-index-tags). |
+> | Special characters allowed for attribute values when used with blob index tags | `<space> + - . : = _ /` | If you plan to use [attribute values with blob index tags](/azure/role-based-access-control/conditions-custom-security-attributes), these are the only special characters allowed for blob index tags. For more information, see [Setting blob index tags](/azure/storage/blobs/storage-manage-find-blobs#setting-blob-index-tags). |
## Custom security attribute roles
active-directory Custom Security Attributes Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-troubleshoot.md
If required, add `ConsistencyLevel=eventual` in the request or the header. You m
## Next steps - [Manage access to custom security attributes in Microsoft Entra ID](custom-security-attributes-manage.md)-- [Troubleshoot Azure role assignment conditions](../../role-based-access-control/conditions-troubleshoot.md)
+- [Troubleshoot Azure role assignment conditions](/azure/role-based-access-control/conditions-troubleshoot)
active-directory Data Operational Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-operational-considerations.md
Microsoft personnel can execute operations only from a secure access workstation
Physical access to servers that comprise the Microsoft Entra service, and access to Microsoft Entra back-end systems, is restricted by Azure facility, premises, and physical security. Microsoft Entra customers have no access to physical assets or locations, therefore they can't bypass the logical role-based access control (RBAC) policy checks. Personnel with operator access are authorized to run approved workflows for maintenance.
-Learn more: [Azure facilities, premises, and physical security](../../security/fundamentals/physical-security.md)
+Learn more: [Azure facilities, premises, and physical security](/azure/security/fundamentals/physical-security)
## Change control process
active-directory Data Residency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-residency.md
Learn more: [Microsoft Entra product overview](https://www.microsoft.com/cloud-p
|Microsoft Entra business-to-business (B2B) collaboration|Microsoft Entra B2B collaboration has no directory data. Users and other directory objects in a B2B relationship, with another tenant, result in user data copied in other tenants, which might have data residency implications.|In geo location| |Microsoft Entra ID Protection|Microsoft Entra ID Protection uses real-time user log-in data, with multiple signals from company and industry sources, to feed its machine-learning systems that detect anomalous logins. Personal data is scrubbed from real-time log-in data before it's passed to the machine learning system. The remaining log-in data identifies potentially risky usernames and logins. After analysis, the data goes to Microsoft reporting systems. Risky logins and usernames appear in reporting for Administrators.|In geo location| |Microsoft Entra managed identities for Azure resources|Microsoft Entra managed identities for Azure resources with managed identities systems can authenticate to Azure services, without storing credentials. Rather than use username and password, managed identities authenticate to Azure services with certificates. The service writes certificates it issues in Azure Cosmos DB in the East US region, which fail over to another region, as needed. Azure Cosmos DB geo-redundancy occurs by global data replication. Database replication puts a read-only copy in each region that Microsoft Entra managed identities runs. To learn more, see [Azure services that can use managed identities to access other services](../managed-identities-azure-resources/managed-identities-status.md). Microsoft isolates each Cosmos DB instance in a Microsoft Entra cloud solution model. </br> The resource provider, such as the virtual machine (VM) host, stores the certificate for authentication, and identity flows, with other Azure services. The service stores its master key to access Azure Cosmos DB in a datacenter secrets management service. Azure Key Vault stores the master encryption keys.|In geo location|
-|Azure Active Directory B2C |[Azure AD B2C](../../active-directory-b2c/data-residency.md) is an identity management service to customize and manage how customers sign up, sign in, and manage their profiles when using applications. B2C uses the Core Store to keep user identity information. The Core Store database follows known storage, replication, deletion, and data-residency rules. B2C uses an Azure Cosmos DB system to store service policies and secrets. Cosmos DB has encryption and replication services on database information. Its encryption key is stored in the secrets storage for Microsoft. Microsoft isolates Cosmos DB instances in a Microsoft Entra cloud solution model.|Customer-selectable geo location|
+|Azure Active Directory B2C |[Azure AD B2C](/azure/active-directory-b2c/data-residency) is an identity management service to customize and manage how customers sign up, sign in, and manage their profiles when using applications. B2C uses the Core Store to keep user identity information. The Core Store database follows known storage, replication, deletion, and data-residency rules. B2C uses an Azure Cosmos DB system to store service policies and secrets. Cosmos DB has encryption and replication services on database information. Its encryption key is stored in the secrets storage for Microsoft. Microsoft isolates Cosmos DB instances in a Microsoft Entra cloud solution model.|Customer-selectable geo location|
## Related resources
active-directory Data Storage Australia Newzealand https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-storage-australia-newzealand.md
Additionally, certain Microsoft Entra features don't yet support storage of Cust
## Azure role-based access control (Azure RBAC)
-Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region you created the resource. For more information, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md#where-is-azure-rbac-data-stored).
+Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region you created the resource. For more information, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview#where-is-azure-rbac-data-stored).
active-directory Data Storage Eu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-storage-eu.md
Some components of a service will continue to transfer a limited amount of custo
**EU Data Residency:**
-[Microsoft Entra ID](/azure/active-directory/fundamentals/whatis): When an IP Address or phone number is determined to be used in fraudulent activities, they are published globally to block access from any workloads using them.
+[Microsoft Entra ID](./whatis.md): When an IP Address or phone number is determined to be used in fraudulent activities, they are published globally to block access from any workloads using them.
**EU Data Boundary:**
See more information on Microsoft Entra permanent partial customer data transfer
Some services include capabilities that are optional (in some cases requiring a customer subscription), and where customer administrators can choose to enable or disable these capabilities for their service tenancies. If made available and used by a customer's users, these capabilities will result in data transfers out of Europe as described in the following sections in this article. -- [Mulitenant administration](/azure/active-directory/multi-tenant-organizations/overview): An organization may choose to create a multitenant organization within Microsoft Entra ID. For example, a customer can invite users to their tenant in a B2B context. A customer can create a multitenant SaaS application that allows other third-party tenants to provision the application in the third-party tenant. A customer can make two or more tenants affiliated with one another and act as a single tenant in certain scenarios, such as multitenant organization (MTO) formation, tenant to tenant sync, and shared e-mail domain sharing. Administrator configuration and use of multitenant collaboration may occur with tenants outside of the EU Data Residency and EU Data Boundary resulting in some customer data, such as user and device account data, usage data, and service configuration (application, policy, and group) being stored and processed in the location of the collaborating tenant. -- [Application Proxy](/azure/active-directory/app-proxy/application-proxy): Application proxy allows customers to access both cloud and on-premises applications through an external URL or an internal application portal. Customers may choose advanced routing configurations that would cause Customer Data to egress outside of the EU Data Residency and EU Data Boundary, including user account data, usage data, and application configuration data.
+- [Mulitenant administration](../multi-tenant-organizations/overview.md): An organization may choose to create a multitenant organization within Microsoft Entra ID. For example, a customer can invite users to their tenant in a B2B context. A customer can create a multitenant SaaS application that allows other third-party tenants to provision the application in the third-party tenant. A customer can make two or more tenants affiliated with one another and act as a single tenant in certain scenarios, such as multitenant organization (MTO) formation, tenant to tenant sync, and shared e-mail domain sharing. Administrator configuration and use of multitenant collaboration may occur with tenants outside of the EU Data Residency and EU Data Boundary resulting in some customer data, such as user and device account data, usage data, and service configuration (application, policy, and group) being stored and processed in the location of the collaborating tenant.
+- [Application Proxy](../app-proxy/application-proxy.md): Application proxy allows customers to access both cloud and on-premises applications through an external URL or an internal application portal. Customers may choose advanced routing configurations that would cause Customer Data to egress outside of the EU Data Residency and EU Data Boundary, including user account data, usage data, and application configuration data.
**EU Data Boundary:**
active-directory Data Storage Japan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-storage-japan.md
Additionally, certain Microsoft Entra features do not yet support storage of Cus
## Azure role-based access control (Azure RBAC)
-Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region you created the resource. For more information, see [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md#where-is-azure-rbac-data-stored).
+Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region you created the resource. For more information, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview#where-is-azure-rbac-data-stored).
active-directory How Subscriptions Associated Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-subscriptions-associated-directory.md
While users may only have a single authentication *home* directory, users may pa
:::image type="content" source="media/how-subscriptions-associated-directory/trust-relationship.png" alt-text="Screenshot that shows the trust relationship between Azure subscriptions and Azure active directories."::: > [!IMPORTANT]
-> When a subscription is associated with a different directory, users who have roles assigned using [Azure role-based access control](../../role-based-access-control/role-assignments-portal.md) lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access.
+> When a subscription is associated with a different directory, users who have roles assigned using [Azure role-based access control](/azure/role-based-access-control/role-assignments-portal) lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access.
>
-> Moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or moving the cluster-owning subscription to a new tenant, causes the cluster to lose functionality due to lost role assignments and service principal's rights. For more information about AKS, see [Azure Kubernetes Service (AKS)](../../aks/index.yml).
+> Moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or moving the cluster-owning subscription to a new tenant, causes the cluster to lose functionality due to lost role assignments and service principal's rights. For more information about AKS, see [Azure Kubernetes Service (AKS)](/azure/aks/).
## Before you begin
Before you can associate or add your subscription, do the following steps:
- If you have any managed identities for resources such as Virtual Machines or Logic Apps, you must re-enable or recreate them after the association. - If you have a registered Azure Stack, you'll have to re-register it after association.
- For more information, see [Transfer an Azure subscription to a different Microsoft Entra directory](../../role-based-access-control/transfer-subscription.md).
+ For more information, see [Transfer an Azure subscription to a different Microsoft Entra directory](/azure/role-based-access-control/transfer-subscription).
- Sign in using an account that:
- - Has an [Owner](../../role-based-access-control/built-in-roles.md#owner) role assignment for the subscription. For information about how to assign the Owner role, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+ - Has an [Owner](/azure/role-based-access-control/built-in-roles#owner) role assignment for the subscription. For information about how to assign the Owner role, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
- Exists in both the current directory and in the new directory. The current directory is associated with the subscription. You'll associate the new directory with the subscription. For more information about getting access to another directory, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../external-identities/add-users-administrator.md). - Make sure that you're not using an Azure Cloud Service Providers (CSP) subscription (MS-AZR-0145P, MS-AZR-0146P, MS-AZR-159P), a Microsoft Internal subscription (MS-AZR-0015P), or a Microsoft Azure for Students Starter subscription (MS-AZR-0144P).
Before you can associate or add your subscription, do the following steps:
To associate an existing subscription with your Microsoft Entra ID, follow these steps:
-1. Sign to the [Azure portal](https://portal.azure.com) with the [Owner](../../role-based-access-control/built-in-roles.md#owner) role assignment for the subscription.
+1. Sign to the [Azure portal](https://portal.azure.com) with the [Owner](/azure/role-based-access-control/built-in-roles#owner) role assignment for the subscription.
1. Browse to **Subscriptions**.
To associate an existing subscription with your Microsoft Entra ID, follow these
It can take several hours for everything to show up properly. If it seems to be taking too long, check the **Global subscription filter**. Make sure the moved subscription isn't hidden. You may need to sign out of the Azure portal and sign back in to see the new directory.
-Changing the subscription directory is a service-level operation, so it doesn't affect subscription billing ownership. To delete the original directory, you must transfer the subscription billing ownership to a new Account Admin. To learn more about transferring billing ownership, see [Transfer ownership of an Azure subscription to another account](../../cost-management-billing/manage/billing-subscription-transfer.md).
+Changing the subscription directory is a service-level operation, so it doesn't affect subscription billing ownership. To delete the original directory, you must transfer the subscription billing ownership to a new Account Admin. To learn more about transferring billing ownership, see [Transfer ownership of an Azure subscription to another account](/azure/cost-management-billing/manage/billing-subscription-transfer).
## Post-association steps After you associate a subscription with a different directory, you might need to do the following tasks to resume operations: -- If you have any key vaults, you must change the key vault tenant ID. For more information, see [Change a key vault tenant ID after a subscription move](../../key-vault/general/move-subscription.md).
+- If you have any key vaults, you must change the key vault tenant ID. For more information, see [Change a key vault tenant ID after a subscription move](/azure/key-vault/general/move-subscription).
- If you used system-assigned Managed Identities for resources, you must re-enable these identities. If you used user-assigned Managed Identities, you must re-create these identities. After re-enabling or recreating the Managed Identities, you must re-establish the permissions assigned to those identities. For more information, see [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md). - If you've registered an Azure Stack using this subscription, you must re-register. For more information, see [Register Azure Stack Hub with Azure](/azure-stack/operator/azure-stack-registration). -- For more information, see [Transfer an Azure subscription to a different Microsoft Entra directory](../../role-based-access-control/transfer-subscription.md).
+- For more information, see [Transfer an Azure subscription to a different Microsoft Entra directory](/azure/role-based-access-control/transfer-subscription).
## Next steps - To create a new Microsoft Entra tenant, see [Quickstart: Create a new tenant in Microsoft Entra ID](./create-new-tenant.md). -- To learn more about how Microsoft Azure controls resource access, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).
+- To learn more about how Microsoft Azure controls resource access, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles).
- To learn more about how to assign roles in Microsoft Entra ID, see [Assign administrator and non-administrator roles to users with Microsoft Entra ID](./how-subscriptions-associated-directory.md).
active-directory How To Create Delete Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-create-delete-users.md
When you invite an external guest user by sending an email invitation, you can c
## Add other users
-There might be scenarios in which you want to manually create consumer accounts in your Azure Active Directory B2C (Azure AD B2C) directory. For more information about creating consumer accounts, see [Create and delete consumer users in Azure AD B2C](../../active-directory-b2c/manage-users-portal.md).
+There might be scenarios in which you want to manually create consumer accounts in your Azure Active Directory B2C (Azure AD B2C) directory. For more information about creating consumer accounts, see [Create and delete consumer users in Azure AD B2C](/azure/active-directory-b2c/manage-users-portal).
If you have an environment with both Microsoft Entra ID (cloud) and Windows Server Active Directory (on-premises), you can add new users by syncing the existing user account data. For more information about hybrid environments and users, see [Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md).
active-directory How To Get Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-get-support.md
Microsoft Q&A is Azure's recommended source for community support. We recommend
| Component/area| Tags | |||
-| Microsoft Authentication Library (MSAL) | [[`msal`]](/answers/topics/azure-ad-msal.html) |
+| Microsoft Authentication Library (MSAL) | [[`msal`]](/answers/tags/455/entra-id) |
| Open Web Interface for .NET (OWIN) middleware | [[`azure-active-directory`]](/answers/topics/azure-active-directory.html) |
-| [Microsoft Entra B2B / External Identities](../external-identities/what-is-b2b.md) | [[`azure-ad-b2b`]](/answers/topics/azure-ad-b2b.html) |
-| [Azure AD B2C](https://azure.microsoft.com/services/active-directory-b2c/) | [[`azure-ad-b2c`]](/answers/topics/azure-ad-b2c.html) |
-| [Microsoft Graph API](https://developer.microsoft.com/graph/) | [[`azure-ad-graph`]](/answers/topics/azure-ad-graph.html) |
+| [Microsoft Entra B2B / External Identities](../external-identities/what-is-b2b.md) | [[`azure-ad-b2b`]](/answers/tags/438/entra-external-id) |
+| [Azure AD B2C](https://azure.microsoft.com/services/active-directory-b2c/) | [[`azure-ad-b2c`]](/answers/tags/438/entra-external-id) |
+| [Microsoft Graph API](https://developer.microsoft.com/graph/) | [[`azure-ad-graph`]](/answers/tags/455/entra-id) |
| All other authentication and authorization areas | [[`azure-active-directory`]](/answers/topics/azure-active-directory.html) | ## Open a support request
If you're still unable to resolve the issue, select **Next** to continue creatin
Next, we collect more details about the problem. Providing thorough and detailed information in this step helps us route your support request to the right engineer.
-1. Complete the **Problem details** section so that we have more information about your issue. If possible, tell us when the problem started and any steps to reproduce it. You can upload a file, such as a log file or output from diagnostics. For more information on file uploads, see [File upload guidelines](../../azure-portal/supportability/how-to-manage-azure-support-request.md#file-upload-guidelines).
+1. Complete the **Problem details** section so that we have more information about your issue. If possible, tell us when the problem started and any steps to reproduce it. You can upload a file, such as a log file or output from diagnostics. For more information on file uploads, see [File upload guidelines](/azure/azure-portal/supportability/how-to-manage-azure-support-request#file-upload-guidelines).
1. In the **Advanced diagnostic information** section, select **Yes** or **No**. - Selecting **Yes** allows Azure support to gather [advanced diagnostic information](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/) from your Azure resources.
- - If you prefer not to share this information, select **No**. For more information about the types of files we might collect, see [Advanced diagnostic information logs](../../azure-portal/supportability/how-to-create-azure-support-request.md#advanced-diagnostic-information-logs) section.
+ - If you prefer not to share this information, select **No**. For more information about the types of files we might collect, see [Advanced diagnostic information logs](/azure/azure-portal/supportability/how-to-create-azure-support-request#advanced-diagnostic-information-logs) section.
- In some scenarios, an administrator in your tenant may need to approve Microsoft Support access to your Microsoft Entra identity data. 1. In the **Support method** section, select your preferred contact method and support language.
A support engineer will contact you using the method you indicated. For informat
## Get Microsoft 365 admin center support
-Support for Microsoft Entra ID in the [Microsoft 365 admin center](https://admin.microsoft.com) is offered for administrators through the admin center. Review the [support for Microsoft 365 for business article](/microsoft-365/admin).
+Support for Microsoft Entra ID in the [Microsoft 365 admin center](https://admin.microsoft.com) is offered for administrators through the admin center. Review the [support for Microsoft 365 for business article](/microsoft-365/admin/).
## Stay informed Things can change quickly. The following resources provide updates and information on the latest releases.
active-directory How To Rename Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-rename-azure-ad.md
To help your customers with the transition, it's helpful to add a note: "Azure A
- [Stay up-to-date with what's new in Microsoft Entra ID (formerly Azure AD)](./whats-new.md) - [Get started using Microsoft Entra ID at the Microsoft Entra admin center](https://entra.microsoft.com/)-- [Learn more about Microsoft Entra ID with content from Microsoft Learn](/entra)
+- [Learn more about Microsoft Entra ID with content from Microsoft Learn](/entra/)
<!-- docutune:ignore "Azure Active Directory" "Azure AD" "AAD" -->
active-directory Identity Fundamental Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/identity-fundamental-concepts.md
Authentication is the process of challenging a person, software component, or ha
Multi-factor authentication (MFA) is a security measure that requires users to provide more than one piece of evidence to verify their identities, such as: - Something they know, for example a password.-- Something they have, like a badge or [security token](/azure/active-directory/develop/security-tokens).
+- Something they have, like a badge or [security token](../develop/security-tokens.md).
- Something they are, like a biometric (fingerprint or face). Single sign-on (SSO) allows users to authenticate their identity once and then later silently authenticate when accessing various resources that rely on the same identity. Once authenticated, the IAM system acts as the source of identity truth for the other resources available to the user. It removes the need for signing on to multiple, separate target systems.
Here's a quick overview of authentication and authorization:
| Information is transferred in an ID token. | Information is transferred in an access token. | | Often uses the OpenID Connect (OIDC) (which is built on the OAuth 2.0 protocol) or SAML protocols. | Often uses the OAuth 2.0 protocol. |
-For more detailed information, read [Authentication vs. authorization](/azure/active-directory/develop/authentication-vs-authorization).
+For more detailed information, read [Authentication vs. authorization](../develop/authentication-vs-authorization.md).
### Example
If you're staying at the hotel, you first go to reception to start the "authenti
The doors to the hotel rooms and other areas have keycard sensors. Swiping the keycard in front of a sensor is the "authorization process". The keycard only lets you open the doors to rooms you're permitted to access, such as your hotel room and the hotel exercise room. If you swipe your keycard to enter any other hotel guest room, your access is denied.
-Individual [permissions](/azure/active-directory/fundamentals/users-default-permissions?context=/azure/active-directory/roles/context/ugr-context), such as accessing the exercise room and a specific guest room, are collected into [roles](/azure/active-directory/roles/concept-understand-roles) which can be granted to individual users. When you're staying at the hotel, you're granted the Hotel Patron role. Hotel room service staff would be granted the Hotel Room Service role. This role permits access to all hotel guest rooms (but only between 11am and 4pm), the laundry room, and the supply closets on each floor.
+Individual [permissions](./users-default-permissions.md?context=/active-directory/roles/context/ugr-context), such as accessing the exercise room and a specific guest room, are collected into [roles](../roles/concept-understand-roles.md) which can be granted to individual users. When you're staying at the hotel, you're granted the Hotel Patron role. Hotel room service staff would be granted the Hotel Room Service role. This role permits access to all hotel guest rooms (but only between 11am and 4pm), the laundry room, and the supply closets on each floor.
:::image type="content" source="./media/identity-fundamentals/hotel-authorization.png" alt-text="Diagram that shows a user getting access to a room with a keycard." :::
With modern authentication, all services, including all authentication services,
With a central identity provider, organizations can establish authentication and authorization policies, monitor user behavior, identify suspicious activities, and reduce malicious attacks.
-[Microsoft Entra ID](/azure/active-directory/) is an example of a cloud-based identity provider. Other examples include Twitter, Google, Amazon, LinkedIn, and GitHub.
+[Microsoft Entra ID](../index.yml) is an example of a cloud-based identity provider. Other examples include Twitter, Google, Amazon, LinkedIn, and GitHub.
## Next steps - Read [Introduction to identity and access management](introduction-identity-access-management.md) to learn more.-- Learn about [Single sign-on (SSO)](/azure/active-directory/manage-apps/what-is-single-sign-on).-- Learn about [Multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks).
+- Learn about [Single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md).
+- Learn about [Multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md).
active-directory Introduction Identity Access Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/introduction-identity-access-management.md
Let's say you have an application that signs in a user and then accesses a prote
1. The identity provider/authorization server validates the access token. If successful the request for protected resources is granted, and a response is sent back to the client application.
-For more information, read [Authentication and authorization](/azure/active-directory/develop/authentication-vs-authorization#authentication-and-authorization-using-the-microsoft-identity-platform).
+For more information, read [Authentication and authorization](../develop/authentication-vs-authorization.md#authentication-and-authorization-using-the-microsoft-identity-platform).
### Authentication and authorization standards
With the release of the OpenID Connect (which uses public-key encryption), OpenI
#### JSON web tokens (JWTs)
-JWTs are an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs can be verified and trusted because theyΓÇÖre digitally signed. They can be used to pass the identity of authenticated users between the identity provider and the service requesting the authentication. They also can be authenticated and encrypted. To learn more, read [JSON Web Tokens](/azure/active-directory/develop/active-directory-v2-protocols#tokens).
+JWTs are an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs can be verified and trusted because theyΓÇÖre digitally signed. They can be used to pass the identity of authenticated users between the identity provider and the service requesting the authentication. They also can be authenticated and encrypted. To learn more, read [JSON Web Tokens](../develop/v2-protocols.md#tokens).
#### Security Assertion Markup Language (SAML)
-SAML is an open standard utilized for exchanging authentication and authorization information between, in this case, an IAM solution and another application. This method uses XML to transmit data and is typically the method used by identity and access management platforms to grant users the ability to sign in to applications that have been integrated with IAM solutions. To learn more, read [SAML protocol](/azure/active-directory/develop/active-directory-saml-protocol-reference).
+SAML is an open standard utilized for exchanging authentication and authorization information between, in this case, an IAM solution and another application. This method uses XML to transmit data and is typically the method used by identity and access management platforms to grant users the ability to sign in to applications that have been integrated with IAM solutions. To learn more, read [SAML protocol](../develop/saml-protocol-reference.md).
#### System for Cross-Domain Identity Management (SCIM)
-Created to simplify the process of managing user identities, SCIM provisioning allows organizations to efficiently operate in the cloud and easily add or remove users, benefitting budgets, reducing risk, and streamlining workflows. SCIM also facilitates communication between cloud-based applications. To learn more, read [Develop and plan provisioning for a SCIM endpoint](/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups?toc=/azure/active-directory/develop/toc.json&bc=/azure/active-directory/develop/breadcrumb/toc.json).
+Created to simplify the process of managing user identities, SCIM provisioning allows organizations to efficiently operate in the cloud and easily add or remove users, benefitting budgets, reducing risk, and streamlining workflows. SCIM also facilitates communication between cloud-based applications. To learn more, read [Develop and plan provisioning for a SCIM endpoint](../app-provisioning/use-scim-to-provision-users-and-groups.md?toc=/active-directory/develop/toc.json&bc=/active-directory/develop/breadcrumb/toc.json).
#### Web Services Federation (WS-Fed)
WS-Fed was developed by Microsoft and used extensively in their applications, th
To learn more, see: -- [Single sign-on (SSO)](/azure/active-directory/manage-apps/what-is-single-sign-on)-- [Multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks)-- [Authentication vs authorization](/azure/active-directory/develop/authentication-vs-authorization)-- [OAuth 2.0 and OpenID Connect](/azure/active-directory/develop/active-directory-v2-protocols)-- [App types and authentication flows](/azure/active-directory/develop/authentication-flows-app-scenarios)-- [Security tokens](/azure/active-directory/develop/security-tokens)
+- [Single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md)
+- [Multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md)
+- [Authentication vs authorization](../develop/authentication-vs-authorization.md)
+- [OAuth 2.0 and OpenID Connect](../develop/v2-protocols.md)
+- [App types and authentication flows](../develop/authentication-flows-app-scenarios.md)
+- [Security tokens](../develop/security-tokens.md)
active-directory Licensing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/licensing.md
+
+ Title: 'Microsoft Entra ID licensing'
+description: This article documents licensing requirements for Microsoft Entra ID features.
+
+documentationcenter: ''
++
+editor: ''
++
+ na
+ Last updated : 09/21/2023++++
+# Microsoft Entra ID licensing
+
+This article discusses Microsoft Entra services' licensing. It is intended for IT decision makers, IT administrators, and IT professionals who are considering Microsoft Entra services for their organizations. This article isn't intended for end users.
+
+>[!IMPORTANT]
+> For licensing information on services not listed here, refer to the service's documentation or the [Azure Active Directory pricing page.](https://azure.microsoft.com/pricing/details/active-directory/)
++
+## App provisioning
++
+## Authentication
++
+## Microsoft Entra Connect
++
+## Microsoft Entra Connect health
++
+## Microsoft Entra Conditional Access
++
+## Microsoft Entra ID Governance
++
+## Microsoft Entra ID Protection
++
+## Managed identities
++
+## Multi-tenant organizations
++
+## Microsoft Entra Privileged Identity management
++
+## Role based access control
++
+### Roles
++
+## Microsoft Entra reporting and monitoring
++
+## Microsoft Entra Verified ID
++
+## Features in preview
++
+## Next steps
+
+- [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/)
+- [Azure AD B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/)
+- [Microsoft Entra Plans & Pricing](https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing?rtc=1)
+
active-directory New Name https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/new-name.md
The following table lists terminology that is not impacted by the Azure AD renam
|-|-| | Active Directory <br/><br/>&#8226; Windows Server Active Directory <br/>&#8226; Active Directory Federation Services (AD FS) <br/>&#8226; Active Directory Domain Services (AD DS) <br/>&#8226; Active Directory <br/>&#8226; Any Active Directory feature(s) | Windows Server Active Directory, commonly known as Active Directory, and related features and services associated with Active Directory aren't branded with Microsoft Entra. | | Authentication library <br/><br/>&#8226; Azure AD Authentication Library (ADAL) <br/>&#8226; Microsoft Authentication Library (MSAL) | Azure Active Directory Authentication Library (ADAL) is deprecated. While existing apps that use ADAL continue to work, Microsoft will no longer release security fixes on ADAL. Migrate applications to the Microsoft Authentication Library (MSAL) to avoid putting your app's security at risk. <br/><br/>[Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) - Provides security tokens from the Microsoft identity platform to authenticate users and access secured web APIs to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. |
-| B2C <br/><br/>&#8226; Azure Active Directory B2C <br/>&#8226; Azure AD B2C | [Azure Active Directory B2C](/azure/active-directory-b2c) isn't being renamed. We're continuing to invest in security, availability, and reliability in Azure AD B2C and our next-generation solution for external identities, [Microsoft Entra External ID](/azure/active-directory/external-identities). |
+| B2C <br/><br/>&#8226; Azure Active Directory B2C <br/>&#8226; Azure AD B2C | [Azure Active Directory B2C](/azure/active-directory-b2c) isn't being renamed. We're continuing to invest in security, availability, and reliability in Azure AD B2C and our next-generation solution for external identities, [Microsoft Entra External ID](../external-identities/index.yml). |
| Graph <br/><br/>&#8226; Azure Active Directory Graph <br/>&#8226; Azure AD Graph <br/>&#8226; Microsoft Graph | Azure Active Directory (Azure AD) Graph is deprecated. Going forward, further investment in Azure AD Graph won't be made, and Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.<br/><br/>[Microsoft Graph](/graph) - Grants programmatic access to organization, user, and application data stored in Microsoft Entra ID. | | PowerShell <br/><br/>&#8226; Azure Active Directory PowerShell <br/>&#8226; Azure AD PowerShell <br/>&#8226; Microsoft Graph PowerShell | Azure AD PowerShell for Graph is planned for deprecation on March 30, 2024. For more info on the deprecation plans, see the deprecation update. We encourage you to migrate to Microsoft Graph PowerShell, which is the recommended module for interacting with Azure AD. <br/><br/>[Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) - Acts as an API wrapper for the Microsoft Graph APIs and helps administer every Microsoft Entra ID feature that has an API in Microsoft Graph. | | Accounts <br/><br/>&#8226; Microsoft account <br/>&#8226; Work or school account | For end user sign-ins and account experiences, follow guidance for work and school accounts in [Sign in with Microsoft branding guidelines](../develop/howto-add-branding-in-apps.md). | | Microsoft identity platform | The Microsoft identity platform encompasses all our identity and access developer assets. It continues to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts. |
-| <br/>&#8226; Azure AD Sync <br/>&#8226; DirSync | DirSync and Azure AD Sync aren't supported and no longer work. If you're still using DirSync or Azure AD Sync, you must upgrade to Microsoft Entra Connect to resume your sync process. For more info, see [Microsoft Entra Connect](/azure/active-directory/hybrid/connect/how-to-dirsync-upgrade-get-started). |
+| <br/>&#8226; Azure AD Sync <br/>&#8226; DirSync | DirSync and Azure AD Sync aren't supported and no longer work. If you're still using DirSync or Azure AD Sync, you must upgrade to Microsoft Entra Connect to resume your sync process. For more info, see [Microsoft Entra Connect](../hybrid/connect/how-to-dirsync-upgrade-get-started.md). |
## Frequently asked questions
Microsoft identity platform encompasses all our identity and access developer as
Naming is also not changing for: -- [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview) ΓÇô Acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API.-- [Microsoft Graph](/graph) ΓÇô Get programmatic access to organizational, user, and application data stored in Microsoft Entra ID.
+- [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) ΓÇô Acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API.
+- [Microsoft Graph](/graph/) ΓÇô Get programmatic access to organizational, user, and application data stored in Microsoft Entra ID.
- [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) ΓÇô Acts as an API wrapper for the Microsoft Graph APIs; helps administer every Microsoft Entra ID feature that has an API in Microsoft Graph. - [Windows Server Active Directory](/troubleshoot/windows-server/identity/active-directory-overview), commonly known as ΓÇ£Active DirectoryΓÇ¥, and all related Windows Server identity services, associated with Active Directory.-- [Active Directory Federation Services (AD FS)](/windows-server/identity/active-directory-federation-services) nor [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/active-directory-domain-services) nor the product name ΓÇ£Active DirectoryΓÇ¥ or any corresponding features.
+- [Active Directory Federation Services (AD FS)](/windows-server/identity/ad-fs/ad-fs-overview) nor [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) nor the product name ΓÇ£Active DirectoryΓÇ¥ or any corresponding features.
- [Azure Active Directory B2C](/azure/active-directory-b2c) continues to be available as an Azure service. The name Azure AD B2C is not changing nor is our commitment to the service and our customers. The service level agreement for Azure AD B2C remains unchanged and we'll continue investments to ensure security, availability, and reliability in both Azure AD B2C as well as our next generation solution for external identities, Microsoft Entra External ID, which is now in public preview. - Any deprecated or retired functionality, feature, or service of Azure Active Directory.
active-directory Scenario Azure First Sap Identity Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/scenario-azure-first-sap-identity-integration.md
Based on these assumptions, we focus mostly on the products and services present
![SAP services in scope](./media/scenario-azure-first-sap-identity-integration/sap-services-in-scope.png) > [!NOTE]
-> Most of the guidance here applies to [Azure Active Directory B2C](../../active-directory-b2c/overview.md) as well, but there are some important differences. See [Using Azure AD B2C as the Identity Provider](#using-azure-ad-b2c-as-the-identity-provider) for more information.
+> Most of the guidance here applies to [Azure Active Directory B2C](/azure/active-directory-b2c/overview) as well, but there are some important differences. See [Using Azure AD B2C as the Identity Provider](#using-azure-ad-b2c-as-the-identity-provider) for more information.
> [!WARNING] > Be aware of the SAP SAML assertion limits and impact of the length of SAP Cloud Foundry role collection names and amount of collections proxied by groups in SAP Cloud Identity Service. See SAP note [2732890](https://launchpad.support.sap.com/?sap-support-cross-site-visitor-id=b73c7292f9a46d52#/notes/2732890) for more information. Exceeded limits result in authorization issues.
Consider building automation to execute the entire certificate rollover process.
## Using Azure AD B2C as the Identity Provider
-[Azure Active Directory B2C](../../active-directory-b2c/overview.md) provides business-to-customer identity as a service. Given that the integration with Azure AD B2C is similar to how you would allow enterprise users to sign in with Microsoft Entra ID, the recommendations above still mostly apply when you want to use Azure AD B2C for your customers, consumers or citizens and allow them to use their preferred social, enterprise, or local account identities.
+[Azure Active Directory B2C](/azure/active-directory-b2c/overview) provides business-to-customer identity as a service. Given that the integration with Azure AD B2C is similar to how you would allow enterprise users to sign in with Microsoft Entra ID, the recommendations above still mostly apply when you want to use Azure AD B2C for your customers, consumers or citizens and allow them to use their preferred social, enterprise, or local account identities.
There are a few important differences, however. Setting up Azure AD B2C as a corporate identity provider in IAS and configuring federation between both tenants is described in more detail in [this blog post](https://blogs.sap.com/2023/02/08/identity-federation-between-azure-ad-b2c-and-sap-cloud-identity-services-using-custom-policies/). ### Registering a SAML application in Azure AD B2C
-Azure AD B2C doesn't have a gallery of enterprise applications that you can use to easily configure the trust relationship towards the Corporate Identity Provider in IAS. Instead, you will have to use [custom policies](../../active-directory-b2c/custom-policy-overview.md) to [register a SAML application](../../active-directory-b2c/saml-service-provider.md) in Azure AD B2C. This SAML application plays the same logical role as the enterprise application in Microsoft Entra ID, however, so the same guidance around rollover of SAML certificates applies, for example.
+Azure AD B2C doesn't have a gallery of enterprise applications that you can use to easily configure the trust relationship towards the Corporate Identity Provider in IAS. Instead, you will have to use [custom policies](/azure/active-directory-b2c/custom-policy-overview) to [register a SAML application](/azure/active-directory-b2c/saml-service-provider) in Azure AD B2C. This SAML application plays the same logical role as the enterprise application in Microsoft Entra ID, however, so the same guidance around rollover of SAML certificates applies, for example.
### Authorization with Azure AD B2C Azure AD B2C doesn't natively support the use of groups to create collections of users that you can assign access to, which means that the guidance to [use Microsoft Entra groups for authorization through Role Collections in BTP](#3use-azure-ad-groups-for-authorization-through-role-collections-in-iasbtp) has to be implemented differently.
-Fortunately, Azure AD B2C is highly customizable, so you can configure the SAML tokens it sends to IAS to include any custom information. For various options on supporting authorization claims, see the documentation accompanying the [Azure AD B2C App Roles sample](https://github.com/azure-ad-b2c/api-connector-samples/tree/main/Authorization-AppRoles), but in summary: through its [API Connector](../../active-directory-b2c/api-connectors-overview.md) extensibility mechanism you can optionally still use groups, app roles, or even a custom database to determine what the user is allowed to access.
+Fortunately, Azure AD B2C is highly customizable, so you can configure the SAML tokens it sends to IAS to include any custom information. For various options on supporting authorization claims, see the documentation accompanying the [Azure AD B2C App Roles sample](https://github.com/azure-ad-b2c/api-connector-samples/tree/main/Authorization-AppRoles), but in summary: through its [API Connector](/azure/active-directory-b2c/api-connectors-overview) extensibility mechanism you can optionally still use groups, app roles, or even a custom database to determine what the user is allowed to access.
-Regardless of where the authorization information comes from, it can then be emitted as the `Groups` attribute inside the SAML token by configuring that attribute name as the [default partner claim type on the claims schema](../../active-directory-b2c/claimsschema.md#defaultpartnerclaimtypes) or by overriding the [partner claim type on the output claims](../../active-directory-b2c/relyingparty.md#outputclaims). Note however that BTP allows you to [map Role Collections to User Attributes](https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/b3fbb1a9232d4cf99967a0b29dd85d4c.html), which means that *any* attribute name can be used for authorization decisions, even if you don't use the `Groups` attribute name.
+Regardless of where the authorization information comes from, it can then be emitted as the `Groups` attribute inside the SAML token by configuring that attribute name as the [default partner claim type on the claims schema](/azure/active-directory-b2c/claimsschema#defaultpartnerclaimtypes) or by overriding the [partner claim type on the output claims](/azure/active-directory-b2c/relyingparty#outputclaims). Note however that BTP allows you to [map Role Collections to User Attributes](https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/b3fbb1a9232d4cf99967a0b29dd85d4c.html), which means that *any* attribute name can be used for authorization decisions, even if you don't use the `Groups` attribute name.
## Next Steps - Learn more about the initial setup in [this tutorial](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md)-- Discover additional [SAP integration scenarios with Microsoft Entra ID](../../sap/workloads/integration-get-started.md#microsoft-entra-id-formerly-azure-ad) and beyond
+- Discover additional [SAP integration scenarios with Microsoft Entra ID](/azure/sap/workloads/integration-get-started#microsoft-entra-id-formerly-azure-ad) and beyond
active-directory Users Assign Role Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-assign-role-azure-portal.md
# Assign user roles with Microsoft Entra ID
-The ability to manage resources is granted by assigning roles that provide the required permissions. Roles can be assigned to individual users or groups. To align with the [Zero Trust guiding principles](../../security/fundamentals/zero-trust.md), use Just-In-Time and Just-Enough-Access policies when assigning roles.
+The ability to manage resources is granted by assigning roles that provide the required permissions. Roles can be assigned to individual users or groups. To align with the [Zero Trust guiding principles](/azure/security/fundamentals/zero-trust), use Just-In-Time and Just-Enough-Access policies when assigning roles.
Before assigning roles to users, review the following Microsoft Learn articles: - [Learn about Microsoft Entra roles](../roles/concept-understand-roles.md)-- [Learn about role based access control](../../role-based-access-control/rbac-and-directory-admin-roles.md)
+- [Learn about role based access control](/azure/role-based-access-control/rbac-and-directory-admin-roles)
- [Explore the Azure built-in roles](../roles/permissions-reference.md) ## Assign roles
active-directory Users Default Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-default-permissions.md
Users can perform the following actions on owned groups.
* To learn more about the **Guest user access restrictions** setting, see [Restrict guest access permissions in Microsoft Entra ID](../enterprise-users/users-restrict-guest-permissions.md). * To learn more about how to assign Microsoft Entra administrator roles, see [Assign a user to administrator roles in Microsoft Entra ID](./how-subscriptions-associated-directory.md).
-* To learn more about how resource access is controlled in Microsoft Azure, see [Understanding resource access in Azure](../../role-based-access-control/rbac-and-directory-admin-roles.md).
+* To learn more about how resource access is controlled in Microsoft Azure, see [Understanding resource access in Azure](/azure/role-based-access-control/rbac-and-directory-admin-roles).
* For more information on how Microsoft Entra ID relates to your Azure subscription, see [How Azure subscriptions are associated with Microsoft Entra ID](./how-subscriptions-associated-directory.md). * [Manage users](./add-users.md).
active-directory What Is Deprecated https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/what-is-deprecated.md
Use the following table to learn about changes including deprecations, retiremen
|[My Groups experience](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|May 2023| |[My Apps browser extension](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|May 2023| |Microsoft Authenticator app [Number matching](../authentication/how-to-mfa-number-match.md)|Feature change|May 8, 2023|
-|[Microsoft Entra Domain Services virtual network deployments](../../active-directory-domain-services/overview.md)|Retirement|Mar 1, 2023|
+|[Microsoft Entra Domain Services virtual network deployments](/entra/identity/domain-services/overview)|Retirement|Mar 1, 2023|
|[License management API, PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366)|Retirement|*Mar 31, 2023| \* The legacy license management API and PowerShell cmdlets won't work for **new tenants** created after Nov 1, 2022.
active-directory Whatis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whatis.md
To enhance your Microsoft Entra implementation, you can also add paid features b
- **Microsoft Entra ID P2.** In addition to the Free and P1 features, P2 also offers [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md) to help provide risk-based Conditional Access to your apps and critical company data and [Privileged Identity Management](../privileged-identity-management/pim-getting-started.md) to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed. -- **"Pay as you go" feature licenses.** You can also get licenses for features such as, Microsoft Entra Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see [Azure Active Directory B2C documentation](../../active-directory-b2c/index.yml).
+- **"Pay as you go" feature licenses.** You can also get licenses for features such as, Microsoft Entra Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see [Azure Active Directory B2C documentation](/azure/active-directory-b2c/).
For more information about associating an Azure subscription to Microsoft Entra ID, see [Associate or add an Azure subscription to Microsoft Entra ID](./how-subscriptions-associated-directory.md). For more information about assigning licenses to your users, see [How to: Assign or remove Microsoft Entra ID licenses](license-users-groups.md).
After you choose your Microsoft Entra ID license, you'll get access to some or a
|Authentication|Manage Microsoft Entra self-service password reset, Multi-Factor Authentication, custom banned password list, and smart lockout. For more information, see [Microsoft Entra authentication documentation](../authentication/index.yml).| |Microsoft Entra ID for developers|Build apps that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. For more information, see [Microsoft identity platform (Microsoft Entra ID for developers)](../develop/index.yml).| |Business-to-Business (B2B)|Manage your guest users and external partners, while maintaining control over your own corporate data. For more information, see [Microsoft Entra B2B documentation](../external-identities/index.yml).|
-|Business-to-Customer (B2C)|Customize and control how users sign up, sign in, and manage their profiles when using your apps. For more information, see [Azure Active Directory B2C documentation](../../active-directory-b2c/index.yml).|
+|Business-to-Customer (B2C)|Customize and control how users sign up, sign in, and manage their profiles when using your apps. For more information, see [Azure Active Directory B2C documentation](/azure/active-directory-b2c/).|
|Conditional Access|Manage access to your cloud apps. For more information, see [Microsoft Entra Conditional Access documentation](../conditional-access/index.yml).| |Device Management|Manage how your cloud or on-premises devices access your corporate data. For more information, see [Microsoft Entra Device Management documentation](../devices/index.yml).| |Domain services|Join Azure virtual machines to a domain without using domain controllers. For more information, see [Microsoft Entra Domain Services documentation](../../active-directory-domain-services/index.yml).|
To better understand Microsoft Entra ID and its documentation, we recommend revi
|Identity| A thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.| |Account| An identity that has data associated with it. You canΓÇÖt have an account without an identity.| |Microsoft Entra account| An identity created through Microsoft Entra ID or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Microsoft Entra ID and accessible to your organization's cloud service subscriptions. This account is also sometimes called a Work or school account.|
-|Account Administrator|This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|
-|Service Administrator|This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|
-|Owner|This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|
+|Account Administrator|This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles).|
+|Service Administrator|This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles).|
+|Owner|This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](/azure/role-based-access-control/rbac-and-directory-admin-roles).|
|Microsoft Entra Global Administrator|This administrator role is automatically assigned to whomever created the Microsoft Entra tenant. You can have multiple Global Administrators, but only Global Administrators can assign administrator roles (including assigning other Global Administrators) to users. For more information about the various administrator roles, see [Administrator role permissions in Microsoft Entra ID](../roles/permissions-reference.md).| |Azure subscription| Used to pay for Azure cloud services. You can have many subscriptions and they're linked to a credit card.| |Azure tenant| A dedicated and trusted instance of Microsoft Entra ID. The tenant is automatically created when your organization signs up for a Microsoft cloud service subscription. These subscriptions include Microsoft Azure, Microsoft Intune, or Microsoft 365. An Azure tenant represents a single organization.|
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md
Workload Identity Federation enables developers to use managed identities for th
For more information, see: - [Workload identity federation](../workload-identities/workload-identity-federation.md). - [Configure a user-assigned managed identity to trust an external identity provider (preview)](../workload-identities/workload-identity-federation-create-trust-user-assigned-managed-identity.md)-- [Use Azure AD workload identity with Azure Kubernetes Service (AKS)](../../aks/workload-identity-overview.md)
+- [Use Azure AD workload identity with Azure Kubernetes Service (AKS)](/azure/aks/workload-identity-overview)
We recognize that changing libraries isn't an easy task, and can't be accomplish
### How to find out which applications in my tenant are using Microsoft Authentication Library?
-Refer to our post on [Microsoft Q&A](/answers/questions/360928/information-how-to-find-apps-using-adal-in-your-te.html) for details on identifying Microsoft Authentication Library apps with the help of [Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md).
+Refer to our post on [Microsoft Q&A](/answers/questions/360928/information-how-to-find-apps-using-adal-in-your-te) for details on identifying Microsoft Authentication Library apps with the help of [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-overview).
### If IΓÇÖm using Microsoft Authentication Library, what can I expect after the deadline? - There will be no new releases (security or otherwise) to the library after June 2023.
Developers can now use managed identities for their software workloads running a
For more information, see: - [Configure a user-assigned managed identity to trust an external identity provider (preview)](../workload-identities/workload-identity-federation-create-trust-user-assigned-managed-identity.md) - [Workload identity federation](../workload-identities/workload-identity-federation.md)-- [Use an Azure AD workload identity (preview) on Azure Kubernetes Service (AKS)](../../aks/workload-identity-overview.md)
+- [Use an Azure AD workload identity (preview) on Azure Kubernetes Service (AKS)](/azure/aks/workload-identity-overview)
For more information, see:[Customize app SAML token claims - Microsoft Entra](..
You can now create trusts on both user and resource forests. On-premises AD DS users can't authenticate to resources in the Azure AD DS resource forest until you create an outbound trust to your on-premises AD DS. An outbound trust requires network connectivity to your on-premises virtual network on which you have installed Azure AD Domain Service. On a user forest, trusts can be created for on-premises AD forests that aren't synchronized to Azure AD DS.
-To learn more about trusts and how to deploy your own, visit [How trust relationships work for forests in Active Directory](../../active-directory-domain-services/concepts-forest-trust.md).
+To learn more about trusts and how to deploy your own, visit [How trust relationships work for forests in Active Directory](/entra/identity/domain-services/concepts-forest-trust).
For more information about how to better secure your organization by using autom
**Product capability:** Platform
-Azure Service Health supports service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure portal Overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information is available at: [What are Service Health notifications in Azure Active Directory?](../reports-monitoring/overview-service-health-notifications.md).
+Azure Service Health supports service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure portal Overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information is available at: [What are Service Health notifications in Azure Active Directory?](/azure/service-health/service-health-portal-update).
End users are encouraged to enable the optional telemetry setting in the Authent
Previously to set up and administer your AAD-DS instance you needed top level permissions of Azure Contributor and Azure AD Global Administrator. Now for both initial creation, and ongoing administration, you can utilize more fine grain permissions for enhanced security and control. The prerequisites now minimally require: - You need [Application Administrator](../roles/permissions-reference.md#application-administrator) and [Groups Administrator](../roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS.-- You need [Domain Services Contributor](../../role-based-access-control/built-in-roles.md#domain-services-contributor) Azure role to create the required Azure AD DS resources.
+- You need [Domain Services Contributor](/azure/role-based-access-control/built-in-roles#domain-services-contributor) Azure role to create the required Azure AD DS resources.
Check out these resources to learn more: -- [Tutorial - Create an Azure Active Directory Domain Services managed domain](../../active-directory-domain-services/tutorial-create-instance.md#prerequisites)
+- [Tutorial - Create an Azure Active Directory Domain Services managed domain](/entra/identity/domain-services/tutorial-create-instance#prerequisites)
- [Least privileged roles by task](../roles/delegate-by-task.md#domain-services)-- [Azure built-in roles - Azure RBAC](../../role-based-access-control/built-in-roles.md#domain-services-contributor)
+- [Azure built-in roles - Azure RBAC](/azure/role-based-access-control/built-in-roles#domain-services-contributor)
active-directory Whats New Sovereign Clouds Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds-archive.md
Admins can now enforce Conditional Access policies based off of GPS location fro
-We've improved the My Sign-ins experience to now support organization switching. Now users who are guests in other tenants can easily switch and sign-in to manage their security info and view activity. More improvements were made to make it easier to switch from My Sign-ins directly to other end user portals such as My Account, My Apps, My Groups, and My Access. For more information, see: [Sign-in logs in Azure Active Directory - preview](../reports-monitoring/concept-all-sign-ins.md)
+We've improved the My Sign-ins experience to now support organization switching. Now users who are guests in other tenants can easily switch and sign-in to manage their security info and view activity. More improvements were made to make it easier to switch from My Sign-ins directly to other end user portals such as My Account, My Apps, My Groups, and My Access. For more information, see: [Sign-in logs in Azure Active Directory - preview](../reports-monitoring/concept-sign-ins.md)
active-directory Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/apps.md
Microsoft Entra ID Governance can be integrated with many other applications, us
| Microsoft 365 | ΓùÅ | ΓùÅ | | Microsoft Active Directory Domain Services | | ΓùÅ | | Microsoft Azure | ΓùÅ | ΓùÅ |
-| [Microsoft Entra Domain Services](../../active-directory-domain-services/synchronization.md) | ΓùÅ | ΓùÅ |
+| [Microsoft Entra Domain Services](/entra/identity/domain-services/synchronization) | ΓùÅ | ΓùÅ |
| Microsoft Azure SQL ([SQL connector](../../active-directory/app-provisioning/tutorial-ecma-sql-connector.md) ) | ΓùÅ | | | Microsoft Lightweight Directory Server (ADAM) ([LDAP connector](../../active-directory/app-provisioning/on-premises-ldap-connector-configure.md) ) | ΓùÅ | | | Microsoft SharePoint Server (SharePoint) | ΓùÅ | |
active-directory Deploy Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/deploy-access-reviews.md
Access reviews can be for the members of a group or for users who were assigned
## Plan review of Microsoft Entra ID and Azure resource roles
-[Privileged Identity Management](../privileged-identity-management/pim-configure.md) simplifies how enterprises manage privileged access to resources in Microsoft Entra ID. Using PIM keeps the list of privileged roles in [Microsoft Entra ID](../roles/permissions-reference.md) and [Azure resources](../../role-based-access-control/built-in-roles.md) smaller. It also increases the overall security of the directory.
+[Privileged Identity Management](../privileged-identity-management/pim-configure.md) simplifies how enterprises manage privileged access to resources in Microsoft Entra ID. Using PIM keeps the list of privileged roles in [Microsoft Entra ID](../roles/permissions-reference.md) and [Azure resources](/azure/role-based-access-control/built-in-roles) smaller. It also increases the overall security of the directory.
Access reviews allow reviewers to attest whether users still need to be in a role. Just like access reviews for access packages, reviews for Microsoft Entra roles and Azure resources are integrated into the PIM admin user experience.
active-directory Entitlement Management Logic Apps Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-logic-apps-integration.md
# Trigger Logic Apps with custom extensions in entitlement management
-[Azure Logic Apps](../../logic-apps/logic-apps-overview.md) can be used to automate custom workflows and connect apps and services in one place. Users can integrate Logic Apps with entitlement management to broaden their governance workflows beyond the core entitlement management use cases.
+[Azure Logic Apps](/azure/logic-apps/logic-apps-overview) can be used to automate custom workflows and connect apps and services in one place. Users can integrate Logic Apps with entitlement management to broaden their governance workflows beyond the core entitlement management use cases.
These Logic Apps can then be triggered to run in accordance with entitlement management use cases such as when an access package is granted or requested. For example, an admin could create and link a custom Logic App to entitlement management, so that when a user requests an access package, a Logic App is triggered that ensures the user is also assigned certain characteristics in a third party SAAS app (like Salesforce) or is sent a custom email.
For newly created Logic Apps linked to custom extensions, these Logic Apps begin
1. Select the Logic App under the Logic app column for the associated custom extension row. This allows you to edit or create the workflow in Logic App designer.
-For more information on creating logic app workflows, see [Quickstart: Create an example Consumption workflow in multi-tenant Azure Logic Apps](../../logic-apps/quickstart-create-example-consumption-workflow.md).
+For more information on creating logic app workflows, see [Quickstart: Create an example Consumption workflow in multi-tenant Azure Logic Apps](/azure/logic-apps/quickstart-create-example-consumption-workflow).
## Configuring custom extensions that pause entitlement management processes
active-directory Entitlement Management Logs And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-logs-and-reporting.md
Archiving Microsoft Entra audit logs requires you to have Azure Monitor in an Az
## View events for an access package
-To view events for an access package, you must have access to the underlying Azure monitor workspace (see [Manage access to log data and workspaces in Azure Monitor](../../azure-monitor/logs/manage-access.md#azure-rbac) for information) and in one of the following roles:
+To view events for an access package, you must have access to the underlying Azure monitor workspace (see [Manage access to log data and workspaces in Azure Monitor](/azure/azure-monitor/logs/manage-access#azure-rbac) for information) and in one of the following roles:
- Global administrator - Security administrator
order by ActivityDateTime desc
``` ## Next steps-- [Create interactive reports with Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md)
+- [Create interactive reports with Azure Monitor workbooks](/azure/azure-monitor/visualize/workbooks-overview)
active-directory Entitlement Management Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-overview.md
Entitlement management introduces the concept of an *access package*. An access
You can also control access to other resources that rely upon Microsoft Entra security groups or Microsoft 365 Groups. For example: - You can give users licenses for Microsoft 365 by using a Microsoft Entra security group in an access package and configuring [group-based licensing](../enterprise-users/licensing-groups-assign.md) for that group.-- You can give users access to manage Azure resources by using a Microsoft Entra security group in an access package and creating an [Azure role assignment](../../role-based-access-control/role-assignments-portal.md) for that group.
+- You can give users access to manage Azure resources by using a Microsoft Entra security group in an access package and creating an [Azure role assignment](/azure/role-based-access-control/role-assignments-portal) for that group.
- You can give users access to manage Microsoft Entra roles by using groups assignable to Microsoft Entra roles in an access package and [assigning a Microsoft Entra role to that group](../roles/groups-assign-role.md). ## How do I control who gets access?
active-directory Entitlement Management Reports https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-reports.md
When the user's access package assignment expires, is canceled by the user, or r
If you have configured to send audit log events to [Azure Monitor](entitlement-management-logs-and-reporting.md), then you can use the built-in workbooks and custom workbooks to view the audit logs retained in Azure Monitor.
-To view events for an access package, you must have access to the underlying Azure monitor workspace (see [Manage access to log data and workspaces in Azure Monitor](../../azure-monitor/logs/manage-access.md#azure-rbac) for information) and in one of the following roles:
+To view events for an access package, you must have access to the underlying Azure monitor workspace (see [Manage access to log data and workspaces in Azure Monitor](/azure/azure-monitor/logs/manage-access#azure-rbac) for information) and in one of the following roles:
- Global administrator - Security administrator
active-directory Entitlement Management Verified Id Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-verified-id-settings.md
Once an access package is configured with a verified ID requirement, end-users w
The requestor steps are as follows:
-1. Go to [myaccess.microsoft.com](HTTPS://myaccess.microsoft.com) and sign in.
+1. Go to [`myaccess.microsoft.com`](https://myaccess.microsoft.com) and sign in.
1. Search for the access package you want to request access to (you can browse the listed packages or use the search bar at the top of the page) and select **Request**.
active-directory Identity Governance Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-automation.md
# Automate Microsoft Entra ID Governance tasks via Azure Automation and Microsoft Graph
-[Azure Automation](../../automation/overview.md) is an Azure cloud service that allows you to automate common or repetitive systems management and processes. Microsoft Graph is the Microsoft unified API endpoint for Microsoft Entra features that manage users, groups, access packages, access reviews, and other resources in the directory. You can manage Microsoft Entra ID at scale from the PowerShell command line, using the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). You can also include the Microsoft Graph PowerShell cmdlets from a [PowerShell-based runbook in Azure Automation](/azure/automation/automation-intro), so that you can automate Microsoft Entra tasks from a simple script.
+[Azure Automation](/azure/automation/overview) is an Azure cloud service that allows you to automate common or repetitive systems management and processes. Microsoft Graph is the Microsoft unified API endpoint for Microsoft Entra features that manage users, groups, access packages, access reviews, and other resources in the directory. You can manage Microsoft Entra ID at scale from the PowerShell command line, using the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). You can also include the Microsoft Graph PowerShell cmdlets from a [PowerShell-based runbook in Azure Automation](/azure/automation/automation-intro), so that you can automate Microsoft Entra tasks from a simple script.
Azure Automation and the PowerShell Graph SDK supports certificate-based authentication and application permissions, so you can have Azure Automation runbooks authenticate to Microsoft Entra ID without needing a user context.
This article shows you how to get started using Azure Automation for Microsoft E
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Azure Automation provides a cloud-hosted environment for [runbook execution](../../automation/automation-runbook-execution.md). Those runbooks can start automatically based on a schedule, or be triggered by webhooks or by Logic Apps.
+Azure Automation provides a cloud-hosted environment for [runbook execution](/azure/automation/automation-runbook-execution). Those runbooks can start automatically based on a schedule, or be triggered by webhooks or by Logic Apps.
Using Azure Automation requires you to have an Azure subscription.
Param
) ```
-The format of the allowed parameters depends upon the calling service. If your runbook does take parameters from the caller, then you'll need to add validation logic to your runbook to ensure that the parameter values supplied are appropriate for how the runbook could be started. For example, if your runbook is started by a [webhook](../../automation/automation-webhooks.md), Azure Automation doesn't perform any authentication on a webhook request as long as it's made to the correct URL, so you'll need an alternate means of validating the request.
+The format of the allowed parameters depends upon the calling service. If your runbook does take parameters from the caller, then you'll need to add validation logic to your runbook to ensure that the parameter values supplied are appropriate for how the runbook could be started. For example, if your runbook is started by a [webhook](/azure/automation/automation-webhooks), Azure Automation doesn't perform any authentication on a webhook request as long as it's made to the correct URL, so you'll need an alternate means of validating the request.
-Once you [configure runbook input parameters](../../automation/runbook-input-parameters.md), then when you test your runbook you can provide values through the Test page. Later, when the runbook is published, you can provide parameters when starting the runbook from PowerShell, the REST API, or a Logic App.
+Once you [configure runbook input parameters](/azure/automation/runbook-input-parameters), then when you test your runbook you can provide values through the Test page. Later, when the runbook is published, you can provide parameters when starting the runbook from PowerShell, the REST API, or a Logic App.
## Parse the output of an Azure Automation account in Logic Apps (optional) Once your runbook is published, your can create a schedule in Azure Automation, and link your runbook to that schedule to run automatically. Scheduling runbooks from Azure Automation is suitable for runbooks that don't need to interact with other Azure or Office 365 services that don't have PowerShell interfaces.
-If you wish to send the output of your runbook to another service, then you may wish to consider using [Azure Logic Apps](../../logic-apps/logic-apps-overview.md) to start your Azure Automation runbook, as Logic Apps can also parse the results.
+If you wish to send the output of your runbook to another service, then you may wish to consider using [Azure Logic Apps](/azure/logic-apps/logic-apps-overview) to start your Azure Automation runbook, as Logic Apps can also parse the results.
1. In Azure Logic Apps, create a Logic App in the Logic Apps Designer starting with **Recurrence**.
If you wish to send the output of your runbook to another service, then you may
1. Select **New step** and add the operation **Get job output**. Select the same Subscription, Resource Group, Automation Account as the previous step, and select the Dynamic value of the **Job ID** from the previous step.
-1. You can then add more operations to the Logic App, such as the [**Parse JSON** action](../../logic-apps/logic-apps-perform-data-operations.md#parse-json-action) that uses the **Content** returned when the runbook completes. (If you're auto-generating the **Parse JSON** schema from a sample payload, be sure to account for PowerShell script potentially returning null; you might need to change some of the `"type": ΓÇï"string"` to `"type": [ΓÇï"string",ΓÇï "null"ΓÇï]` in the schema.)
+1. You can then add more operations to the Logic App, such as the [**Parse JSON** action](/azure/logic-apps/logic-apps-perform-data-operations#parse-json-action) that uses the **Content** returned when the runbook completes. (If you're auto-generating the **Parse JSON** schema from a sample payload, be sure to account for PowerShell script potentially returning null; you might need to change some of the `"type": ΓÇï"string"` to `"type": [ΓÇï"string",ΓÇï "null"ΓÇï]` in the schema.)
Note that in Azure Automation, a PowerShell runbook can fail to complete if it tries to write a large amount of data to the output stream at once. You can typically work around this issue by having the runbook output just the information needed by the Logic App, such as by using the `Select-Object -Property` cmdlet to exclude unneeded properties.
There are two places where you can see the expiration date in the Azure portal.
## Next steps -- [Create an Automation account using the Azure portal](../../automation/quickstarts/create-azure-automation-account-portal.md)
+- [Create an Automation account using the Azure portal](/azure/automation/quickstarts/create-azure-automation-account-portal)
active-directory Licensing Fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/licensing-fundamentals.md
The following table shows what features are available with each license. Note t
|Feature|Free|Microsoft Entra ID P1|Microsoft Entra ID P2|Microsoft Entra ID Governance| |--|:--:|:--:|:--:|:--:|
-|HR-driven Provisioning||x|x|x|
+|[HR-driven Provisioning](/azure/active-directory/app-provisioning/what-is-hr-driven-provisioning)||x|x|x|
|Automated user provisioning to SaaS apps|x|x|x|x| |Automated group provisioning to SaaS apps||x|x|x| |Automated provisioning to on-premises apps||x|x|x|
-|Conditional Access - Terms of use attestation||x|x|x|
+|[Conditional Access - Terms of use attestation](/azure/active-directory/conditional-access/terms-of-use)||x|x|x|
|Entitlement management - Basic entitlement management|||x|x| |Entitlement management - Conditional Access Scoping|||x|x| |Entitlement management MyAccess Search|||x|x|
active-directory Lifecycle Workflow Extensibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflow-extensibility.md
# Lifecycle Workflows custom task extension
-Lifecycle Workflows allow you to create workflows that can be triggered based on joiner, mover, or leaver scenarios. While Lifecycle Workflows provide several built-in tasks to automate common scenarios throughout the lifecycle of users, eventually you may reach the limits of these built-in tasks. With the extensibility feature, you're able to utilize the concept of custom task extensions to call-out to external systems as part of a workflow. For example, when a user joins your organization you can have a workflow with a custom task extension that assigns a Teams number, or have a separate workflow that grants access to an email account for a manager when a user leaves. With the extensibility feature, Lifecycle Workflows currently support creating custom tasks extensions to call-out to [Azure Logic Apps](../../logic-apps/logic-apps-overview.md).
+Lifecycle Workflows allow you to create workflows that can be triggered based on joiner, mover, or leaver scenarios. While Lifecycle Workflows provide several built-in tasks to automate common scenarios throughout the lifecycle of users, eventually you may reach the limits of these built-in tasks. With the extensibility feature, you're able to utilize the concept of custom task extensions to call-out to external systems as part of a workflow. For example, when a user joins your organization you can have a workflow with a custom task extension that assigns a Teams number, or have a separate workflow that grants access to an email account for a manager when a user leaves. With the extensibility feature, Lifecycle Workflows currently support creating custom tasks extensions to call-out to [Azure Logic Apps](/azure/logic-apps/logic-apps-overview).
## Logic Apps prerequisites
active-directory Lifecycle Workflow History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflow-history.md
-Workflows created using Lifecycle Workflows allow for the automation of lifecycle task for users no matter where they fall in the Joiner-Mover-Leaver (JML) model of their identity lifecycle in your organization. Making sure workflows are processed correctly is an important part of an organization's lifecycle management process. Workflows that aren't processed correctly can lead to many issues in terms of security and compliance. With Lifecycle Workflow's history features, you can specify which workflow events you want to view a history of based on user, runs, or task summaries. This reporting feature allows you to quickly see what ran for who, and rather or not it was successful. Along with the summaries in these specific areas, you're also able to view detailed information about each specific event recorded in their respective summary section. In this article you'll learn the difference between the three different type of history summaries, and details, you can query with Lifecycle Workflows. You'll also learn when you would use each when getting more information about how your workflows were utilized for users in your organization. For detailed information about every action Lifecycle Workflows take, see: [Auditing Lifecycle Workflows](lifecycle-workflow-audits.md).
+Workflows created using Lifecycle Workflows allow for the automation of lifecycle task for users no matter where they fall in the Joiner-Mover-Leaver (JML) model of their identity lifecycle in your organization. Making sure workflows are processed correctly is an important part of an organization's lifecycle management process. Workflows that aren't processed correctly can lead to many issues in terms of security and compliance. With Lifecycle Workflow's history features, you can specify which workflow events you want to view a history of based on users, runs, or task summaries. This reporting feature allows you to quickly see what ran for who, and rather or not it was successful. Along with the summaries in these specific areas, you're also able to view detailed information about each specific event recorded in their respective summary section. In this article, you'll learn the difference between the three different type of history summaries, and details, you can query with Lifecycle Workflows. You'll also learn when you would use each when getting more information about how your workflows were utilized for users in your organization. For detailed information about every action Lifecycle Workflows takes, see: [Auditing Lifecycle Workflows](lifecycle-workflow-audits.md).
## Lifecycle Workflow History Summaries
User detailed history information allows you to filter for specific information
- **Workflow execution type**: You can filter on workflow execution type such as **Scheduled** or **on-demand** - **Completed date**: You can filter a specific range from as short as 24 hours up to 30 days of when the user was processed in a workflow.
+### User history status details
+
+When viewing the status of user processing history, the status values correspond to the following information:
+
+|Status |Details |
+|||
+|Completed | This state is reported if all of the workflow's tasks processes successfully for a user. |
+|In Progress | This state is reported when a workflow begins running tasks for a user.. The status remains in this state until all the workflow's tasks are processed for the user, or it fails. |
+|Queued | This state is reported when a user is identified by the Lifecycle Workflow engine that meets the execution conditions of a workflow. From here a user either enters a state of *In progress* if the workflow begins running for them, or canceled if the admin manually cancels the workflow. |
+|Canceled | This state is reported for the following reasons: <br><br>**1.** If the workflow was deleted, all scheduled users it's set to run for are canceled.<br>**2.** If the workflow was disabled, all scheduled users it's set to run for are canceled.<br>**3**. If the workflow's schedule was disabled, all scheduled users it's set to run for are canceled.<br>**4.** If the workflow had a new version created and all tasks were disabled, all scheduled users it's set to run for are canceled.<br>**5.** If users don't meet the current execution conditions of the workflow's new version, the scheduled runs are canceled.<br>**6.** If the user was queued to have the workflow run for them, but has a profile change and no longer meet the current execution conditions of the workflow immediately before it runs, the processing is canceled. |
+|Completed with errors | This state is reported if the workflow completed, but one or more tasks that are set have **continueOnError** set as *true* have failed. |
+|Failed | This state is reported if a task with **continueOnError** set as *false* fails. |
+ For a complete guide on getting user processed summary information, see: [User workflow history using the Microsoft Entra admin center](check-status-workflow.md#user-workflow-history-using-the-microsoft-entra-admin-center). + ## Runs Summary Runs summaries allow you to view workflow information through the lens of its run history
Runs detailed history information allows you to filter for specific information
- **Workflow execution type**: You can filter on workflow execution type such as **Scheduled** or **On-demand**. - **Completed date**: You can filter a specific range from as short as 24 hours up to 30 days of when the workflow ran.
-For a complete guide on getting runs information, see: [Run workflow history using the Microsoft Entra admin center](check-status-workflow.md#run-workflow-history-using-the-microsoft-entra-admin-center)
+### Runs history status details
+
+When viewing the status of run history, the status values correspond to the following information:
++
+|Status |Details |
+|||
+|Queued | This state is reported the first time a workflow is set to run. |
+|In Progress | This state is reported as soon as the workflow begins processing its first task. |
+|Canceled | This state is reported if it was *In Progress* at one point of time, and is now frozen in that state. |
+|Completed with errors | This state is reported if the workflow runs successfully for some, but not others. If a workflow enters the queued state, but all of its instances are canceled before executing, then it will also show this state before ever entering a state of *In Progress*. |
+|Completed | This state is reported if the workflow ran successfully for every user. |
+|Failed | This state is reported if all tasks failed for all users the workflow runs for. Canceled users aren't counted as failures in the report. |
+
+For a complete guide on getting runs information, see: [Run workflow history using the Microsoft Entra admin center](check-status-workflow.md#run-workflow-history-using-the-microsoft-entra-admin-center).
+ ## Tasks summary
Task detailed history information allows you to filter for specific information
- **Completed date**: You can filter a specific range from as short as 24 hours up to 30 days of when the workflow ran. - **Tasks**: You can filter based on specific task names.
+### Task history status details
+
+When viewing the status of task history, the status values correspond to the following information:
++
+|Status |Details |
+|||
+|Queued | This state is reported once a workflow instance is scheduled for execution, task reports for all of the tasks within the workflow are also created with this status with Run record. Each task report includes all users but represents a specific task. |
+|In Progress | This state is reported as soon as the first task begins being processed. |
+|Canceled | This state is reported if no tasks are processed before the workflow is canceled. If a workflow that contains the tasks is deleted, then the status will also show as canceled. |
+|Completed with errors | This state is reported if a task is processed for a user, but not every task succeeds. |
+|Completed | This state is reported if all tasks ran successfully for every user. |
+|Failed | This state is reported if all tasks failed. |
+ Separating processing of the workflow from the tasks is important because, in a workflow, processing a user certain tasks could be successful, while others could fail. Whether or not a task runs after a failed task in a workflow depends on parameters such as enabling continue On Error, and their placement within the workflow. For more information, see [Common task parameters](lifecycle-workflow-tasks.md#common-task-parameters). ## Next steps
active-directory How To Cloud Sync Workbook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-cloud-sync-workbook.md
This workbook:
## Enabling provisioning logs
-You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../../azure-monitor/logs/log-query-overview.md) and [Provisioning Logs for troubleshooting cloud sync](how-to-troubleshoot.md).
+You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](/azure/azure-monitor/overview). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview) and [Provisioning Logs for troubleshooting cloud sync](how-to-troubleshoot.md).
## Sync summary The sync summary section provides a summary of your organizations synchronization activities. These activities include:
A Job Id will be created for each configuration when it runs and is populated wi
## Custom queries
-You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](../../../azure-monitor/logs/get-started-queries.md). Also, be sure to check out [Overview of log queries in Azure Monitor](../../../azure-monitor/logs/log-query-overview.md).
+You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](/azure/azure-monitor/logs/get-started-queries). Also, be sure to check out [Overview of log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview).
## Custom alerts Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.
-To learn more about alerts, see [Azure Monitor Log Alerts](../../../azure-monitor/alerts/alerts-create-new-alert-rule.md).
+To learn more about alerts, see [Azure Monitor Log Alerts](/azure/azure-monitor/alerts/alerts-create-new-alert-rule).
## Next steps
active-directory How To Inbound Synch Ms Graph https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md
Content-type: application/json
The output of the above command returns the objectId of the service principal that was created. For this example, the objectId is 614ac0e9-a59b-481f-bd8f-79a73d167e1c. Use Microsoft Graph to add a synchronizationJob to that service principal.
-Documentation for creating a sync job can be found [here](/graph/api/synchronization-synchronizationjob-post?tabs=http&view=graph-rest-beta&preserve-view=true).
+Documentation for creating a sync job can be found [here](/graph/api/synchronization-synchronization-post-jobs?tabs=http&preserve-view=true&view=graph-rest-beta).
If you didn't record the ID above, you can find the service principal by running the following MS Graph call. You'll need Directory.Read.All permissions to make that call:
Enabling Exchange hybrid writeback programmatically requires two steps.
### Schema verification Prior to enabling and using Exchange hybrid writeback, cloud sync needs to determine whether or not the on-premises Active Directory has been extended to include the Exchange schema.
-You can use the [directoryDefinition:discover](/graph/api/directorydefinition-discover?view=graph-rest-beta&tabs=http&preserve-view=true) to initiate schema discovery.
+You can use the [directoryDefinition:discover](/graph/api/synchronization-directorydefinition-discover?tabs=http&preserve-view=true&view=graph-rest-beta) to initiate schema discovery.
``` POST https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/[AD2AADProvisioningJobId]/schema/directories/[ADDirectoryID]/discover
The jobs can be retrieved again via the following command:
`GET https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/`
-Documentation for retrieving jobs can be found [here](/graph/api/synchronization-synchronizationjob-list?tabs=http&view=graph-rest-beta&preserve-view=true).
+Documentation for retrieving jobs can be found [here](/graph/api/synchronization-synchronization-list-jobs?tabs=http&preserve-view=true&view=graph-rest-beta).
To start the jobs, issue this request, using the objectId of the service principal created in the first step, and the job identifiers returned from the request that created the job.
active-directory How To Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-prerequisites.md
You need the following to use Microsoft Entra Cloud Sync:
- Domain Administrator or Enterprise Administrator credentials to create the Microsoft Entra Connect cloud sync gMSA (group managed service account) to run the agent service. - A hybrid identity administrator account for your Microsoft Entra tenant that is not a guest user.-- An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). Installing the agent on a domain controller is supported.
+- An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/security/privileged-access-workstations/privileged-access-access-model). Installing the agent on a domain controller is supported.
- High availability refers to the Microsoft Entra Cloud Sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Microsoft Entra Cloud Sync can continue to function even if one agent should fail. Microsoft recommends having 3 active agents installed for high availability. - On-premises firewall configurations.
For more information on how to prepare your Active Directory for group Managed S
### In your directory in Active Directory
-Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix) to prepare the directory attributes for synchronization.
+Run the [IdFix tool](/microsoft-365/enterprise/set-up-directory-synchronization) to prepare the directory attributes for synchronization.
### In your on-premises environment
active-directory Migrate Azure Ad Connect To Cloud Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/migrate-azure-ad-connect-to-cloud-sync.md
Microsoft Entra Cloud Sync is the future for accomplishing your hybrid identity
|Verify all users are provisioned|As you migrate users, verify that they're provisioning and synchronizing correctly.| |Stop Microsoft Entra Connect|Once you've verified that all of your users are migrated, you can turn off the Microsoft Entra Connect synchronization service. Microsoft recommends that you leave the server is a disabled state for a period of time, so you can verify the migration was successful |Verify everything is good|After a period of time, verify that everything is good.|
-|Decommission the Microsoft Entra Connect server|Once you've verified everything is good you can use the steps below to take the Microsoft Entra Connect server offline.|
+|Decommission the Microsoft Entra Connect server|Once you've verified everything is good, take the Microsoft Entra Connect server offline. For more information, see [Uninstall Microsoft Entra Connect](../connect/how-to-connect-uninstall.md).|
active-directory Choose Ad Authn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/choose-ad-authn.md
Microsoft Entra ID supports the following authentication methods for hybrid iden
### Cloud authentication When you choose this authentication method, Microsoft Entra ID handles users' sign-in process. Coupled with single sign-on (SSO), users can sign in to cloud apps without having to reenter their credentials. With cloud authentication, you can choose from two options:
-**Microsoft Entra password hash synchronization**. The simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. Users can use the same username and password that they use on-premises without having to deploy any other infrastructure. Some premium features of Microsoft Entra ID, like Identity Protection and [Microsoft Entra Domain Services](../../../active-directory-domain-services/tutorial-create-instance.md), require password hash synchronization, no matter which authentication method you choose.
+**Microsoft Entra password hash synchronization**. The simplest way to enable authentication for on-premises directory objects in Microsoft Entra ID. Users can use the same username and password that they use on-premises without having to deploy any other infrastructure. Some premium features of Microsoft Entra ID, like Identity Protection and [Microsoft Entra Domain Services](/entra/identity/domain-services/tutorial-create-instance), require password hash synchronization, no matter which authentication method you choose.
> [!NOTE] > Passwords are never stored in clear text or encrypted with a reversible algorithm in Microsoft Entra ID. For more information on the actual process of password hash synchronization, see [Implement password hash synchronization with Microsoft Entra Connect Sync](how-to-connect-password-hash-synchronization.md).
Details on decision questions:
* **User experience**. To improve users' sign-in experience, use [Microsoft Entra joined devices](../../devices/concept-directory-join.md) or [Microsoft Entra hybrid joined devices](../../devices/how-to-hybrid-join.md). If you can't join your Windows devices to Microsoft Entra ID, we recommend deploying seamless SSO with password hash synchronization. Seamless SSO eliminates unnecessary prompts when users are signed in.
-* **Advanced scenarios**. If organizations choose to, it's possible to use insights from identities with Microsoft Entra ID Protection reports with Microsoft Entra ID P2. An example is the leaked credentials report. Windows Hello for Business has [specific requirements when you use password hash synchronization](/windows/access-protection/hello-for-business/hello-identity-verification). [Microsoft Entra Domain Services](../../../active-directory-domain-services/tutorial-create-instance.md) requires password hash synchronization to provision users with their corporate credentials in the managed domain.
+* **Advanced scenarios**. If organizations choose to, it's possible to use insights from identities with Microsoft Entra ID Protection reports with Microsoft Entra ID P2. An example is the leaked credentials report. Windows Hello for Business has [specific requirements when you use password hash synchronization](/windows/security/identity-protection/hello-for-business/hello-identity-verification). [Microsoft Entra Domain Services](/entra/identity/domain-services/tutorial-create-instance) requires password hash synchronization to provision users with their corporate credentials in the managed domain.
Organizations that require multifactor authentication with password hash synchronization must use Microsoft Entra multifactor authentication or [Conditional Access custom controls](../../conditional-access/controls.md#custom-controls-preview). Those organizations can't use third-party or on-premises multifactor authentication methods that rely on federation.
The following diagrams outline the high-level architecture components required f
|Is there a health monitoring solution?|Not required|Agent status provided by the [[Microsoft Entra admin center](https://entra.microsoft.com)](tshoot-connect-pass-through-authentication.md)|[Microsoft Entra Connect Health](how-to-connect-health-adfs.md)| |Do users get single sign-on to cloud resources from domain-joined devices within the company network?|Yes with [Microsoft Entra joined devices](../../devices/concept-directory-join.md), [Microsoft Entra hybrid joined devices](../../devices/how-to-hybrid-join.md), the [Microsoft Enterprise SSO plug-in for Apple devices](../../develop/apple-sso-plugin.md), or [Seamless SSO](how-to-connect-sso.md)|Yes with [Microsoft Entra joined devices](../../devices/concept-directory-join.md), [Microsoft Entra hybrid joined devices](../../devices/how-to-hybrid-join.md), the [Microsoft Enterprise SSO plug-in for Apple devices](../../develop/apple-sso-plugin.md), or [Seamless SSO](how-to-connect-sso.md)|Yes| |What sign-in types are supported?|UserPrincipalName + password<br><br>Windows-Integrated Authentication by using [Seamless SSO](how-to-connect-sso.md)<br><br>[Alternate login ID](how-to-connect-install-custom.md)<br><br>[Microsoft Entra joined Devices](../../devices/concept-directory-join.md)<br><br>[Microsoft Entra hybrid joined devices](../../devices/how-to-hybrid-join.md)<br><br>[Certificate and smart card authentication](../../authentication/concept-certificate-based-authentication-smartcard.md)|UserPrincipalName + password<br><br>Windows-Integrated Authentication by using [Seamless SSO](how-to-connect-sso.md)<br><br>[Alternate login ID](how-to-connect-pta-faq.yml)<br><br>[Microsoft Entra joined Devices](../../devices/concept-directory-join.md)<br><br>[Microsoft Entra hybrid joined devices](../../devices/how-to-hybrid-join.md)<br><br>[Certificate and smart card authentication](../../authentication/concept-certificate-based-authentication-smartcard.md)|UserPrincipalName + password<br><br>sAMAccountName + password<br><br>Windows-Integrated Authentication<br><br>[Certificate and smart card authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br><br>[Alternate login ID](/windows-server/identity/ad-fs/operations/configuring-alternate-login-id)|
-|Is Windows Hello for Business supported?|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)<br><br>*Both require Windows Server 2016 Domain functional level*|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)<br><br>[Certificate trust model](/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs)|
-|What are the multifactor authentication options?|[Microsoft Entra multifactor authentication](/azure/multi-factor-authentication/)<br><br>[Custom Controls with Conditional Access*](../../conditional-access/controls.md)|[Microsoft Entra multifactor authentication](/azure/multi-factor-authentication/)<br><br>[Custom Controls with Conditional Access*](../../conditional-access/controls.md)|[Microsoft Entra multifactor authentication](/azure/multi-factor-authentication/)<br><br>[Third-party MFA](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs)<br><br>[Custom Controls with Conditional Access*](../../conditional-access/controls.md)|
+|Is Windows Hello for Business supported?|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)<br><br>*Both require Windows Server 2016 Domain functional level*|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust)<br><br>[Certificate trust model](/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs)|
+|What are the multifactor authentication options?|[Microsoft Entra multifactor authentication](/azure/multi-factor-authentication/)<br><br>[Custom Controls with Conditional Access*](../../conditional-access/controls.md)|[Microsoft Entra multifactor authentication](/azure/multi-factor-authentication/)<br><br>[Custom Controls with Conditional Access*](../../conditional-access/controls.md)|[Microsoft Entra multifactor authentication](../../authentication/index.yml)<br><br>[Third-party MFA](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs)<br><br>[Custom Controls with Conditional Access*](../../conditional-access/controls.md)|
|What user account states are supported?|Disabled accounts<br>(up to 30-minute delay)|Disabled accounts<br><br>Account locked out<br><br>Account expired<br><br>Password expired<br><br>Sign-in hours|Disabled accounts<br><br>Account locked out<br><br>Account expired<br><br>Password expired<br><br>Sign-in hours| |What are the Conditional Access options?|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](../../conditional-access/overview.md)|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](../../conditional-access/overview.md)|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](../../conditional-access/overview.md)<br><br>[AD FS claim rules](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator)| |Is blocking legacy protocols supported?|[Yes](../../conditional-access/overview.md)|[Yes](../../conditional-access/overview.md)|[Yes](/windows-server/identity/ad-fs/operations/access-control-policies-w2k12)|
active-directory Cloud Governed Management For On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/cloud-governed-management-for-on-premises.md
For many organizations, identity lifecycle for employees is tied to the represen
Microsoft Entra ID P1 or P2 also includes Microsoft Identity Manager, which can import records from other on-premises HCM systems, including SAP, Oracle eBusiness, and Oracle PeopleSoft.
-Business-to-business collaboration increasingly requires granting access to people outside your organization. [Microsoft Entra B2B](/azure/active-directory/b2b/) collaboration enables organizations to securely share their applications and services with guest users and external partners while maintaining control over their own corporate data.
+Business-to-business collaboration increasingly requires granting access to people outside your organization. [Microsoft Entra B2B](../../external-identities/index.yml) collaboration enables organizations to securely share their applications and services with guest users and external partners while maintaining control over their own corporate data.
Microsoft Entra ID can [automatically create accounts in AD for guest users](../../external-identities/hybrid-cloud-to-on-premises.md) as needed, enabling business guests to access on-premises AD-integrated applications without needing another password. Organizations can set up [multifactor authentication policies for guest user](../../external-identities/authentication-conditional-access.md)s so MFA checks are done during application proxy authentication. Also, any [access reviews](../../governance/manage-guest-access-with-access-reviews.md) that are done on cloud B2B users apply to on-premises users. For example, if the cloud user is deleted through lifecycle management policies, the on-premises user is also deleted.
Self-service password reset in Microsoft Entra ID allows users who have forgotte
Finally, for organizations that permit users to change their passwords in AD, AD can be configured to use the same password policy as the organization is using in Microsoft Entra ID through the [Microsoft Entra password protection feature](../../authentication/concept-password-ban-bad-on-premises.md), currently in public preview.
-When an organization is ready to move an AD-integrated application to the cloud by moving the operating system hosting the application to Azure, [Microsoft Entra Domain Services](../../../active-directory-domain-services/overview.md) provides AD-compatible domain services (such as domain join, group policy, LDAP, and Kerberos/NTLM authentication). Microsoft Entra Domain Services integrates with the organization's existing Microsoft Entra tenant, making it possible for users to sign in using their corporate credentials. Additionally, existing groups and user accounts can be used to secure access to resources, ensuring a smoother 'lift-and-shift' of on-premises resources to Azure infrastructure services.
+When an organization is ready to move an AD-integrated application to the cloud by moving the operating system hosting the application to Azure, [Microsoft Entra Domain Services](/entra/identity/domain-services/overview) provides AD-compatible domain services (such as domain join, group policy, LDAP, and Kerberos/NTLM authentication). Microsoft Entra Domain Services integrates with the organization's existing Microsoft Entra tenant, making it possible for users to sign in using their corporate credentials. Additionally, existing groups and user accounts can be used to secure access to resources, ensuring a smoother 'lift-and-shift' of on-premises resources to Azure infrastructure services.
![Microsoft Entra Domain Services](media/cloud-governed-management-for-on-premises/image4.png)
active-directory Concept Azure Ad Connect Sync User And Contacts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/concept-azure-ad-connect-sync-user-and-contacts.md
Important points to be aware of when synchronizing groups from Active Directory
* Microsoft Entra Connect doesn't support synchronizing [Primary Group memberships](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771489(v=ws.11)) to Microsoft Entra ID.
-* Microsoft Entra Connect doesn't support synchronizing [Dynamic Distribution Group memberships](/Exchange/recipients/dynamic-distribution-groups/dynamic-distribution-groups) to Microsoft Entra ID.
+* Microsoft Entra Connect doesn't support synchronizing [Dynamic Distribution Group memberships](/exchange/recipients/dynamic-distribution-groups/dynamic-distribution-groups) to Microsoft Entra ID.
* To synchronize an Active Directory group to Microsoft Entra ID as a mail-enabled group:
active-directory Four Steps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/four-steps.md
To learn more, go read [Monitor AD FS using Microsoft Entra Connect Health](./ho
### Use Azure Monitor to collect data logs for analytics
-[Azure Monitor](../../../azure-monitor/overview.md) is a unified monitoring portal for all Microsoft Entra logs, which provides deep insights, advanced analytics, and smart machine learning. With Azure Monitor, you can consume metrics and logs within the portal and via APIs to gain more visibility into the state and performance of your resources. It enables a single pane of glass experience within the portal while enabling a wide range of product integrations via APIs and data export options that support traditional third-party SIEM systems. Azure Monitor also gives you the ability to configure alert rules to get notified or to take automated actions on issues impacting your resources.
+[Azure Monitor](/azure/azure-monitor/overview) is a unified monitoring portal for all Microsoft Entra logs, which provides deep insights, advanced analytics, and smart machine learning. With Azure Monitor, you can consume metrics and logs within the portal and via APIs to gain more visibility into the state and performance of your resources. It enables a single pane of glass experience within the portal while enabling a wide range of product integrations via APIs and data export options that support traditional third-party SIEM systems. Azure Monitor also gives you the ability to configure alert rules to get notified or to take automated actions on issues impacting your resources.
![Azure Monitor](./media/four-steps/image1.png) ### Create custom dashboards for your leadership and your day to day
-Organizations that don't have a SIEM solution can use Azure Monitor workbooks for Microsoft Entra ID(../reports-monitoring/howto-use-azure-monitor-workbooks). The integration contains pre-built workbooks and templates to help you understand how your users adopt and use Microsoft Entra features, which allows you to gain insights into all the activities within your directory. You can also create your own workbooks and share with your leadership team to report on day-to-day activities. Workbooks are a great way to monitor your business and see all of your most important metrics at a glance.
+Organizations that don't have a SIEM solution can use [Azure Monitor workbooks for Microsoft Entra ID](/azure/active-directory/reports-monitoring/howto-use-workbooks). The integration contains pre-built workbooks and templates to help you understand how your users adopt and use Microsoft Entra features, which allows you to gain insights into all the activities within your directory. You can also create your own workbooks and share with your leadership team to report on day-to-day activities. Workbooks are a great way to monitor your business and see all of your most important metrics at a glance.
### Understand your support call drivers
If you don't observe a reduction in support calls, we recommend that you analyze
### Monitor your usage of apps to drive insights
-In addition to discovering Shadow IT, monitoring app usage across your organization using [Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security) can help your organization as you move to take full advantage of the promise of cloud applications. It can help keep you in control of your assets through improved visibility into activity and increase the protection of critical data across cloud applications. Monitoring app usage in your organization using Defender for Cloud Apps can help you answer the following questions:
+In addition to discovering Shadow IT, monitoring app usage across your organization using [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps) can help your organization as you move to take full advantage of the promise of cloud applications. It can help keep you in control of your assets through improved visibility into activity and increase the protection of critical data across cloud applications. Monitoring app usage in your organization using Defender for Cloud Apps can help you answer the following questions:
* What unsanctioned apps are employees using to store data in? * Where and when is sensitive data being stored in the cloud?
We recommend that you print the following checklist for reference as you begin y
## Next steps
-Learn how you can increase your secure posture using the capabilities of Microsoft Entra ID and this five-step checklist - [Five steps to securing your identity infrastructure](../../../security/fundamentals/steps-secure-identity.md).
+Learn how you can increase your secure posture using the capabilities of Microsoft Entra ID and this five-step checklist - [Five steps to securing your identity infrastructure](/azure/security/fundamentals/steps-secure-identity).
Learn how the identity features in Microsoft Entra ID can help you accelerate your transition to cloud governed management by providing the solutions and capabilities that allow organizations to quickly adopt and move more of their identity management from traditional on-premises systems to Microsoft Entra ID - [How Microsoft Entra ID Delivers Cloud Governed Management for on-premises Workloads](./cloud-governed-management-for-on-premises.md).
active-directory How To Connect Device Writeback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-device-writeback.md
The following documentation provides information on how to enable the device writeback feature in Microsoft Entra Connect. Device Writeback is used in the following scenarios:
-* Enable [Windows Hello for Business using hybrid certificate trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#device-registration)
+* Enable [Windows Hello for Business using hybrid certificate trust deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#device-registration)
* Enable Conditional Access based on devices to ADFS (2012 R2 or higher) protected applications (relying party trusts). This provides additional security and assurance that access to applications is granted only to trusted devices. For more information on Conditional Access, see [Managing Risk with Conditional Access](../../conditional-access/overview.md) and [Setting up On-premises Conditional Access using Microsoft Entra Device Registration](../../devices/overview.md).
active-directory How To Connect Fed Group Claims https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-group-claims.md
You can also configure group claims in the [optional claims](../../develop/optio
In `additionalProperties`, only one of `"sam_account_name"`, `"dns_domain_and_sam_account_name"`, or `"netbios_domain_and_sam_account_name"` is required. If more than one is present, the first is used and any others are ignored.
- Some applications require group information about the user in the role claim. To change the claim type to from a group claim to a role claim, add `"emit_as_roles"` to additional properties. The group values will be emitted in the role claim.
+ Some applications require group information about the user in the role claim. To change the claim type from a group claim to a role claim, add `"emit_as_roles"` to additional properties. The group values will be emitted in the role claim.
To emit group display name for cloud-only groups, you can add `"cloud_displayname"` to `additional properties`. This option will work only when `ΓÇ£groupMembershipClaimsΓÇ¥` is set to `ApplicationGroup`
active-directory How To Connect Fed Saml Idp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-saml-idp.md
A request and response message pair is shown for the sign-on message exchange.
The following is a sample request message that is sent from Microsoft Entra ID to a sample SAML 2.0 identity provider. The sample SAML 2.0 identity provider is Active Directory Federation Services (AD FS) configured to use SAML-P protocol. Interoperability testing has also been completed with other SAML 2.0 identity providers. ```xml
- <samlp:AuthnRequest
- xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
- xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
- ID="_7171b0b2-19f2-4ba2-8f94-24b5e56b7f1e"
- IssueInstant="2014-01-30T16:18:35Z"
- Version="2.0"
- AssertionConsumerServiceIndex="0" >
- <saml:Issuer>urn:federation:MicrosoftOnline</saml:Issuer>
- <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
- </samlp:AuthnRequest>
+ <?xml version="1.0"?>
+<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f6f7cf98-e2c8-470e-ace9-4c0dabdd36cb" Version="2.0" IssueInstant="2023-10-09T15:48:00.361Z">
+ <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+ <SignedInfo>
+ <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+ <Reference URI="#_f6f7cf98-e2c8-470e-ace9-4c0dabdd36cb">
+ <Transforms>
+ <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+ <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+ </Transforms>
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+ <DigestValue>f5c2T/UEzCMjKYp6yuscKKFojDI=</DigestValue>
+ </Reference>
+ </SignedInfo>
+ <SignatureValue>BdlWtxZE+ZvkfbD1B8wskZwiGVDDFRcnlIDrAOvvOd625vpEHpjW4j8Y3Buks+W1PLV1nC2cCRIAmPZMsxt7GLjT9AjYpgo+E5FlGQq7AezcLsKRrmxI4eVwRpy4zWthq/Gae9HGF5gajU+dE4jMd2275lk7poCHdlPXJR+EH6oikILBjWZeeWs4HAxYn7TtZ4/H2tcaz8yOQkWWlbR8ZVsUF5ZTbdtr24N9Mk4ZWooJN0jYN5nBv0LuGTlmpwjcdY9fuaBLwqlq6nUKzpDNiPXTn7BW8+EPidS/GonXzbJl18WwyaDKPre1qWtJzSuLInoYIWIcSdA+uwhETrcaew==</SignatureValue>
+ <KeyInfo>
+ <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:X509SKI>bwzmkdKETWhixlS99FL36FH37EI=</ds:X509SKI>
+ </ds:X509Data>
+ <KeyName>MicrosoftOnline</KeyName>
+ </KeyInfo>
+ </Signature>
+ <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
+</samlp:AuthnRequest>
``` The following is a sample response message that is sent from the sample SAML 2.0 compliant identity provider to Microsoft Entra ID / Microsoft 365.
active-directory How To Connect Fix Default Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fix-default-rules.md
As with the inbound rule, you can use your own naming convention to name the rul
Keep **Scoping filter** and **Join rules** empty. Fill in the transformation as constant, direct, or expression.
-You now know how to make a new attribute for a user object flow from Active Directory to Microsoft Entra ID. You can use these steps to map any attribute from any object to source and target. For more information, see [Creating custom sync rules](how-to-connect-create-custom-sync-rule.md) and [Prepare to provision users](/office365/enterprise/prepare-for-directory-synchronization).
+You now know how to make a new attribute for a user object flow from Active Directory to Microsoft Entra ID. You can use these steps to map any attribute from any object to source and target. For more information, see [Creating custom sync rules](how-to-connect-create-custom-sync-rule.md) and [Prepare to provision users](/microsoft-365/enterprise/prepare-for-directory-synchronization).
### Override the value of an existing attribute You might want to override the value of an attribute that has already been mapped. For example, if you always want to set a null value to an attribute in Microsoft Entra ID, simply create an inbound rule only. Make the expression value, `AuthoritativeNull`, flow to the target attribute.
active-directory How To Connect Health Ad Fs Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-ad-fs-sign-in.md
# AD FS sign-ins in Microsoft Entra ID with Connect Health - preview
-AD FS sign-ins can now be integrated into the Microsoft Entra sign-ins report by using Connect Health. The [Microsoft Entra sign-ins Report](../../reports-monitoring/concept-all-sign-ins.md) report includes information about when users, applications, and managed resources sign in to Microsoft Entra ID and access resources.
+AD FS sign-ins can now be integrated into the Microsoft Entra sign-ins report by using Connect Health. The [Microsoft Entra sign-ins Report](../../reports-monitoring/concept-sign-ins.md) report includes information about when users, applications, and managed resources sign in to Microsoft Entra ID and access resources.
The Connect Health for AD FS agent correlates multiple Event IDs from AD FS, dependent on the server version, to provide information about the request and error details if the request fails. This information is correlated to the Microsoft Entra sign-in report schema and displayed in the Microsoft Entra sign-in report UX. Alongside the report, a new Log Analytics stream is available with the AD FS data and a new Azure Monitor Workbook template. The template can be used and modified for an in-depth analysis for scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.
active-directory How To Connect Health Agent Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-agent-install.md
The following table lists requirements for using Microsoft Entra Connect Health:
| | | | You have a Microsoft Entra ID P1 or P2 subscription. |Microsoft Entra Connect Health is a feature of Microsoft Entra ID P1 or P2. For more information, see [Sign up for Microsoft Entra ID P1 or P2](../../fundamentals/get-started-premium.md). <br /><br />To start a free 30-day trial, see [Start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). | | You're a global administrator in Microsoft Entra ID. |Currently, only Global Administrator accounts can install and configure health agents. For more information, see [Administering your Microsoft Entra directory](../../fundamentals/whatis.md). <br /><br /> By using Azure role-based access control (Azure RBAC), you can allow other users in your organization to access Microsoft Entra Connect Health. For more information, see [Azure RBAC for Microsoft Entra Connect Health](how-to-connect-health-operations.md#manage-access-with-azure-rbac). <br /><br />**Important**: Use a work or school account to install the agents. You can't use a Microsoft account to install the agents. For more information, see [Sign up for Azure as an organization](../../fundamentals/sign-up-organization.md). |
-| The Microsoft Entra Connect Health agent is installed on each targeted server. | Health agents must be installed and configured on targeted servers so that they can receive data and provide monitoring and analytics capabilities. <br /><br />For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on the AD FS server and on the Web Application Proxy server. Similarly, to get data from your on-premises Microsoft Entra Domain Services infrastructure, you must install the agent on the domain controllers. |
+| The Microsoft Entra Connect Health agent is installed on each targeted server. | Health agents must be installed and configured on targeted servers so that they can receive data and provide monitoring and analytics capabilities. <br /><br />For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on the AD FS server and on the Web Application Proxy server. Similarly, to get data from your on-premises AD Domain Services infrastructure, you must install the agent on the domain controllers. |
| The Azure service endpoints have outbound connectivity. | During installation and runtime, the agent requires connectivity to Microsoft Entra Connect Health service endpoints. If firewalls block outbound connectivity, add the [outbound connectivity endpoints](how-to-connect-health-agent-install.md#outbound-connectivity-to-azure-service-endpoints) to an allowlist. | |Outbound connectivity is based on IP addresses. | For information about firewall filtering based on IP addresses, see [Azure IP ranges](https://www.microsoft.com/download/details.aspx?id=56519).| | TLS inspection for outbound traffic is filtered or disabled. | The agent registration step or data upload operations might fail if there's TLS inspection or termination for outbound traffic at the network layer. For more information, see [Set up TLS inspection](/previous-versions/tn-archive/ee796230(v=technet.10)). |
To download and install the Microsoft Entra Connect Health agent:
- See the [installation instructions](#install-the-agent-for-ad-fs). - Get started using Microsoft Entra Connect Health for sync: - [Download and install the latest version of Microsoft Entra Connect](https://go.microsoft.com/fwlink/?linkid=615771). The health agent for sync is installed as part of the Microsoft Entra Connect installation (version 1.0.9125.0 or later).-- Get started using Microsoft Entra Connect Health for Microsoft Entra Domain
- - [Download the Microsoft Entra Connect Health agent for Microsoft Entra Domain Services](https://go.microsoft.com/fwlink/?LinkID=820540).
+- Get started using Microsoft Entra Connect Health for AD Domain
+ - [Download the Microsoft Entra Connect Health agent for AD Domain Services](https://go.microsoft.com/fwlink/?LinkID=820540).
- See the [installation instructions](#install-the-agent-for-azure-ad-ds). ## Install the agent for AD FS
At this point, the agent services should start to automatically allow the agent
To verify that the agent was installed, look for the following services on the server. If you completed the configuration, they should already be running. Otherwise, they're stopped until the configuration is complete. -- Microsoft Entra Connect Agent Updater
+- Microsoft Azure AD Connect Agent Updater
- Microsoft Entra Connect Health Agent :::image type="content" source="media/how-to-connect-health-agent-install/install5.png" alt-text="Screenshot that shows Microsoft Entra Connect Health AD FS services.":::
The Microsoft Entra Connect Health agent for sync is installed automatically in
To verify that the agent has been installed, look for the following services on the server. If you completed the configuration, the services should already be running. Otherwise, the services are stopped until the configuration is complete. -- Microsoft Entra Connect Health Sync Insights Service-- Microsoft Entra Connect Health Sync Monitoring Service
+- Microsoft Azure AD Connect Agent Updater
+- Microsoft Entra Connect Health Agent
> [!NOTE] > Remember that you must have Microsoft Entra ID P1 or P2 to use Microsoft Entra Connect Health. If you don't have Microsoft Entra ID P1 or P2, you can't complete the configuration in the [Microsoft Entra admin center](https://entra.microsoft.com). For more information, see the [requirements](how-to-connect-health-agent-install.md#requirements).
When you're prompted for authentication, use the same Global Administrator accou
<a name='install-the-agent-for-microsoft-entra-ds'></a>
-## Install the agent for Microsoft Entra Domain Services
+## Install the agent for AD Domain Services
To start the agent installation, double-click the *.exe* file that you downloaded. In the first window, select **Install**.
To start the agent installation, double-click the *.exe* file that you downloade
When the installation finishes, select **Configure Now**. A Command Prompt window opens. PowerShell runs `Register-AzureADConnectHealthADDSAgent`. When you're prompted, sign in to Azure. After you sign in, PowerShell continues. When it finishes, you can close PowerShell. The configuration is complete. At this point, the services should be started automatically, allowing the agent to monitor and gather data. If you haven't met all the prerequisites outlined in the previous sections, warnings appear in the PowerShell window. Be sure to complete the [requirements](how-to-connect-health-agent-install.md#requirements) before you install the agent. The following screenshot shows an example of these warnings. To verify that the agent is installed, look for the following services on the domain controller:
Check out the following related articles:
- [Microsoft Entra Connect Health operations](how-to-connect-health-operations.md) - [Using Microsoft Entra Connect Health with AD FS](how-to-connect-health-adfs.md) - [Using Microsoft Entra Connect Health for sync](how-to-connect-health-sync.md)-- [Using Microsoft Entra Connect Health with Microsoft Entra Domain Services](how-to-connect-health-adds.md)
+- [Using Microsoft Entra Connect Health with AD Domain Services](how-to-connect-health-adds.md)
- [Microsoft Entra Connect Health FAQ](reference-connect-health-faq.yml) - [Microsoft Entra Connect Health version history](reference-connect-health-version-history.md)
active-directory How To Connect Health Alert Catalog https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-alert-catalog.md
Microsoft Entra Connect Health alerts get resolved on a success condition. Micro
| Alert Name | Description | Remediation | | | | -- |
-| Microsoft Entra Connect Sync Service isn't running | Microsoft Entra ID Sync Windows service isn't running or couldn't start. As a result, objects won't synchronize with Microsoft Entra ID. | Start Microsoft Azure Active Directory Sync Services</b> <ol> <li>Click <b>Start</b>, click <b>Run</b>, type <b>Services.msc</b>, and then click <b>OK</b>.</li> <li>Locate the <b>Microsoft Entra ID Sync service</b>, and then check whether the service is started. If the service isn't started, right-click it, and then click <b>Start</b>. |
+| Microsoft Entra Connect Sync Service isn't running | Microsoft Entra Sync Windows service isn't running or couldn't start. As a result, objects won't synchronize with Microsoft Entra ID. | Start Microsoft Entra Sync Services</b> <ol> <li>Click <b>Start</b>, click <b>Run</b>, type <b>Services.msc</b>, and then click <b>OK</b>.</li> <li>Locate the <b>Microsoft Entra Sync service</b>, and then check whether the service is started. If the service isn't started, right-click it, and then click <b>Start</b>. |
| Import from Microsoft Entra ID failed | The import operation from Microsoft Entra Connector has failed. | Investigate the event log errors of import operation for further details. | | Connection to Microsoft Entra ID failed due to authentication failure | Connection to Microsoft Entra ID failed due to authentication failure. As a result objects won't be synchronized with Microsoft Entra ID. | Investigate the event log errors for further details. | | Export to Active Directory failed | The export operation to Active Directory Connector has failed. | Investigate the event log errors of export operation for further details. | | Import from Active Directory failed | Import from Active Directory failed. As a result, objects from some domains from this forest may not be imported. | <li>Verify DC connectivity</li> <li>Rerun import manually</li> <li> Investigate event log errors of the import operation for further details. | | Export to Microsoft Entra ID failed | The export operation to Microsoft Entra Connector has failed. As a result, some objects may not be exported successfully to Microsoft Entra ID. | Investigate the event log errors of export operation for further details. |
-| Password Hash Synchronization heartbeat was skipped in last 120 minutes | Password Hash Synchronization has not connected with Microsoft Entra ID in the last 120 minutes. As a result, passwords won't be synchronized with Microsoft Entra ID. | Restart Microsoft Azure Active Directory Sync
-| High CPU Usage detected | The percentage of CPU consumption crossed the recommended threshold on this server. | <li>This could be a temporary spike in CPU consumption. Check the CPU usage trend from the Monitoring section.</li><li>Inspect the top processes consuming the highest CPU usage on the server.<ol type="a"><li>You may use the Task Manager or execute the following PowerShell Command: <br> <i>get-process \| Sort-Object -Descending CPU \| Select-Object -First 10</i></li><li>If there are unexpected processes consuming high CPU usage, stop the processes using the following PowerShell command: <br> <i>stop-process -ProcessName [name of the process]</i></li></li></ol><li>If the processes seen in the above list are the intended processes running on the server and the CPU consumption is continuously near the threshold please consider re-evaluating the deployment requirements of this server.</li><li>As a fail-safe option you may consider restarting the server. |
-| High Memory Consumption Detected | The percentage of memory consumption of the server is beyond the recommended threshold on this server. | Inspect the top processes consuming the highest memory on the server. You may use the Task Manager or execute the following PowerShell Command:<br> <i>get-process \| Sort-Object -Descending WS \| Select-Object -First 10</i> </br> If there are unexpected processes consuming high memory, stop the processes using the following PowerShell command:<br><i>stop-process -ProcessName [name of the process] </i></li><li> If the processes seen in the above list are the intended processes running on the server, please consider re-evaluating the deployment requirements of this server.</li><li>As a failsafe option, you may consider restarting the server. |
-| Password Hash Synchronization has stopped working | Password Hash Synchronization has stopped. As a result passwords won't be synchronized with Microsoft Entra ID. | Restart Microsoft Azure Active Directory Sync
+| Password Hash Synchronization heartbeat was skipped in last 120 minutes | Password Hash Synchronization has not connected with Microsoft Entra ID in the last 120 minutes. As a result, passwords won't be synchronized with Microsoft Entra ID. | Restart Microsoft Entra Sync
+| High CPU Usage detected | The percentage of CPU consumption crossed the recommended threshold on this server. | <li>This could be a temporary spike in CPU consumption. Check the CPU usage trend from the Monitoring section.</li><li>Inspect the top processes consuming the highest CPU usage on the server.<ol type="a"><li>You may use the Task Manager or execute the following PowerShell Command: <br> <i>get-process \| Sort-Object -Descending CPU \| Select-Object -First 10</i></li><li>If there are unexpected processes consuming high CPU usage, stop the processes using the following PowerShell command: <br> <i>stop-process -ProcessName [name of the process]</i></li></li></ol><li>If the processes seen in the above list are the intended processes running on the server and the CPU consumption is continuously near the threshold, consider re-evaluating the deployment requirements of this server.</li><li>As a fail-safe option you may consider restarting the server. |
+| High Memory Consumption Detected | The percentage of memory consumption of the server is beyond the recommended threshold on this server. | Inspect the top processes consuming the highest memory on the server. You may use the Task Manager or execute the following PowerShell Command:<br> <i>get-process \| Sort-Object -Descending WS \| Select-Object -First 10</i> </br> If there are unexpected processes consuming high memory, stop the processes using the following PowerShell command:<br><i>stop-process -ProcessName [name of the process] </i></li><li> If the processes seen in the above list are the intended processes running on the server, consider re-evaluating the deployment requirements of this server.</li><li>As a failsafe option, you may consider restarting the server. |
+| Password Hash Synchronization has stopped working | Password Hash Synchronization has stopped. As a result passwords won't be synchronized with Microsoft Entra ID. | Restart Microsoft Entra Sync
| Export to Microsoft Entra ID was Stopped. Accidental delete threshold was reached | The export operation to Microsoft Entra ID has failed. There were more objects to be deleted than the configured threshold. As a result, no objects were exported. | <li> The number of objects are marked for deletion are greater than the set threshold. Ensure this outcome is desired.</li> <li> To allow the export to continue, perform the following steps: <ol type="a"> <li>Disable Threshold by running Disable-ADSyncExportDeletionThreshold</li> <li>Start Synchronization Service Manager</li> <li>Run Export on Connector with type = Microsoft Entra ID</li> <li>After successfully exporting the objects, enable Threshold by running: Enable-ADSyncExportDeletionThreshold</li> </ol> </li> | ## Alerts for Active Directory Federation Services
Microsoft Entra Connect Health alerts get resolved on a success condition. Micro
|Test Authentication Request (Synthetic Transaction) failed to obtain a token | The test authentication requests (Synthetic Transactions) initiated from this server has failed to obtain a token after 5 retries. This may be caused due to transient network issues, AD DS Domain Controller availability or a mis-configured AD FS server. As a result, authentication requests processed by the federation service may fail. The agent uses the Local Computer Account context to obtain a token from the Federation Service. | Ensure that the following steps are taken to validate the health of the server.<ol><li>Validate that there are no additional unresolved alerts for this or other AD FS servers in your farm.</li><li>Validate that this condition isn't a transient failure by logging on with a test user from the AD FS login page available at https://{your_adfs_server_name}/adfs/ls/idpinitiatedsignon.aspx</li><li>Go to <a href="https://testconnectivity.microsoft.com">https://testconnectivity.microsoft.com</a> and choose the ΓÇÿOffice 365ΓÇÖ tab. Perform the ΓÇÿOffice 365 single sign-on TestΓÇÖ.</li><li>Verify if your AD FS service name can be resolved from this server by executing the following command from a command prompt on this server. nslookup your_adfs_server_name</li></ol><p>If the service name can't be resolved, refer to the FAQ section for instructions of adding a HOST file entry of your AD FS service with the IP address of this server. This will allow the synthetic transaction module running on this server to request a token</p> | | The proxy server can't reach the federation server | This AD FS proxy server is unable to contact the AD FS service. As a result, authentication requests processed by this server will fail. | Perform the following steps to validate the connectivity between this server and the AD FS service. <ol><li> Ensure that the firewall between this server and the AD FS service is configured accurately. </li><li> Ensure that DNS resolution for the AD FS service name appropriately points to the AD FS service that resides within the corporate network. This can be achieved through a DNS server that serves this server in the perimeter network or through entries in the HOSTS files for the AD FS service name. </li><li> Validate the network connectivity by opening up the browser on this server and accessing the federation metadata endpoint, which is at `https://<your-adfs-service-name>/federationmetadata/2007-06/federationmetadata.xml` </li> | | The SSL Certificate is about to expire | The TLS/SSL certificate used by the Federation servers is about to expire within 90 days. Once expired, any requests that require a valid TLS connection will fail. For example, for Microsoft 365 customers, mail clients won't be able to authenticate. | Update the TLS/SSL certificate on each AD FS server.<ol><li>Obtain the TLS/SSL certificate with the following requirements.<ol type="a"><li>Enhanced Key Usage is at least Server Authentication. </li><li>Certificate Subject or Subject Alternative Name (SAN) contains the DNS name of the Federation Service or appropriate wild card. For example: sso.contoso.com or *.contoso.com</li></ol></li><li>Install the new TLS/SSL certificate on each server in the local machine certificate store.</li><li>Ensure that the AD FS Service Account has read access to the certificate's Private Key</li></ol></p><p><b>For AD FS 2.0 in Windows Server 2008R2:</b><ul><li>Bind the new TLS/SSL certificate to the web site in IIS, which hosts the Federation Service. Note that you must perform this step on each Federation Server and Federation Server proxy.</li></ul></p><p><b>For AD FS in Windows Server 2012 R2 and later versions:</b> <li> Refer to <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li> |
-| AD FS service isn't running on the server | Active Directory Federation Service (Windows Service) isn't running on this server. Any requests targeted to this server will fail. | To start the Active Directory Federation Service (Windows Service):<ol><li>Log on to the server as an administrator.</li><li> Open services.msc</li><li>Find "Active Directory Federation Services". </li><li>Right-click and select "Start". |
+| AD FS service isn't running on the server | Active Directory Federation Service (Windows Service) isn't running on this server. Any requests targeted to this server will fail. | To start the Active Directory Federation Service (Windows Service):<ol><li>Log on to the server as an administrator.</li><li> Open services.msc</li><li>Find "Active Directory Federation Services" </li><li>Right-click and select "Start" |
| DNS for the Federation Service may be misconfigured | The DNS server could be configured to use a CNAME record for the AD FS farm name. It is recommended to use A or AAAA record for AD FS in order for the Windows Integrated Authentication to work seamlessly within your corporate network. | Ensure that the DNS record type of the AD FS farm `<Farm Name>` isn't CNAME. Configure it to be an A or AAAA record. |
-| AD FS Auditing is disabled | AD FS Auditing is disabled for the server. AD FS Usage section on the portal won't include data from this server. | If AD FS Audits aren't enabled follow these instructions:<ol><li>Grant the AD FS service account the "Generate security audits" right on the AD FS server.<li>Open the local security policy on the server gpedit.msc.</li><li>Navigate to "Computer Configuration\Windows Settings\Local Policies\User Rights Assignment" </li><li>Add the AD FS Service Account to have the "Generate security audits" right.</li></li><li>Run the following command from the command prompt:<br><i>auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable </i></li><li>Update Federation Service Properties to include Success and Failure Audits.<li>In the AD FS console, choose "Edit Federation Service Properties".</li><li>From "Federation Service Properties" dialogue box choose the Events tab and select "Success Audits" and "Failure Audits".</li></li></ol></p><p>After following these steps, AD FS Audit Events should be visible from the Event Viewer. To verify:<ol><li>Go to Event Viewer/ Windows Logs /Security.</li><li>Select Filter Current Logs and select AD FS Auditing from the Event sources drop down. For an active AD FS server with AD FS auditing enabled, events should be visible for the above filtering.</li></ol></p><p>If you've followed these instructions before, but still seeing this alert, it is possible that a Group Policy Object is disabling AD FS auditing. The root cause can be one of the following:<ol><li>AD FS service account is being removed from having the right to Generate Security Audits.</li><li>A custom script in Group Policy Object is disabling success and failure audits based on "Application Generated".</li><li>AD FS configuration isn't enabled to generate Success/Failure audits. |
+| AD FS Auditing is disabled | AD FS Auditing is disabled for the server. AD FS Usage section on the portal won't include data from this server. | If AD FS Audits aren't enabled, follow these instructions:<ol><li>Grant the AD FS service account the "Generate security audits" right on the AD FS server.<li>Open the local security policy on the server gpedit.msc.</li><li>Navigate to "Computer Configuration\Windows Settings\Local Policies\User Rights Assignment" </li><li>Add the AD FS Service Account to have the "Generate security audits" right.</li></li><li>Run the following command from the command prompt:<br><i>auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable </i></li><li>Update Federation Service Properties to include Success and Failure Audits.<li>In the AD FS console, choose "Edit Federation Service Properties"</li><li>From "Federation Service Properties" dialogue box choose the Events tab and select "Success Audits" and "Failure Audits"</li></li></ol></p><p>After following these steps, AD FS Audit Events should be visible from the Event Viewer. To verify:<ol><li>Go to Event Viewer/ Windows Logs /Security.</li><li>Select Filter Current Logs and select AD FS Auditing from the Event sources drop down. For an active AD FS server with AD FS auditing enabled, events should be visible for the above filtering.</li></ol></p><p>If you've followed these instructions before, but still seeing this alert, it is possible that a Group Policy Object is disabling AD FS auditing. The root cause can be one of the following:<ol><li>AD FS service account is being removed from having the right to Generate Security Audits.</li><li>A custom script in Group Policy Object is disabling success and failure audits based on "Application Generated".</li><li>AD FS configuration isn't enabled to generate Success/Failure audits. |
| AD FS SSL certificate is self-signed | You are currently using a self-signed certificate as the TLS/SSL certificate in your AD FS farm. As a result, mail client authentication for Microsoft 365 will fail | <p> Update the TLS/SSL certificate on each AD FS server. </p> <ol><li>Obtain a publicly trusted TLS/SSL certificate with the following requirements. </li><li>Certificate installation file contains its private key. </li> <li>Enhanced Key Usage is at least Server Authentication. </li> <li>Certificate Subject or Subject Alternative Name (SAN) contains the DNS name of the Federation Service or appropriate wild card. For example: sso.contoso.com or *.contoso.com </li></ol> <p>Install the new TLS/SSL certificate on each server in the local machine certificate store. </p> <ol>Ensure that the AD FS Service Account has read access to the certificate's Private Key. <br /> <b>For AD FS 2.0 in Windows Server 2008R2: </b> <li>Bind the new TLS/SSL certificate to the web site in IIS, which hosts the Federation Service. Note that you must perform this step on each Federation Server and Federation Server proxy. </li> <br /><b>For AD FS in Windows Server 2012 R2 or later versions: </b> <li> Refer to <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li> </ol> | | The trust between the proxy server and federation server isn't valid | The trust between the federation server proxy and the Federation Service couldn't be established or renewed. | Update the Proxy Trust Certificate on the proxy server. Re-Run the Proxy Configuration Wizard. | | Extranet Lockout Protection Disabled for AD FS | The Extranet Lockout Protection feature is DISABLED on your AD FS farm. This feature protects your users from brute force password attacks from the internet and prevents denial of service attacks against your users when AD DS account lockout policies are in effect. With this feature enabled, if the number of failed extranet login attempts for a user (login attempts made via WAP server and AD FS) exceed the 'ExtranetLockoutThreshold' then AD FS servers will stop processing further login attempts for ΓÇÿExtranetObservationWindow' We highly recommend you enable this feature on your AD FS servers. | Run the following command to enable AD FS Extranet Lockout Protection with default values.<br><i>Set-AdfsProperties -EnableExtranetLockout $true</i><br><br>If you've AD lockout policies configured for your users, ensure that the <i>'ExtranetLockoutThreshold'</i> property is set to a value below your AD DS lockout threshold. This ensures that requests that have exceeded the threshold for AD FS are dropped and never validated against your AD DS servers. | | Invalid Service Principal Name (SPN) for the AD FS service account | The Service Principal Name of the Federation Service account isn't registered or isn't unique. As a result, Windows Integrated Authentication from domain-joined clients may not be seamless. | Use [<b>SETSPN -L ServiceAccountName</b>] to list the Service Principals.<br>Use [<b>SETSPN -X</b>] to check for duplicate Service Principal Names.</p><p>If SPN is duplicated for the AD FS service account, remove the SPN from the duplicated account using [<b>SETSPN -d service/namehostname</b>]</p><p>If SPN isn't set, use [<b>SETSPN -s {Desired-SPN} {domain_name}\{service_account}</b>] to set the desired SPN for the Federation Service Account. |
-| The Primary AD FS Token Decrypting certificate is about to expire | The Primary AD FS Token Decrypting certificate is about to expire in less than 90 days. AD FS can't decrypt tokens from trusted claims providers. AD FS can't decrypt encrypted SSO cookies. The end users won't be able to authenticate to access resources. | If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate.</p><p>If you manage your certificate manually, please follow the below instructions. <b>Obtain a new Token Decrypting Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Key Encipherment".</li><li>Subject or Subject Alternative Name (SAN) do not have any restrictions.</li><li>Note that your Federation Servers and Claims Provider partners need to be able to chain to a trusted root certification authority when validating your Token-Decrypting certificate.</li></ol><b>Decide how your Claims Provider partners will trust the new Token-Decrypting certificate</b><ol type="a"><li>Ask partners to pull the Federation Metadata after updating the certificate.</li><li>Share the public key of the new certificate. (.cer file) with the partners. On the Claims Provider partner's AD FS server, launch AD FS Management from the Administrative Tools menu. Under Trust Relationships/Relying Party Trusts, select the trust that was created for you. Under Properties/Encryption click "Browse" to select the new Token-Decrypting certificate and click OK.</li></ol><b>Install the certificate in the local certificate store on each of your Federation Server.</b><ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul><b>Ensure that the federation service account has access to the new certificate's private key.</b> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Decrypting Certificate</li><li>You'll be presented with a list of certificates that are valid for Token-Decrypting. If you find that your new certificate isn't being presented in the list, you need to go back and make sure that the certificate is in the local computer personal store with a private key associated and the certificate has the Key Encipherment as Extended Key Usage.</li><li>Select your new Token-Decrypting certificate and click OK.</li></ol><b>Set the new Token-Decrypting Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Decrypting: existing and the new certificate.</li><li>Select your new Token-Decrypting certificate, right-click, and select Set as primary.</li><li>Leave the old certificate as secondary for roll-over purposes. You should plan to remove the old certificate once you're confident it is no longer needed for roll-over, or when the certificate has expired. </li></ol> |
-| The Primary AD FS Token Signing certificate is about to expire | The AD FS token signing certificate is about to expire within 90 days. AD FS can't issue signed tokens when this certificate isn't valid. | <b>Obtain a new Token Signing Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature". </li><li>Subject or Subject Alternative Name (SAN) doesn't have any restrictions. </li><li>Note that your Federation Servers, your Resource Partner Federation Servers and Relying Party Application servers need to be able to chain to a trusted root certificate authority when validating your Token-Signing certificate.</li></ol><b>Install the certificate in the local certificate store on each Federation Server.</b> <ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul></li><b>Ensure that the Federation Service Account has access to the new certificate's private key.</b> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu.</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Signing Certificate...</li><li>You'll be presented with a list of certificates that are valid for Token-Signing. If you find that your new certificate isn't being presented in the list, you need to go back and make sure that the certificate is in the local computer Personal store with private key associated and the certificate has the Digital Signature KU.</li><li>Select your new Token-Signing certificate and click OK</li></ol><b>Inform all the Relying Parties about the change in Token Signing Certificate.</b><ol type="a"><li>Relying Parties that consume AD FS federation metadata, must pull the new Federation Metadata to start using the new certificate.</li><li>Relying Parties that do NOT consume AD FS federation metadata must manually update the public key of the new Token Signing Certificate. Share the .cer file with the Relying Parties.</li></a><b>Set the new Token-Signing Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Signing: existing and the new certificate.</li><li>Select your new Token-Signing certificate, right-click, and select Set as <b>primary</b></li><li>Leave the old certificate as secondary for rollover purposes. You should plan to remove the old certificate once you're confident it is no longer needed for rollover, or when the certificate has expired. Note that current users' SSO sessions are signed. Current AD FS Proxy Trust relationships utilize tokens that are signed and encrypted using the old certificate. </li></ol> |
+| The Primary AD FS Token Decrypting certificate is about to expire | The Primary AD FS Token Decrypting certificate is about to expire in less than 90 days. AD FS can't decrypt tokens from trusted claims providers. AD FS can't decrypt encrypted SSO cookies. The end users won't be able to authenticate to access resources. | If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate.</p><p>If you manage your certificate manually, follow the below instructions. <b>Obtain a new Token Decrypting Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Key Encipherment"</li><li>Subject or Subject Alternative Name (SAN) do not have any restrictions.</li><li>Note that your Federation Servers and Claims Provider partners need to be able to chain to a trusted root certification authority when validating your Token-Decrypting certificate.</li></ol><b>Decide how your Claims Provider partners will trust the new Token-Decrypting certificate</b><ol type="a"><li>Ask partners to pull the Federation Metadata after updating the certificate.</li><li>Share the public key of the new certificate. (.cer file) with the partners. On the Claims Provider partner's AD FS server, launch AD FS Management from the Administrative Tools menu. Under Trust Relationships/Relying Party Trusts, select the trust that was created for you. Under Properties/Encryption click "Browse" to select the new Token-Decrypting certificate and click OK.</li></ol><b>Install the certificate in the local certificate store on each of your Federation Server.</b><ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul><b>Ensure that the federation service account has access to the new certificate's private key.</b> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Decrypting Certificate</li><li>You'll be presented with a list of certificates that are valid for Token-Decrypting. If you find that your new certificate isn't being presented in the list, you need to go back and make sure that the certificate is in the local computer personal store with a private key associated and the certificate has the Key Encipherment as Extended Key Usage.</li><li>Select your new Token-Decrypting certificate and click OK.</li></ol><b>Set the new Token-Decrypting Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Decrypting: existing and the new certificate.</li><li>Select your new Token-Decrypting certificate, right-click, and select Set as primary.</li><li>Leave the old certificate as secondary for roll-over purposes. You should plan to remove the old certificate once you're confident it is no longer needed for roll-over, or when the certificate has expired. </li></ol> |
+| The Primary AD FS Token Signing certificate is about to expire | The AD FS token signing certificate is about to expire within 90 days. AD FS can't issue signed tokens when this certificate isn't valid. | <b>Obtain a new Token Signing Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature" </li><li>Subject or Subject Alternative Name (SAN) doesn't have any restrictions. </li><li>Note that your Federation Servers, your Resource Partner Federation Servers and Relying Party Application servers need to be able to chain to a trusted root certificate authority when validating your Token-Signing certificate.</li></ol><b>Install the certificate in the local certificate store on each Federation Server.</b> <ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul></li><b>Ensure that the Federation Service Account has access to the new certificate's private key.</b> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu.</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Signing Certificate...</li><li>You'll be presented with a list of certificates that are valid for Token-Signing. If you find that your new certificate isn't being presented in the list, you need to go back and make sure that the certificate is in the local computer Personal store with private key associated and the certificate has the Digital Signature KU.</li><li>Select your new Token-Signing certificate and click OK</li></ol><b>Inform all the Relying Parties about the change in Token Signing Certificate.</b><ol type="a"><li>Relying Parties that consume AD FS federation metadata, must pull the new Federation Metadata to start using the new certificate.</li><li>Relying Parties that do NOT consume AD FS federation metadata must manually update the public key of the new Token Signing Certificate. Share the .cer file with the Relying Parties.</li></a><b>Set the new Token-Signing Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Signing: existing and the new certificate.</li><li>Select your new Token-Signing certificate, right-click, and select Set as <b>primary</b></li><li>Leave the old certificate as secondary for rollover purposes. You should plan to remove the old certificate once you're confident it is no longer needed for rollover, or when the certificate has expired. Note that current users' SSO sessions are signed. Current AD FS Proxy Trust relationships utilize tokens that are signed and encrypted using the old certificate. </li></ol> |
| AD FS SSL certificate isn't found in the local certificate store | The certificate with the thumbprint that is configured as the TLS/SSL certificate in the AD FS database was not found in the local certificate store. As a result, any authentication request over the TLS will fail. For example mail client authentication for Microsoft 365 will fail. | Install the certificate with the configured thumbprint in the local certificate store. | | The SSL Certificate expired | The TLS/SSL certificate for the AD FS service has expired. As a result, any authentication requests that require a valid TLS connection will fail. For example: mail client authentication won't be able to authenticate for Microsoft 365. | Update the TLS/SSL certificate on each AD FS server.<ol><li>Obtain the TLS/SSL certificate with the following requirements.<li>Enhanced Key Usage is at least Server Authentication. </li><li>Certificate Subject or Subject Alternative Name (SAN) contains the DNS name of the Federation Service or appropriate wild card. For example: sso.contoso.com or *.contoso.com</li></li><li>Install the new TLS/SSL certificate on each server in the local machine certificate store.</li><li>Ensure that the AD FS Service Account has read access to the certificate's Private Key</li></ol></p><p><b>For AD FS 2.0 in Windows Server 2008R2:</b><ul><li>Bind the new TLS/SSL certificate to the web site in IIS, which hosts the Federation Service. Note that you must perform this step on each Federation Server and Federation Server proxy.</li></ul></p><p><b>For AD FS in Windows Server 2012 R2 or later versions:</b> Refer to: <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li> | | The Required end points for Microsoft Entra ID (for Microsoft 365) aren't enabled | The following set of end points required by the Exchange Online Services, Microsoft Entra ID, and Microsoft 365 aren't enabled for the federation service: <li>/adfs/services/trust/2005/usernamemixed</li><li>/adfs/ls/</li> | Enable the required end points for the Microsoft Cloud Services on your federation service.<br>For AD FS in Windows Server 2012R2 or later versions <li> Refer to: <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li></p> | | The Federation server was unable to connect to the AD FS Configuration Database | The AD FS service account is experiencing issues while connecting to the AD FS configuration database. As a result, the AD FS service on this computer may not function as expected. | <li> Ensure that the AD FS service account has access to the configuration database. </li><li>Ensure that the AD FS Configuration Database service is available and reachable. </li> | | Required SSL bindings are missing or not configured | The TLS bindings required for this federation server to successfully perform authentication are misconfigured. As a result, AD FS can't process any incoming requests. | For Windows Server 2012 R2</b><br>Open an elevated admin command prompt and execute the following commands: <ol> <li> To view the current TLS binding:<i> Get-AdfsSslCertificate </i> <li> To add new bindings: <i> netsh http add sslcert hostnameport=\<federation service name>:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899-AABBCCDDEEFF} certstorename=MY </i> |
-| The Primary AD FS Token Signing certificate has expired | The AD FS Token Signing certificate has expired. AD FS can't issue signed tokens when this certificate isn't valid. | If Auto-certificate rollover is enabled, AD FS will manage updating the Token Signing Certificate.</p><p>If you manage your certificate manually, follow the below instructions. <ol><li><b>Obtain a new Token Signing Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature". </li><li>Subject or Subject Alternative Name (SAN) doesn't have any restrictions. </li><li>Remember that your Federation Servers, your Resource Partner Federation Servers and Relying Party Application servers need to be able to chain to a trusted root certificate authority when validating your Token-Signing certificate.</li></ol></li><li><b>Install the certificate in the local certificate store on each Federation Server.</b> <ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul></li><li><b>Ensure that the Federation Service Account has access to the new certificate's private key.</b></li><li> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu.</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Signing Certificate...</li><li>You'll be presented with a list of certificates that are valid for Token-Signing. If you find that your new certificate isn't being presented in the list, you need to go back and make sure that the certificate is in the local computer Personal store with private key associated and the certificate has the Digital Signature KU.</li><li>Select your new Token-Signing certificate and click OK</li></ol></li><li><b>Inform all the Relying Parties about the change in Token Signing Certificate.</b><ol type="a"><li>Relying Parties that consume AD FS federation metadata, must pull the new Federation Metadata to start using the new certificate.</li><li>Relying Parties that do NOT consume AD FS federation metadata must manually update the public key of the new Token Signing Certificate. Share the .cer file with the Relying Parties.</li></ol></li><li><b>Set the new Token-Signing Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Signing: existing and the new certificate.</li><li>Select your new Token-Signing certificate, right-click, and select Set as <b>primary</b></li><li>Leave the old certificate as secondary for rollover purposes. You should plan to remove the old certificate once you're confident it is no longer needed for rollover, or when the certificate has expired. Remember that current users' SSO sessions are signed. Current AD FS Proxy Trust relationships utilize tokens that are signed and encrypted using the old certificate. </li></ol></li>|
-| Proxy server is dropping requests for congestion control | This proxy server is currently dropping requests from the extranet due to a higher than normal latency between this proxy server and the federation server. As a result, certain portion of the authentication requests processed by the AD FS Proxy server can fail. | <li>Verify if the network latency between the Federation Proxy Server and the Federation Servers falls within the acceptable range. Refer to the Monitoring Section for trending values of the "Token Request Latency". A latency greater than [1500 ms] should be considered as high latency. If high latency is observed, ensure the network between AD FS and AD FS Proxy servers doesn't have any connectivity issues.</li><li>Ensure Federation Servers aren't overloaded with authentication requests. Monitoring Section provides trending views for Token Requests per second, CPU utilization and Memory consumption.</li><li>If the above items have been verified and this issue is still seen, adjust the congestion avoidance setting on each of the Federation Proxy Servers as per the guidance from the related links. |
+| The Primary AD FS Token Signing certificate has expired | The AD FS Token Signing certificate has expired. AD FS can't issue signed tokens when this certificate isn't valid. | If Auto-certificate rollover is enabled, AD FS will manage updating the Token Signing Certificate.</p><p>If you manage your certificate manually, follow the below instructions. <ol><li><b>Obtain a new Token Signing Certificate.</b><ol type="a"><li>Ensure that the Enhanced Key Usage (EKU) includes "Digital Signature" </li><li>Subject or Subject Alternative Name (SAN) doesn't have any restrictions. </li><li>Remember that your Federation Servers, your Resource Partner Federation Servers and Relying Party Application servers need to be able to chain to a trusted root certificate authority when validating your Token-Signing certificate.</li></ol></li><li><b>Install the certificate in the local certificate store on each Federation Server.</b> <ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul></li><li><b>Ensure that the Federation Service Account has access to the new certificate's private key.</b></li><li> <b>Add the new certificate to AD FS.</b><ol type="a"><li>Launch AD FS Management from the Administrative Tools menu.</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Signing Certificate...</li><li>You'll be presented with a list of certificates that are valid for Token-Signing. If you find that your new certificate isn't being presented in the list, you need to go back and make sure that the certificate is in the local computer Personal store with private key associated and the certificate has the Digital Signature KU.</li><li>Select your new Token-Signing certificate and click OK</li></ol></li><li><b>Inform all the Relying Parties about the change in Token Signing Certificate.</b><ol type="a"><li>Relying Parties that consume AD FS federation metadata, must pull the new Federation Metadata to start using the new certificate.</li><li>Relying Parties that do NOT consume AD FS federation metadata must manually update the public key of the new Token Signing Certificate. Share the .cer file with the Relying Parties.</li></ol></li><li><b>Set the new Token-Signing Certificate as Primary.</b><ol type="a"><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Signing: existing and the new certificate.</li><li>Select your new Token-Signing certificate, right-click, and select Set as <b>primary</b></li><li>Leave the old certificate as secondary for rollover purposes. You should plan to remove the old certificate once you're confident it is no longer needed for rollover, or when the certificate has expired. Remember that current users' SSO sessions are signed. Current AD FS Proxy Trust relationships utilize tokens that are signed and encrypted using the old certificate. </li></ol></li>|
+| Proxy server is dropping requests for congestion control | This proxy server is currently dropping requests from the extranet due to a higher than normal latency between this proxy server and the federation server. As a result, certain portion of the authentication requests processed by the AD FS Proxy server can fail. | <li>Verify if the network latency between the Federation Proxy Server and the Federation Servers falls within the acceptable range. Refer to the Monitoring Section for trending values of the "Token Request Latency." A latency greater than [1500 ms] should be considered as high latency. If high latency is observed, ensure the network between AD FS and AD FS Proxy servers doesn't have any connectivity issues.</li><li>Ensure Federation Servers aren't overloaded with authentication requests. Monitoring Section provides trending views for Token Requests per second, CPU utilization and Memory consumption.</li><li>If the above items have been verified and this issue is still seen, adjust the congestion avoidance setting on each of the Federation Proxy Servers as per the guidance from the related links. |
| The AD FS service account is denied access to one of the certificate's private key. | The AD FS service account doesn't have access to the private key of one of the AD FS certificates on this computer. | Ensure that the AD FS service account is provided access to the TLS, token signing, and token decryption certificates stored in the local computer certificate store.<ol> <li> From Command Line type MMC.</li><li>Go to File->Add/Remove Snap-In</li><li> Select Certificates and click Add. -> Select Computer Account and click Next. -> Select Local Computer and click Finish. Click OK. </li></ol> <br>Open Certificates(Local Computer)/Personal/Certificates.For all the certificates that are used by AD FS:<ol><li>Right-click the certificate.</li><li>Select All Tasks -> Manage Private Keys.</li><li>On the Security Tab under Group or user names ensure that the AD FS service account is present. If not select Add and add the AD FS service account.</li><li>Select the AD FS service account and under "Permissions for \<AD FS Service Account Name>" make sure Read permission is allowed (check mark). |
-| The AD FS SSL certificate doesn't have a private key | AD FS TLS/SSL certificate was installed without a private key. As a result any authentication request over the SSL will fail. For example, mail client authentication for Microsoft 365 will fail. | Update the TLS/SSL certificate on each AD FS server.<ol><li>Obtain a publicly trusted TLS/SSL certificate with the following requirements.<ol type="a"><li>Certificate installation file contains its private key.</li><li>Enhanced Key Usage is at least Server Authentication. </li><li>Certificate Subject or Subject Alternative Name (SAN) contains the DNS name of the Federation Service or appropriate wild card. For example: sso.contoso.com or *.contoso.com</li></ol></li><li>Install the new TLS/SSL certificate on each server in the local machine certificate store.</li><li>Ensure that the AD FS Service Account has read access to the certificate's Private Key</li></ol></p><p><b>For AD FS 2.0 in Windows Server 2008R2:</b><ul><li>Bind the new TLS/SSL certificate to the web site in IIS which hosts the Federation Service. Note that you must perform this step on each Federation Server and Federation Server proxy.</li></ul></p><p><b>For AD FS in Windows Server 2012 R2 or later versions:</b> <li> Refer to: <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li> |
+| The AD FS SSL certificate doesn't have a private key | AD FS TLS/SSL certificate was installed without a private key. As a result any authentication request over the SSL will fail. For example, mail client authentication for Microsoft 365 will fail. | Update the TLS/SSL certificate on each AD FS server.<ol><li>Obtain a publicly trusted TLS/SSL certificate with the following requirements.<ol type="a"><li>Certificate installation file contains its private key.</li><li>Enhanced Key Usage is at least Server Authentication. </li><li>Certificate Subject or Subject Alternative Name (SAN) contains the DNS name of the Federation Service or appropriate wild card. For example: sso.contoso.com or *.contoso.com</li></ol></li><li>Install the new TLS/SSL certificate on each server in the local machine certificate store.</li><li>Ensure that the AD FS Service Account has read access to the certificate's Private Key</li></ol></p><p><b>For AD FS 2.0 in Windows Server 2008R2:</b><ul><li>Bind the new TLS/SSL certificate to the web site in IIS, which hosts the Federation Service. Note that you must perform this step on each Federation Server and Federation Server proxy.</li></ul></p><p><b>For AD FS in Windows Server 2012 R2 or later versions:</b> <li> Refer to: <a href="/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap">Managing SSL Certificates in AD FS and WAP </a> </li> |
| The Primary AD FS Token Decrypting certificate has expired | The Primary AD FS Token Decrypting certificate has expired. AD FS can't decrypt tokens from trusted claims providers. AD FS can't decrypt encrypted SSO cookies. The end users won't be able to authenticate to access resources. | <p>If Auto-certificate roll-over is enabled, AD FS manages the Token Decrypting Certificate.</p><p>If you manage your certificate manually, follow the below instructions.<ol><li><b>Obtain a new Token Decrypting Certificate.</b><ul><li>Ensure that the Enhanced Key Usage (EKU) includes "Key Encipherment".</li><li>Subject or Subject Alternative Name (SAN) do not have any restrictions.</li><li>Note that your Federation Servers and Claims Provider partners need to be able to chain to a trusted root certification authority when validating your Token-Decrypting certificate.</li></ul></li><li><b>Decide how your Claims Provider partners will trust the new Token-Decrypting certificate</b><ul><li>Ask partners to pull the Federation Metadata after updating the certificate.</li><li>Share the public key of the new certificate. (.cer file) with the partners. On the Claims Provider partner's AD FS server, launch AD FS Management from the Administrative Tools menu. Under Trust Relationships/Relying Party Trusts, select the trust that was created for you. Under Properties/Encryption click "Browse" to select the new Token-Decrypting certificate and click OK.</li></ul></li><li><b>Install the certificate in the local certificate store on each of your Federation Server.</b><ul><li>Ensure that the certificate installation file has the Private Key of the certificate on each server.</li></ul></li><li><b>Ensure that the federation service account has access to the new certificate's private key.</b></li><li><b>Add the new certificate to AD FS.</b><ul><li>Launch AD FS Management from the Administrative Tools menu</li><li>Expand Service and select Certificates</li><li>In the Actions pane, click Add Token-Decrypting Certificate</li><li>You'll be presented with a list of certificates that are valid for Token-Decrypting. If you find that your new certificate isn't being presented in the list, you need to go back and make sure that the certificate is in the local computer personal store with a private key associated and the certificate has the Key Encipherment as Extended Key Usage.</li><li>Select your new Token-Decrypting certificate and click OK.</li></ul></li><li><b>Set the new Token-Decrypting Certificate as Primary.</b><ul><li>With the Certificates node in AD FS Management selected, you should now see two certificates listed under Token-Decrypting: existing and the new certificate.</li><li>Select your new Token-Decrypting certificate, right-click, and select Set as primary.</li><li>Leave the old certificate as secondary for roll-over purposes. You should plan to remove the old certificate once you're confident it is no longer needed for roll-over, or when the certificate has expired. </li></ul></li> | ## Alerts for Active Directory Domain Services
Microsoft Entra Connect Health alerts get resolved on a success condition. Micro
| ADWS service isn't running | If Active Directory Web Services service is stopped or disabled, client applications, such as Active Directory PowerShell, won't be able to access or manage any directory service instances that are running locally on this server. | Run '<b>net start adws</b>' on the affected Domain Controller | | Root PDC isn't Syncing from NTP Server | If you do not configure the PDC to synchronize time from an external or internal time source, the PDC emulator uses its internal clock and is itself the reliable time source for the forest. If time isn't accurate on the PDC itself, all computers will have incorrect time settings. | On the affected Domain Controller, open a command prompt. Stop the Time service: net stop w32time</li> <li>Configure the external time source: <br> <i>w32tm \/config \/manualpeerlist: time.windows.com \/syncfromflags:manual \/reliable:yes </i></br><br>Note: Replace time.windows.com with the address of your desired external time source. Start the Time service: <br> <i>net start w32time </i></br> | | Domain controller is quarantined | This Domain Controller isn't connected to any of the other working Domain Controllers. This may be caused due to improper configuration. As a result, this DC isn't being used and won't replicate from/to anyone. | Enable inbound and outbound replication: Run '<b>repadmin /options ServerName -DISABLE_INBOUND_REPL</b>' on the affected Domain Controller. Run '<b>repadmin /options ServerName -DISABLE_OUTBOUND_REPL</b>' on the affected Domain Controller. Create a new replication connection to another Domain Controller:<ol type="1"><li>Open Active Directory Sites and
-| Outbound Replication is Disabled | DCs with disabled Outbound Replication, won't be able to distribute any changes originating within itself. | To enable outbound replication on the affected Domain Controller, follow these steps: Click Start, click Run, type cmd and then click OK. Type the following text, and then press ENTER:<br><i>repadmin /options -DISABLE_OUTBOUND_REPL </i> |
-| Inbound Replication is Disabled | DCs with disabled Inbound Replication, won't have the latest information. This condition can lead to logon failures. | To enable inbound replication on the affected Domain Controller, follow these steps: Click Start, click Run, type cmd and then click OK. Type the following text, and then press ENTER:<br><i>repadmin /options -DISABLE_INBOUND_REPL</i> </br> |
+| Outbound Replication is Disabled | DCs with disabled Outbound Replication won't be able to distribute any changes originating within itself. | To enable outbound replication on the affected Domain Controller, follow these steps: Click Start, click Run, type cmd and then click OK. Type the following text, and then press ENTER:<br><i>repadmin /options -DISABLE_OUTBOUND_REPL </i> |
+| Inbound Replication is Disabled | DCs with disabled Inbound Replication won't have the latest information. This condition can lead to logon failures. | To enable inbound replication on the affected Domain Controller, follow these steps: Click Start, click Run, type cmd and then click OK. Type the following text, and then press ENTER:<br><i>repadmin /options -DISABLE_INBOUND_REPL</i> </br> |
| LanmanServer service isn't running | If this service is disabled, any services that explicitly depend on it will fail to start. | Run '<b>net start LanManServer</b>' on the affected Domain Controller. | | Kerberos Key Distribution Center service isn't running | If KDC Service is stopped, users won't be able to authentication through this DC using the Kerberos v5 authentication protocol. | Run '<b>net start kdc</b>' on the affected Domain Controller. | | DNS service isn't running | If DNS Service is stopped, computers and users using that server for DNS purposes will fail to find resources. | Run '<b>net start dns</b>' on the affected Domain Controller. |
active-directory How To Connect Health Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-operations.md
Microsoft Entra Connect Health for Active Directory Federation Services (AD FS)
3. Confirm by typing the server name in the confirmation box. 4. Click **Delete**.
-Microsoft Entra Connect Health for Microsoft Entra Domain
+Microsoft Entra Connect Health for AD Domain
1. Open the **Domain Controllers** dashboard. 2. Select the domain controller to be removed.
active-directory How To Connect Install Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-custom.md
On a computer that has Group Policy management tools:
1. Open the Group Policy management tools. 2. Edit the group policy that will be applied to all users. For example, the Default Domain policy. 3. Go to **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Security Page**. Then select **Site to Zone Assignment List**.
-4. Enable the policy. Then, in the dialog box, enter a value name of `https://autologon.microsoftazuread-sso.com` and value of `1`. Your setup should look like the following image.
+4. Enable the policy. Then, in the dialog box, enter a value name of `https://autologon.microsoftazuread-sso.com`and `https://aadg.windows.net.nsatc.net` with a value of `1` for both URLs. Your setup should look like the following image.
![Screenshot showing intranet zones.](./media/how-to-connect-install-custom/sitezone.png)
active-directory How To Connect Install Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-prerequisites.md
To read more about securing your Active Directory environment, see [Best practic
### Harden your Microsoft Entra Connect server We recommend that you harden your Microsoft Entra Connect server to decrease the security attack surface for this critical component of your IT environment. Following these recommendations will help to mitigate some security risks to your organization. -- We recommend hardening the Microsoft Entra Connect server as a Control Plane (formerly Tier 0) asset by following the guidance provided in [Secure Privileged Access](/security/compass/overview) and [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material).
+- We recommend hardening the Microsoft Entra Connect server as a Control Plane (formerly Tier 0) asset by following the guidance provided in [Secure Privileged Access](/security/privileged-access-workstations/overview) and [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material).
- Restrict administrative access to the Microsoft Entra Connect server to only domain administrators or other tightly controlled security groups. - Create a [dedicated account for all personnel with privileged access](/windows-server/identity/securing-privileged-access/securing-privileged-access). Administrators shouldn't be browsing the web, checking their email, and doing day-to-day productivity tasks with highly privileged accounts.-- Follow the guidance provided in [Securing privileged access](/windows-server/identity/securing-privileged-access/securing-privileged-access).
+- Follow the guidance provided in [Securing privileged access](/security/privileged-access-workstations/overview).
- Deny use of NTLM authentication with the AADConnect server. Here are some ways to do this: [Restricting NTLM on the AADConnect Server](/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers) and [Restricting NTLM on a domain](/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain)-- Ensure every machine has a unique local administrator password. For more information, see [Local Administrator Password Solution (Windows LAPS)](/windows-server/identity/laps/laps-overview) can configure unique random passwords on each workstation and server store them in Active Directory protected by an ACL. Only eligible authorized users can read or request the reset of these local administrator account passwords. Additional guidance for operating an environment with Windows LAPS and privileged access workstations (PAWs) can be found in [Operational standards based on clean source principle](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#operational-standards-based-on-clean-source-principle).
+- Ensure every machine has a unique local administrator password. For more information, see [Local Administrator Password Solution (Windows LAPS)](/windows-server/identity/laps/laps-overview) can configure unique random passwords on each workstation and server store them in Active Directory protected by an ACL. Only eligible authorized users can read or request the reset of these local administrator account passwords. Additional guidance for operating an environment with Windows LAPS and privileged access workstations (PAWs) can be found in [Operational standards based on clean source principle](/security/privileged-access-workstations/privileged-access-access-model#operational-standards-based-on-clean-source-principle).
- Implement dedicated [privileged access workstations](https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/) for all personnel with privileged access to your organization's information systems. - Follow these [additional guidelines](/windows-server/identity/ad-ds/plan/security-best-practices/reducing-the-active-directory-attack-surface) to reduce the attack surface of your Active Directory environment. - Follow the [Monitor changes to federation configuration](how-to-connect-monitor-federation-changes.md) to set up alerts to monitor changes to the trust established between your Idp and Microsoft Entra ID.
We recommend that you harden your Microsoft Entra Connect server to decrease the
* Microsoft Entra Connect requires network connectivity to all configured domains * Microsoft Entra Connect requires network connectivity to the root domain of all configured forest * If you have firewalls on your intranet and you need to open ports between the Microsoft Entra Connect servers and your domain controllers, see [Microsoft Entra Connect ports](reference-connect-ports.md) for more information.
-* If your proxy or firewall limit which URLs can be accessed, the URLs documented in [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) must be opened. Also see [Safelist the Microsoft Entra admin center URLs on your firewall or proxy server](../../../azure-portal/azure-portal-safelist-urls.md).
+* If your proxy or firewall limit which URLs can be accessed, the URLs documented in [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) must be opened. Also see [Safelist the Microsoft Entra admin center URLs on your firewall or proxy server](/azure/azure-portal/azure-portal-safelist-urls).
* If you're using the Microsoft cloud in Germany or the Microsoft Azure Government cloud, see [Microsoft Entra Connect Sync service instances considerations](reference-connect-instances.md) for URLs. * Microsoft Entra Connect (version 1.1.614.0 and after) by default uses TLS 1.2 for encrypting communication between the sync engine and Microsoft Entra ID. If TLS 1.2 isn't available on the underlying operating system, Microsoft Entra Connect incrementally falls back to older protocols (TLS 1.1 and TLS 1.0). From Microsoft Entra Connect version 2.0 onwards. TLS 1.0 and 1.1 are no longer supported and installation will fail if TLS 1.2 is not enabled. * Prior to version 1.1.614.0, Microsoft Entra Connect by default uses TLS 1.0 for encrypting communication between the sync engine and Microsoft Entra ID. To change to TLS 1.2, follow the steps in [Enable TLS 1.2 for Microsoft Entra Connect](#enable-tls-12-for-azure-ad-connect).
active-directory How To Connect Monitor Federation Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-monitor-federation-changes.md
To monitor the trust relationship, we recommend you set up alerts to be notified
Follow these steps to set up alerts to monitor the trust relationship:
-1. [Configure Microsoft Entra audit logs](../../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) to flow to an Azure Log Analytics Workspace.
-2. [Create an alert rule](../../../azure-monitor/alerts/alerts-create-new-alert-rule.md) that triggers based on Microsoft Entra ID log query.
-3. [Add an action group](../../../azure-monitor/alerts/action-groups.md) to the alert rule that gets notified when the alert condition is met.
+1. [Configure Microsoft Entra audit logs](../../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md) to flow to an Azure Log Analytics Workspace.
+2. [Create an alert rule](/azure/azure-monitor/alerts/alerts-create-new-alert-rule) that triggers based on Microsoft Entra ID log query.
+3. [Add an action group](/azure/azure-monitor/alerts/action-groups) to the alert rule that gets notified when the alert condition is met.
After the environment is configured, the data flows as follows:
After the environment is configured, the data flows as follows:
## Next steps -- [Integrate Microsoft Entra logs with Azure Monitor logs](../../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)-- [Create, view, and manage log alerts using Azure Monitor](../../../azure-monitor/alerts/alerts-create-new-alert-rule.md)
+- [Integrate Microsoft Entra logs with Azure Monitor logs](../../reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md)
+- [Create, view, and manage log alerts using Azure Monitor](/azure/azure-monitor/alerts/alerts-create-new-alert-rule)
- [Manage AD FS trust with Microsoft Entra ID using Microsoft Entra Connect](how-to-connect-azure-ad-trust.md) - [Best practices for securing Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs)
active-directory How To Connect Password Hash Synchronization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-password-hash-synchronization.md
To synchronize your password, Microsoft Entra Connect Sync extracts your passwor
The actual data flow of the password hash synchronization process is similar to the synchronization of user data. However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. The password hash synchronization process runs every 2 minutes. You cannot modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password.
-The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. [Staged Rollout](how-to-connect-staged-rollout.md) allows you to selectively test groups of users with cloud authentication capabilities like Microsoft Entra multifactor authentication, Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others, before cutting over your domains. You cannot explicitly define a subset of user passwords that you want to synchronize. However, if there are multiple connectors, it is possible to disable password hash sync for some connectors but not others using the [Set-ADSyncAADPasswordSyncConfiguration](../../../active-directory-domain-services/tutorial-configure-password-hash-sync.md) cmdlet.
+The first time you enable the password hash synchronization feature, it performs an initial synchronization of the passwords of all in-scope users. [Staged Rollout](how-to-connect-staged-rollout.md) allows you to selectively test groups of users with cloud authentication capabilities like Microsoft Entra multifactor authentication, Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others, before cutting over your domains. You cannot explicitly define a subset of user passwords that you want to synchronize. However, if there are multiple connectors, it is possible to disable password hash sync for some connectors but not others using the [Set-ADSyncAADPasswordSyncConfiguration](/entrlet.
When you change an on-premises password, the updated password is synchronized, most often in a matter of minutes. The password hash synchronization feature automatically retries failed synchronization attempts. If an error occurs during an attempt to synchronize a password, an error is logged in your event viewer.
If you use Microsoft Entra Domain Services to provide legacy authentication for
> > Microsoft Entra Connect only synchronizes legacy password hashes when you enable Microsoft Entra Domain Services for your Microsoft Entra tenant. The following steps aren't used if you only use Microsoft Entra Connect to synchronize an on-premises AD DS environment with Microsoft Entra ID. >
-> If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Microsoft Entra Domain Services. For more information, see [Disable weak cipher suites and NTLM credential hash synchronization](../../../active-directory-domain-services/secure-your-domain.md).
+> If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Microsoft Entra Domain Services. For more information, see [Disable weak cipher suites and NTLM credential hash synchronization](/entra/identity/domain-services/secure-your-domain).
1. Microsoft Entra Connect retrieves the public key for the tenant's instance of Microsoft Entra Domain Services. 1. When a user changes their password, the on-premises domain controller stores the result of the password change (hashes) in two attributes:
active-directory How To Connect Sso Quick Start https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sso-quick-start.md
Ensure that the following prerequisites are in place:
- You sync to Microsoft Entra ID through Microsoft Entra Connect. - Contains users you want to enable Seamless SSO for. -- **Enable modern authentication**: To use this feature, you must enable [modern authentication](/office365/enterprise/modern-auth-for-office-2013-and-2016) on your tenant.
+- **Enable modern authentication**: To use this feature, you must enable [modern authentication](/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016) on your tenant.
- **Use the latest versions of Microsoft 365 clients**: To get a silent sign-on experience with Microsoft 365 clients (for example, with Outlook, Word, or Excel), your users must use versions 16.0.8730.xxxx or later.
active-directory How To Connect Syncservice Duplicate Attribute Resiliency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-syncservice-duplicate-attribute-resiliency.md
Here is an example of what the email notification looks like for a ProxyAddress
## Resolving conflicts Troubleshooting strategy and resolution tactics for these errors should not differ from the way duplicate attribute errors were handled in the past. The only difference is that the timer task sweeps through the tenant on the service-side to automatically add the attribute in question to the proper object once the conflict is resolved.
-The following article outlines various troubleshooting and resolution strategies: [Duplicate or invalid attributes prevent directory synchronization in Office 365](/office365/troubleshoot/active-directory/duplicate-attributes-prevent-dirsync).
+The following article outlines various troubleshooting and resolution strategies: [Duplicate or invalid attributes prevent directory synchronization in Office 365](/microsoft-365/troubleshoot/active-directory/duplicate-attributes-prevent-dirsync).
## Known issues None of these known issues causes data loss or service degradation. Several of them are aesthetic, others cause standard ΓÇ£*pre-resiliency*ΓÇ¥ duplicate attribute errors to be thrown instead of quarantining the conflict attribute, and another causes certain errors to require extra manual fix-up.
active-directory How To Upgrade Previous Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-upgrade-previous-version.md
There are a few different strategies that you can use to upgrade Microsoft Entra
| Method | Description | Pros | Cons | | | | | |
-| [Automatic upgrade](how-to-connect-install-automatic-upgrade.md) |This is the easiest method for customers with an express installation |No manual intervention |Auto-upgrade version might not include the latest features |
-| [In-place upgrade](#in-place-upgrade) |If you have a single server, you can upgrade the installation in-place on the same server |- Doesn't require another server<br/><br/> - Safest approach and smoother transition to a newer version. Supports Windows OS (Operating Systems) upgrade. Sync is not interrupted and doesn't impose a risk to production |- If there's an issue while in-place upgrading, you can't roll back the new release or configuration and change the active server when you are ready <br/><br/>- Requires another server|
+| [Automatic upgrade](how-to-connect-install-automatic-upgrade.md) |This is the easiest method for customers with an express installation |- No manual intervention |- Auto-upgrade version might not include the latest features |
+| [In-place upgrade](#in-place-upgrade) |If you have a single server, you can upgrade the installation in-place on the same server |- Doesn't require another server<br/><br/> - Safest approach and smoother transition to a newer version. Supports Windows OS (Operating Systems) upgrade. Sync is not interrupted and doesn't impose a risk to production |- If there's an issue while in-place upgrading, you can't roll back the new release or configuration and change the active server when you are ready <br/><br/> |
For permissions information, see the [permissions required for an upgrade](reference-connect-accounts-permissions.md#upgrade).
active-directory Migrate From Federation To Cloud Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/migrate-from-federation-to-cloud-authentication.md
For domains that have already set the **SupportsMfa** property, these rules dete
- If the **federatedIdpMfaBehavior** property is never set, Microsoft Entra ID continues to honor the **SupportsMfa** setting. - If neither **federatedIdpMfaBehavior** nor **SupportsMfa** is set, Microsoft Entra ID defaults to `acceptIfMfaDoneByFederatedIdp` behavior.
-You can check the status of protection by running [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true):
+You can check the status of protection by running [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration?viewFallbackFrom=graph-powershell-beta&preserve-view=true&view=graph-powershell-1.0):
```powershell Get-MgDomainFederationConfiguration -DomainId yourdomain.com
The version of SSO that you use is dependent on your device OS and join state.
- **For Windows 10, Windows Server 2016 and later versions**, we recommend using SSO via [Primary Refresh Token (PRT)](../../devices/concept-primary-refresh-token.md) with [Microsoft Entra joined devices](../../devices/concept-directory-join.md), [Microsoft Entra hybrid joined devices](../../devices/concept-hybrid-join.md) and [Microsoft Entra registered devices](../../devices/concept-device-registration.md). -- **For macOS and iOS devices**, we recommend using SSO via the [Microsoft Enterprise SSO plug-in for Apple devices](../../develop/apple-sso-plugin.md). This feature requires that your Apple devices are managed by an MDM. If you use Intune as your MDM then follow the [Microsoft Enterprise SSO plug-in for Apple Intune deployment guide](/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos). If you use another MDM then follow the [Jamf Pro / generic MDM deployment guide](/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro).
+- **For macOS and iOS devices**, we recommend using SSO via the [Microsoft Enterprise SSO plug-in for Apple devices](../../develop/apple-sso-plugin.md). This feature requires that your Apple devices are managed by an MDM. If you use Intune as your MDM then follow the [Microsoft Enterprise SSO plug-in for Apple Intune deployment guide](/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos). If you use another MDM then follow the [Jamf Pro / generic MDM deployment guide](/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos).
- **For Windows 7 and 8.1 devices**, we recommend using [seamless SSO](how-to-connect-sso.md) with domain-joined to register the computer in Microsoft Entra ID. You don't have to sync these accounts like you do for Windows 10 devices. However, you must complete this [prework for seamless SSO using PowerShell](how-to-connect-staged-rollout.md#prework-for-seamless-sso).
You can move SaaS applications that are currently federated with ADFS to Microso
For more information, see ΓÇô - [Moving application authentication from Active Directory Federation Services to Microsoft Entra ID](../../manage-apps/migrate-adfs-apps-stages.md) and-- [AD FS to Microsoft Entra application migration playbook for developers](/samples/azure-samples/ms-identity-adfs-to-aad/ms-identity-dotnet-adfs-to-aad)
+- [AD FS to Microsoft Entra application migration playbook for developers](/samples/azure-samples/ms-identity-adfs-to-aad/ms-identity-dotnet-adfs-to-aad/)
### Remove relying party trust
active-directory Reference Connect Accounts Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-accounts-permissions.md
You also need the following accounts to *install* Microsoft Entra Connect:
> Beginning in build 1.4.###.#, you no longer can use an Enterprise Administrator account or a Domain Administrator account as the AD DS Connector account. If you attempt to enter an account that is an Enterprise Administrator or Domain Administrator for **Use existing account**, the wizard displays an error message and you can't proceed. > [!NOTE]
-> You can manage the administrative accounts that are used in Microsoft Entra Connect by using an *enterprise access model*. An organization can use an enterprise access model to host administrative accounts, workstations, and groups in an environment that has stronger security controls than a production environment. For more information, see [Enterprise access model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#esae-administrative-forest-design-approach).
+> You can manage the administrative accounts that are used in Microsoft Entra Connect by using an *enterprise access model*. An organization can use an enterprise access model to host administrative accounts, workstations, and groups in an environment that has stronger security controls than a production environment. For more information, see [Enterprise access model](/security/privileged-access-workstations/privileged-access-access-model#esae-administrative-forest-design-approach).
> > The Global Administrator role isn't required after initial setup. After setup, the only required account is the Directory Synchronization Accounts role account. Instead of removing the account that has the Global Administrator role, we recommend that you change the role to a role that has a lower level of permissions. Completely removing the account might introduce issues if you ever need to run the wizard again. You can add permissions if you need to use the Microsoft Entra Connect wizard again.
active-directory Reference Connect Government Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-government-cloud.md
This article describes considerations for integrating a hybrid environment with
> [!NOTE] > To integrate a Microsoft Active Directory environment (either on-premises or hosted in an IaaS that is part of the same cloud instance) with the Azure Government cloud, you need to upgrade to the latest release of [Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594).
-For a full list of United States government Department of Defense endpoints, refer to the [documentation](/office365/enterprise/office-365-u-s-government-dod-endpoints).
+For a full list of United States government Department of Defense endpoints, refer to the [documentation](/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints).
<a name='azure-ad-pass-through-authentication'></a>
active-directory Reference Connect Msexchuserholdpolicies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-msexchuserholdpolicies.md
The following reference document describes these attributes used by Exchange and the proper way to edit the default sync rules. ## What are msExchUserHoldPolicies and cloudMsExchUserHoldPolicies?
-There are two types of [holds](/Exchange/policy-and-compliance/holds/holds) available for an Exchange Server: Litigation Hold and In-Place Hold. When Litigation Hold is enabled, all mailbox all items are placed on hold. An In-Place Hold is used to preserve only those items that meet the criteria of a search query that you defined by using the In-Place eDiscovery tool.
+There are two types of [holds](/exchange/policy-and-compliance/holds/holds) available for an Exchange Server: Litigation Hold and In-Place Hold. When Litigation Hold is enabled, all mailbox all items are placed on hold. An In-Place Hold is used to preserve only those items that meet the criteria of a search query that you defined by using the In-Place eDiscovery tool.
The MsExchUserHoldPolcies and cloudMsExchUserHoldPolicies attributes allow on-premises AD and Microsoft Entra ID to determine which users are under a hold depending on whether they're using on-premises Exchange or Exchange on-line.
active-directory Reference Connect Sync Functions Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-sync-functions-reference.md
The FormatDateTime function is used to format a DateTime to a string with a spec
* format: a string representing the format to convert to. **Remarks:**
-The possible values for the format can be found here: [Custom date and time formats for the FORMAT function](/dax/custom-date-and-time-formats-for-the-format-function).
+The possible values for the format can be found here: [Custom date and time formats for the FORMAT function](/dax/format-function-dax).
**Example:**
active-directory Reference Connect Version History Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history-archive.md
Released: November 2015
**New supported scenario:**
-* Supports multiple on-premises Exchange organizations. For more information, see [Hybrid deployments with multiple Active Directory forests](/previous-versions/exchange-server/exchange-150/jj873754(v=exchg.150)).
+* Supports multiple on-premises Exchange organizations. For more information, see [Hybrid deployments with multiple Active Directory forests](/Exchange/hybrid-deployment/hybrid-with-multiple-forests).
**Fixed issues:**
active-directory Tshoot Connect Largeobjecterror Usercertificate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-largeobjecterror-usercertificate.md
Until the LargeObject error is resolved, other attribute changes to the same obj
* Reduce the number of certificate values on the on-premises AD object (15 or less) by removing values that are no longer in use by your organization. This is suitable if the attribute bloat is caused by expired or unused certificates. You can use the cmdlet [Remove-ADSyncToolsExpiredCertificates](reference-connect-adsynctools.md#remove-adsynctoolsexpiredcertificates) to help find, backup, and delete expired certificates in your on-premises AD. Before deleting the certificates, it is recommended that you verify with the Public-Key-Infrastructure administrators in your organization. * Configure Microsoft Entra Connect to exclude the userCertificate attribute from being exported to Microsoft Entra ID. In general, we do not recommend this option since the attribute may be used by Microsoft Online Services to enable specific scenarios. In particular:
- * The userCertificate attribute on the User object is used by Exchange Online and Outlook clients for message signing and encryption. To learn more about this feature, refer to article [S/MIME for message signing and encryption](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption).
+ * The userCertificate attribute on the User object is used by Exchange Online and Outlook clients for message signing and encryption. To learn more about this feature, refer to article [S/MIME for message signing and encryption](/exchange/security-and-compliance/smime-exo/smime-exo).
* The userCertificate attribute on the Computer object is used by Microsoft Entra ID to allow Windows 10 on-premises domain-joined devices to connect to Microsoft Entra ID. To learn more about this feature, please refer to article [Connect domain-joined devices to Microsoft Entra ID for Windows 10 experiences](../../devices/hybrid-join-plan.md).
active-directory Tshoot Connect Password Hash Synchronization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-password-hash-synchronization.md
The following diagram illustrates the results of the cmdlet for a single-domain,
The rest of this section describes specific results that are returned by the task and corresponding issues.
-#### password hash synchronization feature isn't enabled
+#### Password hash synchronization feature isn't enabled
If you haven't enabled password hash synchronization by using the Microsoft Entra Connect wizard, the following error is returned:
active-directory Tshoot Connect Tshoot Sql Connectivity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-tshoot-sql-connectivity.md
Import-module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\T
>[!NOTE] >Install-Module requires updating to [PowerShell 5.0 (WMF 5.0)](https://www.microsoft.com/download/details.aspx?id=50395) or later;
-Or install [PackageManagement PowerShell module preview - March 2016 for PowerShell 3.0/4.0](/powershell/module/PackageManagement)
+Or install [PackageManagement PowerShell module preview - March 2016 for PowerShell 3.0/4.0](/powershell/module/packagemanagement/)
- **Show all commands**: `Get-Command -Module AdSyncTools` - **Execute the PowerShell function**: `Connect-ADSyncDatabase` with the following parameters
active-directory Whatis Azure Ad Connect V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect-v2.md
Azure AD Connect V1 was released several years ago. Since this time, several of
To address this issue, we've bundled as many of these newer components into a new single release, so you only have to update once. This release is Microsoft Entra Connect V2. This release is a new version of the same software used to accomplish your hybrid identity goals, built using the latest foundational components. >[!NOTE]
- >Microsoft Entra Connect V1 has been retired as of August 31, 2022 and is no longer supported. Microsoft Entra Connect V1 installations may **stop working unexpectedly**. If you are still using Azure AD Connect V1, you need to upgrade to Microsoft Entra Connect V2 immediately.
+ >Azure AD Connect V1 has been retired as of August 31, 2022 and is no longer supported. Azure AD Connect V1 installations may **stop working unexpectedly**. If you are still using Azure AD Connect V1, you need to upgrade to Microsoft Entra Connect V2 immediately.
<a name='consider-moving-to-azure-ad-connect-cloud-sync'></a>
SQL Server 2019 requires the Visual C++ Redist 14 runtime, so we're updating the
### TLS 1.2 TLS1.0 and TLS 1.1 are protocols that are deemed unsafe. Microsoft is deprecating them. This release of Microsoft Entra Connect only supports TLS 1.2.
-All versions of Windows Server that are supported for Microsoft Entra Connect V2 already default to TLS 1.2. If your server doesn't support TLS 1.2 you will need to enable this before you can deploy Microsoft Entra Connect V2. For more information, see [TLS 1.2 enforcement for Microsoft Entra Connect](reference-connect-tls-enforcement.md).
+All versions of Windows Server that are supported for Microsoft Entra Connect V2 already default to TLS 1.2. If your server doesn't support TLS 1.2 you'll need to enable this before you can deploy Microsoft Entra Connect V2. For more information, see [TLS 1.2 enforcement for Microsoft Entra Connect](reference-connect-tls-enforcement.md).
### All binaries signed with SHA2
-We noticed that some components had SHA1 signed binaries. We no longer support SHA1 for downloadable binaries and we upgraded all binaries to SHA2 signing. The digital signatures are used to ensure that the updates come directly from Microsoft and were not tampered with during delivery. Because of weaknesses in the SHA-1 algorithm and to align to industry standards, we've changed the signing of Windows updates to use the more secure SHA-2 algorithm."ΓÇ»
+We noticed that some components had SHA1 signed binaries. We no longer support SHA1 for downloadable binaries and we upgraded all binaries to SHA2 signing. The digital signatures are used to ensure that the updates come directly from Microsoft and weren't tampered with during delivery. Because of weaknesses in the SHA-1 algorithm and to align to industry standards, we've changed the signing of Windows updates to use the more secure SHA-2 algorithm."ΓÇ»
-There is no action needed from your side.
+There's no action needed from your side.
### Windows Server 2012 and Windows Server 2012 R2 are no longer supported
SQL Server 2019 requires Windows Server 2016 or newer as a server operating syst
You can't install this version on an older Windows Server version. We suggest you upgrade your Microsoft Entra Connect server to Windows Server 2019, which is the most recent version of the Windows Server operating system.
-This [article](/windows-server/get-started-19/install-upgrade-migrate-19) describes the upgrade from older Windows Server versions to Windows Server 2019.
+This [article](/windows-server/get-started/install-upgrade-migrate) describes the upgrade from older Windows Server versions to Windows Server 2019.
### PowerShell 5.0
More details about PowerShell prerequisites can be found [here](/powershell/scri
## What else do I need to know? **Why is this upgrade important for me?** </br>
-Next year several of the components in your current Microsoft Entra Connect server installations will no longer be supported. If you are using unsupported products, it will be harder for our support team to provide you with the support experience your organization requires. So we recommend all customers to upgrade to this newer version as soon as they can.
+Next year several of the components in your current Microsoft Entra Connect server installations will no longer be supported. If you're using unsupported products, it will be harder for our support team to provide you with the support experience your organization requires. So we recommend all customers to upgrade to this newer version as soon as they can.
This upgrade is especially important since we've had to update our prerequisites for Microsoft Entra Connect and you may need additional time to plan and update your servers to the newer versions of these prerequisites
This upgrade is especially important since we've had to update our prerequisites
No ΓÇô the V2.0 release doesn't contain any new functionality. This release only contains updates of some of the foundational components on Microsoft Entra Connect. However, later releases of Microsoft Entra Connect V2 may contain new functionality. **Can I upgrade from any previous version to V2?** </br>
-Yes ΓÇô upgrades from any previous version of Microsoft Entra Connect to Microsoft Entra Connect V2 is supported. Please follow the guidance in [this article](how-to-upgrade-previous-version.md) to determine what is the best upgrade strategy for you.
+Yes ΓÇô upgrades from any previous version of Microsoft Entra Connect to Microsoft Entra Connect V2 is supported. Follow the guidance in [this article](how-to-upgrade-previous-version.md) to determine what is the best upgrade strategy for you.
**Can I export the configuration of my current server and import it in Microsoft Entra Connect V2?** </br>
-Yes, you can do that, and it is a great way to migrate to Microsoft Entra Connect V2 ΓÇô especially if you are also upgrading to a new operating system version. You can read more about the Import/export configuration feature and how you can use it in this [article](how-to-connect-import-export-config.md).
+Yes, you can do that, and it's a great way to migrate to Microsoft Entra Connect V2 ΓÇô especially if you're also upgrading to a new operating system version. You can read more about the Import/export configuration feature and how you can use it in this [article](how-to-connect-import-export-config.md).
**I have enabled auto upgrade for Microsoft Entra Connect ΓÇô will I get this new version automatically?** </br>
-Yes - your Microsoft Entra Connect server will be upgraded to the latest release if you have enabled the auto-upgrade feature. However, we can only upgrade your server if you are using Windows Server 2016 or newer and have enabled TLS 1.2.
+Yes - your Microsoft Entra Connect server will be upgraded to the latest release if you have enabled the auto-upgrade feature. However, we can only upgrade your server if you're using Windows Server 2016 or newer and have enabled TLS 1.2.
**I am not ready to upgrade yet ΓÇô how much time do I have?** </br>
-You should upgrade to Microsoft Entra Connect V2 as soon as you can. **__All Microsoft Entra Connect V1 versions have been retired on 31 August, 2022.__** For the time being we will continue to support older versions of Microsoft Entra Connect, but it may prove difficult to provide a good support experience if some of the components in Microsoft Entra Connect have dropped out of support. This upgrade is particularly important for ADAL and TLS1.0/1.1 as these services might stop working unexpectedly after they are deprecated.
+You should upgrade to Microsoft Entra Connect V2 as soon as you can. **__All Azure AD Connect V1 versions have been retired on 31 August, 2022.__** For the time being we'll continue to support older versions of Microsoft Entra Connect, but it may prove difficult to provide a good support experience if some of the components in Microsoft Entra Connect have dropped out of support. This upgrade is particularly important for ADAL and TLS1.0/1.1 as these services might stop working unexpectedly after they're deprecated.
**I use an external SQL database and don't use SQL 2012 LocalDb ΓÇô do I still have to upgrade?** </br> Yes, you still need to upgrade to remain in a supported state even if you don't use SQL Server 2012, due to the TLS1.0/1.1 and ADAL deprecation. Note that SQL Server 2012 can still be used as an external SQL database with Microsoft Entra Connect V2. The SQL 2019 drivers in Microsoft Entra Connect V2 are compatible with SQL Server 2012.
Yes, you still need to upgrade to remain in a supported state even if you don't
No, the upgrade to SQL 2019 doesn't remove any SQL 2012 components from your server. If you no longer need these components then you should follow [the SQL Server uninstallation instructions](/sql/sql-server/install/uninstall-an-existing-instance-of-sql-server-setup). **What happens if I don't upgrade?** </br>
-Until one of the components that are being retired are actually deprecated, you will not see any impact. Microsoft Entra Connect will keep on working.
+Until one of the components that are being retired are actually deprecated, you won't see any impact. Microsoft Entra Connect will keep on working.
Support for TLS 1.0/1.1 is deprecated in 2022, and you need to make sure you aren't using these protocols by that date as your service may stop working unexpectedly. You can manually configure your server for TLS 1.2 though, and that doesn't require an update of Microsoft Entra Connect to V2.
-Microsoft Entra Connect Health may stop working after March 2023. We will auto upgrade all Health agents to a new version before that, but we cannot auto upgrade if you are running Azure AD Connect V1 due to compatibility issues with V versions.
+Microsoft Entra Connect Health may stop working after March 2023. We'll auto upgrade all Health agents to a new version before that, but we can't auto upgrade if you're running Azure AD Connect V1 due to compatibility issues with V versions.
After December 2022, ADAL is planned to go out of support. When ADAL goes out of support, authentication may stop working unexpectedly, and this will block the Microsoft Entra Connect server from working properly. We strongly advise you to upgrade to Microsoft Entra Connect V2 before December 2022. You can't upgrade to a supported authentication library with your current Microsoft Entra Connect version.
active-directory Whatis Azure Ad Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect.md
Microsoft Entra Connect is an on-premises Microsoft application that's designed
>[!IMPORTANT]
- >Microsoft Entra Connect V1 has been retired as of August 31, 2022 and is no longer supported. Microsoft Entra Connect V1 installations may **stop working unexpectedly**. If you are still using a Microsoft Entra Connect V1 you need to upgrade to Microsoft Entra Connect V2 immediately.
+ >Azure AD Connect V1 has been retired as of August 31, 2022 and is no longer supported. Azure AD Connect V1 installations may **stop working unexpectedly**. If you are still using a Azure AD Connect V1 you need to upgrade to Microsoft Entra Connect V2 immediately.
<a name='consider-moving-to-azure-ad-connect-cloud-sync'></a>
For more information see [What is cloud sync?](../cloud-sync/what-is-cloud-sync.
![What is Microsoft Entra Connect](../media/whatis-hybrid-identity/arch.png) > [!IMPORTANT]
-> Microsoft Entra Connect Health for Sync requires Microsoft Entra Connect Sync V2. If you are still using AADConnect V1 you must upgrade to the latest version.
-> AADConnect V1 is retired on August 31, 2022. Microsoft Entra Connect Health for Sync will no longer work with AADConnect V1 in December 2022.
+> Microsoft Entra Connect Health for Sync requires Microsoft Entra Connect Sync V2. If you are still using Azure AD Connect V1 you must upgrade to the latest version.
+> Azure AD Connect V1 is retired on August 31, 2022. Microsoft Entra Connect Health for Sync will no longer work with Azure AD Connect V1 in December 2022.
active-directory Decommission Connect Sync V1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/decommission-connect-sync-v1.md
The one-year advanced notice of Azure AD Connect V1's retirement was announced in August 2021. As of August 31, 2022, all V1 versions went out of support and were subject to stop working unexpectedly at any point.
-On **October 1, 2023**, Azure AD cloud services will stop accepting connections from Azure AD Connect V1 servers, and identities will no longer synchronize.
+On **October 1, 2023**, Microsoft Entra cloud services stopped accepting connections from Azure AD Connect V1 servers, and identities will no longer synchronize.
If you are still using Azure AD Connect V1 you must take action immediately.
->[!IMPORTANT]
->Azure AD Connect V1 will stop working on October 1st 2023. You need to migrate to Microsoft Entra Connect cloud sync or Microsoft Entra Connect Sync.
## Migrate to cloud sync Before moving to Microsoft Entra Connect Sync, you should see if cloud sync is right for you instead. Cloud sync uses a light-weight provisioning agent and is fully configurable through the portal. To choose the best sync tool for your situation, use the [Wizard to evaluate sync options.](https://aka.ms/EvaluateSyncOptions)
If you aren't yet eligible to move to cloud sync, use this table for more inform
## Next steps -- [What is Azure AD Connect V2?](./connect/whatis-azure-ad-connect-v2.md)
+- [What is Microsoft Entra Connect V2?](./connect/whatis-azure-ad-connect-v2.md)
- [Azure AD cloud sync](./cloud-sync/what-is-cloud-sync.md)-- [Azure AD Connect version history](./connect/reference-connect-version-history.md)
+- [Microsoft Entra Connect version history](./connect/reference-connect-version-history.md)
active-directory Application List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-list.md
When filtered to **All Applications**, the **All Applications** **List** shows e
- When you use managed identities for Azure resources. For more information, see [Managed identity types](../managed-identities-azure-resources/overview.md#managed-identity-types). - When you add a new application registration by creating a custom-developed application using the [Application Registry](../develop/quickstart-register-app.md) - When you add a new application registration by creating a custom-developed application using the [V2.0 Application Registration portal](../develop/quickstart-register-app.md)-- When you add an application, youΓÇÖre developing using Visual StudioΓÇÖs [ASP.NET Authentication Methods](https://www.asp.net/visual-studio/overview/2013/creating-web-projects-in-visual-studio#orgauthoptions) or [Connected Services](https://devblogs.microsoft.com/visualstudio/connecting-to-cloud-services/)
+- When you add an application, youΓÇÖre developing using Visual StudioΓÇÖs [ASP.NET Authentication Methods](/aspnet/visual-studio/overview/2013/creating-web-projects-in-visual-studio#orgauthoptions) or [Connected Services](https://devblogs.microsoft.com/visualstudio/connecting-to-cloud-services/)
- When you create a service principal object using the [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation) module. - When you [consent to an application](../develop/howto-convert-app-to-be-multi-tenant.md) as an administrator to use data in your tenant - When a [user consents to an application](../develop/howto-convert-app-to-be-multi-tenant.md) to use data in your tenant
active-directory Cloud App Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloud-app-security.md
Use Microsoft Cloud App Discovery (a Microsoft Entra ID P1 feature) to discover
### Learn more -- [Discover and manage shadow IT in your network](/cloud-app-security/tutorial-shadow-it)-- [Discovered apps with Defender for Cloud Apps](/cloud-app-security/discovered-apps)
+- [Discover and manage shadow IT in your network](/defender-cloud-apps/tutorial-shadow-it)
+- [Discovered apps with Defender for Cloud Apps](/defender-cloud-apps/discovered-apps)
## User session visibility and control
With this control you can:
### Learn more -- [Protect apps with Session Control in Defender for Cloud Apps](/cloud-app-security/proxy-intro-aad)
+- [Protect apps with Session Control in Defender for Cloud Apps](/defender-cloud-apps/proxy-intro-aad)
## Advanced app visibility and controls
Defender for Cloud Apps leverages the APIs provided by the cloud provider. Each
### Learn more -- [Connect apps in Defender for Cloud Apps](/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
+- [Connect apps in Defender for Cloud Apps](/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
## Next steps -- [Discover and manage shadow IT in your network](/cloud-app-security/tutorial-shadow-it)-- [Discovered apps with Defender for Cloud Apps](/cloud-app-security/discovered-apps)-- [Protect apps with Session Control in Defender for Cloud Apps](/cloud-app-security/proxy-intro-aad)-- [Connect apps in Defender for Cloud Apps](/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
+- [Discover and manage shadow IT in your network](/defender-cloud-apps/tutorial-shadow-it)
+- [Discovered apps with Defender for Cloud Apps](/defender-cloud-apps/discovered-apps)
+- [Protect apps with Session Control in Defender for Cloud Apps](/defender-cloud-apps/proxy-intro-aad)
+- [Connect apps in Defender for Cloud Apps](/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
active-directory Cloudflare Conditional Access Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloudflare-conditional-access-policies.md
Learn more: [What is Conditional Access?](../conditional-access/overview.md)
* One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator. * Configured users in the Microsoft Entra subscription * A Cloudflare account
- * Go to dash.cloudflare.com to [Get started with Cloudflare](https://dash.cloudflare.com/sign-up?https%3A%2F%2Fone.dash.cloudflare.com%2F)
+ * Go to `dash.cloudflare.com` to [Get started with Cloudflare](https://dash.cloudflare.com/sign-up)
## Scenario architecture
Go to developers.cloudflare.com to [set up Microsoft Entra ID as an IdP](https:/
Enforce Conditional Access policies on a Cloudflare Access application.
-1. Go to dash.cloudflare.com to [sign in to Cloudflare](https://dash.cloudflare.com/login).
+1. Go to `dash.cloudflare.com` to [sign in to Cloudflare](https://dash.cloudflare.com/login).
2. In **Zero Trust**, go to **Access**. 3. Select **Applications**. 4. See, [Add a self-hosted application](https://developers.cloudflare.com/cloudflare-one/applications/configure-apps/self-hosted-apps/).
active-directory Cloudflare Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloudflare-integration.md
See the [team domain](https://developers.cloudflare.com/cloudflare-one/glossary#
- Go to developer.cloudflare.com for [Integrate SSO](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/) - [Tutorial: Configure Conditional Access policies for Cloudflare Access](cloudflare-conditional-access-policies.md)-- [Tutorial: Configure Cloudflare Web Application Firewall with Azure AD B2C](../../active-directory-b2c/partner-cloudflare.md)
+- [Tutorial: Configure Cloudflare Web Application Firewall with Azure AD B2C](/azure/active-directory-b2c/partner-cloudflare)
active-directory Configure User Consent Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-user-consent-groups.md
PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
To get help or find answers to your questions: -- [Microsoft Entra ID on Microsoft Q&A](/answers/topics/azure-active-directory.html)
+- [Microsoft Entra ID on Microsoft Q&A](/answers/tags/455/entra-id)
active-directory Configure User Consent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-user-consent.md
PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
## Next steps - [Manage app consent policies](manage-app-consent-policies.md)-- [Configure the admin consent workflow](configure-admin-consent-workflow.md)
+- [Configure the admin consent workflow](configure-admin-consent-workflow.md)
active-directory Create Service Principal Cross Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/create-service-principal-cross-tenant.md
You can use an API client such as [Graph Explorer](https://aka.ms/ge) to work wi
## Next steps -- [Add RBAC role to the enterprise application](../../role-based-access-control/role-assignments-portal.md)
+- [Add RBAC role to the enterprise application](/azure/role-based-access-control/role-assignments-portal)
- [Assign users to your application](add-application-portal-assign-users.md)
active-directory Datawiza Configure Sha https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-configure-sha.md
In this tutorial, learn how to integrate Microsoft Entra ID with [Datawiza](https://www.datawiza.com/) for [hybrid access](../devices/concept-hybrid-join.md). [Datawiza Access Proxy (DAP)](https://www.datawiza.com) extends Microsoft Entra ID to enable single sign-on (SSO) and provide access controls to protect on-premises and cloud-hosted applications, such as Oracle E-Business Suite, Microsoft IIS, and SAP. With this solution, enterprises can transition from legacy web access managers (WAMs), such as Symantec SiteMinder, NetIQ, Oracle, and IBM, to Microsoft Entra ID without rewriting applications. Enterprises can use Datawiza as a no-code, or low-code, solution to integrate new applications to Microsoft Entra ID. This approach enables enterprises to implement their Zero Trust strategy while saving engineering time and reducing costs.
-Learn more: [Zero Trust security](../../security/fundamentals/zero-trust.md)
+Learn more: [Zero Trust security](/azure/security/fundamentals/zero-trust)
<a name='datawiza-with-azure-ad-authentication-architecture'></a>
To get started, you need:
## Next steps
-* [Tutorial: Configure Azure Active Directory B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md)
+* [Tutorial: Configure Azure Active Directory B2C with Datawiza to provide secure hybrid access](/azure/active-directory-b2c/partner-datawiza)
* [Tutorial: Configure Datawiza to enable Microsoft Entra multifactor authentication and SSO to Oracle JD Edwards](datawiza-sso-oracle-jde.md) * [Tutorial: Configure Datawiza to enable Microsoft Entra multifactor authentication and SSO to Oracle PeopleSoft](./datawiza-sso-oracle-peoplesoft.md) * Go to docs.datawiza.com for Datawiza [User Guides](https://docs.datawiza.com)
active-directory Datawiza Sso Mfa Oracle Ebs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-mfa-oracle-ebs.md
To provide more security for sign-ins, you can enable multifactor authentication
- [Video: Enable SSO and MFA for Oracle JD Edwards with Microsoft Entra ID via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90) - [Tutorial: Configure Secure Hybrid Access with Microsoft Entra ID and Datawiza](./datawiza-configure-sha.md)-- [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md)
+- [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](/azure/active-directory-b2c/partner-datawiza)
- [Datawiza user guides](https://docs.datawiza.com/)
active-directory Datawiza Sso Oracle Jde https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-oracle-jde.md
To confirm Oracle JDE application access occurs, a prompt appears to use a Micro
* Video [Enable SSO and MFA for Oracle JDE) with Microsoft Entra ID via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90) * [Tutorial: Configure Secure Hybrid Access with Microsoft Entra ID and Datawiza](./datawiza-configure-sha.md)
-* [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md)
+* [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](/azure/active-directory-b2c/partner-datawiza)
* Go to docs.datawiza.com for Datawiza [User Guides](https://docs.datawiza.com/)
active-directory Datawiza Sso Oracle Peoplesoft https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-oracle-peoplesoft.md
To confirm Oracle PeopleSoft application access occurs correctly, a prompt appea
- Video: [Enable SSO and MFA for Oracle JD Edwards with Microsoft Entra ID via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90) - [Tutorial: Configure Secure Hybrid Access with Microsoft Entra ID and Datawiza](./datawiza-configure-sha.md)-- [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md)
+- [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](/azure/active-directory-b2c/partner-datawiza)
- Go to docs.datawiza.com for Datawiza [User Guides](https://docs.datawiza.com/)
active-directory F5 Big Ip Forms Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-forms-advanced.md
Learn to configure F5 BIG-IP Access Policy Manager (APM) and Microsoft Entra ID
* Improved Zero Trust governance through Microsoft Entra preauthentication and Conditional Access * See [What is Conditional Access?](../conditional-access/overview.md)
- * See [Zero Trust security](../../security/fundamentals/zero-trust.md)
+ * See [Zero Trust security](/azure/security/fundamentals/zero-trust)
* Full SSO between Microsoft Entra ID and BIG-IP published services * Managed identities and access from one control plane * See the [Microsoft Entra admin center](https://entra.microsoft.com)
You need the following components:
* An SSL certificate to publish services over HTTPS, or use default certificates while testing * See [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile) * A form-based authentication application, or set up an IIS FBA app for testing
- * See [Forms-based authentication](/troubleshoot/aspnet/forms-based-authentication)
+ * See [Forms-based authentication](/troubleshoot/developer/webapps/aspnet/development/forms-based-authentication)
## BIG-IP configuration
active-directory F5 Big Ip Header Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-header-advanced.md
Learn to implement secure hybrid access (SHA) with single sign-on (SSO) to heade
* Improved Zero Trust governance through Microsoft Entra preauthentication and Conditional Access * See, [What is Conditional Access?](../conditional-access/overview.md)
- * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)
+ * See, [Zero Trust security](/azure/security/fundamentals/zero-trust)
* Full SSO between Microsoft Entra ID and BIG-IP published services * Managed identities and access from one control plane * See, the [Microsoft Entra admin center](https://entra.microsoft.com)
active-directory F5 Big Ip Headers Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-headers-easy-button.md
Learn to secure header-based applications with Microsoft Entra ID, with F5 BIG-I
Integrating a BIG-IP with Microsoft Entra ID provides many benefits, including: * Improved Zero Trust governance through Microsoft Entra preauthentication and Conditional Access * See, [What is Conditional Access?](../conditional-access/overview.md)
- * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)
+ * See, [Zero Trust security](/azure/security/fundamentals/zero-trust)
* Full SSO between Microsoft Entra ID and BIG-IP published services * Managed identities and access from one control plane * See, the [Microsoft Entra admin center](https://entra.microsoft.com)
active-directory F5 Big Ip Oracle Enterprise Business Suite Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-enterprise-business-suite-easy-button.md
Learn to secure Oracle E-Business Suite (EBS) using Microsoft Entra ID, with F5
* Improved Zero Trust governance through Microsoft Entra preauthentication and Conditional Access * See, [What is Conditional Access?](../conditional-access/overview.md)
- * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)
+ * See, [Zero Trust security](/azure/security/fundamentals/zero-trust)
* Full SSO between Microsoft Entra ID and BIG-IP published services * Managed identities and access from one control plane * See, the [Microsoft Entra admin center](https://entra.microsoft.com)
active-directory F5 Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-integration.md
SHA enables organizations to continue using investments in F5 network and applic
When Microsoft Entra ID pre-authenticates access to BIG-IP published services, there are many benefits: - Password-less authentication with:
- - [Windows Hello](/windows/security/identity-protection/hello-for-business/hello-overview)
+ - [Windows Hello](/windows/security/identity-protection/hello-for-business/)
- [MS Authenticator](https://support.microsoft.com/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a) - [Fast Identity Online (FIDO) keys](../authentication/howto-authentication-passwordless-security-key.md) - [Certificate-based authentication](../authentication/concept-certificate-based-authentication.md)
Other benefits include:
- Entitlement management for governed guest access - [Partner collaboration](../governance/entitlement-management-external-users.md) - App discovery and control
- - [Defender for Cloud Apps (CASB)](/cloud-app-security/what-is-cloud-app-security)
+ - [Defender for Cloud Apps (CASB)](/defender-cloud-apps/what-is-defender-for-cloud-apps)
- Threat monitoring and analytics with [Microsoft Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ## Scenario description
The following diagram illustrates the front-end pre-authentication exchange betw
2. BIG-IP redirects the user to the SAML identity provider (IdP), Microsoft Entra ID, for pre-authentication 3. Microsoft Entra ID processes Conditional Access policies and [session controls](../conditional-access/concept-conditional-access-session.md) for authorization 4. User goes back to BIG-IP, and presents the SAML claims issued by Microsoft Entra ID
-5. BIG-IP requests session information for [SSO](../hybrid/connect/how-to-connect-sso.md) and [role-based access control (RBAC)](../../role-based-access-control/overview.md) to the published service
+5. BIG-IP requests session information for [SSO](../hybrid/connect/how-to-connect-sso.md) and [role-based access control (RBAC)](/azure/role-based-access-control/overview) to the published service
6. BIG-IP forwards the client request to the back-end service ## User experience
Users access the My Apps portal to find BIG-IP published services and to manage
You can monitor deployed BIG-IP instances to ensure published services are highly available, at an SHA level and operationally.
-There are several options to log events locally, or remotely through a Security Information and Event Management (SIEM) solution, which enables storage and telemetry processing. To monitor Microsoft Entra ID and SHA activity, you can use [Azure Monitor](../../azure-monitor/overview.md) and [Microsoft Sentinel](../../sentinel/overview.md), together:
+There are several options to log events locally, or remotely through a Security Information and Event Management (SIEM) solution, which enables storage and telemetry processing. To monitor Microsoft Entra ID and SHA activity, you can use [Azure Monitor](/azure/azure-monitor/overview) and [Microsoft Sentinel](/azure/sentinel/overview), together:
- Overview of your organization, potentially across multiple clouds, and on-premises locations, including BIG-IP infrastructure - One control plane with view of signals, avoiding reliance on complex, and disparate tools
Advanced configuration tutorials:
- [Securing F5 BIG-IP SSL-VPN with Microsoft Entra SHA](f5-passwordless-vpn.md) -- [Extend Azure AD B2C to protect applications using F5 BIG-IP](../../active-directory-b2c/partner-f5.md)
+- [Extend Azure AD B2C to protect applications using F5 BIG-IP](/azure/active-directory-b2c/partner-f5)
- [F5 BIG-IP APM and Microsoft Entra SSO to Kerberos applications](f5-big-ip-kerberos-advanced.md)
active-directory F5 Passwordless Vpn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-passwordless-vpn.md
Enabling a BIG-IP SSL-VPN for Microsoft Entra single sign-on (SSO) provides many
To learn about more benefits, see * [Integrate F5 BIG-IP with Microsoft Entra ID](./f5-integration.md)
-* [What is single sign-on in Microsoft Entra ID?](/azure/active-directory/active-directory-appssoaccess-whatis)
+* [What is single sign-on in Microsoft Entra ID?](./what-is-single-sign-on.md)
>[!NOTE] >Classic VPNs remain network orientated, often providing little to no fine-grained access to corporate applications. We encourage a more identity-centric approach to achieve Zero Trust. Learn more: [Five steps for integrating all your apps with Microsoft Entra ID](../fundamentals/five-steps-to-full-application-integration.md).
active-directory Home Realm Discovery Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/home-realm-discovery-policy.md
The json object is an example HRD policy definition:
} ```
-The policy type is "[HomeRealmDiscoveryPolicy](/graph/api/resources/homeRealmDiscoveryPolicy)".
+The policy type is "[HomeRealmDiscoveryPolicy](/graph/api/resources/homerealmdiscoverypolicy)".
**AccelerateToFederatedDomain** is optional. If **AccelerateToFederatedDomain** is false, the policy has no effect on auto-acceleration. If **AccelerateToFederatedDomain** is true and there's only one verified and federated domain in the tenant, then users will be taken straight to the federated IdP for sign-in. If it's true and there's more than one verified domain in the tenant, **PreferredDomain** must be specified.
active-directory Manage App Consent Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-app-consent-policies.md
The following table provides the list of supported conditions for app consent po
| ClientApplicationPublisherIds | A list of Microsoft Partner Network (MPN) IDs for [verified publishers](../develop/publisher-verification-overview.md) of the client application, or a list with the single value "all" to match with client apps from any publisher. Default is the single value "all". | | ClientApplicationsFromVerifiedPublisherOnly | Set this switch to only match on client applications with a [verified publishers](../develop/publisher-verification-overview.md). Disable this switch (`-ClientApplicationsFromVerifiedPublisherOnly:$false`) to match on any client app, even if it doesn't have a verified publisher. Default is `$false`. | |scopeType| The resource scope type the preapproval applies to. Possible values: `group` for [groups](/graph/api/resources/group) and [teams](/graph/api/resources/team), `chat` for [chats](/graph/api/resources/chat?view=graph-rest-1.0&preserve-view=true), or `tenant` for tenant-wide access. Required.|
-| sensitivityLabels| The sensitivity labels that are applicable to the scope type and have been preapproved. It allows you to protect sensitive organizational data. Learn about [sensitivity labels](/microsoft-365/compliance/sensitivity-labels). **Note:** Chat resource **does not** support sensitivityLabels yet.
+| sensitivityLabels| The sensitivity labels that are applicable to the scope type and have been preapproved. It allows you to protect sensitive organizational data. Learn about [sensitivity labels](/purview/sensitivity-labels). **Note:** Chat resource **does not** support sensitivityLabels yet.
## Next steps
The following table provides the list of supported conditions for app consent po
To get help or find answers to your questions:
-* [Microsoft Entra ID on Microsoft Q&A](/answers/products/)
+* [Microsoft Entra ID on Microsoft Q&A](/answers/)
active-directory Manage Consent Requests https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-consent-requests.md
This article provides guidance on managing consent to applications and evaluatin
## Auditing and monitoring -- [Audit apps and granted permissions](../../security/fundamentals/steps-secure-identity.md#audit-apps-and-consented-permissions) in your organization to ensure that no unwarranted or suspicious applications have previously been granted access to data.
+- [Audit apps and granted permissions](/azure/security/fundamentals/steps-secure-identity#audit-apps-and-consented-permissions) in your organization to ensure that no unwarranted or suspicious applications have previously been granted access to data.
- Review the [Detect and Remediate Illicit Consent Grants in Office 365](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants) article for more best practices and safeguards against suspicious applications that request OAuth consent. - If your organization has the appropriate license:
- - Use other [OAuth application auditing features in Microsoft Defender for Cloud Apps](/cloud-app-security/investigate-risky-oauth).
- - Use [Azure Monitor Workbooks](../reports-monitoring/howto-use-azure-monitor-workbooks.md) to monitor permissions and consent-related activity. The *Consent Insights* workbook provides a view of apps by number of failed consent requests. This information can help you prioritize applications for administrators to review and decide whether to grant them admin consent.
+ - Use other [OAuth application auditing features in Microsoft Defender for Cloud Apps](/defender-cloud-apps/investigate-risky-oauth).
+ - Use [Azure Monitor Workbooks](../reports-monitoring/howto-use-workbooks.md) to monitor permissions and consent-related activity. The *Consent Insights* workbook provides a view of apps by number of failed consent requests. This information can help you prioritize applications for administrators to review and decide whether to grant them admin consent.
### Other considerations for reducing friction
active-directory Migrate Adfs Classify Apps Plan Pilot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-classify-apps-plan-pilot.md
There are two main categories of users of your apps and resources that Microsoft
You can define groups for these users and populate these groups in diverse ways. You may choose that an administrator must manually add members into a group, or you can enable self-service group membership. Rules can be established that automatically add members into groups based on the specified criteria using [dynamic groups](../enterprise-users/groups-dynamic-membership.md).
-External users may also refer to customers. [Azure AD B2C](../../active-directory-b2c/overview.md), a separate product supports customer authentication. However, it is outside the scope of this paper.
+External users may also refer to customers. [Azure AD B2C](/azure/active-directory-b2c/overview), a separate product supports customer authentication. However, it is outside the scope of this paper.
## Plan a pilot
Before you initiate the migration process, take time to fully consider the secur
### Identities and data
-Most organizations have specific requirements about identities and data protection that vary by industry segment and by job functions within organizations. Refer to [identity and device access configurations](/microsoft-365/enterprise/microsoft-365-policies-configurations) for our recommendations including a prescribed set of [Conditional Access policies](../conditional-access/overview.md) and related capabilities.
+Most organizations have specific requirements about identities and data protection that vary by industry segment and by job functions within organizations. Refer to [identity and device access configurations](/microsoft-365/security/office-365-security/microsoft-365-policies-configurations) for our recommendations including a prescribed set of [Conditional Access policies](../conditional-access/overview.md) and related capabilities.
-You can use this information to protect access to all services integrated with Microsoft Entra ID. These recommendations are aligned with Microsoft Secure Score and the [identity score in Microsoft Entra ID](../fundamentals/identity-secure-score.md). The score helps you to:
+You can use this information to protect access to all services integrated with Microsoft Entra ID. These recommendations are aligned with Microsoft Secure Score and the [identity score in Microsoft Entra ID](../reports-monitoring/concept-identity-secure-score.md). The score helps you to:
- Objectively measure your identity security posture - Plan identity security improvements - Review the success of your improvements
-This also helps you implement the [five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md). Use the guidance as a starting point for your organization and adjust the policies to meet your organization's specific requirements.
+This also helps you implement the [five steps to securing your identity infrastructure](/azure/security/fundamentals/steps-secure-identity). Use the guidance as a starting point for your organization and adjust the policies to meet your organization's specific requirements.
### Device/location used to access data
active-directory Migrate Adfs Discover Scope Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-discover-scope-apps.md
Discover applications using ADFS:
In the cloud environment, you need rich visibility, control over data travel, and sophisticated analytics to find and combat cyber threats across all your cloud services. You can gather your cloud app inventory using the following tools: -- **Cloud Access Security Broker (CASB**) ΓÇô A [CASB](/cloud-app-security/) typically works alongside your firewall to provide visibility into your employeesΓÇÖ cloud application usage and helps you protect your corporate data from cybersecurity threats. The CASB report can help you determine the most used apps in your organization, and the early targets to migrate to Microsoft Entra ID.
+- **Cloud Access Security Broker (CASB**) ΓÇô A [CASB](/defender-cloud-apps/) typically works alongside your firewall to provide visibility into your employeesΓÇÖ cloud application usage and helps you protect your corporate data from cybersecurity threats. The CASB report can help you determine the most used apps in your organization, and the early targets to migrate to Microsoft Entra ID.
- **Cloud Discovery** - By configuring [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps), you gain visibility into the cloud app usage, and can discover unsanctioned or Shadow IT apps. - **Azure Hosted Applications** - For apps connected to Azure infrastructure, you can use the APIs and tools on those systems to begin to take an inventory of hosted apps. In the Azure environment: - Use the [Get-AzureWebsite](/powershell/module/servicemanagement/azure/get-azurewebsite) cmdlet to get information about Azure websites.
active-directory Migrate Adfs Plan Management Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-plan-management-insights.md
You can also use the [Microsoft Entra admin center](https://entra.microsoft.com)
- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Microsoft Entra reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) to integrate into your favorite tools. - **View the permissions for an app** using **Enterprise Applications, Permissions** for apps using OAuth/OpenID Connect. - **Get sign-in insights** using **Enterprise Applications, Sign-Ins**. Access the same information from the [Microsoft Entra reporting API.](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md)-- **Visualize your appΓÇÖs usage** from the [Microsoft Entra ID Power BI content pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md)
+- **Visualize your appΓÇÖs usage** from the [Microsoft Entra ID Power BI content pack](../reports-monitoring/howto-use-workbooks.md)
## Exit criteria
Many [deployment plans](../architecture/deployment-plans.md) are available for y
Visit the following support links to create or track support ticket and monitor health. - **Azure Support:** You can call [Microsoft Support](https://azure.microsoft.com/support) and open a ticket for any Azure Identity deployment issue depending on your Enterprise Agreement with Microsoft.-- **FastTrack**: If you've purchased Enterprise Mobility and Security (EMS) or Microsoft Entra ID P1 or P2 licenses, you're eligible to receive deployment assistance from the [FastTrack program.](/enterprise-mobility-security/solutions/enterprise-mobility-fasttrack-program)
+- **FastTrack**: If you've purchased Enterprise Mobility and Security (EMS) or Microsoft Entra ID P1 or P2 licenses, you're eligible to receive deployment assistance from the [FastTrack program.](/microsoft-365/fasttrack/introduction)
- **Engage the Product Engineering team:** If you're working on a major customer deployment with millions of users, you're entitled to support from the Microsoft account team or your Cloud Solutions Architect. Based on the projectΓÇÖs deployment complexity, you can work directly with the [Azure Identity Product Engineering team.](https://portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/solutionProviders) ## Next steps
active-directory Migrate Adfs Saml Based Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-saml-based-sso.md
Signing certificates are an important part of any SSO deployment. Microsoft Entr
Both AD FS and Microsoft Entra ID provide token encryptionΓÇöthe ability to encrypt the SAML security assertions that go to applications. The assertions are encrypted with a public key, and decrypted by the receiving application with the matching private key. When you configure token encryption, you upload X.509 certificate files to provide the public keys.
-For information about Microsoft Entra SAML token encryption and how to configure it, see [How to: Configure Microsoft Entra SAML token encryption](howto-saml-token-encryption.md).
+For information about Microsoft Entra SAML token encryption and how to configure it, see [How to: Configure Microsoft Entra SAML token encryption](howto-saml-token-encryption.md).
> [!NOTE] > Token encryption is a Microsoft Entra ID P1 or P2 feature. To learn more about Microsoft Entra editions, features, and pricing, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
This functionality validates the signature of signed authentication requests. An
## Custom claims providers (preview)
-To migrate data from legacy systems such as ADFS, or data stores such as LDAP, your apps are dependent on certain data in the tokens. You can use custom claims providers to add claims into the token. For more information, see [Custom claims provider overview](../develop/custom-claims-provider-overview.md).
+To migrate data from legacy systems such as ADFS, or data stores such as LDAP, your apps are dependent on certain data in the tokens. You can use custom claims providers to add claims into the token. For more information, see [Custom claims provider overview](../develop/custom-claims-provider-overview.md).
## Apps and configurations that can be moved today
The following table describes some of the most common mapping of settings betwee
| Configuration setting| AD FS| How to configure in Microsoft Entra ID| SAML Token | | - | - | - | - |
-| **App sign-on URL** <p>The URL for the user to sign in to the app in a SAML flow initiated by a Service Provider (SP).| N/A| Open Basic SAML Configuration from SAML based sign-on| N/A |
-| **App reply URL** <p>The URL of the app from the perspective of the identity provider (IdP). The IdP sends the user and token here after the user has signed in to the IdP. ΓÇÄThis is also known as **SAML assertion consumer endpoint**.| Select the **Endpoints** tab| Open Basic SAML Configuration from SAML based sign-on| Destination element in the SAML token. Example value: `https://contoso.my.salesforce.com` |
-| **App sign-out URL** <p>This is the URL to which sign-out cleanup requests are sent when a user signs out from an app. The IdP sends the request to sign out the user from all other apps as well.| Select the **Endpoints** tab| Open Basic SAML Configuration from SAML based sign-on| N/A |
-| **App identifier** <p>This is the app identifier from the IdP's perspective. The sign-on URL value is often used for the identifier (but not always). ΓÇÄSometimes the app calls this the "entity ID."| Select the **Identifiers** tab|Open Basic SAML Configuration from SAML based sign-on| Maps to the **Audience** element in the SAML token. |
-| **App federation metadata** <p>This is the location of the app's federation metadata. The IdP uses it to automatically update specific configuration settings, such as endpoints or encryption certificates.| Select the **Monitoring** tab| N/A. Microsoft Entra ID doesn't support consuming application federation metadata directly. You can manually import the federation metadata.| N/A |
-| **User Identifier/ Name ID** <p>Attribute that is used to uniquely indicate the user identity from Microsoft Entra ID or AD FS to your app. ΓÇÄThis attribute is typically either the UPN or the email address of the user.| Claim rules. In most cases, the claim rule issues a claim with a type that ends with the **NameIdentifier**.| You can find the identifier under the header **User Attributes and Claims**. By default, the UPN is used| Maps to the **NameID** element in the SAML token. |
-| **Other claims** <p>Examples of other claim information that is commonly sent from the IdP to the app include first name, last name, email address, and group membership.| In AD FS, you can find this as other claim rules on the relying party.| You can find the identifier under the header **User Attributes & Claims**. Select **View** and edit all other user attributes.| N/A |
+| **App sign-on URL** <p> The URL for the user to sign in to the app in a SAML flow initiated by a Service Provider (SP).| N/A| Open Basic SAML Configuration from SAML based sign-on| N/A |
+| **App reply URL** <p> The URL of the app from the perspective of the identity provider (IdP). The IdP sends the user and token here after the user has signed in to the IdP. This is also known as **SAML assertion consumer endpoint**.| Select the **Endpoints** tab| Open Basic SAML Configuration from SAML based sign-on| Destination element in the SAML token. Example value: `https://contoso.my.salesforce.com` |
+| **App sign-out URL** <p> This is the URL to which sign-out cleanup requests are sent when a user signs out from an app. The IdP sends the request to sign out the user from all other apps as well.| Select the **Endpoints** tab| Open Basic SAML Configuration from SAML based sign-on| N/A |
+| **App identifier** <p> This is the app identifier from the IdP's perspective. The sign-on URL value is often used for the identifier (but not always). Sometimes the app calls this the *entity ID.* | Select the **Identifiers** tab|Open Basic SAML Configuration from SAML based sign-on| Maps to the **Audience** element in the SAML token. |
+| **App federation metadata** <p> This is the location of the app's federation metadata. The IdP uses it to automatically update specific configuration settings, such as endpoints or encryption certificates.| Select the **Monitoring** tab| N/A. Microsoft Entra ID doesn't support consuming application federation metadata directly. You can manually import the federation metadata.| N/A |
+| **User Identifier/ Name ID** <p> Attribute that is used to uniquely indicate the user identity from Microsoft Entra ID or AD FS to your app. This attribute is typically either the UPN or the email address of the user.| Claim rules. In most cases, the claim rule issues a claim with a type that ends with the **NameIdentifier**.| You can find the identifier under the header **User Attributes and Claims**. By default, the UPN is used| Maps to the **NameID** element in the SAML token. |
+| **Other claims** <p> Examples of other claim information that is commonly sent from the IdP to the app include first name, last name, email address, and group membership.| In AD FS, you can find this as other claim rules on the relying party.| You can find the identifier under the header **User Attributes & Claims**. Select **View** and edit all other user attributes.| N/A |
### Map Identity Provider (IdP) settings Configure your applications to point to Microsoft Entra ID versus AD FS for SSO. Here, we're focusing on SaaS apps that use the SAML protocol. However, this concept extends to custom line-of-business apps as well. > [!NOTE]
-> The configuration values for Microsoft Entra ID follows the pattern where your Azure Tenant ID replaces {tenant-id} and the Application ID replaces {application-id}. You find this information in the [Microsoft Entra admin center](https://entra.microsoft.com/#home) under **Microsoft Entra ID > Properties**:
+> The configuration values for Microsoft Entra ID follows the pattern where your Azure Tenant ID replaces `{tenant-id}` and the Application ID replaces {application-id}. You find this information in the [Microsoft Entra admin center](https://entra.microsoft.com/#home) under **Microsoft Entra ID > Properties**:
* Select Directory ID to see your Tenant ID. * Select Application ID to see your Application ID.
Configure your applications to point to Microsoft Entra ID versus AD FS for SSO.
| Element| Configuration Value | | - | - |
-| Identity provider issuer| https:\//sts.windows.net/{tenant-id}/ |
-| Identity provider sign-in URL| [https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) |
-| Identity provider sign-out URL| [https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) |
-| Federation metadata location| [https://login.windows.net/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={application-id}](https://login.windows.net/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={application-id}) |
+| Identity provider issuer| `https://sts.windows.net/{tenant-id}/` |
+| Identity provider sign-in URL| `https://login.microsoftonline.com/{tenant-id}/saml2` |
+| Identity provider sign-out URL| `https://login.microsoftonline.com/{tenant-id}/saml2` |
+| Federation metadata location| `https://login.windows.net/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={application-id}` |
## Map SSO settings for SaaS apps
-SaaS apps need to know where to send authentication requests and how to validate the received tokens. The following table describes the elements to configure SSO settings in the app, and their values or locations within AD FS and Microsoft Entra ID
+SaaS apps need to know where to send authentication requests and how to validate the received tokens. The following table describes the elements to configure SSO settings in the app, and their values or locations within AD FS and Microsoft Entra ID.
| Configuration setting| AD FS| How to configure in Microsoft Entra ID | | - | - | - |
-| **IdP Sign-on URL** <p>Sign-on URL of the IdP from the app's perspective (where the user is redirected for sign-in).| The AD FS sign-on URL is the AD FS federation service name followed by "/adfs/ls/." <p>For example: `https://fs.contoso.com/adfs/ls/`| Replace {tenant-id} with your tenant ID. <p> ΓÇÄFor apps that use the SAML-P protocol: [https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) <p>ΓÇÄFor apps that use the WS-Federation protocol: [https://login.microsoftonline.com/{tenant-id}/wsfed](https://login.microsoftonline.com/{tenant-id}/wsfed) |
-| **IdP sign-out URL**<p>Sign-out URL of the IdP from the app's perspective (where the user is redirected when they choose to sign out of the app).| The sign-out URL is either the same as the sign-on URL, or the same URL with "wa=wsignout1.0" appended. For example: `https://fs.contoso.com/adfs/ls/?wa=wsignout1.0`| Replace {tenant-id} with your tenant ID.<p>For apps that use the SAML-P protocol:<p>[https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) <p> ΓÇÄFor apps that use the WS-Federation protocol: [https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0](https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0) |
-| **Token signing certificate**<p>The IdP uses the private key of the certificate to sign issued tokens. It verifies that the token came from the same IdP that the app is configured to trust.| Find the AD FS token signing certificate in AD FS Management under **Certificates**.| Find it in the Microsoft Entra admin center in the application's **Single sign-on properties** under the header **SAML Signing Certificate**. There, you can download the certificate for upload to the app. <p>ΓÇÄIf the application has more than one certificate, you can find all certificates in the federation metadata XML file. |
-| **Identifier/ "issuer"**<p>Identifier of the IdP from the app's perspective (sometimes called the "issuer ID").<p>ΓÇÄIn the SAML token, the value appears as the Issuer element.| The identifier for AD FS is usually the federation service identifier in AD FS Management under **Service > Edit Federation Service Properties**. For example: `http://fs.contoso.com/adfs/services/trust`| Replace {tenant-id} with your tenant ID.<p>https:\//sts.windows.net/{tenant-id}/ |
-| **IdP federation metadata**<p>Location of the IdP's publicly available federation metadata. (Some apps use federation metadata as an alternative to the administrator configuring URLs, identifier, and token signing certificate individually.)| Find the AD FS federation metadata URL in AD FS Management under **Service > Endpoints > Metadata > Type: Federation Metadata**. For example: `https://fs.contoso.com/FederationMetadat). |
+| **IdP Sign-on URL** <p> Sign-on URL of the IdP from the app's perspective (where the user is redirected for sign-in).| The AD FS sign-on URL is the AD FS federation service name followed by `/adfs/ls/`. <p> For example: `https://fs.contoso.com/adfs/ls/`| Replace `{tenant-id}` with your tenant ID. <p> For apps that use the SAML-P protocol: `https://login.microsoftonline.com/{tenant-id}/saml2` <p> For apps that use the WS-Federation protocol: `https://login.microsoftonline.com/{tenant-id}/wsfed` |
+| **IdP sign-out URL** <p> Sign-out URL of the IdP from the app's perspective (where the user is redirected when they choose to sign out of the app).| The sign-out URL is either the same as the sign-on URL, or the same URL with `wa=wsignout1.0` appended. For example: `https://fs.contoso.com/adfs/ls/?wa=wsignout1.0`| Replace `{tenant-id}` with your tenant ID. <p> For apps that use the SAML-P protocol: <p> `https://login.microsoftonline.com/{tenant-id}/saml2` <p> For apps that use the WS-Federation protocol: `https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0` |
+| **Token signing certificate** <p> The IdP uses the private key of the certificate to sign issued tokens. It verifies that the token came from the same IdP that the app is configured to trust.| Find the AD FS token signing certificate in AD FS Management under **Certificates**.| Find it in the Microsoft Entra admin center in the application's **Single sign-on properties** under the header **SAML Signing Certificate**. There, you can download the certificate for upload to the app. <p> If the application has more than one certificate, you can find all certificates in the federation metadata XML file. |
+| **Identifier/ "issuer"** <p> Identifier of the IdP from the app's perspective (sometimes called the "issuer ID"). <p> In the SAML token, the value appears as the Issuer element.| The identifier for AD FS is usually the federation service identifier in AD FS Management under **Service > Edit Federation Service Properties**. For example: `http://fs.contoso.com/adfs/services/trust`| Replace `{tenant-id}` with your tenant ID. <p> `https://sts.windows.net/{tenant-id}/` |
+| **IdP federation metadata** <p> Location of the IdP's publicly available federation metadata. (Some apps use federation metadata as an alternative to the administrator configuring URLs, identifier, and token signing certificate individually.)| Find the AD FS federation metadata URL in AD FS Management under **Service > Endpoints > Metadata > Type: Federation Metadata**. For example: `https://fs.contoso.com/FederationMetadat). |
## Next steps
active-directory Migrate Okta Sign On Policies Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sign-on-policies-conditional-access.md
In this tutorial, learn to migrate an organization from global or application-level sign-on policies in Okta Conditional Access in Microsoft Entra ID. Conditional Access policies secure user access in Microsoft Entra ID and connected applications.
-Learn more: [What is Conditional Access?](/azure/active-directory/conditional-access/overview)
+Learn more: [What is Conditional Access?](../conditional-access/overview.md)
This tutorial assumes you have:
See the following two sections for licensing and credentials prerequisites.
There are licensing requirements if you switch from Okta sign-on to Conditional Access. The process requires a Microsoft Entra ID P1 license to enable registration for Microsoft Entra multifactor authentication.
-Learn more: [Assign or remove licenses in the Microsoft Entra admin center](/azure/active-directory/fundamentals/license-users-groups)
+Learn more: [Assign or remove licenses in the Microsoft Entra admin center](../fundamentals/license-users-groups.md)
### Enterprise Administrator credentials
Microsoft Entra hybrid join is a replacement for Okta device trust on Windows. C
If you deployed Microsoft Entra hybrid join, you can deploy another group policy to complete auto-enrollment of these devices in Intune.
-* [Enrollment in Microsoft Intune](/mem/intune/enrollment/)
+* [Enrollment in Microsoft Intune](/mem/intune/)
* [Quickstart: Set up automatic enrollment for Windows 10/11 devices](/mem/intune/enrollment/quickstart-setup-auto-enrollment)
-* [Enroll Android devices](/mem/intune/enrollment/android-enroll)
-* [Enroll iOS/iPadOS devices in Intune](/mem/intune/enrollment/ios-enroll)
+* [Enroll Android devices](/mem/intune/fundamentals/deployment-guide-enrollment-android)
+* [Enroll iOS/iPadOS devices in Intune](/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados)
<a name='configure-azure-ad-multi-factor-authentication-tenant-settings'></a>
Before you get started:
![Screenshot of the Keep you account secure dialog with the success message.](media/migrate-okta-sign-on-policies-conditional-access/success-test-user.png)
-5. After you configure the location-based policy and device trust policy, [Block legacy authentication with Microsoft Entra ID with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication).
+5. After you configure the location-based policy and device trust policy, [Block legacy authentication with Microsoft Entra ID with Conditional Access](../conditional-access/block-legacy-authentication.md).
With these three Conditional Access policies, the original Okta sign-on policies experience is replicated in Microsoft Entra ID.
active-directory Myapps Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/myapps-overview.md
Previously updated : 11/24/2022 Last updated : 10/18/2023
Properties that are defined for an application can affect how the user interacts
- **Name** - The name of the application that users see on the My Apps portal. Administrators see the name when they manage access to the application. - **Homepage URL** -The URL that is launched when the application is selected in the My Apps portal. - **Logo** - The application logo that users see on the My Apps portal.-- **Visible to users** - Makes the application visible in the My Apps portal. When this value is set to **Yes**, applications may still not appear in the My Apps portal if they donΓÇÖt yet have users or groups assigned to it. Only assigned users are able to see the application in the My Apps portal.
+- **Visible to users** - Makes the application visible in the My Apps portal. When this value is set to **Yes**, applications still don't appear in the My Apps portal if they donΓÇÖt yet have users or groups assigned to it. Only assigned users are able to see the application in the My Apps portal.
For more information, see [Properties of an enterprise application](application-properties.md).
When signed in to the [My Apps](https://myapps.microsoft.com) portal, the applic
In the My Apps portal, to search for an application, enter an application name in the search box at the top of the page to find an application. The applications that are listed can be formatted in **List view** or a **Grid view**.
+> [!NOTE]
+> End users are no longer be able to add password SSO apps in My Apps. If you need to add a password SSO app for your end users, you can do so in the Microsoft Entra admin center. For more information, see [Add an application for password-based single sign-on](configure-password-single-sign-on-non-gallery-applications.md).
+ :::image type="content" source="./media/myapps-overview/myapp-app-list.png" alt-text="Screenshot that shows the search box for the My Apps portal."::: > [!IMPORTANT]
Applications can be hidden. For more information, see [Hide an Enterprise applic
## Assign company branding
-In the Microsoft Entra admin center, define the logo and name for the application to represent company branding in the My Apps portal. The banner logo appears at the top of the page, such as the Contoso demo logo shown below.
+In the Microsoft Entra admin center, define the logo and name for the application to represent company branding in the My Apps portal. The banner logo appears at the top of the page, such as the following Contoso demo logo.
:::image type="content" source="./media/myapps-overview/banner-logo.png" alt-text="Screenshot that shows the banner logo in the My Apps portal.":::
For more information, see [Add branding to your organization's sign-in page](../
## Manage access to applications
-Multiple factors affect how and whether an application can be accessed by users. Permissions that are assigned to the application can affect what can be done with it. Applications can be configured to allow self-service access, or access may be only granted by an administrator of the tenant.
+Multiple factors affect how and whether an application can be accessed by users. Permissions that are assigned to the application can affect what can be done with it. Applications can be configured to allow self-service access, or access can be only granted by an administrator of the tenant.
### My Apps Secure Sign-in Extension
To integrate these applications, define a mechanism to deploy the extension at s
- User-driven download and configuration for Chrome, Microsoft Edge, or IE - Configuration Manager for Internet Explorer
-The extension allows users to launch any application from its search bar, finding access to recently used applications, and having a link to the My Apps portal. For applications that use password-based SSO or accessed by using Microsoft Entra application proxy, use Microsoft Edge mobile. For other applications, any mobile browser can be used. Be sure to enable password-based SSO in the mobile settings, which can be off by default. For example, **Settings -> Privacy and Security -> Microsoft Entra Password SSO**.
+The extension allows users to launch any application from its search bar, find access to recently used applications, and have a link to the My Apps portal. For applications that use password-based SSO or accessed by using Microsoft Entra application proxy, use Microsoft Edge mobile. For other applications, any mobile browser can be used. Be sure to enable password-based SSO in the mobile settings, which can be off by default. For example, **Settings > Privacy and Security > Microsoft Entra Password SSO**.
To download and install the extension:
active-directory Plan An Application Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/plan-an-application-integration.md
Before integrating applications with Microsoft Entra ID, it is important to know
### Access management inventory
-* How do you currently manage user access to applications? Does that need to change? Have you considered other ways to manage access, such as with [Azure RBAC](../../role-based-access-control/role-assignments-portal.md) for example?
+* How do you currently manage user access to applications? Does that need to change? Have you considered other ways to manage access, such as with [Azure RBAC](/azure/role-based-access-control/role-assignments-portal) for example?
* Who needs access to what? Maybe you don't have the answers to all of these questions up front but that's okay. This guide can help you answer some of those questions and make some informed decisions.
Maybe you don't have the answers to all of these questions up front but that's o
### Find unsanctioned cloud applications with Cloud Discovery As mentioned above, there may be applications that haven't been managed by your organization until now. As part of the inventory process, it is possible to find unsanctioned cloud applications. See
-[Set up Cloud Discovery](/cloud-app-security/set-up-cloud-discovery).
+[Set up Cloud Discovery](/defender-cloud-apps/set-up-cloud-discovery).
<a name='integrating-applications-with-azure-ad'></a>
active-directory Protect Against Consent Phishing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/protect-against-consent-phishing.md
Administrators should be in control of application use by providing the right in
- Educate your organization on how our permissions and consent framework works: - Understand the data and the permissions an application is asking for and understand how [permissions and consent](../develop/permissions-consent-overview.md) works within the platform. - Make sure that administrators know how to [manage and evaluate consent requests](./manage-consent-requests.md).
- - Routinely [audit applications and consented permissions](../../security/fundamentals/steps-secure-identity.md#audit-apps-and-consented-permissions) in the organization to make sure that applications are accessing only the data they need and are adhering to the principles of least privilege.
+ - Routinely [audit applications and consented permissions](/azure/security/fundamentals/steps-secure-identity#audit-apps-and-consented-permissions) in the organization to make sure that applications are accessing only the data they need and are adhering to the principles of least privilege.
- Know how to spot and block common consent phishing tactics: - Check for poor spelling and grammar. If an email message or the consent screen of the application has spelling and grammatical errors, it's likely a suspicious application. In that case, report it directly on the [consent prompt](../develop/application-consent-experience.md#building-blocks-of-the-consent-prompt) with the **Report it here** link and Microsoft will investigate if it's a malicious application and disable it, if confirmed. - Don't rely on application names and domain URLs as a source of authenticity. Attackers like to spoof application names and domains that make it appear to come from a legitimate service or company to drive consent to a malicious application. Instead, validate the source of the domain URL and use applications from [verified publishers](../develop/publisher-verification-overview.md) when possible.
- - Block [consent phishing emails with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) by protecting against phishing campaigns where an attacker is impersonating a known user in the organization.
- - Configure Microsoft Defender for Cloud Apps policies to help manage abnormal application activity in the organization. For example, [activity policies](/cloud-app-security/user-activity-policies), [anomaly detection](/cloud-app-security/anomaly-detection-policy), and [OAuth app policies](/cloud-app-security/app-permission-policy).
+ - Block [consent phishing emails with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/anti-phishing-policies-about#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) by protecting against phishing campaigns where an attacker is impersonating a known user in the organization.
+ - Configure Microsoft Defender for Cloud Apps policies to help manage abnormal application activity in the organization. For example, [activity policies](/defender-cloud-apps/user-activity-policies), [anomaly detection](/defender-cloud-apps/anomaly-detection-policy), and [OAuth app policies](/defender-cloud-apps/app-permission-policy).
- Investigate and hunt for consent phishing attacks by following the guidance on [advanced hunting with Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview). - Allow access to trusted applications that meet certain criteria and protect against those applications that don't: - [Configure user consent settings](./configure-user-consent.md?tabs=azure-portal) to allow users to only consent to applications that meet certain criteria, such as applications developed by your organization or from verified publishers and only for low risk permissions you select. - Use applications that have been publisher verified. [Publisher verification](../develop/publisher-verification-overview.md) helps administrators and users understand the authenticity of application developers through a Microsoft supported vetting process. Even if an application does have a verified publisher, it is still important to review the consent prompt to understand and evaluate the request. For example, reviewing the permissions being requested to ensure they align with the scenario the app is requesting them to enable, additional app and publisher details on the consent prompt, etc.
- - Create proactive [application governance](/microsoft-365/compliance/app-governance-manage-app-governance) policies to monitor third-party application behavior on the Microsoft 365 platform to address common suspicious application behaviors.
+ - Create proactive [application governance](/defender-cloud-apps/app-governance-manage-app-governance) policies to monitor third-party application behavior on the Microsoft 365 platform to address common suspicious application behaviors.
## Next steps -- [Application consent grant investigation](/security/compass/incident-response-playbook-app-consent)
+- [Application consent grant investigation](/security/operations/incident-response-playbook-app-consent)
- [Managing access to applications](./what-is-access-management.md)-- [Restrict user consent operations in Microsoft Entra ID](../../security/fundamentals/steps-secure-identity.md#restrict-user-consent-operations)-- [Compromised and malicious applications investigation](/security/compass/incident-response-playbook-compromised-malicious-app)
+- [Restrict user consent operations in Microsoft Entra ID](/azure/security/fundamentals/steps-secure-identity#restrict-user-consent-operations)
+- [Compromised and malicious applications investigation](/security/operations/incident-response-playbook-compromised-malicious-app)
active-directory Secure Hybrid Access Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access-integrations.md
Microsoft Entra ID supports modern authentication protocols that help keep applications secure. However, many business applications work in a protected corporate network, and some use legacy authentication methods. As companies build Zero Trust strategies and support hybrid and cloud environments, there are solutions that connect apps to Microsoft Entra ID and provide authentication for legacy applications.
-Learn more: [Zero Trust security](../../security/fundamentals/zero-trust.md)
+Learn more: [Zero Trust security](/azure/security/fundamentals/zero-trust)
Microsoft Entra ID natively supports modern protocols:
We recommend use of the following APIs. Use Microsoft Entra ID to configure dele
* **Conditional Access API** - Apply Microsoft Entra Conditional Access policies to user applications * Permissions required: Policy.Read.All, Policy.ReadWrite.ConditionalAccess, and Application.Read.All
-Learn more [Use the Microsoft Graph API](/graph/use-the-api?context=graph%2Fapi%2F1.0&view=graph-rest-1.0&preserve-view=true)
+Learn more [Use the Microsoft Graph API](/graph/use-the-api?context=graph/api/1.0&view=graph-rest-1.0&preserve-view=true)
## Microsoft Graph API scenarios
active-directory Tenant Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tenant-restrictions.md
For Outlook on Windows, customers may choose to implement restrictions preventin
### Azure RMS and Office Message Encryption incompatibility
-The [Azure Rights Management Service](/azure/information-protection/what-is-azure-rms) (RMS) and [Office Message Encryption](/microsoft-365/compliance/ome) features aren't compatible with tenant restrictions. These features rely on signing your users into other tenants in order to get decryption keys for the encrypted documents. Because tenant restrictions blocks access to other tenants, encrypted mail and documents sent to your users from untrusted tenants won't be accessible.
+The [Azure Rights Management Service](/azure/information-protection/what-is-azure-rms) (RMS) and [Office Message Encryption](/purview/ome) features aren't compatible with tenant restrictions. These features rely on signing your users into other tenants in order to get decryption keys for the encrypted documents. Because tenant restrictions blocks access to other tenants, encrypted mail and documents sent to your users from untrusted tenants won't be accessible.
## Testing
Applications from Microsoft that support both consumer accounts and organization
Some organizations attempt to fix this by blocking `login.live.com` in order to block personal accounts from authenticating. This has several downsides: 1. Blocking `login.live.com` blocks the use of personal accounts in B2B guest scenarios, which can intrude on visitors and collaboration.
-1. [Autopilot requires the use of `login.live.com`](/mem/autopilot/networking-requirements) in order to deploy. Intune and Autopilot scenarios can fail when `login.live.com` is blocked.
-1. Organizational telemetry and Windows updates that rely on the login.live.com service for device IDs [cease to work](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
+1. [Autopilot requires the use of `login.live.com`](/autopilot/networking-requirements) in order to deploy. Intune and Autopilot scenarios can fail when `login.live.com` is blocked.
+1. Organizational telemetry and Windows updates that rely on the login.live.com service for device IDs [cease to work](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#feature-updates-are-not-being-offered-while-other-updates-are).
### Configuration for consumer apps
active-directory Tutorial Govern Monitor https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tutorial-govern-monitor.md
To access the sign-in logs report, go to **Identity** > **Monitoring & health**
## Send logs to Azure Monitor The Microsoft Entra activity logs only store information for a maximum of 30 days. Depending on your needs, you may require extra storage to back up the activity logs data. Using the Azure Monitor, you can archive the audit and sign logs to an Azure storage account to retain the data for a longer time.
-The Azure Monitor is also useful for rich visualization, monitoring and alerting of data. To learn more about the Azure Monitor and the cost considerations for extra storage, see [Microsoft Entra activity logs in Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md).
+The Azure Monitor is also useful for rich visualization, monitoring and alerting of data. To learn more about the Azure Monitor and the cost considerations for extra storage, see [Microsoft Entra activity logs in Azure Monitor](../reports-monitoring/concept-log-monitoring-integration-options-considerations.md).
To send logs to your logs analytics workspace:
active-directory Ways Users Get Assigned To Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/ways-users-get-assigned-to-applications.md
There are several ways a user can be assigned an application. Assignment can be
* An administrator enables [Self-service Group Management](../enterprise-users/groups-self-service-management.md) to allow a user to join a group that an application is assigned to **without business approval** * An administrator enables [Self-service Group Management](../enterprise-users/groups-self-service-management.md) to allow a user to join a group that an application is assigned to, but only **with prior approval from a selected set of business approvers** * One of the application's roles is included in an [entitlement management access package](../governance/entitlement-management-access-package-resources.md), and a user requests or is assigned to that access package
-* An administrator assigns a license to a user directly, for a Microsoft service such as [Microsoft 365](https://products.office.com/)
-* An administrator assigns a license to a group that the user is a member of, for a Microsoft service such as [Microsoft 365](https://products.office.com/)
+* An administrator assigns a license to a user directly, for a Microsoft service such as [Microsoft 365](https://www.microsoft.com/microsoft-365)
+* An administrator assigns a license to a group that the user is a member of, for a Microsoft service.
* A user [consents to an application](./user-admin-consent-overview.md#user-consent) on behalf of themselves. ## Next steps
active-directory How Manage User Assigned Managed Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md
In this article, you learn how to create, list, delete, or assign a role to a us
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
1. Sign in to the [Azure portal](https://portal.azure.com). 1. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
To create a user-assigned managed identity, your account needs the [Managed Iden
## List user-assigned managed identities
-To list or read a user-assigned managed identity, your account needs to have either [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) or [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignments.
+To list or read a user-assigned managed identity, your account needs to have either [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) or [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignments.
1. Sign in to the [Azure portal](https://portal.azure.com). 1. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
To list or read a user-assigned managed identity, your account needs to have eit
## Delete a user-assigned managed identity
-To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
Deleting a user-assigned identity doesn't remove it from the VM or resource it was assigned to. To remove the user-assigned identity from a VM, see [Remove a user-assigned managed identity from a VM](qs-configure-portal-windows-vm.md#remove-a-user-assigned-managed-identity-from-a-vm).
Deleting a user-assigned identity doesn't remove it from the VM or resource it w
## Manage access to user-assigned managed identities
-In some environments, administrators choose to limit who can manage user-assigned managed identities. Administrators can implement this limitation using [built-in](../../role-based-access-control/built-in-roles.md#identity) RBAC roles. You can use these roles to grant a user or group in your organization rights over a user-assigned managed identity.
+In some environments, administrators choose to limit who can manage user-assigned managed identities. Administrators can implement this limitation using [built-in](/azure/role-based-access-control/built-in-roles#identity) RBAC roles. You can use these roles to grant a user or group in your organization rights over a user-assigned managed identity.
1. Sign in to the [Azure portal](https://portal.azure.com). 1. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
In some environments, administrators choose to limit who can manage user-assigne
1. Choose who should have the role assigned. >[!NOTE]
->You can find information on assigning roles to managed identities in [Assign a managed identity access to a resource by using the Azure portal](../../role-based-access-control/role-assignments-portal-managed-identity.md)
+>You can find information on assigning roles to managed identities in [Assign a managed identity access to a resource by using the Azure portal](/azure/role-based-access-control/role-assignments-portal-managed-identity)
::: zone-end
In this article, you learn how to create, list, delete, or assign a role to a us
## Create a user-assigned managed identity
-To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
Use the [az identity create](/cli/azure/identity#az-identity-create) command to create a user-assigned managed identity. The `-g` parameter specifies the resource group where to create the user-assigned managed identity. The `-n` parameter specifies its name. Replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values.
az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
``` ## List user-assigned managed identities
-To list or read a user-assigned managed identity, your account needs the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) or [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To list or read a user-assigned managed identity, your account needs the [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) or [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
To list user-assigned managed identities, use the [az identity list](/cli/azure/identity#az-identity-list) command. Replace the `<RESOURCE GROUP>` value with your own value.
In the JSON response, user-assigned managed identities have the `"Microsoft.Mana
## Delete a user-assigned managed identity
-To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
To delete a user-assigned managed identity, use the [az identity delete](/cli/azure/identity#az-identity-delete) command. The -n parameter specifies its name. The -g parameter specifies the resource group where the user-assigned managed identity was created. Replace the `<USER ASSIGNED IDENTITY NAME>` and `<RESOURCE GROUP>` parameter values with your own values.
In this article, you learn how to create, list, delete, or assign a role to a us
- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). *Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#managed-identity-types)*. - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue. - To run the example scripts, you have two options:
- - Use [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open by using the **Try It** button in the upper-right corner of code blocks.
+ - Use [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open by using the **Try It** button in the upper-right corner of code blocks.
- Run scripts locally with Azure PowerShell, as described in the next section. In this article, you learn how to create, list, and delete a user-assigned managed identity by using PowerShell.
To use Azure PowerShell locally for this article instead of using Cloud Shell:
## Create a user-assigned managed identity
-To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
To create a user-assigned managed identity, use the `New-AzUserAssignedIdentity` command. The `ResourceGroupName` parameter specifies the resource group where to create the user-assigned managed identity. The `-Name` parameter specifies its name. Replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values.
New-AzUserAssignedIdentity -ResourceGroupName <RESOURCEGROUP> -Name <USER ASSIGN
## List user-assigned managed identities
-To list or read a user-assigned managed identity, your account needs the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) or [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To list or read a user-assigned managed identity, your account needs the [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) or [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
To list user-assigned managed identities, use the [Get-AzUserAssigned] command. The `-ResourceGroupName` parameter specifies the resource group where the user-assigned managed identity was created. Replace the `<RESOURCE GROUP>` value with your own value.
In the response, user-assigned managed identities have the `"Microsoft.ManagedId
## Delete a user-assigned managed identity
-To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
To delete a user-assigned managed identity, use the `Remove-AzUserAssignedIdentity` command. The `-ResourceGroupName` parameter specifies the resource group where the user-assigned identity was created. The `-Name` parameter specifies its name. Replace the `<RESOURCE GROUP>` and the `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values.
Remove-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER AS
## Next steps
-For a full list and more details of the Azure PowerShell managed identities for Azure resources commands, see [Az.ManagedServiceIdentity](/powershell/module/az.managedserviceidentity#managed_service_identity).
+For a full list and more details of the Azure PowerShell managed identities for Azure resources commands, see [Az.ManagedServiceIdentity](/powershell/module/az.managedserviceidentity/#managed_service_identity).
Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets. ::: zone-end
In this article, you create a user-assigned managed identity by using Azure Reso
You can't list and delete a user-assigned managed identity by using a Resource Manager template. See the following articles to create and list a user-assigned managed identity: -- [List user-assigned managed identity](how-to-manage-ua-identity-cli.md#list-user-assigned-managed-identities)-- [Delete user-assigned managed identity](how-to-manage-ua-identity-cli.md#delete-a-user-assigned-managed-identity)-
+- [List user-assigned managed identity](./how-to-manage-ua-identity-cli.md#list-user-assigned-managed-identities)
+- [Delete user-assigned managed identity](./how-to-manage-ua-identity-cli.md#delete-a-user-assigned-managed-identity)
## Template creation and editing Resource Manager templates help you deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based. You can: -- Use a [custom template from Azure Marketplace](../../azure-resource-manager/templates/deploy-portal.md#deploy-resources-from-custom-template) to create a template from scratch or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).-- Derive from an existing resource group by exporting a template. You can export them from either [the original deployment](../../azure-resource-manager/management/manage-resource-groups-portal.md#export-resource-groups-to-templates) or from the [current state of the deployment](../../azure-resource-manager/management/manage-resource-groups-portal.md#export-resource-groups-to-templates).-- Use a local [JSON editor (such as VS Code)](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md), and then upload and deploy by using PowerShell or the Azure CLI.-- Use the Visual Studio [Azure Resource Group project](../../azure-resource-manager/templates/create-visual-studio-deployment-project.md) to create and deploy a template.
+- Use a [custom template from Azure Marketplace](/azure/azure-resource-manager/templates/deploy-portal#deploy-resources-from-custom-template) to create a template from scratch or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).
+- Derive from an existing resource group by exporting a template. You can export them from either [the original deployment](/azure/azure-resource-manager/management/manage-resource-groups-portal#export-resource-groups-to-templates) or from the [current state of the deployment](/azure/azure-resource-manager/management/manage-resource-groups-portal#export-resource-groups-to-templates).
+- Use a local [JSON editor (such as VS Code)](/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal), and then upload and deploy by using PowerShell or the Azure CLI.
+- Use the Visual Studio [Azure Resource Group project](/azure/azure-resource-manager/templates/create-visual-studio-deployment-project) to create and deploy a template.
## Create a user-assigned managed identity
-To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
To create a user-assigned managed identity, use the following template. Replace the `<USER ASSIGNED IDENTITY NAME>` value with your own values.
In this article, you learn how to create, list, and delete a user-assigned manag
- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). *Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#managed-identity-types)*. - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue. - You can run all the commands in this article either in the cloud or locally:
- - To run in the cloud, use [Azure Cloud Shell](../../cloud-shell/overview.md).
- - To run locally, install [curl](https://curl.haxx.se/download.html) and the [Azure CLI](/cli/azure/install-azure-cli).
+ - To run in the cloud, use [Azure Cloud Shell](/azure/cloud-shell/overview).
+ - To run locally, install [curl](https://curl.se/download.html) and the [Azure CLI](/cli/azure/install-azure-cli).
In this article, you learn how to create, list, and delete a user-assigned managed identity by using CURL to make REST API calls.
In this article, you learn how to create, list, and delete a user-assigned manag
## Create a user-assigned managed identity
-To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To create a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
[!INCLUDE [ua-character-limit](~/includes/managed-identity-ua-character-limits.md)]
s/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<U
## List user-assigned managed identities
-To list or read a user-assigned managed identity, your account needs the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) or [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To list or read a user-assigned managed identity, your account needs the [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) or [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
```bash curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities?api-version=2015-08-31-preview' -H "Authorization: Bearer <ACCESS TOKEN>"
GET https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/
## Delete a user-assigned managed identity
-To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.
+To delete a user-assigned managed identity, your account needs the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
> [!NOTE] > Deleting a user-assigned managed identity won't remove the reference from any resource it was assigned to. To remove a user-assigned managed identity from a VM by using CURL, see [Remove a user-assigned identity from an Azure VM](qs-configure-rest-vm.md#remove-a-user-assigned-managed-identity-from-an-azure-vm).
active-directory How Managed Identities Work Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md
The following table shows the differences between the system-assigned and user-a
2. Azure Resource Manager creates a service principal in Microsoft Entra ID for the identity of the VM. The service principal is created in the Microsoft Entra tenant that's trusted by the subscription.
-3. Azure Resource Manager updates the VM identity using the Azure Instance Metadata Service identity endpoint (for [Windows](../../virtual-machines/windows/instance-metadata-service.md) and [Linux](../../virtual-machines/linux/instance-metadata-service.md)), providing the endpoint with the service principal client ID and certificate.
+3. Azure Resource Manager updates the VM identity using the Azure Instance Metadata Service identity endpoint (for [Windows](/azure/virtual-machines/windows/instance-metadata-service) and [Linux](/azure/virtual-machines/linux/instance-metadata-service)), providing the endpoint with the service principal client ID and certificate.
4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use Azure Role-Based Access Control (Azure RBAC) to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
active-directory How To Assign App Role Managed Identity Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md
In this article, you learn how to assign a managed identity to an application ro
- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#managed-identity-types)**. - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing. - To run the example scripts, you have two options:
- - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.
+ - Use the [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open using the **Try It** button on the top-right corner of code blocks.
- Run scripts locally by installing the latest version of the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). ## Assign a managed identity access to another application's app role
active-directory How To Assign Managed Identity Via Azure Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-assign-managed-identity-via-azure-policy.md
# [Preview] Use Azure Policy to assign managed identities
-[Azure Policy](../../governance/policy/overview.md) helps enforce organizational standards and assess compliance at scale. Through its compliance dashboard, Azure policy provides an aggregated view that helps administrators evaluate the overall state of the environment. You have the ability to drill down to the per-resource, per-policy granularity. It also helps bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. Common use cases for Azure Policy include implementing governance for:
+[Azure Policy](/azure/governance/policy/overview) helps enforce organizational standards and assess compliance at scale. Through its compliance dashboard, Azure policy provides an aggregated view that helps administrators evaluate the overall state of the environment. You have the ability to drill down to the per-resource, per-policy granularity. It also helps bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. Common use cases for Azure Policy include implementing governance for:
- Resource consistency - Regulatory compliance
For example, if the policy in this document is updating the managed identities o
## Next steps -- [Deploy Azure Monitor Agent](../../azure-monitor/agents/azure-monitor-agent-manage.md#use-azure-policy)
+- [Deploy Azure Monitor Agent](/azure/azure-monitor/agents/azure-monitor-agent-manage#use-azure-policy)
active-directory How To Managed Identity Regional Move https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-managed-identity-regional-move.md
Moving User-assigned managed identities across Azure regions isn't supported. Y
## Prepare and move
-1. Copy user-assigned managed identity assigned permissions. You can list [Azure role assignments](../../role-based-access-control/role-assignments-list-powershell.md) but that may not be enough depending on how permissions were granted to the user-assigned managed identity. You should confirm that your solution doesn't depend on permissions granted using a service specific option.
+1. Copy user-assigned managed identity assigned permissions. You can list [Azure role assignments](/azure/role-based-access-control/role-assignments-list-powershell) but that may not be enough depending on how permissions were granted to the user-assigned managed identity. You should confirm that your solution doesn't depend on permissions granted using a service specific option.
1. Create a [new user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-powershell#create-a-user-assigned-managed-identity-2) at the target region.
-1. Grant the managed identity the same permissions as the original identity that it's replacing, including Group membership. You can review [Assign Azure roles to a managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.md), and [Group membership](../fundamentals/groups-view-azure-portal.md).
+1. Grant the managed identity the same permissions as the original identity that it's replacing, including Group membership. You can review [Assign Azure roles to a managed identity](/azure/role-based-access-control/role-assignments-portal-managed-identity), and [Group membership](../fundamentals/groups-view-azure-portal.md).
1. Specify the new identity in the properties of the resource instance that uses the newly created user assigned managed identity. ## Verify
active-directory How To Use Vm Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md
Using the Azure identity client library is the recommended way to use managed id
## Get a token using the Microsoft.Azure.Services.AppAuthentication library for .NET
-For .NET applications and functions, the simplest way to work with managed identities for Azure resources is through the Microsoft.Azure.Services.AppAuthentication package. This library will also allow you to test your code locally on your development machine. You can test your code using your user account from Visual Studio, the [Azure CLI](/cli/azure), or Active Directory Integrated Authentication. For more on local development options with this library, see the [Microsoft.Azure.Services.AppAuthentication reference](/dotnet/api/overview/azure/service-to-service-authentication). This section shows you how to get started with the library in your code.
+For .NET applications and functions, the simplest way to work with managed identities for Azure resources is through the Microsoft.Azure.Services.AppAuthentication package. This library will also allow you to test your code locally on your development machine. You can test your code using your user account from Visual Studio, the [Azure CLI](/cli/azure/), or Active Directory Integrated Authentication. For more on local development options with this library, see the [Microsoft.Azure.Services.AppAuthentication reference](/dotnet/api/overview/azure/service-to-service-authentication). This section shows you how to get started with the library in your code.
1. Add references to the [Microsoft.Azure.Services.AppAuthentication](https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication) and [Microsoft.Azure.KeyVault](https://www.nuget.org/packages/Microsoft.Azure.KeyVault) NuGet packages to your application.
active-directory How To View Managed Identity Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-activity.md
System-assigned identity:
## Next steps * [Managed identities for Azure resources](./overview.md)
-* [Azure Activity log](../../azure-monitor/essentials/activity-log.md)
+* [Azure Activity log](/azure/azure-monitor/essentials/activity-log)
* [Microsoft Entra sign-in log](../reports-monitoring/concept-sign-ins.md)
active-directory How To View Managed Identity Service Principal Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-cli.md
If you don't already have an Azure account, [sign up for a free account](https:/
- If you're unfamiliar with managed identities for Azure resources, see [What are managed identities for Azure resources?](overview.md). -- Enable [system assigned identity on a virtual machine](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity) or [application](../../app-service/overview-managed-identity.md#add-a-system-assigned-identity).
+- Enable [system assigned identity on a virtual machine](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity) or [application](/azure/app-service/overview-managed-identity#add-a-system-assigned-identity).
[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
active-directory How To View Managed Identity Service Principal Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-portal.md
In this article, you learn how to view the service principal of a managed identi
- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/).-- Enable [system assigned identity on a virtual machine](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity) or [application](../../app-service/overview-managed-identity.md#add-a-system-assigned-identity).
+- Enable [system assigned identity on a virtual machine](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity) or [application](/azure/app-service/overview-managed-identity#add-a-system-assigned-identity).
## View the service principal
active-directory How To View Managed Identity Service Principal Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-view-managed-identity-service-principal-powershell.md
In this article, you learn how to view the service principal of a managed identi
- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/).-- Enable [system assigned identity on a virtual machine](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity) or [application](../../app-service/overview-managed-identity.md#add-a-system-assigned-identity).
+- Enable [system assigned identity on a virtual machine](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity) or [application](/azure/app-service/overview-managed-identity#add-a-system-assigned-identity).
- To run the example scripts, you have two options:
- - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top right corner of code blocks.
+ - Use the [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open using the **Try It** button on the top right corner of code blocks.
- Run scripts locally by installing the latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell), then sign in to Azure using `Connect-AzAccount`. ## View the service principal
active-directory Howto Assign Access Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/howto-assign-access-cli.md
If you don't already have an Azure account, [sign up for a free account](https:/
After you've enabled managed identity on an Azure resource, such as an [Azure virtual machine](qs-configure-cli-windows-vm.md) or [Azure virtual machine scale set](qs-configure-cli-windows-vmss.md):
-1. In this example, we are giving an Azure virtual machine access to a storage account. First we use [az resource list](/cli/azure/resource/#az-resource-list) to get the service principal for the virtual machine named myVM:
+1. In this example, we are giving an Azure virtual machine access to a storage account. First we use [az resource list](/cli/azure/resource#az-resource-list) to get the service principal for the virtual machine named myVM:
```azurecli-interactive spID=$(az resource list -n myVM --query [*].identity.principalId --out tsv)
active-directory Howto Assign Access Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/howto-assign-access-portal.md
After you've enabled managed identity on an Azure resource, such as an [Azure VM
1. Select **Add** > **Add role assignment** to open the Add role assignment page.
-1. Select the role and managed identity. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+1. Select the role and managed identity. For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
active-directory Howto Assign Access Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/howto-assign-access-powershell.md
Once you've configured an Azure resource with a managed identity, you can give t
- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#managed-identity-types)**. - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing. - To run the example scripts, you have two options:
- - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.
+ - Use the [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open using the **Try It** button on the top-right corner of code blocks.
- Run scripts locally by installing the latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell), then sign in to Azure using `Connect-AzAccount`. ## Use Azure RBAC to assign a managed identity access to another resource 1. Enable managed identity on an Azure resource, [such as an Azure VM](qs-configure-powershell-windows-vm.md).
-1. In this example, we are giving an Azure VM access to a storage account. First we use [Get-AzVM](/powershell/module/az.compute/get-azvm) to get the service principal for the VM named `myVM`, which was created when we enabled managed identity. Then, use [New-AzRoleAssignment](/powershell/module/Az.Resources/New-AzRoleAssignment) to give the VM **Reader** access to a storage account called `myStorageAcct`:
+1. In this example, we are giving an Azure VM access to a storage account. First we use [Get-AzVM](/powershell/module/az.compute/get-azvm) to get the service principal for the VM named `myVM`, which was created when we enabled managed identity. Then, use [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) to give the VM **Reader** access to a storage account called `myStorageAcct`:
```azurepowershell-interactive $spID = (Get-AzVM -ResourceGroupName myRG -Name myVM).identity.principalid
active-directory Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/known-issues.md
Workaround for managed identities in a subscription that has been moved to anoth
- For system assigned managed identities: disable and re-enable. - For user assigned managed identities: delete, re-create, and attach them again to the necessary resources (for example, virtual machines)
-For more information, see [Transfer an Azure subscription to a different Microsoft Entra directory](../../role-based-access-control/transfer-subscription.md).
+For more information, see [Transfer an Azure subscription to a different Microsoft Entra directory](/azure/role-based-access-control/transfer-subscription).
## Error during managed identity assignment operations In rare cases, you may see error messages indicating errors related to assignment of managed identities with Azure resources. Some of the example error messages are as follows:
active-directory Managed Identities Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identities-faq.md
az resource list --query "[?identity.type=='SystemAssigned'].{Name:name, princi
### Which Azure RBAC permissions are required to use a managed identity on a resource? -- System-assigned managed identity: You need write permissions over the resource. For example, for virtual machines you need `Microsoft.Compute/virtualMachines/write`. This action is included in resource specific built-in roles like [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor).-- Assigning user-assigned managed identities to resources: You need write permissions over the resource. For example, for virtual machines you need `Microsoft.Compute/virtualMachines/write`. You'll also need `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` action over the user-assigned identity. This action is included in the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) built-in role.-- Managing user-assigned identities: To create or delete user-assigned managed identities, you need the [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role assignment.-- Managing role assignments for managed identities: You need the [Owner](../../role-based-access-control/built-in-roles.md#all) or [User Access Administrator](../../role-based-access-control/built-in-roles.md#all) role assignment over the resource to which you're granting access. You'll need the [Reader](../../role-based-access-control/built-in-roles.md#all) role assignment to the resource with a system-assigned identity, or to the user-assigned identity that is being given the role assignment. If you don't have read access, you can search by "User, group, or service principal" to find the identity's backing service principal, instead of searching by managed identity while adding the role assignment. [Read more about assigning Azure roles](../../role-based-access-control/role-assignments-portal.md).
+- System-assigned managed identity: You need write permissions over the resource. For example, for virtual machines you need `Microsoft.Compute/virtualMachines/write`. This action is included in resource specific built-in roles like [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor).
+- Assigning user-assigned managed identities to resources: You need write permissions over the resource. For example, for virtual machines you need `Microsoft.Compute/virtualMachines/write`. You'll also need `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` action over the user-assigned identity. This action is included in the [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) built-in role.
+- Managing user-assigned identities: To create or delete user-assigned managed identities, you need the [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role assignment.
+- Managing role assignments for managed identities: You need the [Owner](/azure/role-based-access-control/built-in-roles#all) or [User Access Administrator](/azure/role-based-access-control/built-in-roles#all) role assignment over the resource to which you're granting access. You'll need the [Reader](/azure/role-based-access-control/built-in-roles#all) role assignment to the resource with a system-assigned identity, or to the user-assigned identity that is being given the role assignment. If you don't have read access, you can search by "User, group, or service principal" to find the identity's backing service principal, instead of searching by managed identity while adding the role assignment. [Read more about assigning Azure roles](/azure/role-based-access-control/role-assignments-portal).
### How do I prevent the creation of user-assigned managed identities?
-You can keep your users from creating user-assigned managed identities using [Azure Policy](../../governance/policy/overview.md)
+You can keep your users from creating user-assigned managed identities using [Azure Policy](/azure/governance/policy/overview)
1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Policy**. 2. Choose **Definitions**
Managed identities use certificate-based authentication. Each managed identity
### Can the same managed identity be used across multiple regions?
-In short, yes you can use user assigned managed identities in more than one Azure region. The longer answer is that while user assigned managed identities are created as regional resources the associated [service principal](../develop/app-objects-and-service-principals.md#service-principal-object) (SP) created in Microsoft Entra ID is available globally. The service principal can be used from any Azure region and its availability is dependent on the availability of Microsoft Entra ID. For example, if you created a user assigned managed identity in the South-Central region and that region becomes unavailable this issue only impacts [control plane](../../azure-resource-manager/management/control-plane-and-data-plane.md) activities on the managed identity itself. The activities performed by any resources already configured to use the managed identities wouldn't be impacted.
+In short, yes you can use user assigned managed identities in more than one Azure region. The longer answer is that while user assigned managed identities are created as regional resources the associated [service principal](../develop/app-objects-and-service-principals.md#service-principal-object) (SP) created in Microsoft Entra ID is available globally. The service principal can be used from any Azure region and its availability is dependent on the availability of Microsoft Entra ID. For example, if you created a user assigned managed identity in the South-Central region and that region becomes unavailable this issue only impacts [control plane](/azure/azure-resource-manager/management/control-plane-and-data-plane) activities on the managed identity itself. The activities performed by any resources already configured to use the managed identities wouldn't be impacted.
### Does managed identities for Azure resources work with Azure Cloud Services (Classic)?
-Managed identities for Azure resources donΓÇÖt have support for [Azure Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) at this time. ΓÇ£
+Managed identities for Azure resources donΓÇÖt have support for [Azure Cloud Services (classic)](/azure/cloud-services/cloud-services-choose-me) at this time. ΓÇ£
### What is the security boundary of managed identities for Azure resources?
No. Managed identities don't currently support cross-directory scenarios.
Managed identities limits have dependencies on Azure service limits, Azure Instance Metadata Service (IMDS) limits, and Microsoft Entra service limits. -- **Azure service limits** define the number of create operations that can be performed at the tenant and subscription levels. User assigned managed identities also have [limitations](../../azure-resource-manager/management/azure-subscription-service-limits.md#managed-identity-limits) around how they may be named.-- **IMDS** In general, requests to IMDS are limited to five requests per second. Requests exceeding this threshold will be rejected with 429 responses. Requests to the Managed Identity category are limited to 20 requests per second and 5 concurrent requests. You can read more at the [Azure Instance Metadata Service (Windows)](../../virtual-machines/windows/instance-metadata-service.md?tabs=windows#managed-identity) article.
+- **Azure service limits** define the number of create operations that can be performed at the tenant and subscription levels. User assigned managed identities also have [limitations](/azure/azure-resource-manager/management/azure-subscription-service-limits#managed-identity-limits) around how they may be named.
+- **IMDS** In general, requests to IMDS are limited to five requests per second. Requests exceeding this threshold will be rejected with 429 responses. Requests to the Managed Identity category are limited to 20 requests per second and 5 concurrent requests. You can read more at the [Azure Instance Metadata Service (Windows)](/azure/virtual-machines/windows/instance-metadata-service?tabs=windows#managed-identity) article.
- **Microsoft Entra service** Each managed identity counts towards the object quota limit in a Microsoft Entra tenant as described in [Microsoft Entra service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md).
active-directory Managed Identities Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identities-status.md
Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. Using a managed identity, you can authenticate to any [service that supports Microsoft Entra authentication](./services-id-authentication-support.md) without managing credentials. We are integrating managed identities for Azure resources and Microsoft Entra authentication across Azure. This page provides links to services' content that can use managed identities to access other Azure resources. Each entry in the table includes a link to service documentation discussing managed identities. >[!IMPORTANT]
-> New technical content is added daily. This list does not include every article that talks about managed identities. Please refer to each service's content set for details on their managed identities support. Resource provider namespace information is available in the article titled [Resource providers for Azure services](../../azure-resource-manager/management/azure-services-resource-providers.md).
+> New technical content is added daily. This list does not include every article that talks about managed identities. Please refer to each service's content set for details on their managed identities support. Resource provider namespace information is available in the article titled [Resource providers for Azure services](/azure/azure-resource-manager/management/azure-services-resource-providers).
## Services supporting managed identities
The following Azure services support managed identities for Azure resources:
| Service Name | Documentation | ||-|
-| API Management | [Use managed identities in Azure API Management](../../api-management/api-management-howto-use-managed-service-identity.md) |
-| Application Gateway | [TLS termination with Key Vault certificates](../../application-gateway/key-vault-certs.md) |
-| Azure App Configuration | [How to use managed identities for Azure App Configuration](../../azure-app-configuration/overview-managed-identity.md) |
-| Azure App Services | [How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md) |
-| Azure Arc enabled Kubernetes | [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](../../azure-arc/kubernetes/quickstart-connect-cluster.md) |
-| Azure Arc enabled servers | [Authenticate against Azure resources with Azure Arc-enabled servers](../../azure-arc/servers/managed-identity-authentication.md) |
-| Azure Automanage | [Repair an Automanage Account](../../automanage/repair-automanage-account.md) |
-| Azure Automation | [Azure Automation account authentication overview](../../automation/automation-security-overview.md#managed-identities) |
-| Azure Batch | [Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity](../../batch/batch-customer-managed-key.md) </BR> [Configure managed identities in Batch pools](../../batch/managed-identity-pools.md) |
-| Azure Blueprints | [Stages of a blueprint deployment](../../governance/blueprints/concepts/deployment-stages.md) |
-| Azure Cache for Redis | [Managed identity for storage accounts with Azure Cache for Redis](../../azure-cache-for-redis/cache-managed-identity.md) |
-| Azure Communications Gateway | [Deploy Azure Communications Gateway](../../communications-gateway/deploy.md) |
-| Azure Container Apps | [Managed identities in Azure Container Apps](../../container-apps/managed-identity.md) |
-| Azure Container Instance | [How to use managed identities with Azure Container Instances](../../container-instances/container-instances-managed-identity.md) |
-| Azure Container Registry | [Use an Azure-managed identity in ACR Tasks](../../container-registry/container-registry-tasks-authentication-managed-identity.md) |
-| Azure AI services | [Configure customer-managed keys with Azure Key Vault for Azure AI services](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md) |
-| Azure Data Box | [Use customer-managed keys in Azure Key Vault for Azure Data Box](../../databox/data-box-customer-managed-encryption-key-portal.md) |
+| API Management | [Use managed identities in Azure API Management](/azure/api-management/api-management-howto-use-managed-service-identity) |
+| Application Gateway | [TLS termination with Key Vault certificates](/azure/application-gateway/key-vault-certs) |
+| Azure App Configuration | [How to use managed identities for Azure App Configuration](/azure/azure-app-configuration/overview-managed-identity) |
+| Azure App Services | [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity) |
+| Azure Arc enabled Kubernetes | [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster) |
+| Azure Arc enabled servers | [Authenticate against Azure resources with Azure Arc-enabled servers](/azure/azure-arc/servers/managed-identity-authentication) |
+| Azure Automanage | [Repair an Automanage Account](/azure/automanage/repair-automanage-account) |
+| Azure Automation | [Azure Automation account authentication overview](/azure/automation/automation-security-overview#managed-identities) |
+| Azure Batch | [Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity](/azure/batch/batch-customer-managed-key) </BR> [Configure managed identities in Batch pools](/azure/batch/managed-identity-pools) |
+| Azure Blueprints | [Stages of a blueprint deployment](/azure/governance/blueprints/concepts/deployment-stages) |
+| Azure Cache for Redis | [Managed identity for storage accounts with Azure Cache for Redis](/azure/azure-cache-for-redis/cache-managed-identity) |
+| Azure Communications Gateway | [Deploy Azure Communications Gateway](/azure/communications-gateway/deploy) |
+| Azure Container Apps | [Managed identities in Azure Container Apps](/azure/container-apps/managed-identity) |
+| Azure Container Instance | [How to use managed identities with Azure Container Instances](/azure/container-instances/container-instances-managed-identity) |
+| Azure Container Registry | [Use an Azure-managed identity in ACR Tasks](/azure/container-registry/container-registry-tasks-authentication-managed-identity) |
+| Azure AI services | [Configure customer-managed keys with Azure Key Vault for Azure AI services](/azure/ai-services/encryption/cognitive-services-encryption-keys-portal) |
+| Azure Data Box | [Use customer-managed keys in Azure Key Vault for Azure Data Box](/azure/databox/data-box-customer-managed-encryption-key-portal) |
| Azure Data Explorer | [Configure managed identities for your Azure Data Explorer cluster](/azure/data-explorer/configure-managed-identities-cluster?tabs=portal) |
-| Azure Data Factory | [Managed identity for Data Factory](../../data-factory/data-factory-service-identity.md) |
-| Azure Data Lake Storage Gen1 | [Customer-managed keys for Azure Storage encryption](../../storage/common/customer-managed-keys-overview.md) |
-| Azure Data Share | [Roles and requirements for Azure Data Share](../../data-share/concepts-roles-permissions.md) |
-| Azure DevTest Labs | [Enable user-assigned managed identities on lab virtual machines in Azure DevTest Labs](../../devtest-labs/enable-managed-identities-lab-vms.md) |
-| Azure Digital Twins | [Enable a managed identity for routing Azure Digital Twins events](../../digital-twins/how-to-enable-managed-identities-portal.md) |
-| Azure Event Grid | [Event delivery with a managed identity](../../event-grid/managed-service-identity.md)
-| Azure Event Hubs | [Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources](../../event-hubs/authenticate-managed-identity.md)
-| Azure Image Builder | [Azure Image Builder overview](../../virtual-machines/image-builder-overview.md#permissions) |
-| Azure Import/Export | [Use customer-managed keys in Azure Key Vault for Import/Export service](../../import-export/storage-import-export-encryption-key-portal.md)
-| Azure IoT Hub | [IoT Hub support for virtual networks with Private Link and Managed Identity](../../iot-hub/virtual-network-support.md) |
-| Azure Kubernetes Service (AKS) | [Use managed identities in Azure Kubernetes Service](../../aks/use-managed-identity.md) |
-| Azure Load Testing | [Use managed identities for Azure Load Testing](../../load-testing/how-to-use-a-managed-identity.md) |
-| Azure Logic Apps | [Authenticate access to Azure resources using managed identities in Azure Logic Apps](../../logic-apps/create-managed-service-identity.md) |
-| Azure Log Analytics cluster | [Azure Monitor customer-managed key](../../azure-monitor/logs/customer-managed-keys.md)
+| Azure Data Factory | [Managed identity for Data Factory](/azure/data-factory/data-factory-service-identity) |
+| Azure Data Lake Storage Gen1 | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |
+| Azure Data Share | [Roles and requirements for Azure Data Share](/azure/data-share/concepts-roles-permissions) |
+| Azure DevTest Labs | [Enable user-assigned managed identities on lab virtual machines in Azure DevTest Labs](/azure/devtest-labs/enable-managed-identities-lab-vms) |
+| Azure Digital Twins | [Enable a managed identity for routing Azure Digital Twins events](/azure/digital-twins/how-to-enable-managed-identities-portal) |
+| Azure Event Grid | [Event delivery with a managed identity](/azure/event-grid/managed-service-identity)
+| Azure Event Hubs | [Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources](/azure/event-hubs/authenticate-managed-identity)
+| Azure Image Builder | [Azure Image Builder overview](/azure/virtual-machines/image-builder-overview#permissions) |
+| Azure Import/Export | [Use customer-managed keys in Azure Key Vault for Import/Export service](/azure/import-export/storage-import-export-encryption-key-portal)
+| Azure IoT Hub | [IoT Hub support for virtual networks with Private Link and Managed Identity](/azure/iot-hub/virtual-network-support) |
+| Azure Kubernetes Service (AKS) | [Use managed identities in Azure Kubernetes Service](/azure/aks/use-managed-identity) |
+| Azure Load Testing | [Use managed identities for Azure Load Testing](/azure/load-testing/how-to-use-a-managed-identity) |
+| Azure Logic Apps | [Authenticate access to Azure resources using managed identities in Azure Logic Apps](/azure/logic-apps/create-managed-service-identity) |
+| Azure Log Analytics cluster | [Azure Monitor customer-managed key](/azure/azure-monitor/logs/customer-managed-keys)
| Azure Machine Learning Services | [Use Managed identities with Azure Machine Learning](../../machine-learning/how-to-use-managed-identities.md?tabs=python) |
-| Azure Managed Disk | [Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks](../../virtual-machines/disks-enable-customer-managed-keys-portal.md) |
+| Azure Managed Disk | [Use the Azure portal to enable server-side encryption with customer-managed keys for managed disks](/azure/virtual-machines/disks-enable-customer-managed-keys-portal) |
| Azure Media services | [Managed identities](/azure/media-services/latest/concept-managed-identities) |
-| Azure Monitor | [Azure Monitor customer-managed key](../../azure-monitor/logs/customer-managed-keys.md?tabs=portal) |
-| Azure Policy | [Remediate non-compliant resources with Azure Policy](../../governance/policy/how-to/remediate-resources.md) |
-| Microsoft Purview | [Credentials for source authentication in Microsoft Purview](../../purview/manage-credentials.md) |
-| Azure Resource Mover | [Move resources across regions (from resource group)](../../resource-mover/move-region-within-resource-group.md)
-| Azure Site Recovery | [Replicate machines with private endpoints](../../site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.md#enable-the-managed-identity-for-the-vault) |
-| Azure Search | [Set up an indexer connection to a data source using a managed identity](../../search/search-howto-managed-identities-data-sources.md) |
-| Azure Service Bus | [Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources](../../service-bus-messaging/service-bus-managed-service-identity.md) |
-| Azure Service Fabric | [Using Managed identities for Azure with Service Fabric](../../service-fabric/concepts-managed-identity.md) |
-| Azure SignalR Service | [Managed identities for Azure SignalR Service](../../azure-signalr/howto-use-managed-identity.md) |
-| Azure Spring Apps | [Enable system-assigned managed identity for an application in Azure Spring Apps](../../spring-apps/how-to-enable-system-assigned-managed-identity.md) |
+| Azure Monitor | [Azure Monitor customer-managed key](/azure/azure-monitor/logs/customer-managed-keys?tabs=portal) |
+| Azure Policy | [Remediate non-compliant resources with Azure Policy](/azure/governance/policy/how-to/remediate-resources) |
+| Microsoft Purview | [Credentials for source authentication in Microsoft Purview](../../purview/manage-credentials.md) |
+| Azure Resource Mover | [Move resources across regions (from resource group)](/azure/resource-mover/move-region-within-resource-group)
+| Azure Site Recovery | [Replicate machines with private endpoints](/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints#enable-the-managed-identity-for-the-vault) |
+| Azure Search | [Set up an indexer connection to a data source using a managed identity](/azure/search/search-howto-managed-identities-data-sources) |
+| Azure Service Bus | [Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources](/azure/service-bus-messaging/service-bus-managed-service-identity) |
+| Azure Service Fabric | [Using Managed identities for Azure with Service Fabric](/azure/service-fabric/concepts-managed-identity) |
+| Azure SignalR Service | [Managed identities for Azure SignalR Service](/azure/azure-signalr/howto-use-managed-identity) |
+| Azure Spring Apps | [Enable system-assigned managed identity for an application in Azure Spring Apps](/azure/spring-apps/how-to-enable-system-assigned-managed-identity) |
| Azure SQL | [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity) | | Azure SQL Managed Instance | [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity) |
-| Azure Stack Edge | [Manage Azure Stack Edge secrets using Azure Key Vault](../../databox-online/azure-stack-edge-gpu-activation-key-vault.md#recover-managed-identity-access)
-| Azure Static Web Apps | [Securing authentication secrets in Azure Key Vault](../../static-web-apps/key-vault-secrets.md)
-| Azure Stream Analytics | [Authenticate Stream Analytics to Azure Data Lake Storage Gen1 using managed identities](../../stream-analytics/stream-analytics-managed-identities-adls.md) |
+| Azure Stack Edge | [Manage Azure Stack Edge secrets using Azure Key Vault](/azure/databox-online/azure-stack-edge-gpu-activation-key-vault#recover-managed-identity-access)
+| Azure Static Web Apps | [Securing authentication secrets in Azure Key Vault](/azure/static-web-apps/key-vault-secrets)
+| Azure Stream Analytics | [Authenticate Stream Analytics to Azure Data Lake Storage Gen1 using managed identities](/azure/stream-analytics/stream-analytics-managed-identities-adls) |
| Azure Synapse | [Azure Synapse workspace managed identity](../../synapse-analytics/security/synapse-workspace-managed-identity.md) |
-| Azure VM image builder | [Configure Azure Image Builder Service permissions using Azure CLI](../../virtual-machines/linux/image-builder-permissions-cli.md#using-managed-identity-for-azure-storage-access)|
+| Azure VM image builder | [Configure Azure Image Builder Service permissions using Azure CLI](/azure/virtual-machines/linux/image-builder-permissions-cli#using-managed-identity-for-azure-storage-access)|
| Azure Virtual Machine Scale Sets | [Configure managed identities on virtual machine scale set - Azure CLI](qs-configure-cli-windows-vmss.md) |
-| Azure Virtual Machines | [Secure and use policies on virtual machines in Azure](../../virtual-machines/windows/security-policy.md#managed-identities-for-azure-resources) |
-| Azure Web PubSub Service | [Managed identities for Azure Web PubSub Service](../../azure-web-pubsub/howto-use-managed-identity.md) |
+| Azure Virtual Machines | [Secure and use policies on virtual machines in Azure](/azure/virtual-machines/windows/security-policy#managed-identities-for-azure-resources) |
+| Azure Web PubSub Service | [Managed identities for Azure Web PubSub Service](/azure/azure-web-pubsub/howto-use-managed-identity) |
## Next steps
active-directory Managed Identity Best Practice Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md
If you require that each resource has its own identity, or have resources that r
| Scenario| Recommendation|Notes| ||||
-| Rapid creation of resources (for example, ephemeral computing) with managed identities | User-assigned identity | If you attempt to create multiple managed identities in a short space of time ΓÇô for example, deploying multiple virtual machines each with their own system-assigned identity - you may exceed the rate limit for Microsoft Entra object creations, and the request will fail with an HTTP 429 error. <br/><br/>If resources are being created or deleted rapidly, you may also exceed the limit on the number of resources in Microsoft Entra ID if using system-assigned identities. While a deleted system-assigned identity is no longer accessible by any resource, it will count towards your limit until fully purged after 30 days.<br/><br/>Deploying the resources associated with a single user-assigned identity will require the creation of only one Service Principal in Microsoft Entra ID, avoiding the rate limit. Using a single identity that is created in advance will also reduce the risk of replication delays that could occur if multiple resources are created each with their own identity.<br/><br/>Read more about the [Azure subscription service limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#managed-identity-limits). |
+| Rapid creation of resources (for example, ephemeral computing) with managed identities | User-assigned identity | If you attempt to create multiple managed identities in a short space of time ΓÇô for example, deploying multiple virtual machines each with their own system-assigned identity - you may exceed the rate limit for Microsoft Entra object creations, and the request will fail with an HTTP 429 error. <br/><br/>If resources are being created or deleted rapidly, you may also exceed the limit on the number of resources in Microsoft Entra ID if using system-assigned identities. While a deleted system-assigned identity is no longer accessible by any resource, it will count towards your limit until fully purged after 30 days.<br/><br/>Deploying the resources associated with a single user-assigned identity will require the creation of only one Service Principal in Microsoft Entra ID, avoiding the rate limit. Using a single identity that is created in advance will also reduce the risk of replication delays that could occur if multiple resources are created each with their own identity.<br/><br/>Read more about the [Azure subscription service limits](/azure/azure-resource-manager/management/azure-subscription-service-limits#managed-identity-limits). |
| Replicated resources/applications | User-assigned identity | Resources that carry out the same task ΓÇô for example, duplicated web servers or identical functionality running in an app service and in an application on a virtual machine ΓÇô typically require the same permissions. <br/><br/>By using the same user-assigned identity, fewer role assignments are required which reduces the management overhead. The resources don't have to be of the same type. |Compliance| User-assigned identity | If your organization requires that all identity creation must go through an approval process, using a single user-assigned identity across multiple resources will require fewer approvals than system-assigned Identities, which are created as new resources are created. | Access required before a resource is deployed |User-assigned identity| Some resources may require access to certain Azure resources as part of their deployment.<br/><br/>In this case, a system-assigned identity may not be created in time so a pre-existing user-assigned identity should be used.|
In the example below, ΓÇ£Virtual Machine 4ΓÇ¥ has both a user-assigned identity,
## Limits
-View the limits for [managed identities](../../azure-resource-manager/management/azure-subscription-service-limits.md#managed-identity-limits)
-and for [custom roles and role assignments](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits).
+View the limits for [managed identities](/azure/azure-resource-manager/management/azure-subscription-service-limits#managed-identity-limits)
+and for [custom roles and role assignments](/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-rbac-limits).
## Follow the principle of least privilege when granting access
You'll need to manually delete a user-assigned identity when it's no longer requ
Role assignments aren't automatically deleted when either system-assigned or user-assigned managed identities are deleted. These role assignments should be manually deleted so the limit of role assignments per subscription isn't exceeded. Role assignments that are associated with deleted managed identities
-will be displayed with ΓÇ£Identity not foundΓÇ¥ when viewed in the portal. [Read more](../../role-based-access-control/troubleshooting.md#symptomrole-assignments-with-identity-not-found).
+will be displayed with ΓÇ£Identity not foundΓÇ¥ when viewed in the portal. [Read more](/azure/role-based-access-control/troubleshooting#symptomrole-assignments-with-identity-not-found).
:::image type="content" source="media/managed-identity-best-practice-recommendations/identity-not-found.png" alt-text="Identity not found for role assignment.":::
In both cases, for non-human identities such as Microsoft Entra Applications and
Given that the identity's groups and roles are claims in the access token, any authorization changes do not take effect until the token is refreshed. For a human user that's typically not a problem, because a user can acquire a new access token by logging out and in again (or waiting for the token lifetime to expire, which is 1 hour by default). Managed identity tokens on the other hand are cached by the underlying Azure infrastructure for performance and resiliency purposes: the back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's group or role membership to take effect. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. If you change a managed identityΓÇÖs group or role membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access.
-If this delay is not acceptable for your requirements, consider alternatives to using groups or roles in the token. To ensure that changes to permissions for managed identities take effect quickly, we recommend that you group Azure resources using a [user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azcli) with permissions applied directly to the identity, instead of adding to or removing managed identities from a Microsoft Entra group that has permissions. A user-assigned managed identity can be used like a group because it can be assigned to one or more Azure resources to use it. The assignment operation can be controlled using the [Managed identity contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) and [Managed identity operator role](../../role-based-access-control/built-in-roles.md#managed-identity-operator).
+If this delay is not acceptable for your requirements, consider alternatives to using groups or roles in the token. To ensure that changes to permissions for managed identities take effect quickly, we recommend that you group Azure resources using a [user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azcli) with permissions applied directly to the identity, instead of adding to or removing managed identities from a Microsoft Entra group that has permissions. A user-assigned managed identity can be used like a group because it can be assigned to one or more Azure resources to use it. The assignment operation can be controlled using the [Managed identity contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) and [Managed identity operator role](/azure/role-based-access-control/built-in-roles#managed-identity-operator).
active-directory Msi Tutorial Linux Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/msi-tutorial-linux-vm-access-arm.md
In this tutorial, you learn how to:
- An understanding of Managed identities. If you're not familiar with the managed identities for Azure resources feature, see this [overview](overview.md). - An Azure account, [sign up for a free account](https://azure.microsoft.com/free/).-- You also need a Linux Virtual machine. If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a Linux virtual machine with the Azure portal](../../virtual-machines/linux/quick-create-portal.md#create-virtual-machine)
+- You also need a Linux Virtual machine. If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a Linux virtual machine with the Azure portal](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine)
- To run the example scripts, you have two options:
- - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.
+ - Use the [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open using the **Try It** button on the top-right corner of code blocks.
- Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az-login). ## Create a user-assigned managed identity
To complete these steps, you need an SSH client. If you are using Windows, you c
In this tutorial, you learned how to create a user-assigned managed identity and attach it to a Linux virtual machine to access the Azure Resource Manager API. To learn more about Azure Resource Manager see: > [!div class="nextstepaction"]
->[Azure Resource Manager](../../azure-resource-manager/management/overview.md)
+>[Azure Resource Manager](/azure/azure-resource-manager/management/overview)
active-directory Overview For Developers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/overview-for-developers.md
Your source resource now has a user-assigned identity that it can use to connect
> [!NOTE] > You'll need a role such as "User Access Administrator" or "Owner" for the target resource to add Role assignments. Ensure you're granting the least privilege required for the application to run.
-Now your App Service has a managed identity, you'll need to give the identity the correct permissions. As you're using this identity to interact with Azure Storage, you'll use the [Azure Role Based Access Control (RBAC) system](../../role-based-access-control/overview.md).
+Now your App Service has a managed identity, you'll need to give the identity the correct permissions. As you're using this identity to interact with Azure Storage, you'll use the [Azure Role Based Access Control (RBAC) system](/azure/role-based-access-control/overview).
### [Portal](#tab/portal)
az role assignment create --assignee "<Object/Principal ID of the managed identi
--scope "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{providerName}/{resourceType}/{resourceSubType}/{resourceName}" ```
-[Read more about adding role assignments using the Command Line Interface](../../role-based-access-control/role-assignments-cli.md).
+[Read more about adding role assignments using the Command Line Interface](/azure/role-based-access-control/role-assignments-cli).
-Your managed identity now has the correct permissions to access the Azure target resource. [Read more about Azure Role Based Access Control](../../role-based-access-control/overview.md).
+Your managed identity now has the correct permissions to access the Azure target resource. [Read more about Azure Role Based Access Control](/azure/role-based-access-control/overview).
## Using the managed identity in your code
dr.Close();
#### [Java](#tab/java)
-If you use [Azure Spring Apps](../../spring-apps/index.yml), you can connect to Azure SQL Database with a managed identity without needing to make any changes to your code.
+If you use [Azure Spring Apps](/azure/spring-apps/), you can connect to Azure SQL Database with a managed identity without needing to make any changes to your code.
Open the `src/main/resources/application.properties` file, and add `Authentication=ActiveDirectoryMSI;` at the end of the following line. Be sure to use the correct value for `$AZ_DATABASE_NAME` variable.
Open the `src/main/resources/application.properties` file, and add `Authenticati
spring.datasource.url=jdbc:sqlserver://$AZ_DATABASE_NAME.database.windows.net:1433;database=demo;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;Authentication=ActiveDirectoryMSI; ```
-Read more about how to [use a managed identity to connect Azure SQL Database to an Azure Spring Apps app](../../spring-apps/connect-managed-identity-to-azure-sql.md).
+Read more about how to [use a managed identity to connect Azure SQL Database to an Azure Spring Apps app](/azure/spring-apps/connect-managed-identity-to-azure-sql).
Tokens should be treated like credentials. Don't expose them to users or other s
## Next steps
-* [How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md)
-* [How to use managed identities with Azure Container Instances](../../container-instances/container-instances-managed-identity.md)
+* [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
+* [How to use managed identities with Azure Container Instances](/azure/container-instances/container-instances-managed-identity)
* [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing) * Use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets
active-directory Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/overview.md
A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.
-While developers can securely store the secrets in [Azure Key Vault](../../key-vault/general/overview.md), services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.
+While developers can securely store the secrets in [Azure Key Vault](/azure/key-vault/general/overview), services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.
The following video shows how you can use managed identities:</br>
There are two types of managed identities:
- You authorize the managed identity to have access to one or more services. - The name of the system-assigned service principal is always the same as the name of the Azure resource it is created for. For a deployment slot, the name of its system-assigned identity is ```<app-name>/slots/<slot-name>```. -- **User-assigned**. You may also create a managed identity as a standalone Azure resource. You can [create a user-assigned managed identity](how-to-manage-ua-identity-portal.md) and assign it to one or more Azure Resources. When you enable a user-assigned managed identity:
+- **User-assigned**. You may also create a managed identity as a standalone Azure resource. You can [create a user-assigned managed identity](./how-to-manage-ua-identity-portal.md) and assign it to one or more Azure Resources. When you enable a user-assigned managed identity:
- A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it. - User-assigned identities can be used by multiple resources. - You authorize the managed identity to have access to one or more services.
Resources that support system assigned managed identities allow you to:
- Enable or disable managed identities at the resource level. - Use role-based access control (RBAC) to [grant permissions](howto-assign-access-portal.md).-- View the create, read, update, and delete (CRUD) operations in [Azure Activity logs](../../azure-monitor/essentials/activity-log.md).
+- View the create, read, update, and delete (CRUD) operations in [Azure Activity logs](/azure/azure-monitor/essentials/activity-log).
- View sign in activity in Microsoft Entra ID [sign in logs](../reports-monitoring/concept-sign-ins.md). If you choose a user assigned managed identity instead: -- You can [create, read, update, and delete](how-to-manage-ua-identity-portal.md) the identities.
+- You can [create, read, update, and delete](./how-to-manage-ua-identity-portal.md) the identities.
- You can use RBAC role assignments to [grant permissions](howto-assign-access-portal.md). - User assigned managed identities can be used on more than one resource.-- CRUD operations are available for review in [Azure Activity logs](../../azure-monitor/essentials/activity-log.md).
+- CRUD operations are available for review in [Azure Activity logs](/azure/azure-monitor/essentials/activity-log).
- View sign in activity in Microsoft Entra ID [sign in logs](../reports-monitoring/concept-sign-ins.md). Operations on managed identities can be performed by using an Azure Resource Manager template, the Azure portal, Azure CLI, PowerShell, and REST APIs.
Operations on managed identities can be performed by using an Azure Resource Man
* [Developer introduction and guidelines](overview-for-developers.md) * [Use a Windows VM system-assigned managed identity to access Resource Manager](tutorial-windows-vm-access-arm.md) * [Use a Linux VM system-assigned managed identity to access Resource Manager](tutorial-linux-vm-access-arm.md)
-* [How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md)
-* [How to use managed identities with Azure Container Instances](../../container-instances/container-instances-managed-identity.md)
+* [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
+* [How to use managed identities with Azure Container Instances](/azure/container-instances/container-instances-managed-identity)
* [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing) * Use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Microsoft Entra protected resources without managing secrets
active-directory Qs Configure Cli Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm.md
In this section, you learn how to enable and disable the system-assigned managed
### Enable system-assigned managed identity during creation of an Azure VM
-To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
+1. Create a [resource group](/azure/azure-resource-manager/management/overview#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
```azurecli-interactive az group create --name myResourceGroup --location westus
To create an Azure VM with the system-assigned managed identity enabled, your ac
### Enable system-assigned managed identity on an existing Azure VM
-To enable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To enable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. If you're using the Azure CLI in a local console, first sign in to Azure using [az login](/cli/azure/reference-index#az-login). Use an account that is associated with the Azure subscription that contains the VM.
To enable system-assigned managed identity on a VM, your account needs the [Virt
az login ```
-2. Use [az vm identity assign](/cli/azure/vm/identity/) with the `identity assign` command enable the system-assigned identity to an existing VM:
+2. Use [az vm identity assign](/cli/azure/vm/identity) with the `identity assign` command enable the system-assigned identity to an existing VM:
```azurecli-interactive az vm identity assign -g myResourceGroup -n myVm
To enable system-assigned managed identity on a VM, your account needs the [Virt
### Disable system-assigned identity from an Azure VM
-To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
If you have a Virtual Machine that no longer needs the system-assigned identity, but still needs user-assigned identities, use the following command:
In this section, you will learn how to add and remove a user-assigned managed id
### Assign a user-assigned managed identity during the creation of an Azure VM
-To assign a user-assigned identity to a VM during its creation, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM during its creation, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
-1. You can skip this step if you already have a resource group you would like to use. Create a [resource group](~/articles/azure-resource-manager/management/overview.md#terminology) for containment and deployment of your user-assigned managed identity, using [az group create](/cli/azure/group/#az-group-create). Be sure to replace the `<RESOURCE GROUP>` and `<LOCATION>` parameter values with your own values. :
+1. You can skip this step if you already have a resource group you would like to use. Create a [resource group](~/articles/azure-resource-manager/management/overview.md#terminology) for containment and deployment of your user-assigned managed identity, using [az group create](/cli/azure/group#az-group-create). Be sure to replace the `<RESOURCE GROUP>` and `<LOCATION>` parameter values with your own values. :
```azurecli-interactive az group create --name <RESOURCE GROUP> --location <LOCATION>
To assign a user-assigned identity to a VM during its creation, your account nee
} ```
-3. Create a VM using [az vm create](/cli/azure/vm/#az-vm-create). The following example creates a VM associated with the new user-assigned identity, as specified by the `--assign-identity` parameter, with the specified `--role` and `--scope`. Be sure to replace the `<RESOURCE GROUP>`, `<VM NAME>`, `<USER NAME>`, `<PASSWORD>`, `<USER ASSIGNED IDENTITY NAME>`, `<ROLE>`, and `<SUBSCRIPTION>` parameter values with your own values.
+3. Create a VM using [az vm create](/cli/azure/vm#az-vm-create). The following example creates a VM associated with the new user-assigned identity, as specified by the `--assign-identity` parameter, with the specified `--role` and `--scope`. Be sure to replace the `<RESOURCE GROUP>`, `<VM NAME>`, `<USER NAME>`, `<PASSWORD>`, `<USER ASSIGNED IDENTITY NAME>`, `<ROLE>`, and `<SUBSCRIPTION>` parameter values with your own values.
```azurecli-interactive az vm create --resource-group <RESOURCE GROUP> --name <VM NAME> --image <SKU linux image> --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY NAME> --role <ROLE> --scope <SUBSCRIPTION>
To assign a user-assigned identity to a VM during its creation, your account nee
### Assign a user-assigned managed identity to an existing Azure VM
-To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
1. Create a user-assigned identity using [az identity create](/cli/azure/identity#az-identity-create). The `-g` parameter specifies the resource group where the user-assigned identity is created, and the `-n` parameter specifies its name. Be sure to replace the `<RESOURCE GROUP>` and `<USER ASSIGNED IDENTITY NAME>` parameter values with your own values:
To assign a user-assigned identity to a VM, your account needs the [Virtual Mach
### Remove a user-assigned managed identity from an Azure VM
-To remove a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment.
+To remove a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment.
If this is the only user-assigned managed identity assigned to the virtual machine, `UserAssigned` will be removed from the identity type value. Be sure to replace the `<RESOURCE GROUP>` and `<VM NAME>` parameter values with your own values. The `<USER ASSIGNED IDENTITY>` will be the user-assigned identity's `name` property, which can be found in the identity section of the virtual machine using `az vm identity show`:
az vm update -n myVM -g myResourceGroup --set identity.type='SystemAssigned' ide
## Next steps - [Managed identities for Azure resources overview](overview.md) - For the full Azure VM creation Quickstarts, see:
- - [Create a Windows virtual machine with CLI](../../virtual-machines/windows/quick-create-cli.md)
- - [Create a Linux virtual machine with CLI](../../virtual-machines/linux/quick-create-cli.md)
+ - [Create a Windows virtual machine with CLI](/azure/virtual-machines/windows/quick-create-cli)
+ - [Create a Linux virtual machine with CLI](/azure/virtual-machines/linux/quick-create-cli)
active-directory Qs Configure Cli Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vmss.md
If you don't already have an Azure account, [sign up for a free account](https:/
- To perform the management operations in this article, your account needs the following Azure role-based access control assignments:
- - [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) to create a virtual machine scale set and enable and remove system and/or user-assigned managed identity from a virtual machine scale set.
+ - [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) to create a virtual machine scale set and enable and remove system and/or user-assigned managed identity from a virtual machine scale set.
- - [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role to create a user-assigned managed identity.
+ - [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role to create a user-assigned managed identity.
- - [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role to assign and remove a user-assigned managed identity from and to a virtual machine scale set.
+ - [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role to assign and remove a user-assigned managed identity from and to a virtual machine scale set.
> [!NOTE] > No additional Microsoft Entra directory role assignments required.
In this section, you learn how to enable and disable the system-assigned managed
To create a virtual machine scale set with the system-assigned managed identity enabled:
-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have a resource group you would like to use instead:
+1. Create a [resource group](/azure/azure-resource-manager/management/overview#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have a resource group you would like to use instead:
```azurecli-interactive az group create --name myResourceGroup --location westus
To create a virtual machine scale set with the system-assigned managed identity
### Enable system-assigned managed identity on an existing Azure virtual machine scale set
-If you need to [Enable](/cli/azure/vmss/identity/#az-vmss-identity-assign) the system-assigned managed identity on an existing Azure virtual machine scale set:
+If you need to [Enable](/cli/azure/vmss/identity#az-vmss-identity-assign) the system-assigned managed identity on an existing Azure virtual machine scale set:
```azurecli-interactive az vmss identity assign -g myResourceGroup -n myVMSS
This section walks you through creation of a virtual machine scale set and assig
} ```
-3. [Create](/cli/azure/vmss/#az-vmss-create) a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the `--assign-identity` parameter, with the specified `--role` and `--scope`. Be sure to replace the `<RESOURCE GROUP>`, `<VMSS NAME>`, `<USER NAME>`, `<PASSWORD>`, `<USER ASSIGNED IDENTITY>`, `<ROLE>`, and `<SUBSCRIPTION>` parameter values with your own values.
+3. [Create](/cli/azure/vmss#az-vmss-create) a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the `--assign-identity` parameter, with the specified `--role` and `--scope`. Be sure to replace the `<RESOURCE GROUP>`, `<VMSS NAME>`, `<USER NAME>`, `<PASSWORD>`, `<USER ASSIGNED IDENTITY>`, `<ROLE>`, and `<SUBSCRIPTION>` parameter values with your own values.
```azurecli-interactive az vmss create --resource-group <RESOURCE GROUP> --name <VMSS NAME> --image <SKU Linux Image> --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY> --role <ROLE> --scope <SUBSCRIPTION>
az vmss update -n myVMSS -g myResourceGroup --set identity.type='SystemAssigned'
## Next steps - [Managed identities for Azure resources overview](overview.md)-- For the full Azure virtual machine scale set creation Quickstart, see [Create a Virtual Machine Scale Set with CLI](../../virtual-machines/linux/tutorial-create-vmss.md#create-a-scale-set)
+- For the full Azure virtual machine scale set creation Quickstart, see [Create a Virtual Machine Scale Set with CLI](/azure/virtual-machines/linux/tutorial-create-vmss#create-a-scale-set)
active-directory Qs Configure Portal Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md
In this section, you learn how to enable and disable the system-assigned managed
### Enable system-assigned managed identity during creation of a VM
-To enable system-assigned managed identity on a VM during its creation, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To enable system-assigned managed identity on a VM during its creation, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
- Under the **Management** tab in the **Identity** section, switch **Managed service identity** to **On**.
To enable system-assigned managed identity on a VM during its creation, your acc
Refer to the following Quickstarts to create a VM: -- [Create a Windows virtual machine with the Azure portal](../../virtual-machines/windows/quick-create-portal.md#create-virtual-machine) -- [Create a Linux virtual machine with the Azure portal](../../virtual-machines/linux/quick-create-portal.md#create-virtual-machine)
+- [Create a Windows virtual machine with the Azure portal](/azure/virtual-machines/windows/quick-create-portal#create-virtual-machine)
+- [Create a Linux virtual machine with the Azure portal](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine)
### Enable system-assigned managed identity on an existing VM [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM.
To enable system-assigned managed identity on a VM that was originally provision
### Remove system-assigned managed identity from a VM
-To remove system-assigned managed identity from a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To remove system-assigned managed identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
If you have a Virtual Machine that no longer needs system-assigned managed identity:
If you have a Virtual Machine that no longer needs system-assigned managed ident
### Assign a user-assigned identity during the creation of a VM
-To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a VM. Instead, refer to one of the following VM creation Quickstart articles to first create a VM, and then proceed to the next section for details on assigning a user-assigned managed identity to the VM: -- [Create a Windows virtual machine with the Azure portal](../../virtual-machines/windows/quick-create-portal.md#create-virtual-machine)-- [Create a Linux virtual machine with the Azure portal](../../virtual-machines/linux/quick-create-portal.md#create-virtual-machine)
+- [Create a Windows virtual machine with the Azure portal](/azure/virtual-machines/windows/quick-create-portal#create-virtual-machine)
+- [Create a Linux virtual machine with the Azure portal](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine)
### Assign a user-assigned managed identity to an existing VM
-To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. 2. Navigate to the desired VM and click **Identity**, **User assigned** and then **\+Add**.
To assign a user-assigned identity to a VM, your account needs the [Virtual Mach
### Remove a user-assigned managed identity from a VM
-To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Sign in to the [Azure portal](https://portal.azure.com) using an account associated with the Azure subscription that contains the VM. 2. Navigate to the desired VM and select **Identity**, **User assigned**, the name of the user-assigned managed identity you want to delete and then click **Remove** (click **Yes** in the confirmation pane).
active-directory Qs Configure Portal Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss.md
In this article, using the Azure portal, you learn how to perform the following
> [!NOTE] > No additional Microsoft Entra directory role assignments required.
- - [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) to enable and remove system-assigned managed identity from a virtual machine scale set.
+ - [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) to enable and remove system-assigned managed identity from a virtual machine scale set.
## System-assigned managed identity
In this section, you will learn how to enable and disable the system-assigned ma
Currently, the Azure portal does not support enabling system-assigned managed identity during the creation of a virtual machine scale set. Instead, refer to the following virtual machine scale set creation Quickstart article to first create a virtual machine scale set, and then proceed to the next section for details on enabling system-assigned managed identity on a virtual machine scale set: -- [Create a Virtual Machine Scale Set in the Azure portal](../../virtual-machine-scale-sets/quick-create-portal.md)
+- [Create a Virtual Machine Scale Set in the Azure portal](/azure/virtual-machine-scale-sets/quick-create-portal)
### Enable system-assigned managed identity on an existing virtual machine scale set
In this section, you learn how to add and remove a user-assigned managed identit
Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a virtual machine scale set. Instead, refer to the following virtual machine scale set creation Quickstart article to first create a virtual machine scale set, and then proceed to the next section for details on assigning a user-assigned managed identity to it: -- [Create a Virtual Machine Scale Set in the Azure portal](../../virtual-machine-scale-sets/quick-create-portal.md)
+- [Create a Virtual Machine Scale Set in the Azure portal](/azure/virtual-machine-scale-sets/quick-create-portal)
### Assign a user-assigned managed identity to an existing virtual machine scale set
active-directory Qs Configure Powershell Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm.md
In this article, using PowerShell, you learn how to perform the following manage
- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#managed-identity-types)**. - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing. - To run the example scripts, you have two options:
- - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.
+ - Use the [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open using the **Try It** button on the top-right corner of code blocks.
- Run scripts locally by installing the latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell), then sign in to Azure using `Connect-AzAccount`. ## System-assigned managed identity
In this section, we go over how to enable and disable the system-assigned manage
### Enable system-assigned managed identity during creation of an Azure VM
-To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Refer to one of the following Azure VM Quickstarts, completing only the necessary sections ("Sign in to Azure", "Create resource group", "Create networking group", "Create the VM").
To create an Azure VM with the system-assigned managed identity enabled, your ac
$vmConfig = New-AzVMConfig -VMName myVM -IdentityType SystemAssigned ... ```
- - [Create a Windows virtual machine using PowerShell](../../virtual-machines/windows/quick-create-powershell.md)
- - [Create a Linux virtual machine using PowerShell](../../virtual-machines/linux/quick-create-powershell.md)
+ - [Create a Windows virtual machine using PowerShell](/azure/virtual-machines/windows/quick-create-powershell)
+ - [Create a Linux virtual machine using PowerShell](/azure/virtual-machines/linux/quick-create-powershell)
### Enable system-assigned managed identity on an existing Azure VM
-To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Retrieve the VM properties using the `Get-AzVM` cmdlet. Then to enable a system-assigned managed identity, use the `-IdentityType` switch on the [Update-AzVM](/powershell/module/az.compute/update-azvm) cmdlet:
After you have enabled system assigned identity on a VM, you can add it to a gro
## Disable system-assigned managed identity from an Azure VM
-To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
If you have a Virtual Machine that no longer needs the system-assigned managed identity but still needs user-assigned managed identities, use the following cmdlet:
In this section, you learn how to add and remove a user-assigned managed identit
### Assign a user-assigned managed identity to a VM during creation
-To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
1. Refer to one of the following Azure VM Quickstarts, completing only the necessary sections ("Sign in to Azure", "Create resource group", "Create networking group", "Create the VM").
To assign a user-assigned identity to a VM, your account needs the [Virtual Mach
$vmConfig = New-AzVMConfig -VMName <VM NAME> -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESROURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>..." ```
- - [Create a Windows virtual machine using PowerShell](../../virtual-machines/windows/quick-create-powershell.md)
- - [Create a Linux virtual machine using PowerShell](../../virtual-machines/linux/quick-create-powershell.md)
+ - [Create a Windows virtual machine using PowerShell](/azure/virtual-machines/windows/quick-create-powershell)
+ - [Create a Linux virtual machine using PowerShell](/azure/virtual-machines/linux/quick-create-powershell)
### Assign a user-assigned managed identity to an existing Azure VM
-To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
1. Create a user-assigned managed identity using the [New-AzUserAssignedIdentity](/powershell/module/az.managedserviceidentity/new-azuserassignedidentity) cmdlet. Note the `Id` in the output because you'll need this information in the next step.
To assign a user-assigned identity to a VM, your account needs the [Virtual Mach
### Remove a user-assigned managed identity from an Azure VM
-To remove a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment.
+To remove a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment.
If your VM has multiple user-assigned managed identities, you can remove all but the last one using the following commands. Be sure to replace the `<RESOURCE GROUP>` and `<VM NAME>` parameter values with your own values. The `<USER ASSIGNED IDENTITY NAME>` is the user-assigned managed identity's name property, which should remain on the VM. This information is discoverable using a query to search for the `Identity` property of the VM object. For example, `$vm.Identity`:
Update-AzVm -ResourceGroupName myResourceGroup -VirtualMachine $vm -IdentityType
- [Managed identities for Azure resources overview](overview.md) - For the full Azure VM creation Quickstarts, see:
- - [Create a Windows virtual machine with PowerShell](../../virtual-machines/windows/quick-create-powershell.md)
- - [Create a Linux virtual machine with PowerShell](../../virtual-machines/linux/quick-create-powershell.md)
+ - [Create a Windows virtual machine with PowerShell](/azure/virtual-machines/windows/quick-create-powershell)
+ - [Create a Linux virtual machine with PowerShell](/azure/virtual-machines/linux/quick-create-powershell)
active-directory Qs Configure Powershell Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vmss.md
In this article, using PowerShell, you learn how to perform the managed identiti
> [!NOTE] > No additional Microsoft Entra directory role assignments required.
- - [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) to create a virtual machine scale set and enable and remove system-assigned managed and/or user-assigned managed identity from a virtual machine scale set.
- - [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role to create a user-assigned managed identity.
- - [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role to assign and remove a user-assigned managed identity from and to a virtual machine scale set.
+ - [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) to create a virtual machine scale set and enable and remove system-assigned managed and/or user-assigned managed identity from a virtual machine scale set.
+ - [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role to create a user-assigned managed identity.
+ - [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role to assign and remove a user-assigned managed identity from and to a virtual machine scale set.
- To run the example scripts, you have two options:
- - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.
+ - Use the [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open using the **Try It** button on the top-right corner of code blocks.
- Run scripts locally by installing the latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell), then sign in to Azure using `Connect-AzAccount`. ## System-assigned managed identity
Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "Sys
- [Managed identities for Azure resources overview](overview.md) - For the full Azure VM creation Quickstarts, see:
- - [Create a Windows virtual machine with PowerShell](../../virtual-machines/windows/quick-create-powershell.md)
- - [Create a Linux virtual machine with PowerShell](../../virtual-machines/linux/quick-create-powershell.md)
+ - [Create a Windows virtual machine with PowerShell](/azure/virtual-machines/windows/quick-create-powershell)
+ - [Create a Linux virtual machine with PowerShell](/azure/virtual-machines/linux/quick-create-powershell)
active-directory Qs Configure Rest Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vm.md
In this section, you learn how to enable and disable system-assigned managed ide
### Enable system-assigned managed identity during creation of an Azure VM
-To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
+1. Create a [resource group](/azure/azure-resource-manager/management/overview#terminology) for containment and deployment of your VM and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
```azurecli-interactive az group create --name myResourceGroup --location westus
To create an Azure VM with the system-assigned managed identity enabled, your ac
### Enable system-assigned identity on an existing Azure VM
-To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.
To enable system-assigned managed identity on a VM that was originally provision
### Disable system-assigned managed identity from an Azure VM
-To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To disable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.
In this section, you learn how to add and remove user-assigned managed identity
### Assign a user-assigned managed identity during the creation of an Azure VM
-To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
1. Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.
To assign a user-assigned identity to a VM, your account needs the [Virtual Mach
### Assign a user-assigned managed identity to an existing Azure VM
-To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) and [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) and [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignments. No other Microsoft Entra directory role assignments are required.
1. Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.
To assign a user-assigned identity to a VM, your account needs the [Virtual Mach
az account get-access-token ```
-2. Create a user-assigned managed identity using the instructions found here, [Create a user-assigned managed identity](how-to-manage-ua-identity-rest.md#create-a-user-assigned-managed-identity).
+2. Create a user-assigned managed identity using the instructions found here, [Create a user-assigned managed identity](how-to-manage-ua-identity-rest.md#create-a-user-assigned-managed-identity).
3. To ensure you don't delete existing user or system-assigned managed identities that are assigned to the VM, you need to list the identity types assigned to the VM by using the following CURL command. If you have managed identities assigned to the virtual machine scale set, they are listed under in the `identity` value.
To assign a user-assigned identity to a VM, your account needs the [Virtual Mach
### Remove a user-assigned managed identity from an Azure VM
-To remove a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment.
+To remove a user-assigned identity to a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment.
1. Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.
active-directory Qs Configure Rest Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss.md
If you don't already have an Azure account, [sign up for a free account](https:/
- To perform the management operations in this article, your account needs the following Azure role assignments:
- - [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) to create a virtual machine scale set and enable and remove system and/or user-assigned managed identity from a virtual machine scale set.
+ - [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) to create a virtual machine scale set and enable and remove system and/or user-assigned managed identity from a virtual machine scale set.
- - [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role to create a user-assigned managed identity.
+ - [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role to create a user-assigned managed identity.
- - [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role to assign and remove a user-assigned identity from and to a virtual machine scale set.
+ - [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role to assign and remove a user-assigned identity from and to a virtual machine scale set.
> [!NOTE] > No additional Microsoft Entra directory role assignments required.
In this section, you learn how to enable and disable system-assigned managed ide
To create a virtual machine scale set with system-assigned managed identity enabled, you need create a virtual machine scale set and retrieve an access token to use CURL to call the Resource Manager endpoint with the system-assigned managed identity type value.
-1. Create a [resource group](../../azure-resource-manager/management/overview.md#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
+1. Create a [resource group](/azure/azure-resource-manager/management/overview#terminology) for containment and deployment of your virtual machine scale set and its related resources, using [az group create](/cli/azure/group/#az-group-create). You can skip this step if you already have resource group you would like to use instead:
```azurecli-interactive az group create --name myResourceGroup --location westus
active-directory Qs Configure Template Windows Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md
In this article, using the Azure Resource Manager deployment template, you learn
## Azure Resource Manager templates
-As with the Azure portal and scripting, [Azure Resource Manager](../../azure-resource-manager/management/overview.md) templates allow you to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based, including:
+As with the Azure portal and scripting, [Azure Resource Manager](/azure/azure-resource-manager/management/overview) templates allow you to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based, including:
- - Using a [custom template from the Azure Marketplace](../../azure-resource-manager/templates/deploy-portal.md#deploy-resources-from-custom-template), which allows you to create a template from scratch, or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).
- - Deriving from an existing resource group, by exporting a template from either [the original deployment](../../azure-resource-manager/templates/export-template-portal.md), or from the [current state of the deployment](../../azure-resource-manager/templates/export-template-portal.md).
- - Using a local [JSON editor (such as VS Code)](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md), and then uploading and deploying by using PowerShell or CLI.
- - Using the Visual Studio [Azure Resource Group project](../../azure-resource-manager/templates/create-visual-studio-deployment-project.md) to both create and deploy a template.
+ - Using a [custom template from the Azure Marketplace](/azure/azure-resource-manager/templates/deploy-portal#deploy-resources-from-custom-template), which allows you to create a template from scratch, or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).
+ - Deriving from an existing resource group, by exporting a template from either [the original deployment](/azure/azure-resource-manager/templates/export-template-portal), or from the [current state of the deployment](/azure/azure-resource-manager/templates/export-template-portal).
+ - Using a local [JSON editor (such as VS Code)](/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal), and then uploading and deploying by using PowerShell or CLI.
+ - Using the Visual Studio [Azure Resource Group project](/azure/azure-resource-manager/templates/create-visual-studio-deployment-project) to both create and deploy a template.
-Regardless of the option you choose, template syntax is the same during initial deployment and redeployment. Enabling a system or user-assigned managed identity on a new or existing VM is done in the same manner. Also, by default, Azure Resource Manager does an [incremental update](../../azure-resource-manager/templates/deployment-modes.md) to deployments.
+Regardless of the option you choose, template syntax is the same during initial deployment and redeployment. Enabling a system or user-assigned managed identity on a new or existing VM is done in the same manner. Also, by default, Azure Resource Manager does an [incremental update](/azure/azure-resource-manager/templates/deployment-modes) to deployments.
## System-assigned managed identity
In this section, you will enable and disable a system-assigned managed identity
### Enable system-assigned managed identity during creation of an Azure VM or on an existing VM
-To enable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To enable system-assigned managed identity on a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
To enable system-assigned managed identity on a VM, your account needs the [Virt
### Assign a role the VM's system-assigned managed identity
-After you enable a system-assigned managed identity on your VM, you may want to grant it a role such as **Reader** access to the resource group in which it was created. You can find detailed information to help you with this step in the [Assign Azure roles using Azure Resource Manager templates](../../role-based-access-control/role-assignments-template.md) article.
+After you enable a system-assigned managed identity on your VM, you may want to grant it a role such as **Reader** access to the resource group in which it was created. You can find detailed information to help you with this step in the [Assign Azure roles using Azure Resource Manager templates](/azure/role-based-access-control/role-assignments-template) article.
### Disable a system-assigned managed identity from an Azure VM
-To remove system-assigned managed identity from a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To remove system-assigned managed identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
In this section, you assign a user-assigned managed identity to an Azure VM usin
### Assign a user-assigned managed identity to an Azure VM
-To assign a user-assigned identity to a VM, your account needs the [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role assignment. No other Microsoft Entra directory role assignments are required.
+To assign a user-assigned identity to a VM, your account needs the [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignment. No other Microsoft Entra directory role assignments are required.
1. Under the `resources` element, add the following entry to assign a user-assigned managed identity to your VM. Be sure to replace `<USERASSIGNEDIDENTITY>` with the name of the user-assigned managed identity you created.
To assign a user-assigned identity to a VM, your account needs the [Managed Iden
### Remove a user-assigned managed identity from an Azure VM
-To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
+To remove a user-assigned identity from a VM, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
active-directory Qs Configure Template Windows Vmss https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vmss.md
In this article, you learn how to perform the following managed identities for A
> [!NOTE] > No additional Microsoft Entra directory role assignments required.
- - [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) to create a virtual machine scale set and enable and remove system and/or user-assigned managed identity from a virtual machine scale set.
- - [Managed Identity Contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) role to create a user-assigned managed identity.
- - [Managed Identity Operator](../../role-based-access-control/built-in-roles.md#managed-identity-operator) role to assign and remove a user-assigned managed identity from and to a virtual machine scale set.
+ - [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) to create a virtual machine scale set and enable and remove system and/or user-assigned managed identity from a virtual machine scale set.
+ - [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles#managed-identity-contributor) role to create a user-assigned managed identity.
+ - [Managed Identity Operator](/azure/role-based-access-control/built-in-roles#managed-identity-operator) role to assign and remove a user-assigned managed identity from and to a virtual machine scale set.
## Azure Resource Manager templates
-As with the Azure portal and scripting, [Azure Resource Manager](../../azure-resource-manager/management/overview.md) templates provide the ability to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based, including:
+As with the Azure portal and scripting, [Azure Resource Manager](/azure/azure-resource-manager/management/overview) templates provide the ability to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based, including:
- - Using a [custom template from the Azure Marketplace](../../azure-resource-manager/templates/deploy-portal.md#deploy-resources-from-custom-template), which allows you to create a template from scratch, or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).
- - Deriving from an existing resource group, by exporting a template from either [the original deployment](../../azure-resource-manager/templates/export-template-portal.md), or from the [current state of the deployment](../../azure-resource-manager/templates/export-template-portal.md).
- - Using a local [JSON editor (such as VS Code)](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md), and then uploading and deploying by using PowerShell or CLI.
- - Using the Visual Studio [Azure Resource Group project](../../azure-resource-manager/templates/create-visual-studio-deployment-project.md) to both create and deploy a template.
+ - Using a [custom template from the Azure Marketplace](/azure/azure-resource-manager/templates/deploy-portal#deploy-resources-from-custom-template), which allows you to create a template from scratch, or base it on an existing common or [quickstart template](https://azure.microsoft.com/resources/templates/).
+ - Deriving from an existing resource group, by exporting a template from either [the original deployment](/azure/azure-resource-manager/templates/export-template-portal), or from the [current state of the deployment](/azure/azure-resource-manager/templates/export-template-portal).
+ - Using a local [JSON editor (such as VS Code)](/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal), and then uploading and deploying by using PowerShell or CLI.
+ - Using the Visual Studio [Azure Resource Group project](/azure/azure-resource-manager/templates/create-visual-studio-deployment-project) to both create and deploy a template.
-Regardless of the option you choose, template syntax is the same during initial deployment and redeployment. Enabling managed identities for Azure resources on a new or existing VM is done in the same manner. Also, by default, Azure Resource Manager does an [incremental update](../../azure-resource-manager/templates/deployment-modes.md) to deployments.
+Regardless of the option you choose, template syntax is the same during initial deployment and redeployment. Enabling managed identities for Azure resources on a new or existing VM is done in the same manner. Also, by default, Azure Resource Manager does an [incremental update](/azure/azure-resource-manager/templates/deployment-modes) to deployments.
## System-assigned managed identity
active-directory Services Id Authentication Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/services-id-authentication-support.md
The following services support Microsoft Entra authentication. New services are
| Service Name | Documentation | ||-|
-| API Management | [Authorize developer accounts by using Microsoft Entra ID in Azure API Management](../../api-management/api-management-howto-aad.md) |
-| Azure App Configuration | [Authorize access to Azure App Configuration using Microsoft Entra ID](../../azure-app-configuration/concept-enable-rbac.md) |
-| Azure App Services | [Configure your App Service or Azure Functions app to use Microsoft Entra login](../../app-service/configure-authentication-provider-aad.md) |
-| Azure Batch | [Authenticate Batch service solutions with Active Directory](../../batch/batch-aad-auth.md) |
-| Azure Container Registry | [Authenticate with an Azure container registry](../../container-registry/container-registry-authentication.md) |
-| Azure AI services | [Authenticate requests to Azure AI services](../../ai-services/authentication.md?tabs=powershell#authenticate-with-azure-active-directory) |
-| Azure Communication Services | [Authenticate to Azure Communication Services](../../communication-services/concepts/authentication.md) |
-| Azure Cosmos DB | [Configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account](../../cosmos-db/how-to-setup-rbac.md) |
-| Azure Databricks | [Authenticate using Microsoft Entra tokens](/azure/databricks/dev-tools/api/latest/aad/)
-| Azure Data Explorer | [How-To Authenticate with Microsoft Entra ID for Azure Data Explorer Access](/azure/data-explorer/kusto/management/access-control/how-to-authenticate-with-aad) |
-| Azure Data Lake Storage Gen1 | [Authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID](../../data-lake-store/data-lakes-store-authentication-using-azure-active-directory.md) |
-| Azure Database for PostgreSQL | [Use Microsoft Entra ID for authentication with PostgreSQL](../../postgresql/howto-configure-sign-in-aad-authentication.md)
-| Azure Digital Twins | [Set up an Azure Digital Twins instance and authentication (portal)](../../digital-twins/how-to-set-up-instance-portal.md#set-up-user-access-permissions) |
-| Azure Event Hubs | [Authenticate an application with Microsoft Entra ID to access Event Hubs resources](../../event-hubs/authenticate-application.md)
-| Azure IoT Hub | [Control access to IoT Hub](../../iot-hub/iot-hub-devguide-security.md) |
-| Azure Key Vault | [Authentication in Azure Key Vault](../../key-vault/general/authentication.md)
-| Azure Kubernetes Service (AKS) | [Control access to cluster resources using Kubernetes role-based access control and Microsoft Entra identities in Azure Kubernetes Service](../../aks/azure-ad-rbac.md) |
-| Azure Machine Learning Services | [Set up authentication for Azure Machine Learning resources and workflows](../../machine-learning/how-to-setup-authentication.md) |
-| Azure Maps | [Manage authentication in Azure Maps](../../azure-maps/how-to-manage-authentication.md) |
-| Azure Media services | [Access the Azure Media Services API with Microsoft Entra authentication](/azure/media-services/previous/media-services-use-aad-auth-to-access-ams-api) |
-| Azure Monitor | [Microsoft Entra authentication for Application Insights (Preview)](../../azure-monitor/app/azure-ad-authentication.md?tabs=net) |
-| Azure Resource Manager | [Azure security baseline for Azure Resource Manager](/security/benchmark/azure/baselines/resource-manager-security-baseline?toc=/azure/azure-resource-manager/management/toc.json)
-| Azure Service Fabric | [Set up Microsoft Entra ID for client authentication](../../service-fabric/service-fabric-cluster-creation-setup-aad.md) |
-| Azure Service Bus | [Service Bus authentication and authorization](../../service-bus-messaging/service-bus-authentication-and-authorization.md)
-| Azure SignalR Service | [Authorize access with Microsoft Entra ID for Azure SignalR Service](../../azure-signalr/signalr-concept-authorize-azure-active-directory.md) |
+| API Management | [Authorize developer accounts by using Microsoft Entra ID in Azure API Management](/azure/api-management/api-management-howto-aad) |
+| Azure App Configuration | [Authorize access to Azure App Configuration using Microsoft Entra ID](/azure/azure-app-configuration/concept-enable-rbac) |
+| Azure App Services | [Configure your App Service or Azure Functions app to use Microsoft Entra login](/azure/app-service/configure-authentication-provider-aad) |
+| Azure Batch | [Authenticate Batch service solutions with Active Directory](/azure/batch/batch-aad-auth) |
+| Azure Container Registry | [Authenticate with an Azure container registry](/azure/container-registry/container-registry-authentication) |
+| Azure AI services | [Authenticate requests to Azure AI services](/azure/ai-services/authentication?tabs=powershell#authenticate-with-azure-active-directory) |
+| Azure Communication Services | [Authenticate to Azure Communication Services](/azure/communication-services/concepts/authentication) |
+| Azure Cosmos DB | [Configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account](/azure/cosmos-db/how-to-setup-rbac) |
+| Azure Databricks | [Authenticate using Microsoft Entra tokens](/azure/databricks/dev-tools/auth)
+| Azure Data Explorer | [How-To Authenticate with Microsoft Entra ID for Azure Data Explorer Access](/azure/data-explorer/kusto/api/rest/authenticate-with-msal) |
+| Azure Data Lake Storage Gen1 | [Authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID](/azure/data-lake-store/data-lakes-store-authentication-using-azure-active-directory) |
+| Azure Database for PostgreSQL | [Use Microsoft Entra ID for authentication with PostgreSQL](/azure/postgresql/howto-configure-sign-in-aad-authentication)
+| Azure Digital Twins | [Set up an Azure Digital Twins instance and authentication (portal)](/azure/digital-twins/how-to-set-up-instance-portal#set-up-user-access-permissions) |
+| Azure Event Hubs | [Authenticate an application with Microsoft Entra ID to access Event Hubs resources](/azure/event-hubs/authenticate-application)
+| Azure IoT Hub | [Control access to IoT Hub](/azure/iot-hub/iot-hub-devguide-security) |
+| Azure Key Vault | [Authentication in Azure Key Vault](/azure/key-vault/general/authentication)
+| Azure Kubernetes Service (AKS) | [Control access to cluster resources using Kubernetes role-based access control and Microsoft Entra identities in Azure Kubernetes Service](/azure/aks/azure-ad-rbac) |
+| Azure Machine Learning Services | [Set up authentication for Azure Machine Learning resources and workflows](/azure/machine-learning/how-to-setup-authentication) |
+| Azure Maps | [Manage authentication in Azure Maps](/azure/azure-maps/how-to-manage-authentication) |
+| Azure Media services | [Access the Azure Media Services API with Microsoft Entra authentication](/previous-versions/media-services/previous/media-services-use-aad-auth-to-access-ams-api) |
+| Azure Monitor | [Microsoft Entra authentication for Application Insights (Preview)](/azure/azure-monitor/app/azure-ad-authentication?tabs=net) |
+| Azure Resource Manager | [Azure security baseline for Azure Resource Manager](/security/benchmark/azure/baselines/azure-resource-manager-security-baseline?toc=/azure/azure-resource-manager/management/toc.json)
+| Azure Service Fabric | [Set up Microsoft Entra ID for client authentication](/azure/service-fabric/service-fabric-cluster-creation-setup-aad) |
+| Azure Service Bus | [Service Bus authentication and authorization](/azure/service-bus-messaging/service-bus-authentication-and-authorization)
+| Azure SignalR Service | [Authorize access with Microsoft Entra ID for Azure SignalR Service](/azure/azure-signalr/signalr-concept-authorize-azure-active-directory) |
| Azure SQL | [Use Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview) | | Azure SQL Managed Instance | [What is Azure SQL Managed Instance?](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview#azure-active-directory-integration) |
-| Azure Static Web Apps | [Authentication and authorization for Azure Static Web Apps](../../static-web-apps/authentication-authorization.md?tabs=invitations)
-| Azure Storage | [Authorize access to blobs using Microsoft Entra ID](../../storage/blobs/authorize-access-azure-active-directory.md) |
+| Azure Static Web Apps | [Authentication and authorization for Azure Static Web Apps](/azure/static-web-apps/authentication-authorization?tabs=invitations)
+| Azure Storage | [Authorize access to blobs using Microsoft Entra ID](/azure/storage/blobs/authorize-access-azure-active-directory) |
| Azure Virtual Machines | [Secure and use policies on virtual machines in Azure](../devices/howto-vm-sign-in-azure-ad-windows.md) | ## Next steps - [Microsoft Azure operated by 21Vianet developer guide](/azure/china/resources-developer-guide)-- [Compare Azure Government and global Azure](../../azure-government/compare-azure-government-global-azure.md)
+- [Compare Azure Government and global Azure](/azure/azure-government/compare-azure-government-global-azure)
- [Azure services that can use Managed identities to access other services](managed-identities-status.md)
active-directory Tutorial Linux Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm.md
You learn how to:
- An understanding of Managed identities. If you're not familiar with managed identities, see this [overview](overview.md). - An Azure account, [sign up for a free account](https://azure.microsoft.com/free/). - You also need a Linux Virtual machine that has system assigned managed identities enabled. If you have a VM but need to enable [system assigned managed identities](qs-configure-portal-windows-vm.md) you can do it in the identity section of the virtual machine's properties.
- - If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a Linux virtual machine with the Azure portal](../../virtual-machines/linux/quick-create-portal.md#create-virtual-machine)
+ - If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a Linux virtual machine with the Azure portal](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine)
## Grant access
When you use managed identities for Azure resources, your code can get access to
## Get an access token using the VM's system-assigned managed identity and use it to call Resource Manager
-To complete these steps, you need an SSH client. If you're using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/about). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).
+To complete these steps, you need an SSH client. If you're using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/about). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](/azure/virtual-machines/linux/ssh-from-windows), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](/azure/virtual-machines/linux/mac-create-ssh-keys).
1. In the portal, navigate to your Linux VM and in the **Overview**, select **Connect**.
The response back with the specific Resource Group information:
In this quickstart, you learned how to use a system-assigned managed identity to access the Azure Resource Manager API. For more information about Azure Resource Manager, see: > [!div class="nextstepaction"]
->[Azure Resource Manager](../../azure-resource-manager/management/overview.md)
+>[Azure Resource Manager](/azure/azure-resource-manager/management/overview)
>[Create, list or delete a user-assigned managed identity using Azure PowerShell](how-to-manage-ua-identity-powershell.md)
active-directory Tutorial Linux Vm Access Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-cosmos-db.md
This tutorial shows you how to use a system-assigned managed identity for a Linu
- If you're not familiar with the managed identities for Azure resources feature, see this [overview](overview.md). - If you don't have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.-- To perform the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../role-based-access-control/role-assignments-portal.md).
+- To perform the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](/azure/role-based-access-control/role-assignments-portal).
- To run the example scripts, you have two options:
- - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top right corner of code blocks.
+ - Use the [Azure Cloud Shell](/azure/cloud-shell/overview), which you can open using the **Try It** button on the top right corner of code blocks.
- Run scripts locally by installing the latest version of the [Azure CLI](/cli/azure/install-azure-cli), then sign in to Azure using [az login](/cli/azure/reference-index#az-login). Use an account associated with the Azure subscription in which you'd like to create resources. ## Create an Azure Cosmos DB account
The response includes the details for the role assignment created:
For the remainder of the tutorial, work from the virtual machine.
-To complete these steps, you need an SSH client. If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/install-win10). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).
+To complete these steps, you need an SSH client. If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/install). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](/azure/virtual-machines/linux/ssh-from-windows), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](/azure/virtual-machines/linux/mac-create-ssh-keys).
1. In the Azure portal, navigate to **Virtual Machines**, go to your Linux virtual machine, then from the **Overview** page click **Connect** at the top. Copy the string to connect to your VM. 2. Connect to your VM using your SSH client.
Now that you have the access key for the Azure Cosmos DB account, you can pass i
In this tutorial, you learned how to use a system-assigned managed identity on a Linux virtual machine to access Azure Cosmos DB. To learn more about Azure Cosmos DB, see: > [!div class="nextstepaction"]
->[Azure Cosmos DB overview](../../cosmos-db/introduction.md)
+>[Azure Cosmos DB overview](/azure/cosmos-db/introduction)
active-directory Tutorial Linux Vm Access Datalake https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-datalake.md
In this tutorial, you learn how to:
## Grant access
-This section shows how to grant your VM access to files and folders in Azure Data Lake Store. For this step, you can use an existing Data Lake Store instance or create a new one. To create a Data Lake Store instance by using the Azure portal, follow the [Azure Data Lake Store quickstart](../../data-lake-store/data-lake-store-get-started-portal.md). There are also quickstarts that use Azure CLI and Azure PowerShell in the [Azure Data Lake Store documentation](../../data-lake-store/data-lake-store-overview.md).
+This section shows how to grant your VM access to files and folders in Azure Data Lake Store. For this step, you can use an existing Data Lake Store instance or create a new one. To create a Data Lake Store instance by using the Azure portal, follow the [Azure Data Lake Store quickstart](/azure/data-lake-store/data-lake-store-get-started-portal). There are also quickstarts that use Azure CLI and Azure PowerShell in the [Azure Data Lake Store documentation](/azure/data-lake-store/data-lake-store-overview).
In Data Lake Store, create a new folder and grant our Linux VM system-assigned managed identity permission to read, write, and execute files in that folder:
In Data Lake Store, create a new folder and grant our Linux VM system-assigned m
10. Similar to step 5, select **Add**. In the **Select** box, enter the name of your VM. Select your VM from the search results, and then select **Select**. 11. Similar to step 6, select **Select Permissions**. Select **Read**, **Write**, and **Execute**, add to **This folder**, and add as **An access permission entry and a default permission entry**. Select **Ok**. The permission should be added successfully.
-Managed identities for Azure resources can now perform all operations on files in the folder that you created. For more information on managing access to Data Lake Store, see [Access Control in Data Lake Store](../../data-lake-store/data-lake-store-access-control.md).
+Managed identities for Azure resources can now perform all operations on files in the folder that you created. For more information on managing access to Data Lake Store, see [Access Control in Data Lake Store](/azure/data-lake-store/data-lake-store-access-control).
## Get an access token
-This section shows how to obtain an access token and call the Data Lake Store file system. Azure Data Lake Store natively supports Microsoft Entra authentication, so it can directly accept access tokens obtained via using managed identities for Azure resources. To authenticate to the Data Lake Store file system, you send an access token issued by Microsoft Entra ID to your Data Lake Store file system endpoint. The access token is in an authorization header in the format "Bearer \<ACCESS_TOKEN_VALUE\>". To learn more about Data Lake Store support for Microsoft Entra authentication, see [Authentication with Data Lake Store using Microsoft Entra ID](../../data-lake-store/data-lakes-store-authentication-using-azure-active-directory.md).
+This section shows how to obtain an access token and call the Data Lake Store file system. Azure Data Lake Store natively supports Microsoft Entra authentication, so it can directly accept access tokens obtained via using managed identities for Azure resources. To authenticate to the Data Lake Store file system, you send an access token issued by Microsoft Entra ID to your Data Lake Store file system endpoint. The access token is in an authorization header in the format "Bearer \<ACCESS_TOKEN_VALUE\>". To learn more about Data Lake Store support for Microsoft Entra authentication, see [Authentication with Data Lake Store using Microsoft Entra ID](/azure/data-lake-store/data-lakes-store-authentication-using-azure-active-directory).
In this tutorial, you authenticate to the REST API for the Data Lake Store file system by using cURL to make REST requests. > [!NOTE] > The client SDKs for the Data Lake Store file system do not yet support managed identities for Azure resources.
-To complete these steps, you need an SSH client. If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/about). If you need assistance configuring your SSH client's keys, see [How to use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md) or [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).
+To complete these steps, you need an SSH client. If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/about). If you need assistance configuring your SSH client's keys, see [How to use SSH keys with Windows on Azure](/azure/virtual-machines/linux/ssh-from-windows) or [How to create and use an SSH public and private key pair for Linux VMs in Azure](/azure/virtual-machines/linux/mac-create-ssh-keys).
1. In the portal, browse to your Linux VM. In **Overview**, select **Connect**. 2. Connect to the VM by using the SSH client of your choice.
By using other APIs for the Data Lake Store file system, you can append to files
In this tutorial, you learned how to use a Linux VM system-assigned managed identity to access an Azure Data Lake Store. To learn more about Azure Data Lake Store see: > [!div class="nextstepaction"]
->[Azure Data Lake Store](../../data-lake-store/data-lake-store-overview.md)
+>[Azure Data Lake Store](/azure/data-lake-store/data-lake-store-overview)
active-directory Tutorial Linux Vm Access Nonaad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad.md
[!INCLUDE [preview-notice](../../../includes/active-directory-msi-preview-notice.md)]
-This tutorial shows you how a Linux virtual machine (VM) can use a system-assigned managed identity to access [Azure Key Vault](../../key-vault/general/overview.md). Serving as a bootstrap, Key Vault makes it possible for your client application to then use a secret to access resources not secured by Microsoft Entra ID. Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Microsoft Entra authentication, without including authentication information in your code.
+This tutorial shows you how a Linux virtual machine (VM) can use a system-assigned managed identity to access [Azure Key Vault](/azure/key-vault/general/overview). Serving as a bootstrap, Key Vault makes it possible for your client application to then use a secret to access resources not secured by Microsoft Entra ID. Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Microsoft Entra authentication, without including authentication information in your code.
You learn how to:
You learn how to:
- A basic understanding of Managed identities. If you're not familiar with the managed identities for Azure resources feature, see this [overview](overview.md). - An Azure account, [sign up for a free account](https://azure.microsoft.com/free/).-- "Owner" permissions at the appropriate scope (your subscription or resource group) to perform required resource creation and role management steps. If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../role-based-access-control/role-assignments-portal.md).
+- "Owner" permissions at the appropriate scope (your subscription or resource group) to perform required resource creation and role management steps. If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](/azure/role-based-access-control/role-assignments-portal).
- You also need a Linux Virtual machine that has system assigned managed identities enabled.
- - If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a Linux virtual machine with the Azure portal](../../virtual-machines/linux/quick-create-portal.md#create-virtual-machine)
+ - If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a Linux virtual machine with the Azure portal](/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine)
## Create a Key Vault  
The managed identity used by the virtual machine needs to be granted access to r
## Access data
-To complete these steps, you need an SSH client.  If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/about). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).
+To complete these steps, you need an SSH client.  If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/about). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](/azure/virtual-machines/linux/ssh-from-windows), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](/azure/virtual-machines/linux/mac-create-ssh-keys).
>[!IMPORTANT] > All Azure SDKs support the Azure.Identity library that makes it easy to acquire Microsoft Entra tokens to access target services. Learn more about [Azure SDKs](https://azure.microsoft.com/downloads/) and leverage the Azure.Identity library.
Once you've retrieved the secret from the Key Vault, you can use it to authentic
When you want to clean up the resources, sign in to the [Azure portal](https://portal.azure.com), select **Resource groups**, locate, and select the resource group that was created in the process of this tutorial (such as `mi-test`), and then use the **Delete resource group** command.
-Alternatively you may also do this via [PowerShell or the CLI](../../azure-resource-manager/management/delete-resource-group.md)
+Alternatively you may also do this via [PowerShell or the CLI](/azure/azure-resource-manager/management/delete-resource-group)
## Next steps In this tutorial, you learned how to use a Linux VM system-assigned managed identity to access Azure Key Vault. To learn more about Azure Key Vault see: > [!div class="nextstepaction"]
->[Azure Key Vault](../../key-vault/general/overview.md)
+>[Azure Key Vault](/azure/key-vault/general/overview)
active-directory Tutorial Linux Vm Access Storage Access Key https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-access-key.md
Later we will upload and download a file to the new storage account. Because fil
## Grant your VM's system-assigned managed identity access to use storage account access keys
-Azure Storage does not natively support Microsoft Entra authentication. However, you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Grant access by assigning the [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.
+Azure Storage does not natively support Microsoft Entra authentication. However, you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Grant access by assigning the [Storage Account Contributor](/azure/role-based-access-control/built-in-roles#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.
-For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
>[!NOTE]
-> For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Microsoft Entra ID.](../../storage/blobs/authorize-access-azure-active-directory.md#assign-azure-roles-for-access-rights)
+> For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Microsoft Entra ID.](/azure/storage/blobs/authorize-access-azure-active-directory#assign-azure-roles-for-access-rights)
## Get an access token using the VM's identity and use it to call Azure Resource Manager For the remainder of the tutorial, we will work from the VM we created earlier.
-To complete these steps, you will need an SSH client. If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/install-win10). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).
+To complete these steps, you will need an SSH client. If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/install-win10). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](/azure/virtual-machines/linux/ssh-from-windows), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](/azure/virtual-machines/linux/mac-create-ssh-keys).
1. In the Azure portal, navigate to **Virtual Machines**, go to your Linux virtual machine, then from the **Overview** page click **Connect** at the top. Copy the string to connect to your VM. 2. Connect to your VM using your SSH client.
Response:
In this tutorial, you learned how to use a Linux VM system-assigned managed identity to access Azure Storage using an access key. To learn more about Azure Storage access keys see: > [!div class="nextstepaction"]
->[Manage your storage access keys](../../storage/common/storage-account-create.md)
+>[Manage your storage access keys](/azure/storage/common/storage-account-create)
active-directory Tutorial Linux Vm Access Storage Sas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md
[!INCLUDE [preview-notice](../../../includes/active-directory-msi-preview-notice.md)]
-This tutorial shows you how to use a system-assigned managed identity for a Linux virtual machine (VM) to obtain a storage Shared Access Signature (SAS) credential. Specifically, a [Service SAS credential](../../storage/common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json#types-of-shared-access-signatures).
+This tutorial shows you how to use a system-assigned managed identity for a Linux virtual machine (VM) to obtain a storage Shared Access Signature (SAS) credential. Specifically, a [Service SAS credential](/azure/storage/common/storage-sas-overview?toc=/azure/storage/blobs/toc.json#types-of-shared-access-signatures).
> [!NOTE] > The SAS key generated in this tutorial will not be restricted/bound to the VM.
Later we'll upload and download a file to the new storage account. Because files
## Grant your VM's system-assigned managed identity access to use a storage SAS
-Azure Storage natively supports Microsoft Entra authentication, so you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Assign the [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.
+Azure Storage natively supports Microsoft Entra authentication, so you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Assign the [Storage Account Contributor](/azure/role-based-access-control/built-in-roles#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.
-For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
>[!NOTE]
-> For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Microsoft Entra ID.](../../storage/blobs/authorize-access-azure-active-directory.md#assign-azure-roles-for-access-rights)
+> For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Microsoft Entra ID.](/azure/storage/blobs/authorize-access-azure-active-directory#assign-azure-roles-for-access-rights)
## Get an access token using the VM's identity and use it to call Azure Resource Manager
For the remainder of the tutorial, we'll work from the VM we created earlier.
You need an SSH client to complete these steps. If you're using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/install-win10). If you need assistance configuring your SSH client's keys, see:
- - [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md)
- - [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).
+ - [How to Use SSH keys with Windows on Azure](/azure/virtual-machines/linux/ssh-from-windows)
+ - [How to create and use an SSH public and private key pair for Linux VMs in Azure](/azure/virtual-machines/linux/mac-create-ssh-keys).
Now that you have your SSH client continue to the steps below:
For this request, we'll use the following HTTP request parameters to create the
} ```
-These parameters are included in the POST body of the request for the SAS credential. For more information on the parameters for creating a SAS credential, see the [List Service SAS REST reference](/rest/api/storagerp/storageaccounts/listservicesas).
+These parameters are included in the POST body of the request for the SAS credential. For more information on the parameters for creating a SAS credential, see the [List Service SAS REST reference](/rest/api/storagerp/storage-accounts/list-service-sas).
Use the following CURL request to get the SAS credential. Be sure to replace the `<SUBSCRIPTION ID>`, `<RESOURCE GROUP>`, `<STORAGE ACCOUNT NAME>`, `<CONTAINER NAME>`, and `<EXPIRATION TIME>` parameter values with your own values. Replace the `<ACCESS TOKEN>` value with the access token you retrieved earlier:
Response:
In this tutorial, you learned how to use a Linux VM system-assigned managed identity to access Azure Storage using a SAS credential. To learn more about Azure Storage SAS, see: > [!div class="nextstepaction"]
->[Using shared access signatures (SAS)](../../storage/common/storage-sas-overview.md)
+>[Using shared access signatures (SAS)](/azure/storage/common/storage-sas-overview)
active-directory Tutorial Linux Vm Access Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage.md
Files require blob storage so you need to create a blob container in which to st
## Grant your VM access to an Azure Storage container
-You can use the VM's managed identity to retrieve the data in the Azure storage blob. Managed identities for Azure resources, can be used to authenticate to resources that support Microsoft Entra authentication. Grant access by assigning the [storage-blob-data-reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader) role to the managed-identity at the scope of the resource group that contains your storage account.
+You can use the VM's managed identity to retrieve the data in the Azure storage blob. Managed identities for Azure resources, can be used to authenticate to resources that support Microsoft Entra authentication. Grant access by assigning the [storage-blob-data-reader](/azure/role-based-access-control/built-in-roles#storage-blob-data-reader) role to the managed-identity at the scope of the resource group that contains your storage account.
-For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
>[!NOTE]
-> For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Microsoft Entra ID](../../storage/blobs/authorize-access-azure-active-directory.md#assign-azure-roles-for-access-rights)
+> For more information on the various roles that you can use to grant permissions to storage review [Authorize access to blobs and queues using Microsoft Entra ID](/azure/storage/blobs/authorize-access-azure-active-directory#assign-azure-roles-for-access-rights)
## Get an access token and use it to call Azure Storage Azure Storage natively supports Microsoft Entra authentication, so it can directly accept access tokens obtained using a Managed Identity. This is part of Azure Storage's integration with Microsoft Entra ID, and is different from supplying credentials on the connection string.
curl "https://<STORAGE ACCOUNT>.blob.core.windows.net/<CONTAINER NAME>/<FILE NAM
In this tutorial, you learned how enable a Linux VM system-assigned managed identity to access Azure Storage. To learn more about Azure Storage see: > [!div class="nextstepaction"]
-> [Azure Storage](../../storage/common/storage-introduction.md)
+> [Azure Storage](/azure/storage/common/storage-introduction)
active-directory Tutorial Vm Managed Identities Cosmos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-vm-managed-identities-cosmos.md
ms.devlang: azurecli
# How to use managed identities to connect to Azure Cosmos DB from an Azure virtual machine
-In this article, we set up a virtual machine to use managed identities to connect to Azure Cosmos DB. [Azure Cosmos DB](../../cosmos-db/introduction.md) is a fully managed NoSQL database for modern app development. [Managed identities for Azure resources](overview.md) allow your applications to authenticate when accessing services that support Microsoft Entra authentication using an identity managed by Azure.
+In this article, we set up a virtual machine to use managed identities to connect to Azure Cosmos DB. [Azure Cosmos DB](/azure/cosmos-db/introduction) is a fully managed NoSQL database for modern app development. [Managed identities for Azure resources](overview.md) allow your applications to authenticate when accessing services that support Microsoft Entra authentication using an identity managed by Azure.
## Prerequisites
In this article, we set up a virtual machine to use managed identities to connec
Create a resource group called **mi-test**. We use this resource group for all resources used in this tutorial. -- [Create a resource group using the Azure portal](../../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups)-- [Create a resource group using the CLI](../../azure-resource-manager/management/manage-resource-groups-cli.md#create-resource-groups)-- [Create a resource group using PowerShell](../../azure-resource-manager/management/manage-resource-groups-powershell.md#create-resource-groups)
+- [Create a resource group using the Azure portal](/azure/azure-resource-manager/management/manage-resource-groups-portal#create-resource-groups)
+- [Create a resource group using the CLI](/azure/azure-resource-manager/management/manage-resource-groups-cli#create-resource-groups)
+- [Create a resource group using PowerShell](/azure/azure-resource-manager/management/manage-resource-groups-powershell#create-resource-groups)
## Create an Azure VM with a managed identity
For this tutorial, you need an Azure virtual machine(VM). Create a virtual machi
### Create a VM with a system-assigned managed identity
-To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra role assignments are required.
+To create an Azure VM with the system-assigned managed identity enabled, your account needs the [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) role assignment. No other Microsoft Entra role assignments are required.
# [Portal](#tab/azure-portal)
To create an Azure VM with the system-assigned managed identity enabled, your ac
For more information, review the Azure virtual machines documentation: -- [Linux](../../virtual-machines/linux/quick-create-portal.md)-- [Windows](../../virtual-machines/windows/quick-create-portal.md)
+- [Linux](/azure/virtual-machines/linux/quick-create-portal)
+- [Windows](/azure/virtual-machines/windows/quick-create-portal)
# [PowerShell](#tab/azure-powershell)
New-AzVm `
-OpenPorts 80,3389 ``` -- [Quickstart: Create a Windows virtual machine in Azure with PowerShell](../../virtual-machines/windows/quick-create-powershell.md)-- [Quickstart: Create a Linux virtual machine in Azure with PowerShell](../../virtual-machines/linux/quick-create-powershell.md)
+- [Quickstart: Create a Windows virtual machine in Azure with PowerShell](/azure/virtual-machines/windows/quick-create-powershell)
+- [Quickstart: Create a Linux virtual machine in Azure with PowerShell](/azure/virtual-machines/linux/quick-create-powershell)
# [Azure CLI](#tab/azure-cli)
Create a VM using [Azure CLI vm create command](/cli/azure/vm/#az-vm-create). Th
az vm create --resource-group myResourceGroup --name myVM --image win2016datacenter --generate-ssh-keys --assign-identity --admin-username azureuser --admin-password myPassword12 ``` -- [Create a Linux virtual machine with a system assigned managed identity](../../virtual-machines/linux/quick-create-cli.md)-- [Create a Windows virtual machine with a system assigned managed identity](../../virtual-machines/windows/quick-create-cli.md)
+- [Create a Linux virtual machine with a system assigned managed identity](/azure/virtual-machines/linux/quick-create-cli)
+- [Create a Windows virtual machine with a system assigned managed identity](/azure/virtual-machines/windows/quick-create-cli)
# [Resource Manager Template](#tab/azure-resource-manager)
Under the resources element, add the following entry to assign a user-assigned m
## Create an Azure Cosmos DB account
-Now that we have a VM with either a user-assigned managed identity or a system-assigned managed identity we need an Azure Cosmos DB account available where you have administrative rights. If you need to create an Azure Cosmos DB account for this tutorial, the [Azure Cosmos DB quickstart](../..//cosmos-db/sql/create-cosmosdb-resources-portal.md) provides detailed steps on how to do that.
+Now that we have a VM with either a user-assigned managed identity or a system-assigned managed identity we need an Azure Cosmos DB account available where you have administrative rights. If you need to create an Azure Cosmos DB account for this tutorial, the [Azure Cosmos DB quickstart](/azure/cosmos-db/sql/create-cosmosdb-resources-portal) provides detailed steps on how to do that.
>[!NOTE] > Managed identities may be used to access any Azure resource that supports Microsoft Entra authentication. This tutorial assumes that your Azure Cosmos DB account will be configured as shown below.
Now that we have a VM with either a user-assigned managed identity or a system-a
|Subscription|Subscription name|Select the Azure subscription that you want to use for this Azure Cosmos DB account. | |Resource Group|Resource group name|Select **mi-test**, or select **Create new**, then enter a unique name for the new resource group. | |Account Name|A unique name|Enter a name to identify your Azure Cosmos DB account. Because *documents.azure.com* is appended to the name that you provide to create your URI, use a unique name.<br><br>The name can only contain lowercase letters, numbers, and the hyphen (-) character. It must be between 3-44 characters in length.|
- |API|The type of account to create|Select **Azure Cosmos DB for NoSQL** to create a document database and query by using SQL syntax. <br><br>[Learn more about the SQL API](../../cosmos-db/introduction.md).|
+ |API|The type of account to create|Select **Azure Cosmos DB for NoSQL** to create a document database and query by using SQL syntax. <br><br>[Learn more about the SQL API](/azure/cosmos-db/introduction).|
|Location|The region closest to your users|Select a geographic location to host your Azure Cosmos DB account. Use the location that is closest to your users to give them the fastest access to the data.| > [!NOTE]
Now that we have a VM with either a user-assigned managed identity or a system-a
At this point, we should have both a virtual machine configured with a managed identity and an Azure Cosmos DB account. Before we continue, we need to grant the managed identity a couple of different roles. -- First grant access to the Azure Cosmos DB management plane using [Azure RBAC](../../cosmos-db/role-based-access-control.md). The managed identity needs to have the DocumentDB Account Contributor role assigned to create Databases and containers.
+- First grant access to the Azure Cosmos DB management plane using [Azure RBAC](/azure/cosmos-db/role-based-access-control). The managed identity needs to have the DocumentDB Account Contributor role assigned to create Databases and containers.
-- You also need to grant the managed identity a contributor role using [Azure Cosmos DB RBAC](../../cosmos-db/how-to-setup-rbac.md). You can see specific steps below.
+- You also need to grant the managed identity a contributor role using [Azure Cosmos DB RBAC](/azure/cosmos-db/how-to-setup-rbac). You can see specific steps below.
> [!NOTE] > We will use the **Cosmos DB Built-in Data contributor** role. To grant access, you need to associate the role definition with the identity. In our case, the managed identity associated with our virtual machine.
Initialize your Azure Cosmos DB client:
CosmosClient client = new CosmosClient("<account-endpoint>", new ManagedIdentityCredential()); ```
-Then [read and write data](../../cosmos-db/sql/sql-api-dotnet-v3sdk-samples.md).
+Then [read and write data](/azure/cosmos-db/sql/sql-api-dotnet-v3sdk-samples).
### Java
Initialize your Azure Cosmos DB client:
CosmosAsyncClient Client = new CosmosClientBuilder().endpoint("<account-endpoint>") .credential(new ManagedIdentityCredential()) .build(); ```
-Then read and write data as described in [these samples](../../cosmos-db/sql/sql-api-java-sdk-samples.md)
+Then read and write data as described in [these samples](/azure/cosmos-db/sql/sql-api-java-sdk-samples)
### JavaScript
Initialize your Azure Cosmos DB client:
const client = new CosmosClient({ "<account-endpoint>", aadCredentials: new ManagedIdentityCredential() }); ```
-Then read and write data as described in [these samples](../../cosmos-db/sql/sql-api-nodejs-samples.md)
+Then read and write data as described in [these samples](/azure/cosmos-db/sql/sql-api-nodejs-samples)
## Clean up steps
Learn more about managed identities for Azure resources:
Learn more about Azure Cosmos DB: -- [Azure Cosmos DB resource model](../../cosmos-db/resource-model.md)-- [Tutorial: Build a .NET console app to manage data in an Azure Cosmos DB for NoSQL account](../../cosmos-db/sql/sql-api-get-started.md)
+- [Azure Cosmos DB resource model](/azure/cosmos-db/resource-model)
+- [Tutorial: Build a .NET console app to manage data in an Azure Cosmos DB for NoSQL account](/azure/cosmos-db/sql/sql-api-get-started)
active-directory Tutorial Vm Windows Access Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-vm-windows-access-storage.md
This section shows how to grant your VM access to an Azure Storage container. Yo
1. Navigate back to your newly created storage account. 1. Select **Access control (IAM)**. 1. Select **Add** > **Add role assignment** to open the Add role assignment page.
-1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
| Setting | Value | | | |
The response contains the contents of the file:
In this tutorial, you learned how enable a Windows VM's system-assigned identity to access Azure Storage. To learn more about Azure Storage, see: > [!div class="nextstepaction"]
-> [Azure Storage](../../storage/common/storage-introduction.md)
+> [Azure Storage](/azure/storage/common/storage-introduction)
active-directory Tutorial Windows Vm Access Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm.md
This tutorial shows you how to access the Azure Resource Manager API using a Win
- A basic understanding of Managed identities. If you're not familiar with the managed identities for Azure resources feature, see this [overview](overview.md). - An Azure account, [sign up for a free account](https://azure.microsoft.com/free/).-- "Owner" permissions at the appropriate scope (your subscription or resource group) to perform required resource creation and role management steps. If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../role-based-access-control/role-assignments-portal.md).
+- "Owner" permissions at the appropriate scope (your subscription or resource group) to perform required resource creation and role management steps. If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](/azure/role-based-access-control/role-assignments-portal).
- You also need a Windows Virtual machine that has system assigned managed identities enabled. - If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a virtual machine with system-assigned identity enabled](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity)
This tutorial shows you how to access the Azure Resource Manager API using a Win
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Using managed identities for Azure resources, your application can get access tokens to authenticate to resources that support Microsoft Entra authentication. The Azure Resource Manager API supports Microsoft Entra authentication. We grant this VM's identity access to a resource in Azure Resource Manager, in this case a Resource Group. We assign the [Reader](../../role-based-access-control/built-in-roles.md#reader) role to the managed-identity at the scope of the resource group.
+Using managed identities for Azure resources, your application can get access tokens to authenticate to resources that support Microsoft Entra authentication. The Azure Resource Manager API supports Microsoft Entra authentication. We grant this VM's identity access to a resource in Azure Resource Manager, in this case a Resource Group. We assign the [Reader](/azure/role-based-access-control/built-in-roles#reader) role to the managed-identity at the scope of the resource group.
1. Sign in to the [Azure portal](https://portal.azure.com) with your administrator account. 1. Navigate to the tab for **Resource Groups**.
You'll need to use **PowerShell** in this portion. If you donΓÇÖt have **PowerS
In this quickstart, you learned how to use a system-assigned managed identity to access the Azure Resource Manager API. To learn more about Azure Resource Manager see: > [!div class="nextstepaction"]
->[Azure Resource Manager](../../azure-resource-manager/management/overview.md)
+>[Azure Resource Manager](/azure/azure-resource-manager/management/overview)
active-directory Tutorial Windows Vm Access Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-cosmos-db.md
This tutorial shows you how to use a system-assigned managed identity for a Wind
- If you're not familiar with the managed identities for Azure resources feature, see this [overview](overview.md). - If you don't have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.-- To perform the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../role-based-access-control/role-assignments-portal.md).
+- To perform the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](/azure/role-based-access-control/role-assignments-portal).
- Install the latest version of [Azure PowerShell](/powershell/azure/install-azure-powershell) - You also need a Windows Virtual machine that has system assigned managed identities enabled. - If you need to create a virtual machine for this tutorial, you can follow the article titled [Create a virtual machine with system-assigned identity enabled](./qs-configure-portal-windows-vm.md#system-assigned-managed-identity)
New-AzRoleAssignment -ObjectId $spID -RoleDefinitionName "Cosmos DB Account Read
``` >[!NOTE]
-> Keep in mind that if you are unable to perform an operation you may not have the right permissions. If you want write access to keys you need to use an Azure role such as DocumentDB Account Contributor or create a custom role. For more information review [Azure role-based access control in Azure Cosmos DB](../../cosmos-db/role-based-access-control.md)
+> Keep in mind that if you are unable to perform an operation you may not have the right permissions. If you want write access to keys you need to use an Azure role such as DocumentDB Account Contributor or create a custom role. For more information review [Azure role-based access control in Azure Cosmos DB](/azure/cosmos-db/role-based-access-control)
## Access data
This section shows how to get access keys from Azure Resource Manager to make Az
- Replace the `<ACCESS TOKEN>` value with the access token you retrieved earlier. >[!NOTE]
->If you want to retrieve read/write keys, use key operation type `listKeys`. If you want to retrieve read-only keys, use the key operation type `readonlykeys`. If you are unable to use 'listkeys' verify that you assigned the [appropriate role](../../role-based-access-control/built-in-roles.md#cosmos-db-account-reader-role) to the managed identity.
+>If you want to retrieve read/write keys, use key operation type `listKeys`. If you want to retrieve read-only keys, use the key operation type `readonlykeys`. If you are unable to use 'listkeys' verify that you assigned the [appropriate role](/azure/role-based-access-control/built-in-roles#cosmos-db-account-reader-role) to the managed identity.
```powershell Invoke-WebRequest -Uri 'https://management.azure.com/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.DocumentDb/databaseAccounts/<COSMOS DB ACCOUNT NAME>/readonlykeys/?api-version=2016-03-31' -Method POST -Headers @{Authorization="Bearer $ARMToken"}
Now that you have the access key for the Azure Cosmos DB account you can pass it
In this tutorial, you learned how to use a Windows VM system-assigned identity to access Azure Cosmos DB. To learn more about Azure Cosmos DB, see: