Updates from: 03/11/2023 02:22:34
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Analytics With Application Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/analytics-with-application-insights.md
When you use Application Insights, consider the following:
## Create an Application Insights resource
-When you use Application Insights with Azure AD B2C, all you need to do is create a resource and get the instrumentation key. For information, see [Create an Application Insights resource](../azure-monitor/app/create-new-resource.md).
+When you use Application Insights with Azure AD B2C, all you need to do is create a resource and get the instrumentation key. For information, see [Create an Application Insights resource](/previous-versions/azure/azure-monitor/app/create-new-resource).
1. Sign in to the [Azure portal](https://portal.azure.com/). 1. Make sure you're using the directory that has your Azure AD subscription, and not your Azure AD B2C directory. Select the **Directories + subscriptions** icon in the portal toolbar.
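Review bot: the retargeted link in the `+` line now points under `/previous-versions/`, which is the archive path, so the sentence sends readers to a retired article for a step it still presents as current (`all you need to do is create a resource and get the instrumentation key`). Either point to the current resource-creation article or state plainly that the instrumentation-key setup is the legacy flow, so readers do not build new monitoring on guidance that has been withdrawn.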
active-directory-b2c Partner Bloksec https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-bloksec.md
Title: Tutorial to configure Azure Active Directory B2C with BlokSec
+ Title: Tutorial to configure Azure Active Directory B2C with BlokSec for passwordless authentication
description: Learn how to integrate Azure AD B2C authentication with BlokSec for Passwordless authentication -+ - Previously updated : 09/20/2021 Last updated : 03/09/2023 zone_pivot_groups: b2c-policy-type
zone_pivot_groups: b2c-policy-type
# Tutorial: Configure Azure Active Directory B2C with BlokSec for passwordless authentication ---
-In this sample tutorial, learn how to integrate Azure Active Directory (AD) B2C authentication with [BlokSec](https://bloksec.com/). BlokSec simplifies the end-user login experience by providing customers passwordless authentication and tokenless multifactor authentication (MFA). BlokSec protects customers against identity-centric cyber-attacks such as password stuffing, phishing, and man-in-the-middle attacks.
-
-## Scenario description
-
-BlokSec integration includes the following components:
--- **Azure AD B2C** ΓÇô Configured as the authorization server/identity provider for any B2C application.
+## Before you begin
-- **BlokSec Decentralized Identity Router** ΓÇô Acts as a gateway for services that wish to apply BlokSecΓÇÖs DIaaSΓäó to route authentication and authorization requests to end usersΓÇÖ Personal Identity Provider (PIdP) applications; configured as an OpenID Connect (OIDC) identity provider in Azure AD B2C.
+Azure Active Directory B2C has two methods to define user interactions with applications: predefined user flows or configurable custom policies.
-- **BlokSec SDK-based mobile app** ΓÇô Acts as the usersΓÇÖ PIdP in the decentralized authentication scenario. The freely downloadable [BlokSec yuID](https://play.google.com/store/apps/details?id=com.bloksec) application can be used if your organization prefers not to develop your own mobile applications using the BlokSec SDKs.
-The following architecture diagram shows the implementation.
-
-![image shows the architecture diagram](./media/partner-bloksec/partner-bloksec-architecture-diagram.png)
+>[!NOTE]
+>In Azure Active Directory B2C, custom policies primarily address complex scenarios. For most scenarios, we recommend built-in user flows.</br> See, [User flows and custom policies overview](./user-flow-overview.md)
-|Steps| Description|
-|:|:-|
-|1.| User attempts to log in to an Azure AD B2C application and is forwarded to Azure AD B2CΓÇÖs combined sign-in and sign-up policy.|
-|2.| Azure AD B2C redirects the user to the BlokSec decentralized identity router using the OIDC authorization code flow.|
-|3.| The BlokSec decentralized router sends a push notification to the userΓÇÖs mobile app including all context details of the authentication and authorization request.|
-|4.| The user reviews the authentication challenge, if accepted the user is prompted for biometry such as fingerprint or facial scan as available on their device, proving the userΓÇÖs identity.|
-|5.| The response is digitally signed with the userΓÇÖs unique digital key. Final authentication response provides proof of possession, presence, and consent. The respond is returned to the BlokSec decentralized identity router.|
-|6.| The BlokSec decentralized identity router verifies the digital signature against the userΓÇÖs immutable unique public key that is stored in a distributed ledger, then replies to Azure AD B2C with the authentication result.|
-|7.| Based on the authentication result user is granted/denied access.|
+## Azure AD B2C and BlokSec
-## Onboard to BlokSec
+Learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with BlokSec Decentralized Identity Router. The BlokSec solution simplifies user sign-in with passwordless authentication and tokenless multi-factor authentication. The solution protects customers from identity-related attacks such as password stuffing, phishing, and man-in-the-middle.
-Request a demo tenant with BlokSec by filling out [the form](https://bloksec.com/). In the message field indicates that you would like to onboard with Azure AD B2C. Download and install the free BlokSec yuID mobile app from the app store. Once your demo tenant has been prepared, you'll receive an email. On your mobile device where the BlokSec application is installed, select the link to register your admin account with your yuID app.
+To learn more, go to bloksec.com: [BlokSec Technologies Inc.](https://bloksec.com/)
+## Scenario description
-## Prerequisites
+BlokSec integration includes the following components:
-To get started, you'll need:
+* **Azure AD B2C** ΓÇô authorization server and identity provider (IdP) for B2C applications
+* **BlokSec Decentralized Identity Router** ΓÇô gateway for services that apply BlokSec DIaaS to route authentication and authorization requests to user Personal Identity Provider (PIdP) applications
+ * It's an OpenID Connect (OIDC) identity provider in Azure AD B2C
+* **BlokSec SDK-based mobile app** ΓÇô user PIdP in the decentralized authentication scenario.
+ * If you're not using the BlokSec SDK, go to Google Play for the free [BlokSec yuID](https://play.google.com/store/apps/details?id=com.bloksec)
-- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+The following architecture diagram illustrates the sign-up, sign-in flow in the BlokSec solution implementation.
-- An [Azure AD B2C tenant](./tutorial-create-tenant.md) that's linked to your Azure subscription.
+ ![Diagram of the sign-up, sign-in flow in the BlokSec solution implementation.](./media/partner-bloksec/partner-bloksec-architecture-diagram.png)
-- A BlokSec [trial account](https://bloksec.com/).
+1. User signs in to an Azure AD B2C application and is forwarded to Azure AD B2C sign-in and sign-up policy
+2. Azure AD B2C redirects user to the BlokSec decentralized identity router using the OIDC authorization code flow.
+3. The BlokSec router sends a push notification to the user mobile app with authentication and authorization request details.
+4. User reviews the authentication challenge. An accepted user is prompted for biometry such as fingerprint or facial scan.
+5. The response is digitally signed with the user's unique digital key. The authentication response provides proof of possession, presence, and consent. The respond returns to the router.
+6. The router verifies the digital signature against the userΓÇÖs immutable unique public key stored in a distributed ledger. The router replies to Azure AD B2C with the authentication result.
+8. User is granted or denied access.
-- If you haven't already done so, [register](./tutorial-register-applications.md) a web application.
+## Enable BlokSec
+1. Go to bloksec.com and select **Request a demo** tenant.
+2. In the message field, indicate you want to integrate with Azure AD B2C.
+3. Download and install the free BlokSec yuID mobile app.
+4. After the demo tenant is prepared, an email arrives.
+5. On the mobile device with the BlokSec application, select the link to register your admin account with your yuID app.
## Prerequisites
-To get started, you'll need:
--- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).--- An [Azure AD B2C tenant](./tutorial-create-tenant.md) that's linked to your Azure subscription.--- A BlokSec [trial account](https://bloksec.com/).
+To get started, you need:
-- If you haven't already done so, [register](./tutorial-register-applications.md) a web application.
+* An Azure AD subscription
+ * If you don't have one, get an [Azfree account](https://azure.microsoft.com/free/)
+* An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to the Azure subscription
+* A BlokSec [demo](https://bloksec.com/)
+* Register a web application
+ * [Tutorial: Register a web application in Azure AD B2C](./tutorial-register-applications.md)
-- Complete the steps in the [**Get started with custom policies in Azure Active Directory B2C**](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).
+See also, [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
-### Part 1 - Create an application registration in BlokSec
-1. Sign in to the BlokSec admin portal. A link will be included as part of your account registration email received when you onboard to BlokSec.
+### Create an application registration in BlokSec
-2. On the main dashboard, select **Add Application > Create Custom**
+In the account registration email from BlokSec, find the link to the BlokSec admin console.
-3. Complete the application details as follows and submit:
-
- |Property |Value |
- |||
- | Name |Azure AD B2C or your desired application name|
- |SSO type | OIDC|
- |Logo URI |[https://bloksec.io/assets/AzureB2C.png](https://bloksec.io/assets/AzureB2C.png) a link to the image of your choice|
- |Redirect URIs | https://**your-B2C-tenant-name**.b2clogin.com/**your-B2C-tenant-name**.onmicrosoft.com/oauth2/authresp<BR>**For Example**: 'https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp' <BR><BR>If you use a custom domain, enter https://**your-domain-name**/**your-tenant-name**.onmicrosoft.com/oauth2/authresp. <BR> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
- |Post log out redirect URIs |https://**your-B2C-tenant-name**.b2clogin.com/**your-B2C-tenant-name**.onmicrosoft.com/**{policy}**/oauth2/v2.0/logout <BR> [Send a sign-out request](./openid-connect.md#send-a-sign-out-request). |
-
-4. Once saved, select the newly created Azure AD B2C application to open the application configuration, select **Generate App Secret**.
+1. Sign in to the BlokSec admin console.
+2. On the main dashboard, select **Add Application > Create Custom**.
+3. For **Name**, enter Azure AD B2C or an application name.
+4. For **SSO type**, select **OIDC**.
+5. For **Logo URI**, enter a link to logo image.
+6. For **Redirect URIs**, use `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`. For example, `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`. For a custom domain, enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`.
+7. For **Post log out redirect URIs**, enter `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/{policy}/oauth2/v2.0/logout`.
+8. Select the created Azure AD B2C application to open the application configuration.
+9. Select **Generate App Secret**.
+
+Learn more: [Send a sign out request](./openid-connect.md#send-a-sign-out-request).
>[!NOTE]
->You'll need application ID and application secret later to configure the Identity provider in Azure AD B2C.
+>You need application ID and application secret to configure the identity provider (IdP) in Azure AD B2C.
+### Add a new identity provider in Azure AD B2C
-### Part 2 - Add a new Identity provider in Azure AD B2C
+For the following instructions, use the directory that contains your Azure AD B2C tenant.
-1. Sign-in to the [Azure portal](https://portal.azure.com/#home) as the global administrator of your Azure AD B2C tenant.
-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-1. Choose **All services** in the top-left corner of the Azure portal, then search for and select **Azure AD B2C**.
-1. Navigate to **Dashboard** > **Azure Active Directory B2C** > **Identity providers**.
-1. Select New **OpenID Connect Provider**.
-1. Select **Add**.
+1. Sign-in to the [Azure portal](https://portal.azure.com/#home) as Global Administrator of your Azure AD B2C tenant.
+2. In the portal toolbar, select **Directories + subscriptions**.
+3. On the **Portal settings, Directories + subscriptions** page, in the **Directory name** list, find your Azure AD B2C directory.
+4. Select **Switch**.
+5. In the top-left corner of the Azure portal, select **All services**.
+6. Search for and select **Azure AD B2C**.
+7. Navigate to **Dashboard** > **Azure Active Directory B2C** > **Identity providers**.
+8. Select **New OpenID Connect Provider**.
+9. Select **Add**.
-### Part 3 - Configure an Identity provider
+### Configure an identity provider
1. Select **Identity provider type > OpenID Connect**-
-1. Fill out the form to set up the Identity provider:
-
-|Property |Value |
-|:|:|
-|Name |Enter BlokSec yuID ΓÇô Passwordless or a name of your choice|
-|Metadata URL| `https://api.bloksec.io/oidc/.well-known/openid-configuration` |
-|Client ID|The application ID from the BlokSec admin UI captured in **Part 1**|
-|Client Secret|The application Secret from the BlokSec admin UI captured in **Part 1**|
-|Scope|OpenID email profile|
-|Response type|Code|
-|Domain hint|yuID|
-
-1. Select **OK**.
-
-1. Select **Map this identity providerΓÇÖs claims**.
-
-1. Fill out the form to map the Identity provider:
-
-|Property |Value |
-|:|:|
-|User ID|sub|
-|Display name|name|
-|Given name|given_name|
-|Surname|family_name|
-|Email|email|
-
-1. Select **Save** to complete the setup for your new OIDC Identity provider.
-
-### Part 4 - User registration
-
-1. Sign-in to BlokSec admin console with the credential provided earlier.
-
-1. Navigate to Azure AD B2C application that was created earlier. Select the gear icon at the top-right, and then select **Create Account**.
-
-1. Enter the userΓÇÖs information in the Create Account form, making note of the Account Name, and select **Submit**.
-
-The user will receive an **account registration email** at the provided email address. Have the user follow the registration link on the mobile device where the BlokSec yuID app is installed,
-
-### Part 5 - Create a user flow policy
-
-You should now see BlokSec as a new OIDC Identity provider listed within your B2C identity providers.
+2. For **Name**, enter **BlokSec yuID Passwordless** or another name.
+3. For **Metadata URL**, enter `https://api.bloksec.io/oidc/.well-known/openid-configuration`.
+4. For **Client IDV**, enter the application ID from the BlokSec admin UI.
+5. For **Client Secret**, enter the application Secret from the BlokSec admin UI.
+6. For **Scope**, select **OpenID email profile**.
+7. For **Response type**, select **Code**.
+8. For **Domain hint**, select **yuID**.
+9. Select **OK**.
+10. Select **Map this identity providerΓÇÖs claims**.
+11. For **User ID**, select **sub**.
+12. For **Display name**, select **name**.
+13. For **Given name**, use **given_name**.
+14. For **Surname**, use **family_name**.
+15. For **Email**, use **email**.
+16. Select **Save**.
+
+### User registration
+
+1. Sign in to the BlokSec admin console with the provided credential.
+2. Navigate to the Azure AD B2C application created earlier.
+3. In the top-right, select the **gear** icon.
+4. Select **Create Account**.
+5. In **Create Account**, enter user information. Note the Account Name.
+6. Select **Submit**.
+
+The user receives an account registration email at the provided email address. Instruct the user to select the registration link on the mobile device with the BlokSec yuID app.
+
+### Create a user flow policy
+
+For the following instructions, ensure BlokSec is a new OIDC identity provider (IdP).
1. In your Azure AD B2C tenant, under **Policies**, select **User flows**. -
-1. Select **New user flow**
-
-1. Select **Sign up and sign in** > **Version** > **Create**.
-
-1. Enter a **Name** for your policy.
-
-1. In the Identity providers section, select your newly created BlokSec Identity provider.
-
-1. Select **None** for Local Accounts to disable email and password-based authentication.
-
-1. Select **Run user flow**
-
-1. In the form, enter the Replying URL, such as `https://jwt.ms`.
-
-1. The browser will be redirected to the BlokSec login page. Enter the account name registered during User registration. The user will receive a push notification to their mobile device where the BlokSec yuID application is installed; upon opening the notification, the user will be presented with an authentication challenge
-
-1. Once the authentication challenge is accepted, the browser will redirect the user to the replying URL.
-
-## Next steps
-
-For additional information, review the following articles:
--- [Custom policies in Azure AD B2C](./custom-policy-overview.md)--- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)--
+2. Select **New user flow**.
+3. Select **Sign up and sign in** > **Version** > **Create**.
+4. Enter a policy **Name**.
+5. In the identity providers section, select the created BlokSec identity provider.
+6. For Local Account, select **None**. This action disables email and password-based authentication.
+7. Select **Run user flow**
+8. In the form, enter the Replying URL, such as `https://jwt.ms`.
+9. The browser is redirected to the BlokSec sign-in page.
+10. Enter the account name from user registration.
+11. The user receives a push notification on the mobile device with the BlokSec yuID application.
+12. The user opens the notification, and the authentication challenge appears.
+13. If authentication is accepted, the browser redirects the user to the replying URL.
>[!NOTE]
->In Azure Active Directory B2C, [**custom policies**](./user-flow-overview.md) are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in [**user flows**](./user-flow-overview.md).
+>In Azure Active Directory B2C, custom policies primarily address complex scenarios. For most scenarios, we recommend built-in user flows.</br> See, [User flows and custom policies overview](./user-flow-overview.md)
-### Part 2 - Create a policy key
+### Create a policy key
-Store the client secret that you previously recorded in your Azure AD B2C tenant.
+Store the client secret you noted in your Azure AD B2C tenant. For the following instructions, use the directory with your Azure AD B2C tenant.
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
-1. On the Overview page, select **Identity Experience Framework**.
-1. Select **Policy Keys** and then select **Add**.
-1. For **Options**, choose `Manual`.
-1. Enter a **Name** for the policy key. For example, `BlokSecAppSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
-1. In **Secret**, enter your client secret that you previously recorded.
-1. For **Key usage**, select `Signature`.
-1. Select **Create**.
-
-### Part 3 - Configure BlokSec as an Identity provider
-
-To enable users to sign in using BlokSec decentralized identity, you need to define BlokSec as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user has authenticated using biometry such as fingerprint or facial scan as available on their device, proving the userΓÇÖs identity.
-
-You can define BlokSec as a claims provider by adding it to the **ClaimsProvider** element in the extension file of your policy
+2. In the portal toolbar, select **Directories + subscriptions**.
+3. On the **Portal settings, Directories + subscriptions** page, in the **Directory name** list, find your Azure AD B2C directory.
+4. Select **Switch**.
+5. In the top-left corner of the Azure portal, select **All services**
+6. Search for and select **Azure AD B2C**.
+7. On the **Overview** page, select **Identity Experience Framework**.
+8. Select **Policy Keys**.
+9. Select **Add**.
+10. For **Options**, choose **Manual**.
+11. Enter a policy **Name** for the policy key. For example, `BlokSecAppSecret`. The prefix `B2C_1A_` is added to the key name.
+12. In **Secret**, enter the client secret you noted.
+13. For **Key usage**, select **Signature**.
+14. Select **Create**.
+
+### Configure BlokSec as an identity provider
+
+To enable users to sign in using BlokSec decentralized identity, define BlokSec as a claims provider. This action ensures Azure AD B2C communicates with it through an endpoint. Azure AD B2C uses endpoint claims to verify users authenticate identity by using biometry, such as fingerprint or facial scan.
+
+To define BlokSec as a claims provider, add it to the **ClaimsProvider** element in the policy extension file.
1. Open the `TrustFrameworkExtensions.xml`.-
-2. Find the **ClaimsProviders** element. If it dosen't exist, add it under the root element.
-
-3. Add a new **ClaimsProvider** as follows:
+2. Find the **ClaimsProviders** element. If the element doesn't appear, add it under the root element.
+3. To add a new **ClaimsProvider**:
```xml <ClaimsProvider>
You can define BlokSec as a claims provider by adding it to the **ClaimsProvider
``` 4. Set **client_id** to the application ID from the application registration.
+5. Select **Save**.
-5. Save the file.
-
-### Part 4 - Add a user journey
-
-At this point, the identity provider has been set up, but it's not yet available in any of the sign-in pages. If you don't have your own custom user journey, create a duplicate of an existing template user journey, otherwise continue to the next step.
-
-1. Open the `TrustFrameworkBase.xml` file from the starter pack.
+### Add a user journey
-2. Find and copy the entire contents of the **UserJourneys** element that includes ID=`SignUpOrSignIn`.
+Use the following instructions if the identity provider is set up, but not in any sign-in page. If you don't have a custom user journey, copy a template user journey.
+1. From the starter pack, open the `TrustFrameworkBase.xml` file.
+2. Find and copy the contents of the **UserJourneys** element that includes ID=`SignUpOrSignIn`.
+3. Open the `TrustFrameworkExtensions.xml`.
+4. Find the **UserJourneys** element. If the element doesn't appear, add one.
+5. Paste the contents of the **UserJourney** element you copied as a child of the **UserJourneys** element.
+6. Rename the user journey ID. For example, ID=`CustomSignUpSignIn`.
-3. Open the `TrustFrameworkExtensions.xml` and find the **UserJourneys** element. If the element doesn't exist, add one.
+### Add the identity provider to a user journey
-4. Paste the entire content of the **UserJourney** element that you copied as a child of the **UserJourneys** element.
+If you have a user journey, add the new identity provider to it. First add a sign-in button, then link it to an action, which is the technical profile you created.
-5. Rename the ID of the user journey. For example, ID=`CustomSignUpSignIn`.
+1. In the user journey, locate the orchestration step element that includes Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection`. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers for user sign-in. The order of the elements controls the order of the sign-in buttons the user sees.
+2. Add a **ClaimsProviderSelection** XML element.
+3. Set the value of **TargetClaimsExchangeId** to a friendly name.
+4. In the next orchestration step, add a **ClaimsExchange** element.
+5. Set the **Id** to the value of the target claims exchange ID.
+6. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created.
-### Part 5 - Add the identity provider to a user journey
-
-Now that you have a user journey, add the new identity provider to the user journey. First add a sign-in button, then link the button to an action. The action is the technical profile you created earlier.
-
-1. Find the orchestration step element that includes Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers that a user can sign in with. The order of the elements controls the order of the sign-in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name.
-
-2. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier.
-
-The following XML demonstrates the first two orchestration steps of a user journey with the identity provider:
+The following XML demonstrates the first two user-journey orchestration steps with the identity provider:
```xml <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
The following XML demonstrates the first two orchestration steps of a user journ
</OrchestrationStep> ```
-### Part 6 - Configure the relying party policy
+### Configure the relying party policy
-The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAndLocalAccounts/SignUpOrSignin.xml), specifies the user journey which Azure AD B2C will execute. Find the **DefaultUserJourney** element within relying party. Update the **ReferenceId** to match the user journey ID, in which you added the identity provider.
+The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAndLocalAccounts/SignUpOrSignin.xml), specifies the user journey Azure AD B2C executes.
+
+1. Find the **DefaultUserJourney** element in relying party.
+2. Update the **ReferenceId** to match the user journey ID, in which you added the identity provider.
In the following example, for the `CustomSignUpOrSignIn` user journey, the ReferenceId is set to `CustomSignUpOrSignIn`.
In the following example, for the `CustomSignUpOrSignIn` user journey, the Refer
... </RelyingParty> ```
+### Upload the custom policy
-### Part 7 - Upload the custom policy
+For the following instructions, use the directory with your Azure AD B2C tenant.
1. Sign in to the [Azure portal](https://portal.azure.com/#home).
-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-1. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
-1. Under Policies, select **Identity Experience Framework**.
-Select **Upload Custom Policy**, and then upload the two policy files that you changed, in the following order: the extension policy, for example `TrustFrameworkExtensions.xml`, then the relying party policy, such as `SignUpSignIn.xml`.
+2. In the portal toolbar, select the **Directories + subscriptions**.
+3. On the **Portal settings, Directories + subscriptions** page, in the **Directory name** list, find your Azure AD B2C directory
+4. Select **Switch**.
+5. In the Azure portal, search for and select **Azure AD B2C**.
+6. Under **Policies**, select **Identity Experience Framework**.
+7. Select **Upload Custom Policy**.
+8. Upload the two policy files you changed in the following order:
+
+ * Extension policy, for example `TrustFrameworkExtensions.xml`
+ * Relying party policy, such as `SignUpSignIn.xml`
-### Part 8 - Test your custom policy
+### Test the custom policy
1. Select your relying party policy, for example `B2C_1A_signup_signin`.
-1. For **Application**, select a web application that you [previously registered](./tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
-1. Select the **Run now** button.
-1. From the sign-up or sign-in page, select **Google** to sign in with Google account.
+1. For **Application**, select a web application you registered.
+2. The **Reply URL** appears as `https://jwt.ms`.
+3. Select **Run now**.
+4. From the sign-up or sign-in page, select **Google** to sign in with Google account.
+5. The browser is redirected to `https://jwt.ms`. See the token contents returned by Azure AD B2C.
-If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+Learn more: [Tutorial: Register a web application in Azure Active Directory B2C](./tutorial-register-applications.md)
## Next steps
-For additional information, review the following articles:
--- [Custom policies in Azure AD B2C](./custom-policy-overview.md)--- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+* [Azure AD B2C custom policy overview](./custom-policy-overview.md)
+* [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
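Review bot: the test step in "Test the custom policy" is wrong for this integration: `4. From the sign-up or sign-in page, select **Google** to sign in with Google account.` is carried over from the removed line, but the policy built in this article uses BlokSec as its claims provider (and the user flow sets Local Accounts to **None**), so the step should direct the reader to the BlokSec button and the push-notification challenge described under "Create a user flow policy". Smaller points in the added lines: the scenario list jumps from step 6 to step 8 and keeps the typo `The respond returns to the router`; `[Azfree account]` should read `Azure free account`; `For **Client IDV**` should read `Client ID`; `</br>` in the two NOTE callouts is not a valid tag (use `<br>`); the redirect-URI step no longer tells the reader what to substitute for your-domain-name and your-tenant-name, which the removed table cell did; and `Azure AD B2C uses endpoint claims to verify users authenticate identity by using biometry` loses the original meaning, which was that the endpoint returns claims that let Azure AD B2C verify the user authenticated with biometry on their device.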
active-directory-b2c Partner Eid Me https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-eid-me.md
Title: Configure Azure Active Directory B2C with eID-Me
+ Title: Configure Azure Active Directory B2C with Bluink eID-Me for identity verification
description: Learn how to integrate Azure AD B2C authentication with eID-Me for identity verification
Previously updated : 1/30/2022 Last updated : 03/10/2023 zone_pivot_groups: b2c-policy-type
-# Configure eID-Me with Azure Active Directory B2C for identity verification
+# Configure Azure Active Directory B2C with Bluink eID-Me for identity verification
+## Before you begin
+Azure Active Directory B2C (Azure AD B2C) has two methods to define users interaction with applications: predefined user flows, or configurable custom policies.
+Custom policies address complex scenarios. For most scenarios, we recommend user flows. See, [User flows and custom policies overview](./user-flow-overview.md)
-In this sample article, we provide guidance on how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with [eID-Me](https://bluink.ca). eID-Me is an identity verification and decentralized digital identity solution for Canadian citizens. With eID-Me, Azure AD B2C tenants can strongly verify the identity of their users, obtain verified identity claims during sign up and sign in, and support multifactor authentication (MFA) and password-free sign-in using a secure digital identity. It enables organizations to meet Identity Assurance Level (IAL) 2 and Know Your Customer (KYC) requirements. This solution provides users secure sign-up and sign in experience while reducing fraud.
+## Integrate Azure AD B2C authentication with eID-Me
+Learn to integrate Azure AD B2C authentication with Bluink eID-Me, an identity verification and decentralized digital identity solution for Canadian citizens. With eID-Me, Azure AD B2C tenants verify user identity, obtain verified sign-up and sign-in identity claims. Integration supports multi-factor authentication and passwordless sign-in with a secure digital identity. Organizations can meet Identity Assurance Level (IAL) 2 and Know Your Customer (KYC) requirements.
+To learn more, go to bluink.ca: [Bluink Ltd](https://bluink.ca)
## Prerequisites
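Review bot: "define users interaction with applications" in the new Before you begin paragraph needs the possessive: "define users' interaction with applications" (the same wording recurs in the note near the end of this article and in the IDEMIA article below). "See, [User flows and custom policies overview](./user-flow-overview.md)" should drop the comma after "See" and end with a period; the "See, ..." pattern also appears in the prerequisites and the later note. In the integration paragraph, "Azure AD B2C tenants verify user identity, obtain verified sign-up and sign-in identity claims." joins two clauses with a comma; suggest "tenants verify user identity and obtain verified identity claims during sign-up and sign-in".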
-To get started, you'll need:
+To get started, you need:
-- [A Relying Party account with eID-Me](https://bluink.ca/eid-me/solutions/id-verification#contact-form).
+* A Relying Party account with eID-Me
+ * Go to bluink.ca to [learn more](https://bluink.ca/eid-me/solutions/id-verification#contact-form) and request a demo
+* An Azure subscription
+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free)
+* An Azure AD B2C tenant linked to the Azure subscription
+ * See, [Tutorial: Create an Azure AD B2C tenant](tutorial-create-tenant.md)
+* A trial or production version of the eID-Me Digital ID App
+ * Go to bluink.ca to [Download the eID-Me Digital ID App](https://bluink.ca/eid-me/download)
-- An Azure subscription. If you don't have one, get a [free
-account](https://azure.microsoft.com/free).
--- An [Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.--- A [trial or production version](https://bluink.ca/eid-me/download) of eID-Me smartphone apps for users.--- Complete the steps in the article [get started with custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).-
+See also, [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).
## Scenario description eID-Me integrates with Azure AD B2C as an OpenID Connect (OIDC) identity provider. The following components comprise the eID-Me solution with Azure AD B2C:
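Review bot: the removed bullet "Complete the steps in the article get started with custom policies in Azure Active Directory B2C" was a prerequisite for the custom-policy pivot, and its replacement "See also, [Tutorial: Create user flows and custom policies in Azure AD B2C]" reads as optional reading. The custom-policy sections later in the article open `TrustFrameworkBase.xml` and `TrustFrameworkExtensions.xml` from the starter pack that tutorial sets up, so keep it as a bullet in the prerequisites list, for example "* Completion of [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)".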
+* **Azure AD B2C tenant** - configured as a relying party in eID-Me enables eID-Me to trust an Azure AD B2C tenant for sign-up and sign-in
+* **Azure AD B2C tenant application** - the assumption is tenants need an Azure AD B2C tenant application
+ * The application receives identity claims received by Azure AD B2C during transaction
+* **eID-Me smartphone apps** - Azure AD B2C tenant users need the app for iOS or Android
+* **Issued eID-Me digital identities** - from eID-Me identity proofing
+ * Users are issued a digital identity to the digital wallet in the app. Valid identity documents are required.
-- **An Azure AD B2C tenant**: Your Azure AD B2C tenant need be configured as a Relying Party in eID-Me. This allows the eID-Me identity provider to trust your Azure AD B2C tenant for sign up and sign in.---- **An Azure AD B2C tenant application**: Although not strictly required, it's assumed that tenants need to have an Azure AD B2C tenant application. The application can receive identity claims received by Azure AD B2C during an eID-Me transaction.---- **eID-Me smartphone apps**: Users of your Azure AD B2C tenant need to have the eID-Me smartphone app for iOS or Android.---- **Issued eID-Me digital identities**: Before using eID-Me, users need to successfully go through the eID-Me identity proofing process. They need to have been issued a digital identity to the digital wallet within the app. This process is done from home and usually takes minutes provided the users have valid identity documents.
+The eID-Me apps authenticate users during transactions. The X509 public key authentication provides passwordless MFA, using a private signing key in the eID-Me digital identity.
+The following diagram illustrates eID-Me identity proofing, which occurs outside Azure AD B2C flows.
-The eID-Me apps also provide strong authentication of the user during any transaction. X509 public key authentication using a private signing key contained within the eID-Me digital identity provides passwordless MFA.
+ ![Diagram of the identity proofing flow in eID-Me.](./media/partner-eid-me/partner-eid-me-identity-proofing.png)
-The following diagram shows the identity proofing process, which occurs outside of Azure AD B2C flows.
-![Screenshot shows the architecture of an identity proofing process flow in eID-Me](./media/partner-eid-me/partner-eid-me-identity-proofing.png)
+1. User uploads a selfie to the eID-Me smartphone application.
+2. User scans and uploads a government issued identification document, such as passport or driver license, to the eID-Me smartphone application.
+3. eID-Me submits data to the identity service for verification.
+4. User is issued a digital identity, which is saved in the application.
-| Steps | Description |
-| :- | :-- |
-| 1. | User uploads a selfie capture into the eID-Me smartphone application. |
-| 2. | User scans and uploads a government issued identification document such as Passport or Driver license into the eID-Me smartphone application. |
-| 3. | The eID-Me smartphone application submits this data to eID-Me identity service for verification. |
-| 4. | A digital identity is issued to the user and saved in the application. |
+The following diagram illustrates Azure AD B2C integration with eID-Me.
-The following architecture diagram shows the implementation.
+ ![Diagram of Azure AD B2C integration with eID-Me.](./media/partner-eid-me/partner-eid-me-architecture-diagram.png)
-![Screenshot shows the architecture of an Azure AD B2C integration with eID-Me](./media/partner-eid-me/partner-eid-me-architecture-diagram.png)
-| Steps | Description |
-| :- | :-- |
-| 1. | User opens Azure AD B2C's sign in page, and then signs in or signs up by entering their username. |
-| 2. | User is forwarded to Azure AD B2CΓÇÖs combined sign-in and sign-up policy. |
-| 3. | Azure AD B2C redirects the user to the eID-Me identity router using the OIDC authorization code flow. |
-| 4. | The eID-Me router sends a push notification to the userΓÇÖs mobile app including all context details of the authentication and authorization request. |
-| 5. | The user reviews the authentication challenge; if accepted the user is prompted for identity claims, proving the userΓÇÖs identity. |
-| 6. | The challenge response is returned to the eID-Me router. |
-| 7. | The eID-Me router then replies to Azure AD B2C with the authentication result. |
-| 8. | Response from Azure AD B2C is sent as an ID token to the application. |
-| 9. | Based on the authentication result, the user is granted or denied access. |
+1. User opens the Azure AD B2C sign-in page and signs in or signs up with a username.
+2. User forwarded to Azure AD B2C sign-in and sign-up policy.
+3. Azure AD B2C redirects the user to the eID-Me identity router using the OIDC authorization code flow.
+4. The router sends push notification to the user mobile app with authentication and authorization request details.
+5. The user authentication challenge appears, then a prompt for identity claims appears.
+6. The challenge response goes to the router.
+7. The router replies to Azure AD B2C with an authentication result.
+8. Azure AD B2C ID token response goes to the application.
+9. User is granted or denied access.
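Review bot: step 5 of the rewritten integration flow, "The user authentication challenge appears, then a prompt for identity claims appears.", drops the condition the original carried ("if accepted the user is prompted for identity claims"), so the list no longer shows that the claims prompt depends on the user accepting the challenge; suggest "The user reviews the authentication challenge; if they accept, they're prompted for identity claims." Step 2, "User forwarded to Azure AD B2C sign-in and sign-up policy.", is missing "is". In the component list, "the assumption is tenants need an Azure AD B2C tenant application" lost the original "Although not strictly required" qualifier; suggest "Although not strictly required, tenants are assumed to have an Azure AD B2C tenant application".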
+## Get started with eID-Me
-## Onboard with eID-Me
+Go to the bluink.ca [Contact Us](https://bluink.ca/contact) page to request a demo with the goal of configuring a test or production environment to set up Azure AD B2C tenants as a relying party. Tenants determine identity claims needed from consumers that sign up with eID-Me.
-[Contact eID-Me](https://bluink.ca/contact) and configure a test or production environment to set up Azure AD B2C tenants as a Relying Party. Tenants must determine what identity claims they'll need from their consumers as they sign up using eID-Me.
+## Configure an application in eID-Me
-## Step 1: Configure an application in eID-Me
+To configure your tenant application as an eID-ME relying party in eID-Me, supply the following information:
-To configure your tenant application as a Relying Party in eID-Me the following information should be supplied to eID-Me:
-
-| Property | Description |
-| : | : |
-| Name | Azure AD B2C/your desired application name |
-| Domain | name.onmicrosoft.com |
-| Redirect URIs | https://jwt.ms |
-| Redirect URLs | `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`<br>For Example: `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br>If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp.<br> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
-| URL for application home page | Will be displayed to the end user |
-| URL for application privacy policy | Will be displayed to the end user |
-
-eID-Me will provide a Client ID and a Client Secret once the Relying Party has been configured with eID-Me.
+| Property | Description|
+| - | |
+| Name | Azure AD B2C, or another application name |
+| Domain| name.onmicrosoft.com|
+| Redirect URIs| https://jwt.ms|
+| Redirect URLs| `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`<br>For Example: `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br>For a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp.|
+| Application home page URL| Appears to the end user|
+| Application privacy policy URL| Appears to the end user|
>[!NOTE]
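Review bot: the property table lists both a "Redirect URIs" row (https://jwt.ms) and a "Redirect URLs" row (the b2clogin.com authresp endpoint) without saying why the two differ; jwt.ms is the reply URL the article later uses only to test the user flow and the custom policy, so label that row as test-only (for example "Redirect URI for testing") and say it shouldn't remain registered on a production relying party, because every registered redirect is a destination eID-Me will deliver authentication responses to. The custom-domain form "https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp" should be in backticks like the other two URLs, and "eID-ME relying party" in the section's intro sentence should be "eID-Me".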
->You'll need Client ID and Client secret later to configure the Identity provider in Azure AD B2C.
--
-## Step 2: Add a new Identity provider in Azure AD B2C
-
-1. Sign in to the [Azure portal](https://portal.azure.com/#home) as the global administrator of your Azure AD B2C tenant.
-
-2. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the **Directory + subscription** filter in the top menu and choosing the directory that contains your tenant.
-
-3. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
-
-4. Navigate to **Dashboard** > **Azure Active Directory B2C** > **Identity providers**.
-
-5. Select **New OpenID Connect Provider**.
+>When the relying party is configurede, ID-Me provides a Client ID and a Client Secret. Note the Client ID and Client Secret to configure the identity provider (IdP) in Azure AD B2C.
-6. Select **Add**.
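Review bot: the rewritten note has two typos: "When the relying party is configurede, ID-Me provides a Client ID and a Client Secret." should read "When the relying party is configured, eID-Me provides a Client ID and a Client Secret."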
+## Add a new Identity provider in Azure AD B2C
-## Step 3: Configure an Identity provider
+For the following instructions, use the directory with the Azure AD B2C tenant.
-To configure an identity provider, follow these steps:
+1. Sign in to the [Azure portal](https://portal.azure.com/#home) as Global Administrator of the Azure AD B2C tenant.
+2. In the top menu, select **Directory + subscription**.
+3. Select the directory with the tenant.
+4. In the top-left corner of the Azure portal, select **All services**.
+5. Search for and select **Azure AD B2C**.
+6. Navigate to **Dashboard** > **Azure Active Directory B2C** > **Identity providers**.
+7. Select **New OpenID Connect Provider**.
+8. Select **Add**.
-1. Select **Identity provider type** > **OpenID Connect**
+## Configure an identity provider
-2. Fill out the form to set up the Identity provider:
+To configure an identity provider:
- | Property | Value |
- | : | :- |
- | Name | Enter eID-Me Passwordless/a name of your choice |
- | Client ID | Provided by eID-Me |
- | Client Secret | Provided by eID-Me |
- | Scope | openid email profile |
- | Response type | code |
- | Response mode | form post |
+1. Select **Identity provider type** > **OpenID Connect**.
+2. In the identity provider form, for **Name**, enter **eID-Me Passwordless** or another name.
+3. For **Client ID**, enter the Client ID from eID-Me.
+4. For **Client Secret**, enter the Client Secret from eID-Me.
+5. For **Scope**, select **openid email profile**.
+6. For **Response type**, select **code**.
+7. For **Response mode**, select **form post**.
+8. Select **OK**.
+9. Select **Map this identity providerΓÇÖs claims**.
+10. For **User ID**, use **sub**.
+11. For **Display name**, use **name**.
+12. For **Given name**, use **given_name**.
+13. For **Surname**, use **family_name**.
+14. For **Email**, use **email**.
+15. Select **Save**.
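Review bot: "For **Scope**, select **openid email profile**." in the identity provider steps describes a typed value as a selection; the original table gave "openid email profile" as the value to enter, so "enter" fits better than "select" (response type and response mode are genuine dropdown choices and can keep "select"). "Map this identity providerΓÇÖs claims" shows a mis-encoded apostrophe in this view; confirm the file is saved as UTF-8 so the portal label renders as "Map this identity provider's claims".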
-3. Select **OK**.
+## Configure multi-factor authentication
-4. Select **Map this identity providerΓÇÖs claims**.
+eID-Me is a multi-factor authenticator, therefore user-flow multi-factor authentication configuration isn't needed.
-5. Fill out the form to map the Identity provider:
+## Create a user flow policy
- | Property | Value |
- | :-- | :- |
- | User ID | sub |
- | Display name | name |
- | Given name | given_name |
- | Surname | family_name |
- | Email | email |
-
-6. Select **Save** to complete the setup for your new OIDC Identity provider.
-
-## Step 4: Configure multi-factor authentication
-
-eID-Me is a decentralized digital identity with strong two-factor user authentication built in. Since eID-Me is already a multi-factor authenticator, you don't need to configure any multi-factor authentication settings in your user flows when using eID-Me. eID-Me offers a fast and simple user experience, which also eliminates the need for any additional passwords.
-
-## Step 5: Create a user flow policy
-
-You should now see eID-Me as a new OIDC Identity provider listed within your B2C identity providers.
-
-1. In your Azure AD B2C tenant, under **Policies**, select **User flows**.
-
-2. Select **New user flow**
+For the following instructions, eID-Me appears as a new OIDC identity provider in B2C identity providers.
+1. In the Azure AD B2C tenant, under **Policies**, select **User flows**.
+2. Select **New user flow**.
3. Select **Sign up and sign in** > **Version** > **Create**.-
-4. Enter a **Name** for your policy.
-
-5. In the Identity providers section, select your newly created eID-Me Identity provider.
-
-6. Select **None** for Local Accounts to disable email and password-based authentication.
-
-7. Select **Run user flow**
-
-8. In the form, enter the Replying URL, such as `https://jwt.ms`.
-
-9. The browser will be redirected to the eID-Me sign-in page. Enter the account name registered during User registration. The user will receive a push notification to their mobile device where the eID-Me application is installed; upon opening the notification, the user will be presented with an authentication challenge
-
-10. Once the authentication challenge is accepted, the browser will redirect the user to the replying URL.
-
-## Next steps
-
-For additional information, review the following articles:
--- [eID-Me and Azure AD B2C integration guide](https://bluink.ca/eid-me/azure-b2c-integration-guide)--- [Custom policies in Azure AD B2C](./custom-policy-overview.md)--- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)--
+4. Enter a policy **Name**.
+5. In **Identity providers**, select the created eID-Me identity provider.
+6. For **Local Accounts**, select **None**. The selection disables email and password authentication.
+7. Select **Run user flow**.
+8. Enter a **Replying URL**, such as `https://jwt.ms`.
+9. The browser redirects to the eID-Me sign-in page.
+10. Enter the account name from user registration.
+11. The user receives push notification on the mobile device with eID-Me.
+12. An authentication challenge appears.
+13. The challenge is accepted and the browser redirects to the replying URL.
>[!NOTE]
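Review bot: step 8 of the user flow test, "Enter a **Replying URL**, such as `https://jwt.ms`.", and step 13, "redirects to the replying URL", carry over the original's "Replying URL" typo; the portal field and the later custom-policy test step call it the **Reply URL**. Step 13, "The challenge is accepted and the browser redirects to the replying URL.", also lost the condition from the original ("Once the authentication challenge is accepted"); suggest "When the user accepts the challenge, the browser redirects to the reply URL." Step 11, "The user receives push notification on the mobile device with eID-Me.", needs "a push notification". The intro line "For the following instructions, eID-Me appears as a new OIDC identity provider in B2C identity providers." turns the original's check ("You should now see eID-Me ...") into a precondition; suggest "eID-Me now appears as an OIDC identity provider under **Identity providers**."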
->In Azure AD B2C, [**custom policies**](./user-flow-overview.md) are designed primarily to address complex scenarios. For most scenarios, we recommend that you use built-in [**user flows**](./user-flow-overview.md).
+>Azure Active Directory B2C (Azure AD B2C) has two methods to define users interaction with applications: predefined user flows, or configurable custom policies.
+Custom policies address complex scenarios. For most scenarios, we recommend user flows. See, [User flows and custom policies overview](./user-flow-overview.md)
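Review bot: the second line of the rewritten note, "Custom policies address complex scenarios. For most scenarios, we recommend user flows. See, [User flows and custom policies overview](./user-flow-overview.md)", has no leading ">" so it renders as a normal paragraph outside the [!NOTE] callout; prefix it with ">" and end the sentence with a period. This note also repeats the Before you begin paragraph at the top of the article word for word; one of the two could be shortened to a link.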
-## Step 2: Create a policy key
+## Create a policy key
-Store the client secret that you previously recorded in your Azure AD B2C tenant.
+Store the Client Secret you recorded in your Azure AD B2C tenant. For the following instructions, use the directory with the Azure AD B2C tenant.
1. Sign in to the [Azure portal](https://portal.azure.com/).-
-2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-
-3. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-
-4. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
-
-5. On the Overview page, select **Identity Experience Framework**.
-
-6. Select **Policy Keys** and then select **Add**.
-
-7. For **Options**, choose `Manual`.
-
-8. Enter a **Name** for the policy key. For example, `eIDMeClientSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
-
-9. In **Secret**, enter your client secret that you previously recorded.
-
-10. For **Key usage**, select `Signature`.
-
-11. Select **Create**.
-
-## Step 3: Configure eID-Me as an Identity provider
-
-To enable users to sign in using eID-Me decentralized identity, you need to define eID-Me as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user has authenticated using digital ID available on their device, proving the userΓÇÖs identity.
-
-You can define eID-Me as a claims provider by adding it to the **ClaimsProvider** element in the extension file of your policy
+2. In the portal toolbar, select the **Directories + subscriptions**.
+3. On the **Portal settings, Directories + subscriptions** page, in the **Directory name** list, locate your Azure AD B2C directory.
+4. Select **Switch**.
+5. In the top-left corner of the Azure portal, select **All services**.
+6. Search for and select **Azure AD B2C**.
+7. On the Overview page, select **Identity Experience Framework**.
+8. Select **Policy Keys**.
+9. Select **Add**.
+10. For **Options**, choose **Manual**.
+11. Enter a **Name** for the policy key. For example, `eIDMeClientSecret`. The prefix `B2C_1A_` is added to the key name.
+12. In **Secret**, enter the Client Secret you noted.
+13. For **Key usage**, select **Signature**.
+14. Select **Create**.
+
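Review bot: step 2 of Create a policy key, "In the portal toolbar, select the **Directories + subscriptions**.", has a dangling "the"; use either "select **Directories + subscriptions**" or "select the **Directories + subscriptions** icon" as the original said (the same wording appears again in Upload the custom policy). The label is also inconsistent with "**Directory + subscription**" in Add a new Identity provider; the portal uses one name, so align both sections.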
+## Configure eID-Me as an Identity provider
+
+Define eID-Me as a claims provider to enable users to sign in with eID-Me. Azure AD B2C communicates with it, through an endpoint. The endpoint provides claims used by Azure AD B2C to verify user authentication with a digital ID on their device.
+
+To define eID-Me as a claims provider, add it to the **ClaimsProvider** element in the policy extension file.
1. Open the `TrustFrameworkExtensions.xml`.-
-2. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element.
-
-3. Add a new **ClaimsProvider** as follows:
+2. Find the **ClaimsProviders** element. If it doesn't appear, add it under the root element.
+3. Add a new **ClaimsProvider**:
```xml <ClaimsProvider>
You can define eID-Me as a claims provider by adding it to the **ClaimsProvider*
</ClaimsProvider> ```
-4. Set **eid_me_rp_client_id** with your eID-Me Relying Party Client ID.
+4. For **eid_me_rp_client_id** enter the eID-Me relying-party Client ID.
+5. Select **Save**.
-5. Save the file.
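Review bot: "5. Select **Save**." in Configure eID-Me as an Identity provider replaces "Save the file.", but this step edits `TrustFrameworkExtensions.xml` in an editor rather than a portal form, so there is no Save button to select; keep "Save the file." "Azure AD B2C communicates with it, through an endpoint." has a stray comma before "through".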
+### Supported identity claims
-There are additional identity claims that eID-Me supports and can be added.
+You can add more identity claims that eID-Me supports.
-1. Open the `TrustFrameworksExtension.xml`
+1. Open the `TrustFrameworksExtension.xml`.
+2. Find the `BuildingBlocks` element.
-2. Find the `BuildingBlocks` element. This is where additional identity claims that eID-Me supports can be added. Full lists of supported eID-Me identity claims with descriptions are mentioned at `http://www.oid-info.com/get/1.3.6.1.4.1.50715` with the OIDC identifiers used here [https://eid-me.bluink.ca/.well-known/openid-configuration](https://eid-me.bluink.ca/.well-known/openid-configuration).
+> [!NOTE]
+> Find supported eID-Me identity claims lists on [OID repository](http://www.oid-info.com/get/1.3.6.1.4.1.50715) with OIDC identifiers on [well-known/openid-configuration](https://eid-me.bluink.ca/.well-known/openid-configuration).
```xml <BuildingBlocks>
There are additional identity claims that eID-Me supports and can be added.
```
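Review bot: "1. Open the `TrustFrameworksExtension.xml`." under Supported identity claims names a file that doesn't match `TrustFrameworkExtensions.xml` used in the previous section and in Add a user journey; the typo was in the original and is kept here, so fix the filename. The OID repository link in the new note is plain http; consider linking over https.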
-## Step 4: Add a user journey
-
-At this point, the identity provider has been set up, but it's not yet available in any of the sign-in pages. If you don't have your own custom user journey, create a duplicate of an existing template user journey, otherwise continue to the next step.
+## Add a user journey
-1. Open the `TrustFrameworkBase.xml` file from the starter pack.
+For the following instructions, the identity provider is set up, but not in any sign-in pages. If you don't have a custom user journey, copy a template user journey.
-2. Find and copy the entire contents of the **UserJourneys** element that includes ID=`SignUpOrSignIn`.
+1. From the starter pack, open the `TrustFrameworkBase.xml` file.
+2. Locate and copy the contents of the **UserJourneys** element that includes ID=`SignUpOrSignIn`.
+3. Open the `TrustFrameworkExtensions.xml`.
+4. Locate the **UserJourneys** element. If the element doesn't appear, add one.
+5. Paste the contents of the **UserJourney** element as a child of the **UserJourneys** element.
+6. Rename the user journey ID, for example, ID=`CustomSignUpSignIn`.
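Review bot: the intro of Add a user journey, "If you don't have a custom user journey, copy a template user journey.", drops the original's "otherwise continue to the next step", so a reader who already has a custom journey isn't told to skip the six copy steps; suggest "If you already have a custom user journey, skip to Add the identity provider to a user journey." "For the following instructions, the identity provider is set up, but not in any sign-in pages." is also awkward; "At this point the identity provider is configured but doesn't appear on any sign-in page yet" keeps the original meaning.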
-3. Open the `TrustFrameworkExtensions.xml` and find the **UserJourneys** element. If the element doesn't exist, add one.
+## Add the identity provider to a user journey
-4. Paste the entire content of the **UserJourney** element that you copied as a child of the **UserJourneys** element.
+Add the new identity provider to the user journey.
-5. Rename the ID of the user journey. For example, ID=`CustomSignUpSignIn`
+1. In the user journey, locate the orchestration step element with Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection`. It's usually the first orchestration step. The **ClaimsProviderSelections** element has a list of identity providers users sign in with. The order of the elements controls the order of the sign-in buttons the user sees.
+2. Add a **ClaimsProviderSelection** XML element.
+3. Set the **TargetClaimsExchangeId** value to a friendly name.
+4. In the next orchestration step, add a **ClaimsExchange** element.
+5. Set the **Id** to the target claims exchange ID value.
+6. Update the v**TechnicalProfileReferenceId** value to the technical profile ID you created.
-## Step 5: Add the identity provider to a user journey
-
-Now that you have a user journey, add the new identity provider to the user journey.
-
-1. Find the orchestration step element that includes Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers that a user can sign in with. The order of the elements controls the order of the sign-in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name.
-
-2. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier.
-
- The following XML demonstrates **7** orchestration steps of a user journey with the identity provider:
+The following XML demonstrates seven user journey orchestration steps with the identity provider:
```xml <UserJourney Id="eIDME-SignUpOrSignIn">
Now that you have a user journey, add the new identity provider to the user jour
```
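Review bot: step 6 of Add the identity provider to a user journey, "Update the v**TechnicalProfileReferenceId** value", has a stray "v" before the bold element name. Step 1 packs the original's explanation of **ClaimsProviderSelections** and button ordering into a single list item; consider moving that explanation into a sentence before the list so each numbered step stays one action, matching the rest of the rewrite.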
-## Step 6: Configure the relying party policy
+## Configure the relying party policy
-The relying party policy specifies the user journey which Azure AD B2C will execute. You can also control what claims are passed to your application by adjusting the **OutputClaims** element of the **eID-Me-OIDC-Signup** TechnicalProfile element. In this sample, the application will receive the userΓÇÖs postal code, locality, region, IAL, portrait, middle name, and birth date. It also receives the boolean **signupConditionsSatisfied** claim, which indicates whether an account has been created or not:
+The relying party policy specifies the user journey Azure AD B2C executes. You can control claims passed to your application. Adjust the **OutputClaims** element of the **eID-Me-OIDC-Signup** TechnicalProfile element. In the following sample, the application receives user postal code, locality, region, IAL, portrait, middle name, and birth date. It receives the boolean **signupConditionsSatisfied** claim, which indicates whether an account was created.
```xml <RelyingParty>
The relying party policy specifies the user journey which Azure AD B2C will exec
```
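Review bot: the relying party paragraph says the sample application receives the user's postal code, locality, region, IAL, portrait, middle name, and birth date; since the paragraph already says the **OutputClaims** element controls which claims reach the application, add a sentence that the list should be trimmed to the claims the application actually needs, as the portrait and birth date are sensitive identity data that end up in the ID token. "It receives the boolean **signupConditionsSatisfied** claim" should be "It also receives" to keep the original's connection to the list before it.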
-## Step 7: Upload the custom policy
-
-1. Sign in to the [Azure portal](https://portal.azure.com/#home).
-
-2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-
-3. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-
-4. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
-
-5. Under Policies, select **Identity Experience Framework**.
-Select **Upload Custom Policy**, and then upload the two policy files that you changed, in the following order: the extension policy, for example `TrustFrameworkBase.xml`, then the relying party policy, such as `SignUp.xml`.
+## Upload the custom policy
-## Step 8: Test your custom policy
+For the following instructions, use the directory with the Azure AD B2C tenant.
-1. Select your relying party policy, for example `B2C_1A_signup`.
-
-2. For **Application**, select a web application that you [previously registered](./tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
-
-3. Select the **Run now** button.
-
-4. The sign-up policy should invoke eID-Me immediately. If sign-in is used, then select eID-Me to sign in with eID-Me.
-
-If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+1. Sign in to the [Azure portal](https://portal.azure.com/#home).
+2. In the portal toolbar, select the **Directories + subscriptions**.
+3. On the **Portal settings, Directories + subscriptions** page, in the **Directory name** list, locate the Azure AD B2C directory.
+4. Select **Switch**.
+5. In the Azure portal, search for and select **Azure AD B2C**.
+6. Under **Policies**, select **Identity Experience Framework**.
+7. Select **Upload Custom Policy**.
+8. Upload the two policy files you changed in the following order:
+
+ * The extension policy, for example `TrustFrameworkBase.xml`
+ * The relying party policy, for example `SignUp.xml`
+
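Review bot: the upload order list names `TrustFrameworkBase.xml` as "The extension policy", but the file edited in Configure eID-Me as an Identity provider and Add a user journey is `TrustFrameworkExtensions.xml`; the base policy was only opened to copy the SignUpOrSignIn journey. The original had the same mismatch, so change the example to `TrustFrameworkExtensions.xml`, since uploading the unchanged base file instead would leave the eID-Me claims provider and the new journey out of the uploaded policy set.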
+## Test the custom policy
+
+1. Select the relying party policy, for example `B2C_1A_signup`.
+2. For **Application**, select a web application you registered.
+3. The **Reply URL** is `https://jwt.ms`.
+4. Select **Run now**.
+5. The sign-up policy invokes eID-Me.
+6. For sign-in, select **eID-Me**.
+7. The browser redirects to `https://jwt.ms`.
+8. The token contents returned by Azure AD B2C appear.
+
+Learn more: [Tutorial: Register a web application in Azure AD B2C](./tutorial-register-applications.md)
## Next steps
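Review bot: step 7 of Test the custom policy, "The browser redirects to `https://jwt.ms`.", lost the condition from the original ("If the sign-in process is successful"), so the list reads as though the redirect happens regardless of outcome; suggest "If sign-in succeeds, the browser redirects to `https://jwt.ms`, which shows the token returned by Azure AD B2C." and fold step 8 into it. Steps 5 and 6, "The sign-up policy invokes eID-Me." and "For sign-in, select **eID-Me**.", are a result and an alternative action rather than sequential steps; the original "If sign-in is used, then select eID-Me" makes that relationship clearer.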
-For additional information, review the following articles:
--- [Custom policies in Azure AD B2C](./custom-policy-overview.md)--- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)--- [Sample code to integrate Azure AD B2C with eID-Me](https://github.com/bluink-stephen/eID-Me_Azure_AD_B2C)--- [eID-Me and Azure AD B2C integration guide](https://bluink.ca/eid-me/azure-b2c-integration-guide)
+* [Azure AD B2C custom policy overview](./custom-policy-overview.md)
+* [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+* [A Custom Policy Template and Sample ASP.NET Core Web app for integrating eID-Me with Azure AD B2C](https://github.com/bluink-stephen/eID-Me_Azure_AD_B2C)
+* Go to bluink.ca for the [Azure AD B2C ID Verification Integration Guide | eID-Me](https://bluink.ca/eid-me/azure-b2c-integration-guide)
active-directory-b2c Partner Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-gallery.md
Microsoft partners with the following ISVs for MFA and Passwordless authenticati
| ![Screenshot of a nevis logo](./medi) enables passwordless authentication and provides a mobile-first, fully branded end-user experience with Nevis Access app for strong customer authentication and to comply with PSD2 transaction requirements. | | ![Screenshot of a nok nok logo](./medi) provides passwordless authentication and enables FIDO certified multifactor authentication such as FIDO UAF, FIDO U2F, WebAuthn, and FIDO2 for mobile and web applications. Using Nok Nok customers can improve their security posture while balancing user experience. |![Screenshot of a bindid logo](./medi) solution BindID is a passwordless authentication service that uses strong FIDO2 biometric authentication for a reliable omni-channel authentication experience, which ensures a smooth login experience for customers across every device and channel eliminating fraud, phishing, and credential reuse. |
-| ![Screenshot of a trusona logo](./medi) integration helps you sign in securely and enables passwordless authentication, MFA, and digital license scanning. |
+| ![Screenshot of a trusona logo](./medi) integration helps you sign in securely and enables a tap-and-go passwordless authentication. |
| ![Screenshot of a twilio logo.](./medi) provides multiple solutions to enable MFA through SMS one-time password (OTP), time-based one-time password (TOTP), and push notifications, and to comply with SCA requirements for PSD2. | | ![Screenshot of a typingDNA logo](./medi) enables strong customer authentication by analyzing a userΓÇÖs typing pattern. It helps companies enable a silent MFA and comply with SCA requirements for PSD2. | | ![Screenshot of a whoiam logo](./medi) is a Branded Identity Management System (BRIMS) application that enables organizations to verify their user base by voice, SMS, and email. |
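Review bot: the Trusona row now reads "enables a tap-and-go passwordless authentication" and drops the original "MFA, and digital license scanning" capabilities; confirm that removal is intentional, since the table header for this gallery section groups partners by MFA and passwordless authentication and the other rows still state which of the two each partner provides.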
active-directory-b2c Partner Idemia https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-idemia.md
Title: Configure IDEMIA with Azure Active Directory B2C (Preview)
+ Title: Configure IDEMIA Mobile ID with Azure Active Directory B2C
-description: Learn how to integrate Azure AD B2C authentication with IDEMIA for relying party to consume IDEMIA or US State issued mobile IDs
+description: Learn to integrate Azure AD B2C authentication with IDEMIA Mobile ID for a relying party to consume Mobile ID, or US state-issued mobile IDs
-+ Previously updated : 10/21/2021 Last updated : 03/10/2023 zone_pivot_groups: b2c-policy-type
-# Tutorial: Configure IDEMIA with Azure Active Directory B2C for relying party to consume IDEMIA or US State issued mobile identity credentials (Preview)
+# Tutorial: Configure IDEMIA Mobile ID with Azure Active Directory B2C
+## Before you begin
-This feature is available only for custom policies. For setup steps, select **Custom policy** in the preceding selector.
+Azure Active Directory B2C (Azure AD B2C) has two methods to define users interaction with applications: predefined user flows or configurable custom policies. See, [User flows and custom policies overview](./user-flow-overview.md)
--
-In this sample tutorial, learn how to integrate Azure Active Directory (Azure AD) B2C with [IDEMIA](https://www.idemia.com/). IDEMIA is a passwordless authentication provider, which provides real-time consent-based services with biometric authentication like face ID and fingerprinting eliminating fraud and credential reuse. IDEMIAΓÇÖs Mobile ID allows citizens to benefit from a government-issued trusted digital ID, as a complement to their physical ID. This application is used to verify identity by using a self-selected PIN or touch ID/face ID. Mobile ID allows citizens to control their identities by allowing them to share only the information needed for a transaction and enables fraud protection.
+## Integrate Azure AD B2C with IDEMIA Mobile ID
+IDEMIA provides biometric authentication services like face ID and fingerprinting, which reduces fraud and credential reuse. With Mobile ID, citizens benefit from a trusted, government-issued digital ID, as a complement to their physical ID. Mobile ID verifies identity by using a self-selected PIN, touch ID, or face ID. Citizens control their identities by sharing information needed for a transaction. Many state departments of motor vehicles (DMVs) use Mobile ID.
+To learn more, go to idemia.com: [IDEMIA](https://www.idemia.com/)
## Scenario description
-IDEMIA integration includes the following components:
--- **Azure AD B2C** ΓÇô The authorization server, responsible for verifying the userΓÇÖs credentials, also known as the Identity Provider (IdP).--- **IDEMIA mID** - OpenID Connect (OIDC) provider configured as [Azure AD B2C external provider](add-identity-provider.md)--- **[IDEMIA mID application](https://idemia-mobile-id.com/)** - A trusted, government-issued digital identity. Mobile ID is a digital version of your driverΓÇÖs license or state-issued ID that lives in an app on your phone. [IDEMIA](https://idemia-mobile-id.com/).
+Mobile ID integration includes the following components:
-IDEMIA provides mID for many US State departments of motor vehicles (DMVs).
+* **Azure AD B2C** ΓÇô authorization server that verifies user credentials
+ * It's also known as the identity provider (IdP)
+* **IDEMIA Mobile ID** - OpenID Connect (OIDC) provider configured as an Azure AD B2C external provider
+ * See, [Add an identity provider to your Azure AD B2C tenant](add-identity-provider.md)
+* **IDEMIA Mobile ID application** - a digital version of a driverΓÇÖs license, or state-issued ID, in an app on your phone
+ * See, [IDEMIA Mobile ID](https://idemia-mobile-id.com/)
-The mID is a digitizing of an identification document into a strong mobile identity token that is highly portable for verification and that serves as an index for authorization **mID Services**. The mID Service allows the DMVs to proof identities of individuals by using credential document authentication using their issued drivers licenses and biometric **selfie**-to-credential facial recognition matching services.
+Mobile ID is a digitized identification document, a portable mobile identity token that DMVs use to verify individual identities. The signed digitized ID is stored on user mobile phones as an identity on the edge. The signed credentials ease access to identity services such as proof of age, financial know your customer, account access, etc.
-Once created, the mID is stored on the end user's mobile phone as a digitally signed **identity on the edge**. The end users are now able to use that signed credential for access to other identity sensitive services such as proof of age, financial know your customer, account accessΓÇÖs where security is paramount.
+The following diagram illustrates the sign-up and sign-in user flows with Mobile ID.
-The offer to Microsoft is the support of these services as the Relying party (RP) that will use a State issued mID to provide services using the attributes sent by the owner of the mID.
+![Diagram of the sign-up and sign-in user flows with Mobile ID.](./media/partner-idemia/idemia-architecture-diagram.png)
-The following diagram shows the implementation for web or on-premises scenarios:
+1. User visits the Azure AD B2C sign-in page (the replying party), with their device and Mobile ID, to conduct a transaction.
+2. Azure AD B2C performs an ID check. It redirects the user to the IDEMIA router with an OIDC authorization code flow.
+3. The router sends a biometric challenge to the userΓÇÖs mobile app with authentication and authorization request details.
+4. Depending on security, the user might be prompted provide more details: input a PIN, take a live selfie, or both.
+5. The authentication response provides proof of possession, presence, and consent. The response returns to the router.
+6. The router verifies user information and replies to Azure AD B2C with the result.
+7. The user is granted or denied access.
-![Screenshot shows the on-premises verification](./media/partner-idemia/idemia-architecture-diagram.png)
+## Enable Mobile ID
-| Step | Description |
-|:--|:--|
-| 1. | User visits the Azure AD B2C login page, which is the replying party in this case on their device to conduct a transaction and logs in via their mID app. |
-| 2. | Azure AD B2C requires an ID check and for that redirects the user to the IDEMIA router using the OIDC authorization code flow|
-| 3. | The IDEMIA router sends a biometric challenge to the userΓÇÖs mobile app including all context details of the authentication and authorization request.|
-| 4. | Depending on the level of security needed, the user may require to provide additional details, input their PIN, take a live selfie, or both.|
-| 5. | Final authentication response provides proof of possession, presence, and consent. The response is returned to the IDEMIA router.|
-| 6. | IDEMIA router verifies the information provided by the user and replies to Azure AD B2C with the authentication result.|
-|7. | Based on the authentication result user is granted/denied access. |
+To get started, go to the idemia.com [Get in touch](https://www.idemia.com/get-touch/) page to request a demo. In the request form text field, indicate your interest in Azure AD B2C integration.
-## Onboard with IDEMIA
+## Integrate Mobile ID with Azure AD B2C
-Get in touch with [IDEMIA](https://www.idemia.com/get-touch/) to request a demo. While filling out the request form, in the message field indicate that you want to onboard with Azure AD B2C.
-
-## Integrate IDEMIA with Azure AD B2C
+Use the following sections to prepare for and perform integration processes.
## Prerequisites
-To get started, you'll need:
--- Access to end users that have an IDEMIA - US state issued Mobile ID credential (mID) or during the test phase, the mID demo application provided by [IDEMIA](https://www.idemia.com/).--- An Azure AD subscription. If you don't have one, get a [free account](https://azure.microsoft.com/free/).--- An [Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.--- Your business web application registered in Azure AD B2C tenant. For testing purposes you can configure https://jwt.ms, a Microsoft-owned web application that displays the decoded contents of a token.
+To get started, you need:
->[!NOTE]
->The contents of the token never leave your browser.
+* Access to users with an IDEMIA, US state issued Mobile ID credential (mID)
+ * Or during the test phase, the mID demo application from IDEMIA
+* An Azure AD subscription
+ * If you don't have one, get anΓÇ»[Azure free account](https://azure.microsoft.com/free/)
+* An [Azure AD B2C tenant](tutorial-create-tenant.md) linked to the Azure subscription
+* Your business web application registered in an Azure AD B2C tenant
+ * For testing, configure https://jwt.ms, a Microsoft web application with decoded token contents
+ >[!NOTE]
+ >The token contents don't leave your browser.
-### Part 1 - Submit a Relying Party application on-boarding for mID
+### Submit a relying party application for mID
-As part of your integration with IDEMIA, you'll be provided with the following information:
+During Mobile ID integration, the following information is provided.
| Property | Description | |:|:-|
-| Application Name | Azure AD B2C or your desired application name |
-| Client_ID | This is the unique identifier provided by the IdP |
-| Client Secret | Password the relying party application will use to authenticate with the IDEMIA IdP |
-| Metadata endpoint | A URL that points to a token issuer configuration document, which is also known as an OpenID well-known configuration endpoint. |
-|Redirect URIs | `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`<br>For example, `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br><br>If you use a custom domain, enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`.<br>Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
-|Post log out redirect URIs | `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/{policy}/oauth2/v2.0/logout`<br>Send a sign-out request. |
+| Application Name | Azure AD B2C, or another application name |
+| Client_ID | The unique identifier from the identity provider (IdP) |
+| Client Secret | Password the relying party application uses to authenticate with the IDEMIA IdP |
+| Metadata endpoint | A URL pointing to a token issuer configuration document, also known as an OpenID well-known configuration endpoint |
+|Redirect URIs | `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`<br>For example, `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br><br>If you use a custom domain, enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`.|
+|Post sign out redirect URIs | `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/{policy}/oauth2/v2.0/logout`<br>Send a sign out request. |
->[!NOTE]
->You'll need IDEMIA client ID and client secret later to configure the IdP in Azure AD B2C.
+ >[!NOTE]
+ >You need the Client ID and Client Secret later to configure the IdP in Azure AD B2C.
-### Part 2 - Create a policy key
+### Create a policy key
-Store the IDEMIA client secret that you previously recorded in your Azure AD B2C tenant.
+Store the noted IDEMIA Client Secret in your Azure AD B2C tenant. For the following instructions, use the directory with your Azure AD B2C tenant.
1. Sign in to the [Azure portal](https://portal.azure.com/).-
-2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-
-3. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-
-4. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
-
-5. On the **Overview** page, select **Identity Experience Framework**.
-
-6. Select **Policy Keys** and then select **Add**.
-
-7. For **Options**, choose **Manual**.
-
-8. Enter a **Name** for the policy key. For example, IdemiaAppSecret. The prefix B2C_1A_ is added automatically to the name of your key.
-
-9. In **Secret**, enter your client secret that you previously recorded.
-
-10. For **Key** usage, select **Signature**.
-
-11. Select **Create**.
-
-### Part 3 - Configure IDEMIA as an External IdP
-
-To enable users to sign in using IDEMIA mobile ID passwordless identity, you need to define IDEMIA as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user has authenticated using biometry such as fingerprint or facial scan as available on their device, proving the userΓÇÖs identity.
-You can define IDEMIA as a claims provider by adding it to the **ClaimsProvider** element in the extension file of your policy.
+2. In the portal toolbar, select **Directories + subscriptions**.
+3. On the **Portal settings, Directories + subscriptions** page, in the **Directory name** list find your Azure AD B2C directory
+4. Select **Switch**.
+5. In the top-left corner of Azure portal, select **All services**.
+6. Search for and select **Azure AD B2C**.
+7. On the **Overview** page, select **Identity Experience Framework**.
+8. Select **Policy Keys**.
+9. Select **Add**.
+10. For **Options**, choose **Manual**.
+11. Enter a **Name** for the policy key. For example, `IdemiaAppSecret`. The prefix `B2C_1A_` is added to the key name.
+12. In **Secret**, enter the Client Secret you noted.
+13. For **Key** usage, select **Signature**.
+14. Select **Create**.
+
+### Configure Mobile ID as an External IdP
+
+To enable users to sign in with Mobile ID, define IDEMIA as a claims provider. This action ensures Azure AD B2C communicates through an endpoint, which provides claims Azure AD B2C uses to verify user authentication with biometry.
+
+To define IDEMIA as a claims provider, add it to the **ClaimsProvider** element in the policy extension file.
```PowerShell <TechnicalProfile Id="Idemia-Oauth2">
You can define IDEMIA as a claims provider by adding it to the **ClaimsProvider*
Set client_id to the application ID from the application registration. |Property | Description|
-|:|:-|
-|Scope| For OpenID Connect (OIDC) the minimum requirement is that the scope parameter be set to **openid**. Additional scopes may be appended as a space-delimited list.|
-|redirect_uri | This defines where the user agent sends the authorization code back to Azure AD B2C.|
-|response_type| For the authorization code flow, this is set to **code**|
-|acr_values| This parameter controls the authentication methods that the user is required to perform during the authentication process. |
+|||
+|Scope| For OpenID Connect (OIDC), the minimum requirement is set scope parameter to **openid**. Append more scopes as a space-delimited list.|
+|redirect_uri | This location is where the user agent sends the authorization code to Azure AD B2C.|
+|response_type| For the authorization code flow, select **code**|
+|acr_values| This parameter controls the authentication methods the user must perform during authentication. |
-One of the following values must be selected:
+Select one of the following values:
|Parameter value| Effect on user authentication process |
-|:|:-|
-|`loa-2`| Crypto-based Azure AD Multi-Factor Authentication only|
-|`loa-3`| Crypto-based Azure AD Multi-Factor Authentication plus one additional factor|
-|`loa-4`| Crypto-based Azure AD Multi-Factor Authentication with the requirement that the user must also perform pin-based and biometric authentication |
+|||
+|`loa-2`| Crypto-based Azure AD Multi-Factor Authentication (MFA) only|
+|`loa-3`| Crypto-based MFA, plus another factor|
+|`loa-4`| Crypto-based MFA, plus the user performs PIN and biometric authentication |
-The **/userinfo** endpoint provides the claims for the scope(s) requested in the authorization request. For the **<mt_scope>** this includes such claims as First Name, Last Name, and Driver's License Number, among other items.
-The claims set for any given scope are published in the **scope_to_claims_mapping** section of the discovery API.
-Azure AD B2C requests claims from the claims endpoint and returns those claims in the OutputClaims element. You may need to map the name of the claim defined in your policy to the name defined in the IdP making sure to define the claim type in the [ClaimSchema element](claimsschema.md):
+The **/userinfo** endpoint provides the claims for the scope(s) requested in the authorization request. For the **<mt_scope>**, there are claims like First Name, Last Name, and Driver's License Number, among other items.
+The claims set for a scope are published in the **scope_to_claims_mapping** section of the discovery API.
+Azure AD B2C requests claims from the claims endpoint and returns them in the OutputClaims element. You might need to map the claim name in your policy to the name in the IdP. Define the claim type in the [ClaimSchema element](claimsschema.md):
```PowerShell <ClaimType Id="documentId">
Azure AD B2C requests claims from the claims endpoint and returns those claims i
</ClaimType> ```
-### Part 4 - Add a user journey
-
-At this point, the IdP has been set up, but it's not yet available in any of the sign-in pages. If you don't have your own custom user journey, create a duplicate of an existing template user journey, otherwise continue to the next step.
-
-1. Open the `TrustFrameworkBase.xml` file from the starter pack.
-
-2. Find and copy the entire contents of the **UserJourneys** element that includes `ID=SignUpOrSignIn`.
+### Add a user journey
-3. Open the `TrustFrameworkExtensions.xml` and find the **UserJourneys** element. If the element doesn't exist, add one.
+For these instructions, the IdP is set up, but it's not in any sign-in page. If you don't have a custom user journey, copy a template user journey.
-4. Paste the entire content of the **UserJourney** element that you copied as a child of the UserJourneys element.
+1. From the starter pack, open the `TrustFrameworkBase.xml` file.
+2. Locate and copy the contents of the `UserJourneys` element, which includes `ID=SignUpOrSignIn`.
+3. Open the `TrustFrameworkExtensions.xml`.
+4. Locate the **UserJourneys** element. If there's no element, add one.
+5. Paste the contents of the **UserJourney** element as a child of the UserJourneys element.
+6. Rename the user journey ID. For example, `ID=CustomSignUpSignIn`.
-5. Rename the ID of the user journey. For example, `ID=CustomSignUpSignIn`.
+### Add the IdP to a user journey
-### Part 5 - Add the IdP to a user journey
+If there's a user journey, add the new IdP to it. First add a sign-in button, then link it to an action, which is the technical profile you created.
-Now that you have a user journey, add the new IdP to the user journey. First add a sign-in button, then link the button to an action. The action is the technical profile you created earlier.
-
-1. Find the orchestration step element that includes Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of IdPs that a user can sign in with. The order of the elements controls the order of the sign-in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name.
-
-2. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier.
+1. In the user journey, locate the orchestration step element with Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection`. It's usually the first orchestration step. The **ClaimsProviderSelections** element has an IdP list users sign in with. The order of the elements controls is the order of the sign-in buttons the user sees.
+2. Add a **ClaimsProviderSelection** XML element.
+3. Set the **TargetClaimsExchangeId** value to a friendly name.
+4. Add a **ClaimsExchange** element.
+5. Set the **Id** to the value of the target claims exchange ID.
+6. Update the **TechnicalProfileReferenceId** value to the technical profile ID you created.
The following XML demonstrates the first two orchestration steps of a user journey with the IdP:
The following XML demonstrates the first two orchestration steps of a user journ
</OrchestrationStep> ```
-### Part 6 - Configure the relying party policy
+### Configure the relying party policy
+
+The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAndLocalAccounts/SignUpOrSignin.xml), specifies the user journey the Azure AD B2C executes.
-The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/SocialAndLocalAccounts/SignUpOrSignin.xml), specifies the user journey which Azure AD B2C will execute. Find the **DefaultUserJourney** element within relying party. Update the **ReferenceId** to match the user journey ID, in which you added the IdP.
+1. Find the **DefaultUserJourney** element in relying party.
+2. Update the **ReferenceId** to match the user journey ID, in which you added the IdP.
In the following example, for the `CustomSignUpOrSignIn` user journey, the **ReferenceId** is set to `CustomSignUpOrSignIn`.
In the following example, for the `CustomSignUpOrSignIn` user journey, the **Ref
</RelyingParty> ```
-### Part 7 - Upload the custom policy
-
-1. Sign in to the [Azure portal](https://portal.azure.com/#home).
-
-2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-
-3. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
+### Upload the custom policy
-4. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
+For the following instructions, use the directory with your Azure AD B2C tenant.
-5. Under Policies, select **Identity Experience Framework**.
+1. Sign in to the [Azure portal](https://portal.azure.com/#home).
+2. In the portal toolbar, select the **Directories + subscriptions**.
+3. On the **Portal settings, Directories + subscriptions** page, in the **Directory name** list, find your Azure AD B2C directory.
+4. Select **Switch**.
+5. In the Azure portal, search for and select **Azure AD B2C**.
+6. Under **Policies**, select **Identity Experience Framework**.
+7. Select **Upload Custom Policy**.
+8. Upload the two policy files you changed, in the following order:
-Select **Upload Custom Policy**, and then upload the two policy files that you changed, in the following order: the extension policy, for example `TrustFrameworkExtensions.xml`, then the relying party policy, such as `SignUpSignIn.xml`.
+ * The extension policy, for example `TrustFrameworkExtensions.xml`
+ * The relying party policy, such as `SignUpSignIn.xml`
-### Part 8 - Test your custom policy
+### Test your custom policy
1. Select your relying party policy, for example `B2C_1A_signup_signin`.
+2. For **Application**, select a web application you registered.
+3. `https://jwt.ms`appears for **Reply URL**.
+4. Select **Run now**.
+5. From the sign-up or sign-in page, select **IDEMIA**.
+6. The browser is redirected to `https://jwt.ms`. See the token contents returned by Azure AD B2C.
-2. For **Application**, select a web application that you [previously registered](./tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
-
-3. Select the **Run now** button.
-
-4. From the sign-up or sign-in page, select **IDEMIA** to sign in with an IDEMIA - US State issued mID (Mobile ID Credential).
-
-If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+Learn more: [Tutorial: Register a web application in Azure AD B2C](./tutorial-register-applications.md)
## Next steps
-For additional information, review the following articles:
--- [Custom policies in Azure AD B2C](custom-policy-overview.md)--- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)--- [Learn more about IDEMIA mID](https://www.idemia.com/mobile-id)-
+* [Azure AD B2C custom policy overview](custom-policy-overview.md)
+* [Tutorial: Create user flows and custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+* Go to idemia.com for [Mobile ID: Proving your identity with greater privacy](https://www.idemia.com/mobile-id)
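Review bot: step 1 of the new sign-up/sign-in flow list carries over the "replying party" typo from the removed table; it should read "relying party", the OAuth/OIDC role the rest of the page uses. Other items in this file: step 4 is missing "to" ("might be prompted to provide more details"); step 1 under "Add the IdP to a user journey" has "controls is the order"; the relying party policy paragraph has a stray "the" ("the user journey Azure AD B2C executes"); step 3 of "Test your custom policy" needs a space after `https://jwt.ms`. The Redirect URIs row also drops the sentence telling readers to replace your-domain-name and your-tenant-name in the custom-domain form; consider keeping it so nobody submits the literal placeholder to IDEMIA. Finally, the two XML snippets are still fenced as ```PowerShell; tag them as xml.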
active-directory-b2c Partner Trusona https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-trusona.md
Title: Trusona and Azure Active Directory B2C
+ Title: Trusona Authentication Cloud with Azure AD B2C
-description: Learn how to add Trusona as an identity provider on Azure AD B2C to enable passwordless authentication.
+description: Learn how to add Trusona Authentication Cloud as an identity provider on Azure AD B2C to enable a "tap-and-go" passwordless authentication
---++ Previously updated : 09/20/2021- Last updated : 03/10/2023+
+zone_pivot_groups: b2c-policy-type
-# Integrating Trusona with Azure Active Directory B2C
+# Configure Trusona Authentication Cloud with Azure Active Directory B2C
+
+In this sample tutorial, you'll learn how to integrate Azure Active Directory (Azure AD B2C) authentication with [Trusona Authentication Cloud](https://www.trusona.com/customers/authentication-cloud). It's a cloud-based service enabling users to authenticate with a **tap-and-go** experience, without the need for any kind of mobile authenticator app.
+
+Benefits of integrating Trusona Authentication Cloud with Azure AD B2C include:
+- Deliver strong authentication with a better user experience
+ - Happier users who spend more online
+ - Lower attrition and abandonment, increased revenues
+ - Higher retention, lifetime value (LTV)
-Trusona is an independent software vendor (ISV) provider that helps secure sign-in by enabling passwordless authentication, multi-factor authentication, and digital license scanning. In this article, you'll learn how to add Trusona as an identity provider in Azure AD B2C to enable passwordless authentication.
+- Lower cost of running the business
+ - Reduced account takeovers and account sharing
+ - Reduced fraud and fewer manual fraud analysis actions
+ - Reduced spend on outsourcing manual reviews
+
+- Eliminate passwords
+ - No more password resets
+ - Reduced call center complaints
+ - Fast, simple, frictionless logins using passkeys
## Prerequisites
-To get started, you'll need:
+To get started, you need:
+
+- A Trusona Authentication Cloud trial account. To request an account, [contact Trusona](mailto:info@trusona.com).
+- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+- [An Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
+
+- Complete the steps in the article [get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy).
+
-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* [An Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
-* A [trial account](https://www.trusona.com/) at Trusona
## Scenario description
-In this scenario, Trusona acts as an identity provider for Azure AD B2C to enable passwordless authentication. The following components make up the solution:
+Web Authentication standard - WebAuthn implements modern operating systems and browsers to support authentication via finger print, Windows hello, or external FIDO devices such as USB, Bluetooth and OTP.
-* An Azure AD B2C combined sign-in and sign-up policy
-* Trusona added to Azure AD B2C as an identity provider
-* The downloadable Trusona app
+In this scenario, Trusona acts as an Identity Provider (IdP) for Azure AD B2C to enable passwordless authentication. The following components make up the solution:
+- An Azure AD B2C combined sign-in and sign-up policy.
+- Trusona Authentication Cloud added to Azure AD B2C as an IdP.
-![Trusona architecture diagram](media/partner-trusona/trusona-architecture-diagram.png)
+![Screenshot shows Trusona architecture diagram.](./media/partner-trusona/trusona-auth-cloud-architecture.png)
-| Step | Description |
-|||
-|1 | A user attempts to sign in to or sign up with the application. The user is authenticated via the Azure AD B2C sign-up and sign-in policy. During sign-up, the user's previously verified email address from the Trusona app is used. |
-|2 | Azure B2C redirects the user to the Trusona OpenID Connect (OIDC) identity provider. |
-|3 | For desktop PC-based logins, Trusona displays a unique, stateless, animated, and dynamic QR code for scanning with the Trusona app. For mobile-based logins, Trusona uses a "deep link" to open the Trusona app. These two methods are used for device and ultimately user discovery. |
-|4 | The user scans the displayed QR code with the Trusona app. |
-|5 | The user's account is found in the Trusona cloud service and the authentication is prepared. |
-|6 | The Trusona cloud service issues an authentication challenge to the user via a push notification sent to the Trusona app:<br>a. The user is prompted with the authentication challenge. <br> b. The user chooses to accept or reject the challenge. <br> c. The user is asked to use OS security (for example, biometric, passcode, PIN, or pattern) to confirm and sign the challenge with a private key in the Secure Enclave/Trusted Execution environment. <br> d. The Trusona app generates a dynamic anti-replay payload based on the parameters of the authentication in real time. <br> e. The entire response is signed (for a second time) by a private key in the Secure Enclave/Trusted Execution environment and returned to the Trusona cloud service for verification. |
-|7 | The Trusona cloud service redirects the user back to the initiating application with an id_token. Azure AD B2C verifies the id_token using Trusona's published OpenID configuration as configured during identity provider setup. |
-| | |
+| Steps | Description |
+|:|:|
+|1. | A user attempts to sign in to the web application via their browser.|
+|2.| The web application redirects to Azure AD B2C sign-up and sign-in policy.|
+|3. | Azure AD B2C redirects the user for authentication to the Trusona Authentication Cloud OpenID Connect (OIDC) IdP.|
+|4. | The user is presented with a sign-in web page that asks for their username ΓÇô typically an email address.|
+|5. | The user enters their email address and selects the **Continue** button. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process.|
+|6. | The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.|
+|7. | The authentication assertion is returned to the Trusona cloud service for verification.|
+|8. | Once verified, Trusona Authentication Cloud (IdP) creates an OIDC ID token and then forwards it to Azure AD B2C (Service Provider). Azure AD B2C validates the signature of the token and the issuer against the values in the TrusonaΓÇÖs OpenID discovery document. These details were configured during IdP setup. Once verified, Azure AD B2C issues an OIDC id_token (depending on the scope) and redirects the user back to the initiating application with the token.
+|9. | The web application (or the developer libraries it uses to implement authentication) retrieves the token and verifies the authenticity of the Azure AD B2C token. If thatΓÇÖs the case, it extracts the claims and pass them to the web application to consume.
+|10. | Upon verification, user is granted/denied access. |
-## Onboard with Trusona
+## Step 1: Onboard with Trusona Authentication Cloud
-1. Fill out the [form](https://www.trusona.com/) to create a Trusona account and get started.
+1. Sign in to the [Trusona Portal](https://portal.trusona.io).
+2. From the left navigation panel, select **Settings**
+3. In the Settings menu, select the slider to **Enable OIDC**.
+4. Select the appropriate **Inputs** and provide the **Redirect URL** `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/oauth2/authresp`.
+5. **Generate** a secret key and **Copy** the key for use in your Azure AD B2C setup.
-1. Download the Trusona mobile app from the app store. Install the app and register your email.
+ > [!NOTE]
+ >1. The Trusona portal supports self-service registration. Upon registering you will be assigned to a Trusona account with read-only rights. Afterwards, Trusona will assign you to the correct account and elevate your rights to read-write based upon your organizationΓÇÖs access control policy for portal users.
+ >2. Azure Active DirectoryΓÇÖs initial domain name is used as the client redirect host.
-1. Verify your email through the secure "magic link" sent by the software.
+ [![Screenshot shows Trusona Authentication Cloud portal settings.](./media/partner-trusona/trusona-auth-cloud-oidc-settings.png)](./media/partner-trusona/trusona-auth-cloud-oidc-settings.png#lightbox)
-1. Go to the [Trusona DeveloperΓÇÖs dashboard](https://dashboard.trusona.com) for self-service.
+## Step 2: Register a web application in Azure AD B2C
-1. Select **IΓÇÖm Ready** and authenticate yourself with your Trusona app.
+Before your applications can interact with Azure AD B2C, they must be registered in your customer tenant. This tutorial shows you how to register a Web Application using the Azure portal. For testing purposes like this tutorial, you're registering `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser).
+To register a web application in your Azure AD B2C tenant, use our new unified app registration experience.
-1. From the left navigation panel, choose **OIDC Integrations**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
+1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
+1. In the Azure portal, search for and select **Azure AD B2C**.
+1. Select **App registrations**, and then select **New registration**.
+1. Enter a **Name** for the application. For example, *jwt ms*.
+1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
+1. Under **Redirect URI**, select **Web**, and then enter `https://jwt.ms` in the URL text box.
-1. Select **Create OpenID Connect Integration**.
+ The redirect URI is the endpoint to which the authorization server, Azure AD B2C in this case sends the user to. After completing its interaction with the user, an access token or authorization code is sent upon successful authorization. In a production application, it's typically a publicly accessible endpoint where your app is running, like `https://contoso.com/auth-response`. For testing purposes like this tutorial, you can set it to `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). During app development, you might add the endpoint where your application listens locally, like `https://localhost:5000`. You can add and modify redirect URIs in your registered applications at any time.
-1. Provide a **Name** of your choice and use the domain information previously provided (for example, Contoso) in the **Client Redirect Host field**.
+ The following restrictions apply to redirect URIs:
- > [!NOTE]
- > Azure Active DirectoryΓÇÖs initial domain name is used as the Client Redirect host.
+ * The reply URL must begin with the scheme `https`, unless you use a localhost redirect URL.
+ * The reply URL is case-sensitive. Its case must match the case of the URL path of your running application. For example, if your application includes as part of its path `.../abc/response-oidc`, don't specify `.../ABC/response-oidc` in the reply URL. Because the web browser treats paths as case-sensitive, cookies associated with `.../abc/response-oidc` may be excluded if redirected to the case-mismatched `.../ABC/response-oidc` URL.
+ * The reply URL should include or exclude the trailing forward slash as your application expects it. For example, `https://contoso.com/auth-response` and `https://contoso.com/auth-response/` might be treated as nonmatching URLs in your application.
+
+1. Under **Permissions**, select the **Grant admin consent to openid and offline_access permissions** check box.
+1. Select **Register**.
-1. Follow the instructions in the [Trusona integration guide](https://docs.trusona.com/integrations/aad-b2c-integration/). When prompted, use the initial domain name (for example, Contoso) referred in the previous step.
+### Enable ID token implicit grant
+If you register this app and configure it with `https://jwt.ms/` app for testing a user flow or custom policy, you need to enable the implicit grant flow in the app registration:
-## Integrate with Azure AD B2C
+1. In the left menu, under **Manage**, select **Authentication**.
-### Add a new identity provider
+1. Under **Implicit grant and hybrid flows**, select **ID tokens (used for implicit and hybrid flows)** check boxes.
-> [!NOTE]
-> If you don't have one already, [create an Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
+1. Select **Save**.
++
+## Step 3: Configure Trusona Authentication Cloud as an IdP in Azure AD B2C
1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.+ 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.+ 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.+ 1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.+ 1. Navigate to **Dashboard** > **Azure Active Directory B2C** > **Identity providers**.+ 1. Select **Identity providers**.+ 1. Select **Add**.
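Review bot: Step 1 ("Onboard with Trusona Authentication Cloud") only has the reader **Generate** and **Copy** the secret key, yet the custom-policy instructions further down say to set `client_id` to "the Trusona Authentication Cloud application ID that you previously recorded in step 1"; add an item here telling the reader to also note the Client ID shown on the Settings page so that later reference resolves. Two smaller points in the same region: the "Enable ID token implicit grant" paragraph writes the test app as `https://jwt.ms/` with a trailing slash while the registration step and the rest of the page use `https://jwt.ms`, which contradicts the page's own warning that a trailing slash can make reply URLs non-matching; and in the new flow table, rows 8 and 9 lack the closing `|` that every other row has, and row 9 should read "extracts the claims and passes them".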
-### Configure an identity provider
+### Configure an IdP
1. Select **Identity provider type** > **OpenID Connect (Preview)**.
-1. Fill out the form to set up the identity provider:
+1. Fill out the form to set up the IdP:
| Property | Value | | : | : |
- | Metadata URL | `https://gateway.trusona.net/oidc/.well-known/openid-configuration`|
- | Client ID | Will be emailed to you from Trusona |
+ | Metadata URL | `https://authcloud.trusona.net/.well-known/openid-configuration`|
+ | Client ID |available on the Trusona Authentication Cloud portal |
+ | Client secret | available on the Trusona Authentication Cloud portal |
| Scope | OpenID profile email |
- | Response type | Id_token |
- | Response mode | Form_post |
+ | Response type | code |
+ | Response mode | form_post |
1. Select **OK**. 1. Select **Map this identity providerΓÇÖs claims**.
-1. Fill out the form to map the identity provider:
+1. Fill out the form to map the IdP:
| Property | Value | | : | : |
- | UserID | Sub |
+ | UserID | sub |
| Display name | nickname | | Given name | given_name |
- | Surname | Family_name |
+ | Surname | family_name |
| Response mode | email |
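Review bot: Lowercasing `code`, `form_post`, `sub` and `family_name` in this hunk is the right fix, since Azure AD B2C matches these values exactly, but the unchanged `| Scope | OpenID profile email |` row still capitalises the `openid` scope, which the custom-policy XML later on this page correctly writes as `openid profile email`; change it to match. In the claims-mapping table the unchanged row `| Response mode | email |` is also mislabeled: it maps the email claim, alongside the rows for `sub`, `nickname`, `given_name` and `family_name`, so the property column should name the Email claim, not "Response mode".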
-1. Select **OK** to complete the setup for your new OIDC identity Provider.
+1. Select **OK** to complete the setup for your new OIDC IdP.
-### Create a user flow policy
+## Step 4: Create a user flow policy
-You should now see Trusona as a **new OpenID Connect Identity Provider** listed within your B2C identity providers.
+You should now see Trusona as a **new OpenID Connect Identity Provider** listed within your B2C IdPs.
1. In your Azure AD B2C tenant, under **Policies**, select **User flows**.
You should now see Trusona as a **new OpenID Connect Identity Provider** listed
1. Enter a **Name** for your policy.
-1. In the **Identity providers** section, select your newly created **Trusona Identity Provider**.
+1. In the **Identity providers** section, select your newly created **Trusona Authentication Cloud-Identity Provider**.
> [!NOTE] > Because Trusona is inherently multi-factor, it's best to leave multi-factor authentication disabled.
You should now see Trusona as a **new OpenID Connect Identity Provider** listed
1. Select **OK**.
-### Test the policy
+## Step 5: Test your user flow
1. Select the policy you created. 1. Select **Run user flow**, and then select the settings:
- 1. **Application**: Select the registered app.
+ a. **Application**: Select the registered app, for example, jwt ms.
- 1. **Reply URL**: Select the redirect URL.
+ b. **Reply URL**: Select the redirect URL, for example, `https://jwt.ms`.
-1. Select **Run user flow**. You should be redirected to the Trusona OIDC gateway. On the Trusona gateway, scan the displayed Secure QR code with the Trusona app or with a custom app using the Trusona mobile SDK.
+2. Select **Run user flow**. You should be redirected to the Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username ΓÇô typically an email address. If the user's account isn't found in Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential. Azure AD B2C validates the Trusona authentication response and issues an OIDC token. It redirects the user back to the initiating application, for example, `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
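Review bot: The numbering in "Step 5: Test your user flow" mixes `a.`/`b.` sub-items with a `2.` item after the page's `1.` convention; use `1.` throughout as the rest of the article does. The long walkthrough in the final item repeats the flow table at the top of the page word for word (sign-in page asking for the username, WebAuthn registration versus authentication, credential selection, Secure Enclave/Trusted Execution environment); a short sentence plus a link to the table would avoid maintaining two copies of the same text.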
++
+## Step 3: Create Trusona Authentication Cloud policy key
+
+Store the client secret that you previously generated in [step 1](#step-1-onboard-with-trusona-authentication-cloud) in your Azure AD B2C tenant.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+
+1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
+
+1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
+
+1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+
+1. On the Overview page, select **Identity Experience Framework**.
+
+1. Select **Policy Keys** and then select **Add**.
+
+1. For **Options**, choose **Manual**.
+
+1. Enter a **Name** for the policy key. For example, `TrusonaTacClientSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
+
+1. In **Secret**, enter your client secret that you previously recorded.
+
+1. For **Key usage**, select `Signature`.
+
+1. Select **Create**.
+
+## Step 4: Configure Trusona Authentication Cloud as an IdP
+
+>[!TIP]
+>You should have the Azure AD B2C policy configured at this point. If not, follow the [instructions](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) on how to set up your Azure AD B2C tenant and configure policies.
+
+To enable users to sign in using Trusona Authentication Cloud, you need to define Trusona as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user has authenticated using a passkey or a hardware security key available on their device, proving the userΓÇÖs identity.
+
+Use the following steps to add Trusona as a claims provider:
+
+1. Get the custom policy starter packs from GitHub, then update the XML files in the LocalAccounts starter pack with your Azure AD B2C tenant name:
+
+ 1. [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository:
+ ```
+ git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
+ ```
+
+ 1. In all of the files in the **LocalAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.
+
+1. Open the `LocalAccounts/TrustFrameworkExtensions.xml`.
+
+1. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element, `TrustFrameworkPolicy`.
+
+1. Add a new **ClaimsProvider** similar to the one shown as follows:
+
+```xml
+<ClaimsProvider>
+ <Domain>TrusonaTAC</Domain>
+ <DisplayName>Trusona TAC</DisplayName>
+ <TechnicalProfiles>
+ <TechnicalProfile Id="TrusonaTAC-OpenIdConnect">
+ <DisplayName>TrusonaTAC</DisplayName>
+ <Description>Login with your Trusona TAC account</Description>
+ <Protocol Name="OpenIdConnect" />
+ <Metadata>
+ <Item Key="METADATA">https://authcloud.trusona.net/.well-known/openid-configuration</Item>
+ <Item Key="scope">openid profile email</Item>
+ <!-- Update the Client ID to the Trusona Authentication Cloud Application ID -->
+ <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
+ <Item Key="response_types">code</Item>
+ <Item Key="response_mode">form_post</Item>
+ <Item Key="HttpBinding">POST</Item>
+ <Item Key="UsePolicyInRedirectUri">false</Item>
+ <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
+ <!-- trying to add additional claim-->
+ <!--Insert b2c-extensions-app application ID here, for example: 11111111-1111-1111-1111-111111111111-->
+ <Item Key="11111111-1111-1111-1111-111111111111"></Item>
+ <!--Insert b2c-extensions-app application ObjectId here, for example: 22222222-2222-2222-2222-222222222222-->
+ <Item Key="11111111-1111-1111-1111-111111111111"></Item>
+ <!-- The key allows you to specify each of the Azure AD tenants that can be used to sign in. Update the GUIDs for each tenant. -->
+ <!--<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/187f16e9-81ab-4516-8db7-1c8ef94ffeca,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>-->
+ <!-- The commented key specifies that users from any tenant can sign-in. Uncomment if you would like anyone with an Azure AD account to be able to sign in. -->
+ <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>
+
+ </Metadata>
+ <CryptographicKeys>
+ <!-- Update the Client Secret to the Trusona Authentication Cloud Client Secret Name -->
+ <Key Id="client_secret" StorageReferenceId="B2C_1A_TrusonaTacSecret" />
+ </CryptographicKeys>
+ <OutputClaims>
+ <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
+ <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
+ <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
+ <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" DefaultValue="https://authcloud.trusona.net/" />
+ <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
+ <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
+ <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
+ <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
+ <OutputClaim ClaimTypeReferenceId="email" />
+ </OutputClaims>
+ <OutputClaimsTransformations>
+ <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
+ <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
+ <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
+ <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
+ </OutputClaimsTransformations>
+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
+ </TechnicalProfile>
+ </TechnicalProfiles>
+</ClaimsProvider>
+```
++
+1. Set **client_id** with the Trusona Authentication Cloud application ID that you previously recorded in [step 1](#step-1-onboard-with-trusona-authentication-cloud).
+
+1. Update **client_secret** section with the name of the policy key created in [Step 3](#step-3-create-trusona-authentication-cloud-policy-key). For example, `B2C_1A_TrusonaTacClientSecret`:
+
+ ```xml
+ <Key Id="client_secret" StorageReferenceId="B2C_1A_TrusonaTacClientSecret" />
+ ```
+1. Save the changes.
+
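Review bot: The `ValidTokenIssuerPrefixes` entries in the ClaimsProvider metadata (`<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item>` plus the commented GUID-based variant and its "anyone with an Azure AD account" comment) come from the multitenant Azure AD sample, not from this provider, whose issuer is `https://authcloud.trusona.net/` (the `DefaultValue` on the `identityProvider` output claim in the same profile); remove them so issuer validation is driven by the discovery document named in `METADATA`, as the flow table at the top of the page describes. The block under `<!-- trying to add additional claim-->` reads as a leftover: both `<Item>` elements use the same key `11111111-1111-1111-1111-111111111111` with empty values even though the comments ask for two different IDs, so either drop the block or give it real keys and a stated purpose. `<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />` appears twice in `OutputClaims`; keep one. Finally, the sample's `StorageReferenceId="B2C_1A_TrusonaTacSecret"` does not match the key name Step 3 tells the reader to create (`B2C_1A_TrusonaTacClientSecret`); using the same name in the sample would make the separate "Update client_secret" item unnecessary.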
+## Step 5: Add a user journey
+
+At this point, you've set up the IdP, but it's not yet available in any of the sign-in pages. If you've your own custom user journey continue to [Step 6](#step-6-add-the-idp-to-a-user-journey), otherwise, create a duplicate of an existing template user journey as follows:
+
+1. Open the `LocalAccounts/TrustFrameworkBase.xml` file from the starter pack.
+
+2. Find and copy the entire contents of the **UserJourney** element that includes `Id=SignUpOrSignIn`.
+
+3. Open the `LocalAccounts/TrustFrameworkExtensions.xml` and find the **UserJourneys** element. If the element doesn't exist, add one.
+
+4. Paste the entire content of the UserJourney element that you copied as a child of the UserJourneys element.
+
+5. Rename the `Id` of the user journey. For example, `Id=TrusonaTacSUSI`.
+
+## Step 6: Add the IdP to a user journey
+
+Now that you have a user journey, add the new IdP to the user journey.
+
+1. Find the orchestration step element that includes `Type=CombinedSignInAndSignUp`, or `Type=ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of IdPs that a user can sign in with. The order of the elements controls the order of the sign-in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name, such as `TrusonaTacExchange`.
+
+1. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier while adding the claims provider, for example, `TrusonaTAC-OpenIdConnect`.
+
+The following XML demonstrates orchestration steps of a user journey with the identity provider:
+
+```xml
+ <UserJourney Id="TrusonaTacSUSI">
+ <OrchestrationSteps>
+ <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
+ <ClaimsProviderSelections>
+ <ClaimsProviderSelection TargetClaimsExchangeId="TrusonaTacExchange" />
+ <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
+ </ClaimsProviderSelections>
+ <ClaimsExchanges>
+ <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
+ </ClaimsExchanges>
+ </OrchestrationStep>
+ <!-- Check if the user has selected to sign in using one of the social providers -->
+ <OrchestrationStep Order="2" Type="ClaimsExchange">
+ <Preconditions>
+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
+ <Value>objectId</Value>
+ <Action>SkipThisOrchestrationStep</Action>
+ </Precondition>
+ </Preconditions>
+ <ClaimsExchanges>
+ <ClaimsExchange Id="TrusonaTacExchange" TechnicalProfileReferenceId="TrusonaTAC-OpenIdConnect" />
+ <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
+ </ClaimsExchanges>
+ </OrchestrationStep>
+ <OrchestrationStep Order="3" Type="ClaimsExchange">
+ <Preconditions>
+ <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
+ <Value>authenticationSource</Value>
+ <Value>localAccountAuthentication</Value>
+ <Action>SkipThisOrchestrationStep</Action>
+ </Precondition>
+ </Preconditions>
+ <ClaimsExchanges>
+ <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
+ </ClaimsExchanges>
+ </OrchestrationStep>
+ <!-- Show self-asserted page only if the directory does not have the user account already (we do not have an objectId). This can only happen when authentication happened using a social IDP. If local account was created or authentication done using ESTS in step 2, then an user account must exist in the directory by this time. -->
+ <OrchestrationStep Order="4" Type="ClaimsExchange">
+ <Preconditions>
+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
+ <Value>objectId</Value>
+ <Action>SkipThisOrchestrationStep</Action>
+ </Precondition>
+ </Preconditions>
+ <ClaimsExchanges>
+ <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
+ </ClaimsExchanges>
+ </OrchestrationStep>
+ <!-- This step reads any user attributes that we may not have received when authenticating using ESTS so they can be sent in the token. -->
+ <OrchestrationStep Order="5" Type="ClaimsExchange">
+ <Preconditions>
+ <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
+ <Value>authenticationSource</Value>
+ <Value>socialIdpAuthentication</Value>
+ <Action>SkipThisOrchestrationStep</Action>
+ </Precondition>
+ </Preconditions>
+ <ClaimsExchanges>
+ <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
+ </ClaimsExchanges>
+ </OrchestrationStep>
+ <!-- The previous step (SelfAsserted-Social) could have been skipped if there were no attributes to collect from the user. So, in that case, create the user in the directory if one does not already exist (verified using objectId which would be set from the last step if account was created in the directory. -->
+ <OrchestrationStep Order="6" Type="ClaimsExchange">
+ <Preconditions>
+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
+ <Value>objectId</Value>
+ <Action>SkipThisOrchestrationStep</Action>
+ </Precondition>
+ </Preconditions>
+ <ClaimsExchanges>
+ <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
+ </ClaimsExchanges>
+ </OrchestrationStep>
+ <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
+ </OrchestrationSteps>
+ <ClientDefinition ReferenceId="DefaultWeb" />
+ </UserJourney>
+```
+Learn more about [User Journeys](custom-policy-overview.md#user-journeys).
+
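Review bot: "If you've your own custom user journey continue to Step 6" in the Step 5 intro should read "If you have your own custom user journey, continue to Step 6"; the contraction does not work with "have" as a main verb here.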
+## Step 7: Configure the relying party policy
+
+The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey which Azure AD B2C executes. Find the **DefaultUserJourney** element within relying party. Update the **ReferenceId** to match the user journey ID, in which you added the identity provider.
+
+In the following example, for the `Trusona Authentication Cloud` user journey, the **ReferenceId** is set to `TrusonaTacSUSI`:
+
+```xml
+ <RelyingParty>
+ <DefaultUserJourney ReferenceId="TrusonaTacSUSI" />
+ <TechnicalProfile Id="PolicyProfile">
+ <DisplayName>PolicyProfile</DisplayName>
+ <Protocol Name="OpenIdConnect" />
+ <OutputClaims>
+ <OutputClaim ClaimTypeReferenceId="displayName" />
+ <OutputClaim ClaimTypeReferenceId="givenName" />
+ <OutputClaim ClaimTypeReferenceId="surname" />
+ <OutputClaim ClaimTypeReferenceId="email" />
+ <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
+ <OutputClaim ClaimTypeReferenceId="identityProvider" />
+ <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
+ <OutputClaim ClaimTypeReferenceId="correlationId" DefaultValue="{Context:CorrelationId}" />
+ </OutputClaims>
+ <SubjectNamingInfo ClaimType="sub" />
+ </TechnicalProfile>
+ </RelyingParty>
+
+```
+
+## Step 8: Upload the custom policy
+
+1. Sign in to the [Azure portal](https://portal.azure.com/#home).
+
+1. Make sure you're using the directory that contains your Azure AD B2C tenant:
+
+ a. Select the **Directories + subscriptions** icon in the portal toolbar.
+
+ b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
+
+1. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
+
+1. Under Policies, select **Identity Experience Framework**.
+
+1. Select **Upload Custom Policy**, and then upload the two policy files that you changed, in the following order: the extension policy, for example `TrustFrameworkExtensions.xml`, then the relying party policy, such as `SignUpOrSignin.xml`.
+
+## Step 9: Test your custom policy
+
+1. In your Azure AD B2C tenant, under **Policies**, select **Identity Experience Framework**.
+
+1. Under **Custom policies**, select **TrusonaTacSUSI**.
+
+1. For **Application**, select the web application that you previously registered as part of this article's prerequisites. for example `jwt ms`. The **Reply URL** should show `https://jwt.ms`.
+
+1. Select **Run now**. Your browser should be redirected to the Trusona Authentication Cloud sign-in page.
+
+2. A sign in screen is shown; at the bottom should be a button to use **Trusona Authentication Cloud** authentication.
+
+1. You should be redirected to Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username ΓÇô typically an email address. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.
+
+1. If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+
-1. After you scan the Secure QR code, you should be redirected to the Reply URL you defined.
## Next steps + For additional information, review the following articles:
+- [Azure AD B2C docs](solution-articles.md)
+
+- [Ask your question on Stackoverflow](https://stackoverflow.com/questions/tagged/azure-ad-b2c)
+
+- [Azure AD B2C Samples](https://stackoverflow.com/questions/tagged/azure-ad-b2c)
+
+- [Azure AD B2C YouTube training playlist](https://www.youtube.com/playlist?list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0)
+ - [Custom policies in Azure AD B2C](custom-policy-overview.md) -- [Get started with custom policies in AAD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
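Review bot: The Step 9 test sequence is out of order and inconsistently numbered: the "Select **Run now**" item already says the browser is redirected to the Trusona Authentication Cloud sign-in page, the next item ("A sign in screen is shown; at the bottom should be a button to use **Trusona Authentication Cloud** authentication") describes the Azure AD B2C page that comes before that redirect, and the items are numbered `1.`, `2.`, `1.`, `1.`; order them as run the policy, B2C page with the Trusona button, redirect to Trusona, then `https://jwt.ms`, using `1.` throughout like the rest of the page. The "For **Application**" item says the app was registered "as part of this article's prerequisites. for example `jwt ms`", but it was registered in Step 2 above, and "for example" needs a comma rather than a period before it. The WebAuthn walkthrough here is a third verbatim copy of the flow table text; link to the table instead. In Next steps, the "Azure AD B2C Samples" entry points at the same Stack Overflow URL as the "Ask your question on Stackoverflow" entry and needs the samples URL.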
active-directory-domain-services Migrate From Classic Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/migrate-from-classic-vnet.md
Previously updated : 01/29/2023 Last updated : 03/10/2023
Before you begin the migration process, complete the following initial checks an
The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet your managed domain is deployed into.
- | Inbound port number | Protocol | Source | Destination | Action | Required | Purpose |
- |:--:|:--:|:-:|:--:|::|:--:|:--|
- | 5986 | TCP | AzureActiveDirectoryDomainServices | Any | Allow | Yes | Management of your domain. |
- | 3389 | TCP | CorpNetSaw | Any | Allow | Optional | Debugging for support. |
- | 636 | TCP | AzureActiveDirectoryDomainServices | Inbound | Allow | Optional | Secure LDAP. |
+ | Source | Source service tag | Source port ranges | Destination | Service | Destination port ranges | Protocol | Action | Required | Purpose |
+ |:--:|:-:|::|:-:|:-:|:--:|:--:|::|:--:|:--|
+ | Service tag | AzureActiveDirectoryDomainServices | * | Any | WinRM | 5986 | TCP | Allow | Yes | Management of your domain |
+ | Service tag | CorpNetSaw | * | Any | WinRM | 3389 | TCP | Allow | Optional | Debugging for support |
+ | Service tag | AzureActiveDirectoryDomainServices | * | Any | WinRM | 636 | TCP | Allow | Optional | Secure LDAP |
Make a note of this target resource group, target virtual network, and target virtual network subnet. These resource names are used during the migration process.
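Review bot: In the rebuilt inbound rules table the **Service** column reads `WinRM` for all three rows, but only port 5986 is WinRM; the 3389 row ("Debugging for support") is RDP and the 636 row ("Secure LDAP") is LDAPS, so those two cells should be `RDP` and `Custom` (with the 636 port range) rather than `WinRM`, otherwise a reader who creates the rule from the table will pick the wrong service preset and port. Replacing the old `Inbound` destination on the 636 row with `Any` is correct.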
active-directory Configure Automatic User Provisioning Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md
This article describes the general steps for managing automatic user account pro
## Finding your apps in the portal
-Use the Azure Active Directory portal to view and manage all applications that are configured for single sign-on in a directory. Enterprise apps are apps that are deployed and used within your organization. Follow these steps to view and manage your enterprise applications:
+Use the Azure portal to view and manage all applications that are configured for single sign-on in a directory. Enterprise apps are apps that are deployed and used within your organization. Follow these steps to view and manage your enterprise applications:
-1. Open the [Azure Active Directory portal](https://aad.portal.azure.com).
-1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery.
+1. Open the [Azure portal](https://portal.azure.com).
+1. Browse to **Azure Active Directory** > **Enterprise applications**.
+1. A list of all configured apps is shown, including apps that were added from the gallery.
1. Select any app to load its resource pane, where you can view reports and manage app settings. 1. Select **Provisioning** to manage user account provisioning settings for the selected app.
active-directory Customize Application Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md
You can customize the default attribute-mappings according to your business need
Follow these steps to access the **Mappings** feature of user provisioning:
-1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com).
-1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Browse to **Azure Active Directory** > **Enterprise applications**.
+1. A list of all configured apps is shown, including apps that were added from the gallery.
1. Select any app to load its app management pane, where you can view reports and manage app settings. 1. Select **Provisioning** to manage user account provisioning settings for the selected app. 1. Expand **Mappings** to view and edit the user attributes that flow between Azure AD and the target application. If the target application supports it, this section lets you optionally configure provisioning of groups and user accounts.
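Review bot: same split as in the previous file: "A list of all configured apps is shown ..." is not a step the reader performs, so append it to the "Browse to **Azure Active Directory** > **Enterprise applications**." step instead of numbering it on its own, keeping the step count aligned with the other portal walkthroughs in this change.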
When you are editing the list of supported attributes, the following properties
#### Provisioning a custom extension attribute to a SCIM compliant application The SCIM RFC defines a core user and group schema, while also allowing for extensions to the schema to meet your application's needs. To add a custom attribute to a SCIM application:
- 1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com), select **Enterprise Applications**, select your application, and then select **Provisioning**.
+ 1. Sign in to the [Azure portal](https://portal.azure.com), select **Enterprise Applications**, select your application, and then select **Provisioning**.
2. Under **Mappings**, select the object (user or group) for which you'd like to add a custom attribute. 3. At the bottom of the page, select **Show advanced options**. 4. Select **Edit attribute list for AppName**.
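Review bot: this step keeps "select **Enterprise Applications**" (capital A, and without the **Azure Active Directory** hop) while the other hunks in this change standardise on "Browse to **Azure Active Directory** > **Enterprise applications**"; use the same wording and casing here so the navigation path matches the portal and the rest of the patch. The leading space before `1.` in the added line is also inconsistent with the other list items.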
active-directory On Premises Application Provisioning Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md
Since ECMA Connector Host currently only supports the USER object type, the OBJE
### User creation workflow
-1. The Azure AD provisioning service queries the ECMA Connector Host to see if the user exists. It uses the **matching attribute** as the filter. This attribute is defined in the Azure AD portal under Enterprise applications -> On-premises provisioning -> provisioning -> attribute matching. It is denoted by the 1 for matching precedence.
+1. The Azure AD provisioning service queries the ECMA Connector Host to see if the user exists. It uses the **matching attribute** as the filter. This attribute is defined in the Azure portal under Enterprise applications -> On-premises provisioning -> provisioning -> attribute matching. It is denoted by the 1 for matching precedence.
You can define one or more matching attribute(s) and prioritize them based on the precedence. Should you want to change the matching attribute you can also do so. [![Matching attribute](.\media\on-premises-application-provisioning-architecture\match-1.png)](.\media\on-premises-application-provisioning-architecture\match-1.png#lightbox)
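Review bot: the navigation path in the new line still uses the bare `->` arrows and unbolded, lowercase segments ("Enterprise applications -> On-premises provisioning -> provisioning -> attribute matching"), whereas every other hunk in this change writes paths as bold segments joined by `>` and starts them at **Azure Active Directory**; align it while the line is being touched. Separately, the image link on the unchanged line uses backslash paths (`.\media\...`), which are not portable across build hosts; forward slashes are the form used elsewhere in these articles.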
active-directory Plan Auto User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-auto-user-provisioning.md
Widen the rollout to larger groups of users by increasing the scope of the group
## Plan application connections and administration
-Use the Azure AD portal to view and manage all the applications that support provisioning. See [Finding your apps in the portal](../app-provisioning/configure-automatic-user-provisioning-portal.md).
+Use the Azure portal to view and manage all the applications that support provisioning. See [Finding your apps in the portal](../app-provisioning/configure-automatic-user-provisioning-portal.md).
### Determine the type of connector to use
active-directory Plan Cloud Hr Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
To facilitate Azure AD provisioning workflows between the cloud HR app and Activ
For example, the following image lists the Workday connector apps that are available in the Azure AD app gallery.
-![Azure Active Directory portal app gallery](media/plan-cloud-hr-provision/plan-cloudhr-provisioning-img2.png)
+![Azure portal app gallery](media/plan-cloud-hr-provision/plan-cloudhr-provisioning-img2.png)
### Decision flow chart
active-directory Use Scim To Provision Users And Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
Previously updated : 03/09/2023 Last updated : 03/10/2023
In the sample code, the request is translated into a call to the CreateAsync met
Task<Resource> CreateAsync(IRequest<Resource> request); ```
-In a request to a user provisioning, the value of the resource argument is an instance of the Microsoft.SCIM.Core2EnterpriseUser class, defined in the Microsoft.SCIM.Schemas library. If the request to provision the user succeeds, then the implementation of the method is expected to return an instance of the Microsoft.SCIM.Core2EnterpriseUser class, with the value of the Identifier property set to the unique identifier of the newly provisioned user.
+In a request for user provisioning, the value of the resource argument is an instance of the Microsoft.SCIM.Core2EnterpriseUser class. This class is defined in the Microsoft.SCIM.Schemas library. If the request to provision the user succeeds, then the implementation of the method is expected to return an instance of the Microsoft.SCIM.Core2EnterpriseUser class. The value of the `Identifier` property is set to the unique identifier of the newly provisioned user.
***Example 3. Query the current state of a user***
-To update a user known to exist in an identity store fronted by an SCIM, Azure AD proceeds by requesting the current state of that user from the service with a request such as:
+Azure AD requests the current state of the specified user from the service with a request such as:
``` GET ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1
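Review bot: the rewrite of the Example 3 intro drops the one fact that explained why this request happens: the original said Azure AD fetches the current state of a user it already knows exists in the store *before updating it*. The new "Azure AD requests the current state of the specified user ..." gives no trigger, so consider "Before updating a user known to exist in the identity store, Azure AD requests the current state of that user with a request such as:". In the earlier paragraph of the same hunk, turning "with the value of the Identifier property set to ..." into a standalone sentence ("The value of the `Identifier` property is set to ...") changes it from a contract the implementation must satisfy into a statement of fact; "..., with its `Identifier` property set to the unique identifier of the newly provisioned user." keeps the obligation, and `Microsoft.SCIM.Core2EnterpriseUser` should get the same code formatting that `Identifier` received.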
In the sample code, the request is translated into a call to the RetrieveAsync m
Task<Resource> RetrieveAsync(IRequest<IResourceRetrievalParameters> request); ```
-In the example of a request to retrieve the current state of a user, the values of the properties of the object provided as the value of the parameters argument are as follows:
+In the example of a request, to retrieve the current state of a user, the values of the properties of the object provided as the value of the parameters argument are as follows:
* Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682" * SchemaIdentifier: `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`
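Review bot: the comma inserted after "In the example of a request" separates the noun from its restrictive infinitive ("a request to retrieve the current state of a user"), so the added line reads worse than the removed one; drop both commas: `In the example of a request to retrieve the current state of a user, the values of the properties of the object provided as the value of the parameters argument are as follows:`.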
In the sample code, the request is translated into a call to the UpdateAsync met
Task UpdateAsync(IRequest<IPatch> request); ```
-In the example of a request to update a user, the object provided as the value of the patch argument has these property values:
+In the example of a request, to update a user, the object provided as the value of the patch argument has these property values:
|Argument|Value| |-|-|
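Review bot: same punctuation regression as the retrieve example above: "In the example of a request, to update a user," splits the phrase "a request to update a user"; revert to `In the example of a request to update a user, the object provided as the value of the patch argument has these property values:`.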
Applications that support the SCIM profile described in this article can be conn
**To connect an application that supports SCIM:**
-1. Sign in to the [Azure AD portal](https://aad.portal.azure.com). You can get access a free trial for Azure AD with P2 licenses by signing up for the [developer program](https://developer.microsoft.com/microsoft-365/dev-program))
-1. Select **Enterprise applications** from the left pane. A list of all configured apps is shown, including apps that were added from the gallery.
+1. Sign in to the [Azure portal](https://portal.azure.com). You can get access a free trial for Azure AD with P2 licenses by signing up for the [developer program](https://developer.microsoft.com/microsoft-365/dev-program))
+1. Browse to **Azure Active Directory** > **Enterprise applications**.
+1. A list of all configured apps is shown, including apps that were added from the gallery.
1. Select **+ New application** > **+ Create your own application**. 1. Enter a name for your application, choose the option "*integrate any other application you don't find in the gallery*" and select **Add** to create an app object. The new app is added to the list of enterprise applications and opens to its app management screen.
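Review bot: the added sign-in step carries over two defects from the removed line that should be fixed while it is being rewritten: "You can get access a free trial" is missing "to" ("You can get access to a free trial"), and "dev-program))" closes a parenthesis that was never opened and has no terminating period. As in the other portal walkthroughs in this change, "A list of all configured apps is shown ..." is an observation, not an action, and belongs at the end of the "Browse to **Azure Active Directory** > **Enterprise applications**." step rather than as its own numbered step.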
The provisioning service supports the [authorization code grant](https://tools.i
> [!NOTE] > OAuth v1 is not supported due to exposure of the client secret. OAuth v2 is supported.
-Best practices (recommended, but not required):
-* Support multiple redirect URLs. Administrators can configure provisioning from both "portal.azure.com" and "aad.portal.azure.com". Supporting multiple redirect URLs will ensure that users can authorize access from either portal.
-* Support multiple secrets for easy renewal, without downtime.
+It is recommended, but not required, that you support multiple secrets for easy renewal without downtime.
#### How to set up OAuth code grant flow
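Review bot: removing the redirect-URL bullet leaves the section with no statement of which redirect URI the provisioning service's authorization request will present, and the authorization code grant only succeeds when the application has that exact URI registered; the reason for the removal is that the aad.portal.azure.com origin is going away, so replace the bullet with a one-line statement that the portal.azure.com redirect URL from the deleted bullet is the one that must be registered, rather than dropping the topic. The surviving recommendation also lost its list framing; keeping the "Best practices (recommended, but not required):" heading with a single bullet ("Support multiple secrets for easy renewal, without downtime.") reads better than the passive "It is recommended, but not required, that you support ..." and leaves room for the redirect URL item.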
active-directory Application Proxy Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-problem.md
Title: Problem creating an Azure Active Directory Application Proxy application
-description: How to troubleshoot issues creating Application Proxy applications in the Azure Active Directory Admin portal
+description: How to troubleshoot issues creating Application Proxy applications in the Azure portal
active-directory Application Proxy Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-domain.md
To create and verify a custom domain:
1. Go to your domain registrar and create a new TXT record for your domain, based on your copied DNS information. 1. After you register the domain, on the domain's page in Azure Active Directory, select **Verify**. Once the domain status is **Verified**, you can use the domain across all your Azure AD configurations, including Application Proxy.
-For more detailed instructions, see [Add your custom domain name using the Azure Active Directory portal](../fundamentals/add-custom-domain.md).
+For more detailed instructions, see [Add your custom domain name using the Azure portal](../fundamentals/add-custom-domain.md).
### Configure an app to use a custom domain
active-directory Application Proxy Configure Custom Home Page https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-home-page.md
You can set the home page URL either through the Azure portal or by using PowerS
## Change the home page in the Azure portal
-To change the home page URL of your app through the Azure AD portal, follow these steps:
+To change the home page URL of your app through the Azure portal, follow these steps:
1. Sign in to the [Azure portal](https://portal.azure.com/) as an administrator. 1. Select **Azure Active Directory**, and then **App registrations**. The list of registered apps appears.
active-directory Application Proxy Configure Native Client Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-native-client-application.md
Publish your proxy application as you would any other application and assign use
You now need to register your application in Azure AD, as follows:
-1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/). The **Dashboard** for the **Azure Active Directory admin center** appears.
-1. In the sidebar, select **Azure Active Directory**. The **Azure Active Directory** overview page appears.
-1. In the Azure AD overview sidebar, select **App registrations**. The list of all app registrations appears.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Browse to **Azure Active Directory** > **App registrations**. The list of all app registrations appears.
1. Select **New registration**. The **Register an application** page appears. ![Create a new app registration in the Azure portal](./media/application-proxy-configure-native-client-application/create.png)
if (authResult != null)
} ```
-The required info in the sample code can be found in the Azure AD portal, as follows:
+The required info in the sample code can be found in the Azure portal, as follows:
-| Info required | How to find it in the Azure AD portal |
+| Info required | How to find it in the Azure portal |
| | | | \<Tenant ID> | **Azure Active Directory** > **Properties** > **Directory ID** | | \<App ID of the Native app> | **Application registration** > *your native application* > **Overview** > **Application ID** |
active-directory Application Proxy Configure Single Sign On With Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-headers.md
The following table lists common capabilities required for header-based authenti
:::image type="content" source="./media/application-proxy-configure-single-sign-on-with-headers/how-it-works-updated.png" alt-text="How header-based single sign-on works with Application Proxy." lightbox="./media/application-proxy-configure-single-sign-on-with-headers/how-it-works-updated.png":::
-1. The Admin customizes the attribute mappings required by the application in the Azure AD portal.
+1. The Admin customizes the attribute mappings required by the application in the Azure portal.
2. When a user accesses the app, Application Proxy ensures the user is authenticated by Azure AD 3. The Application Proxy cloud service is aware of the attributes required. So the service fetches the corresponding claims from the ID token received during authentication. The service then translates the values into the required HTTP headers as part of the request to the Connector. 4. The request is then passed along to the Connector, which is then passed to the backend application.
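Review bot: step 2 in the unchanged context ("... ensures the user is authenticated by Azure AD") is missing its terminating period, and this list is the only one in the change that numbers explicitly (1., 2., 3., 4.) instead of the `1.`-for-every-item style used in the neighbouring articles; worth normalising while the hunk is open. The portal rename in step 1 itself is fine.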
active-directory Application Proxy Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-deployment-plan.md
However, users still need to carry out day to day privileged operations, so enfo
### Reporting and monitoring
-Azure AD provides additional insights into your organizationΓÇÖs application usage and operational health through [audit logs and reports](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). Application Proxy also makes it very easy to monitor connectors from the Azure AD portal and Windows Event Logs.
+Azure AD provides additional insights into your organizationΓÇÖs application usage and operational health through [audit logs and reports](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). Application Proxy also makes it very easy to monitor connectors from the Azure portal and Windows Event Logs.
#### Application audit logs
These logs provide detailed information about logins to applications configured
#### Application Proxy Connector monitoring
-The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Azure AD Portal. For more information about connector maintainence see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#maintenance).
+The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Azure portal. For more information about connector maintainence see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#maintenance).
![Example: Azure AD Application Proxy connectors](./media/application-proxy-connectors/app-proxy-connectors.png)
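Review bot: "maintainence" is misspelled in the added line (it should be "maintenance"), and the sentence needs a comma before the link: "For more information about connector maintenance, see [Understand Azure AD Application Proxy Connectors](...)". Since the `+` line is already rewriting this sentence, fix both here rather than leaving the typo for a later pass.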
active-directory Application Proxy Ping Access Publishing Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md
If you've enabled Application Proxy enabled and installed a connector already, y
The Application Proxy connector is a Windows Server service that directs the traffic from your remote employees to your published applications. For more detailed installation instructions, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md).
-1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/) as an application administrator. The **Azure Active Directory admin center** page appears.
-1. Select **Azure Active Directory** > **Application proxy** > **Download connector service**. The **Application Proxy Connector Download** page appears.
+1. Sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.
+1. Browse to **Azure Active Directory** > **Application proxy** > **Download connector service**. The **Application Proxy Connector Download** page appears.
![Application proxy connector download](./media/application-proxy-configure-single-sign-on-with-ping-access/application-proxy-connector-download.png)
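Review bot: the hunk's first context line, "If you've enabled Application Proxy enabled and installed a connector already, ...", repeats "enabled"; since this section is being edited, drop the second occurrence ("If you've enabled Application Proxy and installed a connector already"). The change to the capitalised role name "Application Administrator" in the added sign-in step is correct and should be mirrored in any remaining "application administrator" mentions in this article.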
You'll first have to publish your application. This action involves:
To publish your own on-premises application:
-1. If you didn't in the last section, sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/) as an application administrator.
-1. Select **Enterprise applications** > **New application** > **Add an on-premises application**. The **Add your own on-premises application** page appears.
+1. If you didn't in the last section, sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.
+1. Browse to **Enterprise applications** > **New application** > **Add an on-premises application**. The **Add your own on-premises application** page appears.
![Add your own on-premises application](./media/application-proxy-configure-single-sign-on-with-ping-access/add-your-own-on-premises-application.png) 1. Fill out the required fields with information about your new application. Use the guidance below for the settings.
Now assign a user for application testing and choose header-based single sign-on
Then make sure your redirect URL is set to your external URL:
-1. From the **Azure Active Directory admin center** sidebar, select **Azure Active Directory** > **App registrations**. A list of applications appears.
+1. From the **Azure portal**, browse to **Azure Active Directory** > **App registrations**. A list of applications appears.
1. Select your application. 1. Select the link next to **Redirect URIs**, showing the number of redirect URIs set up for web and public clients. The **\<application name> - Authentication** page appears. 1. Check whether the external URL that you assigned to your application earlier is in the **Redirect URIs** list. If it isn't, add the external URL now, using a redirect URI type of **Web**, and select **Save**.
You need to collect these three pieces of information (all GUIDs) to set up your
To collect this information:
-1. From the **Azure Active Directory admin center** sidebar, select **Azure Active Directory** > **App registrations**. A list of applications appears.
+1. From the **Azure portal**, browse to **Azure Active Directory** > **App registrations**. A list of applications appears.
1. Select your application. The **App registrations** page for your application appears. ![Registration overview for an application](./media/application-proxy-configure-single-sign-on-with-ping-access/registration-overview-for-an-application.png)
To collect this information:
**Update the `acceptMappedClaims` field:**
-1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/) as an application administrator.
-1. Select **Azure Active Directory** > **App registrations**. A list of applications appears.
+1. Sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.
+1. Browse to **Azure Active Directory** > **App registrations**. A list of applications appears.
1. Select your application. 1. From the sidebar of the **App registrations** page for your application, select **Manifest**. The manifest JSON code for your application's registration appears. 1. Search for the `acceptMappedClaims` field, and change the value to `True`.
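Review bot: the unchanged instruction to "change the value to `True`" is wrong for the manifest this step edits: the manifest is JSON (the preceding sentence says so), and JSON booleans are lowercase, so `True` will not parse; it should read "change the value to `true`". Worth correcting in the same hunk that touches these steps.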
Now that you've completed all the Azure Active Directory setup steps, you can mo
The detailed steps for the PingAccess part of this scenario continue in the Ping Identity documentation. Follow the instructions in [Configuring PingAccess for Azure AD](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_configuring_apps_for_azure) on the Ping Identity web site and download the [latest version of PingAccess](https://www.pingidentity.com/en/lp/azure-download.html).
-Those steps help you install PingAccess and set up a PingAccess account (if you don't already have one). Then, to create an Azure AD OpenID Connect (OIDC) connection, you set up a token provider with the **Directory (tenant) ID** value that you copied from the Azure AD portal. Next, to create a web session on PingAccess, you use the **Application (client) ID** and `PingAccess key` values. After that, you can set up identity mapping and create a virtual host, site, and application.
+Those steps help you install PingAccess and set up a PingAccess account (if you don't already have one). Then, to create an Azure AD OpenID Connect (OIDC) connection, you set up a token provider with the **Directory (tenant) ID** value that you copied from the Azure portal. Next, to create a web session on PingAccess, you use the **Application (client) ID** and `PingAccess key` values. After that, you can set up identity mapping and create a virtual host, site, and application.
### Test your application
active-directory Concept Authentication Operator Assistance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-operator-assistance.md
For example, let's say a customer in U.S has an office phone number 425-555-1234
If the setting is **Off**, the system will automatically dial extensions as part of the phone number. Your admin can still specify individual users who should be enabled for operator assistance by prefixing the extension with ΓÇÿ@ΓÇÖ. For example, 425-555-1234x@5678 would indicate that operator assistance should be used, even though the setting is **Off**.
-You can check the status of this feature in your own tenant by navigating to the [Azure AD portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade), then in the left pane, click **Security** > **MFA** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**.
+You can check the status of this feature in your own tenant by navigating to the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade), then in the left pane, click **Security** > **MFA** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**.
![Screenshot of operator assistance settings](./media/concept-authentication-operator-assistance/settings.png)
active-directory Concept Certificate Based Authentication Certificateuserids https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md
For sync'd users, AD users with role **Hybrid Identity Administrator** can write
Tenant admins can use the following steps Azure portal to update certificate user IDs for a user account:
-1. In the Azure AD portal, click **All users (preview)**.
+1. In the Azure portal, click **All users (preview)**.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/user.png" alt-text="Screenshot of test user account.":::
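Review bot: the hunk's context line "Tenant admins can use the following steps Azure portal to update certificate user IDs" is missing "in the" ("can use the following steps in the Azure portal"); since the very next line is being rewritten for the portal rename, fix the sentence in the same edit.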
active-directory Concepts Azure Multi Factor Authentication Prompts Session Lifetime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md
Under each sign-in log, go to the **Authentication Details** tab and explore **S
To configure or review the *Remain signed-in* option, complete the following steps:
-1. In the Azure AD portal, search for and select *Azure Active Directory*.
+1. In the Azure portal, search for and select *Azure Active Directory*.
1. Select **Company Branding**, then for each locale, choose **Show option to remain signed in**. 1. Choose *Yes*, then select **Save**. To remember multifactor authentication settings on trusted devices, complete the following steps:
-1. In the Azure AD portal, search for and select *Azure Active Directory*.
+1. In the Azure portal, search for and select *Azure Active Directory*.
1. Select **Security**, then **MFA**. 1. Under **Configure**, select **Additional cloud-based MFA settings**. 1. In the *Multi-factor authentication service settings* page, scroll to **remember multi-factor authentication settings**. Disable the setting by unchecking the checkbox. To configure Conditional Access policies for sign-in frequency and persistent browser session, complete the following steps:
-1. In the Azure AD portal, search for and select *Azure Active Directory*.
+1. In the Azure portal, search for and select *Azure Active Directory*.
1. Select **Security**, then **Conditional Access**. 1. Configure a policy using the recommended session management options detailed in this article.
active-directory How To Mfa Additional Context https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-additional-context.md
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
#### Example of how to enable application name and geographic location for separate groups In **featureSettings**, change **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled.**
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.
GET https://graph.microsoft.com/v1.0/authenticationMethodsPolicy/authenticationM
#### Example of how to disable application name and only enable geographic location In **featureSettings**, change the state of **displayAppInformationRequiredState** to **default** or **disabled** and **displayLocationInformationRequiredState** to **enabled.**
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.
Only users who are enabled for Microsoft Authenticator under Microsoft Authentic
#### Example of how to exclude a group from application name and geographic location In **featureSettings**, change the states of **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** from **default** to **enabled.**
-Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.
+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
-In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Azure AD portal. This change excludes that group from seeing application name or geographic location.
+In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Azure portal. This change excludes that group from seeing application name or geographic location.
You need to PATCH the entire schema to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The following example shows an update to **displayAppInformationRequiredState** and **displayLocationInformationRequiredState** under **featureSettings**.
To turn off additional context, you'll need to PATCH **displayAppInformationRequ
## Enable additional context in the portal
-To enable application name or geographic location in the Azure AD portal, complete the following steps:
+To enable application name or geographic location in the Azure portal, complete the following steps:
-1. In the Azure AD portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
+1. In the Azure portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
1. On the **Basics** tab, click **Yes** and **All users** to enable the policy for everyone, and change **Authentication mode** to **Any**. Only users who are enabled for Microsoft Authenticator here can be included in the policy to show the application name or geographic location of the sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see application name or geographic location.
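Review bot: in the Azure portal, **Security** sits under **Azure Active Directory**, and the other hunks in this change write the path as "Browse to **Azure Active Directory** > ..."; the added step here starts at **Security**, which leaves the reader without the first hop. Suggest `1. In the Azure portal, browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Microsoft Authenticator**.`, which also removes the redundancy with the "in the Azure portal" in the sentence immediately before the list.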
active-directory How To Mfa Number Match https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-number-match.md
In the upcoming Microsoft Authenticator release in January 2023 for iOS, there w
## Enable number matching in the portal
-To enable number matching in the Azure AD portal, complete the following steps:
+To enable number matching in the Azure portal, complete the following steps:
-1. In the Azure AD portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
+1. In the Azure portal, click **Security** > **Authentication methods** > **Microsoft Authenticator**.
1. On the **Enable and Target** tab, click **Yes** and **All users** to enable the policy for everyone or add selected users and groups. Set the **Authentication mode** for these users/groups to **Any** or **Push**. Only users who are enabled for Microsoft Authenticator here can be included in the policy to require number matching for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature.
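Review bot: same missing first hop as in the additional-context article: the added step starts the path at **Security**, whereas the rest of this change starts portal paths at **Azure Active Directory**; use `browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Microsoft Authenticator**` for consistency and so the step is followable from the portal landing page.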
GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationM
### Example of how to enable number matching for a single group In **featureSettings**, you'll need to change the **numberMatchingRequiredState** value from **default** to **enabled.**
-Inside the **includeTarget**, you'll need to change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.
+Inside the **includeTarget**, you'll need to change the **id** from **all_users** to the ObjectID of the group from the Azure portal.
To remove an excluded group from number matching, change the **id** of the **excludeTarget** to `00000000-0000-0000-0000-000000000000`. You need to PATCH the entire configuration to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **numberMatchingRequiredState**.
active-directory How To Mfa Registration Campaign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-registration-campaign.md
In addition to choosing who can be nudged, you can define how many days a user c
## Enable the registration campaign policy using the portal
-To enable a registration campaign in the Azure AD portal, complete the following steps:
+To enable a registration campaign in the Azure portal, complete the following steps:
-1. In the Azure AD portal, click **Security** > **Authentication methods** > **Registration campaign**.
+1. In the Azure portal, click **Security** > **Authentication methods** > **Registration campaign**.
1. For **State**, click **Enabled**, select any users or groups to exclude from the registration campaign, and then click **Save**. ![Screenshot of enabling a registration campaign.](./media/how-to-nudge-authenticator-app/registration-campaign.png)
active-directory How To Mfa Server Migration Utility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-server-migration-utility.md
You'll also need access to the following URLs:
- `https://graph.microsoft.com/*` (or `https://graph.microsoft.us/*` for government cloud customers) - `https://login.microsoftonline.com/*` (or `https://login.microsoftonline.us/*` for government cloud customers)
-The script will instruct you to grant admin consent to the newly created application. Navigate to the URL provided, or within the Azure AD portal, click **Application Registrations**, find and select the **MFA Server Migration Utility** app, click on **API permissions** and then granting the appropriate permissions.
+The script will instruct you to grant admin consent to the newly created application. Navigate to the URL provided, or within the Azure portal, click **Application Registrations**, find and select the **MFA Server Migration Utility** app, click on **API permissions** and then granting the appropriate permissions.
:::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/permissions.png" alt-text="Screenshot of permissions.":::
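Review bot: the rewritten sentence in this hunk keeps the grammatical slip from the old line, "click on **API permissions** and then granting the appropriate permissions"; since the line is being touched anyway, make the verbs parallel: "click **API permissions**, and then grant the appropriate permissions". It would also help the reader to say which permissions count as "appropriate", or link to the section of the article that lists them, since admin consent for a migration utility is a privileged step that readers should be able to verify rather than approve blindly.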
active-directory Howto Authentication Passwordless Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-deployment.md
The following are sample test cases for passwordless authentication with the Aut
| User can register the Authenticator app.| User can register app from https://aka.ms/mysecurityinfo. | | User can enable phone sign-in| Phone sign-in configured for work account. | | User can access an app with phone sign-in.| User goes through phone sign-in flow and reaches application. |
-| Test rolling back phone sign-in registration by turning off passwordless sign-in in the Authenticator app. Do this within the Authentication methods screen in the Azure AD portal| Previously enabled users unable to use passwordless sign-in from the Authenticator app. |
+| Test rolling back phone sign-in registration by turning off passwordless sign-in in the Authenticator app. Do this within the Authentication methods screen in the Azure portal| Previously enabled users unable to use passwordless sign-in from the Authenticator app. |
| Removing phone sign-in from the Authenticator app| Work account no longer available on the Authenticator app. |
Here are the sample test cases for passwordless authentication with security key
| The user can register FIDO2 device at aka.ms/mysecurityinfo using Firefox| Registration should succeed | | The user can sign in to OneDrive online using FIDO2 device using Microsoft Edge| Sign-in should succeed | | The user can sign in to OneDrive online using FIDO2 device using Firefox| Sign-in should succeed |
-| Test rolling back FIDO2 device registration by turning off FIDO2 Security Keys within the Authentication method window in the Azure Active Directory portal| Users will: <li> be prompted to sign in using their security key <li> successfully sign in and see an error: "Your company policy requires that you use a different method to sign in". <li>be able to select a different method and successfully sign in. Close the window and sign in again to verify they do not see the same error message. |
+| Test rolling back FIDO2 device registration by turning off FIDO2 Security Keys within the Authentication method window in the Azure portal| Users will: <li> be prompted to sign in using their security key <li> successfully sign in and see an error: "Your company policy requires that you use a different method to sign in". <li>be able to select a different method and successfully sign in. Close the window and sign in again to verify they do not see the same error message. |
### Troubleshoot security key sign-in
active-directory Howto Authentication Passwordless Security Key https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-security-key.md
There are some optional settings on the **Configure** tab to help manage how sec
To remove a FIDO2 key associated with a user account, delete the key from the userΓÇÖs authentication method.
-1. Sign in to the Azure AD portal and search for the user account from which the FIDO key is to be removed.
+1. Sign in to the Azure portal and search for the user account from which the FIDO key is to be removed.
1. Select **Authentication methods** > right-click **FIDO2 security key** and click **Delete**. ![View Authentication Method details](media/howto-authentication-passwordless-deployment/security-key-view-details.png)
active-directory Howto Authentication Temporary Access Pass https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-temporary-access-pass.md
The token lifetime (session token, refresh token, access token, etc.) obtained v
Under the **Authentication methods** for a user, the **Detail** column shows when the Temporary Access Pass expired. You can delete an expired Temporary Access Pass using the following steps:
-1. In the Azure AD portal, browse to **Users**, select a user, such as *Tap User*, then choose **Authentication methods**.
+1. In the Azure portal, browse to **Users**, select a user, such as *Tap User*, then choose **Authentication methods**.
1. On the right-hand side of the **Temporary Access Pass** authentication method shown in the list, select **Delete**. You can also use PowerShell:
active-directory Howto Mfa Mfasettings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-mfasettings.md
To use your own custom messages, complete the following steps:
## MFA service settings
-Settings for app passwords, trusted IPs, verification options, and remembering multi-factor authentication on trusted devices are available in the service settings. This is a legacy portal. It isn't part of the regular Azure AD portal.
+Settings for app passwords, trusted IPs, verification options, and remembering multi-factor authentication on trusted devices are available in the service settings. This is a legacy portal. It isn't part of the regular Azure portal.
You can access service settings from the Azure portal by going to **Azure Active Directory** > **Security** > **Multifactor authentication** > **Getting started** > **Configure** > **Additional cloud-based MFA settings**. A window or tab opens with additional service settings options.
active-directory Howto Mfa Nps Extension https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension.md
import-module MSOnline
Connect-MsolService New-MsolServicePrincipal -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -DisplayName "Azure Multi-Factor Auth Client" ```
-Once done , go to https://aad.portal.azure.com > "Enterprise Applications" > Search for "Azure Multi-Factor Auth Client" > Check properties for this app > Confirm if the service principal is enabled or disabled > Click on the application entry > Go to Properties of the app > If the option "Enabled for users to sign-in? is set to No in Properties of this app , please set it to Yes.
+Once done , go to the [Azure portal](https://portal.azure.com) > **Azure Active Directory** > **Enterprise Applications** > Search for "Azure Multi-Factor Auth Client" > Check properties for this app > Confirm if the service principal is enabled or disabled > Click on the application entry > Go to Properties of the app > If the option "Enabled for users to sign-in? is set to No in Properties of this app , please set it to Yes.
Run the `AzureMfaNpsExtnConfigSetup.ps1` script again and it should not return the `Service principal was not found` error.
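Review bot: the replacement line still carries the stray spaces before the commas ("Once done ,", "this app ,") and the unclosed quotation mark in `"Enabled for users to sign-in? is set to No`; while the sentence is being rewritten for the new portal path, close the quote as `"Enabled for users to sign-in?"` and drop the spaces. The chained "> ... >" steps ("Check properties for this app > Confirm if the service principal is enabled or disabled > Click on the application entry > Go to Properties of the app") also repeat themselves; a short numbered list (open the app, open **Properties**, set **Enabled for users to sign-in?** to **Yes**) would be clearer than one long line.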
active-directory Howto Sspr Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-deployment.md
You can also refer to [Complete out an Azure AD self-service password reset pilo
### Plan support
-While SSPR does not typically create user issues, it is important to prepare support staff to deal with issues that may arise. While an administrator can reset the password for end users through the Azure AD portal, it is better to help resolve the issue via a self-service support process.
+While SSPR does not typically create user issues, it is important to prepare support staff to deal with issues that may arise. While an administrator can reset the password for end users through the Azure portal, it is better to help resolve the issue via a self-service support process.
To enable your support team's success, you can create a FAQ based on questions you receive from your users. Here are a few examples:
active-directory Onboard Enable Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-tenant.md
To enable Permissions Management in your organization:
1. Go to [Entra services](https://entra.microsoft.com) and use your credentials to sign in to [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview). 1. If you aren't already authenticated, sign in as a global administrator user. 1. If needed, activate the global administrator role in your Azure AD tenant.
- 1. In the Azure AD portal, select **Permissions Management**, and then select the link to purchase a license or begin a trial.
+ 1. In the Azure portal, select **Permissions Management**, and then select the link to purchase a license or begin a trial.
> [!NOTE] > There are two ways to enable a trial or a full product license, self-service and volume licensing.
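Review bot: step 4 now reads "In the Azure portal, select **Permissions Management**", but step 1 of the same list sends the reader to the Entra admin center (https://entra.microsoft.com), so the procedure now names two different portals without saying when to switch. Either keep the Entra reference in step 4 or make step 1 point at the same portal, so the reader is not left looking for **Permissions Management** in the wrong place.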
active-directory How To Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-prerequisites.md
For steps on how to upgrade an existing agent to use a gMSA account see [group M
For more information on how to prepare your Active Directory for group Managed Service Account, see [group Managed Service Accounts Overview](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
-### In the Azure Active Directory admin center
+### In the Azure portal
1. Create a cloud-only hybrid identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. Learn about how to [add a cloud-only hybrid identity administrator account](../fundamentals/add-users-azure-active-directory.md). Finishing this step is critical to ensure that you don't get locked out of your tenant. 1. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
If there's a firewall between your servers and Azure AD, configure the following
| | | | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate. | | **443** | Handles all outbound communication with the service. |
- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure portal. |
- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service. - If your firewall or proxy allows you to specify safe suffixes, add connections:
active-directory Tutorial Existing Forest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/tutorial-existing-forest.md
You can use the environment you create in this tutorial for testing or for getti
In this scenario, there's an existing forest synced using Azure AD Connect sync to an Azure AD tenant. And you have a new forest that you want to sync to the same Azure AD tenant. You'll set up cloud sync for the new forest. ## Prerequisites
-### In the Azure Active Directory admin center
+### In the Azure portal
1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant. 2. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
In this scenario, there's an existing forest synced using Azure AD Connect sync
| | | | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate | | **443** | Handles all outbound communication with the service |
- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal. |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. |
If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service. - If your firewall or proxy allows you to specify safe suffixes, then add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md
## Configure Azure AD Connect cloud sync Use the following steps to configure provisioning
-1. Sign in to the Azure AD portal.
+1. Sign in to the Azure portal.
2. Select **Azure Active Directory** 3. Select **Azure AD Connect** 4. Select **Manage cloud sync**
active-directory Tutorial Single Forest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/tutorial-single-forest.md
You can use the environment you create in this tutorial for testing or for getti
## Prerequisites
-### In the Azure Active Directory admin center
+### In the Azure portal
1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant. 2. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
You can use the environment you create in this tutorial for testing or for getti
| | | | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate | | **443** | Handles all outbound communication with the service |
- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal. |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. |
If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service. - If your firewall or proxy allows you to specify safe suffixes, then add connections t to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
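Review bot: the unchanged line right after the port table still reads "add connections t to **\*.msappproxy.net**" (stray "t"); the parallel sentence in tutorial-existing-forest.md above reads "add connections to", so it is worth fixing while this file is open. The table rows themselves are fine, but "This status is displayed on the Azure portal" reads better as "in the Azure portal", matching the wording used in how-to-prerequisites.md earlier in this change.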
If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md
Use the following steps to configure and start the provisioning:
-1. Sign in to the Azure AD portal.
+1. Sign in to the Azure portal.
1. Select **Azure Active Directory** 1. Select **Azure AD Connect** 1. Select **Manage cloud sync**
active-directory Block Legacy Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/block-legacy-authentication.md
The following messaging protocols support legacy authentication:
- Universal Outlook - Used by the Mail and Calendar app for Windows 10. - Other clients - Other protocols identified as utilizing legacy authentication.
-For more information about these authentication protocols and services, see [Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities).
+For more information about these authentication protocols and services, see [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities).
### Identify legacy authentication use
active-directory Concept Conditional Access Policy Common https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-policy-common.md
Organizations can select individual policy templates and:
- [Block access by location](howto-conditional-access-policy-location.md) - [Block access except specific apps](howto-conditional-access-policy-block-access.md)
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] ## Next steps
active-directory Howto Conditional Access Policy Admin Mfa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md
Microsoft recommends you require MFA on the following roles at a minimum, based
Organizations can choose to include or exclude roles as they see fit.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] [!INCLUDE [active-directory-policy-deploy-template](../../../includes/active-directory-policy-deploy-template.md)]
active-directory Howto Conditional Access Policy All Users Mfa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md
As Alex Weinert, the Directory of Identity Security at Microsoft, mentions in hi
The guidance in this article will help your organization create an MFA policy for your environment.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] ## Application exclusions
active-directory Howto Conditional Access Policy Azure Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md
These tools can provide highly privileged access to resources that can make the
To protect these privileged resources, Microsoft recommends requiring multifactor authentication for any user accessing these resources. In Azure AD, these tools are grouped together in a suite called [Microsoft Azure Management](concept-conditional-access-cloud-apps.md#microsoft-azure-management). For Azure Government, this suite should be the Azure Government Cloud Management API app.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] [!INCLUDE [active-directory-policy-deploy-template](../../../includes/active-directory-policy-deploy-template.md)]
active-directory Howto Conditional Access Policy Block Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-access.md
For organizations with a conservative cloud migration approach, the block all po
Policies like these can have unintended side effects. Proper testing and validation are vital before enabling. Administrators should utilize tools such as [Conditional Access report-only mode](concept-conditional-access-report-only.md) and [the What If tool in Conditional Access](what-if-tool.md) when making changes.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] ## Create a Conditional Access policy
active-directory Howto Conditional Access Policy Compliant Device Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device-admin.md
Microsoft recommends you require enable this policy for the following roles at a
Organizations can choose to include or exclude roles as they see fit.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] [!INCLUDE [active-directory-policy-deploy-template](../../../includes/active-directory-policy-deploy-template.md)]
active-directory Howto Conditional Access Policy Compliant Device https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md
Policy compliance information is sent to Azure AD where Conditional Access decid
Requiring a hybrid Azure AD joined device is dependent on your devices already being hybrid Azure AD joined. For more information, see the article [Configure hybrid Azure AD join](../devices/howto-hybrid-azure-ad-join.md).
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] [!INCLUDE [active-directory-policy-deploy-template](../../../includes/active-directory-policy-deploy-template.md)]
active-directory Howto Policy App Enforced Restriction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-app-enforced-restriction.md
Block or limit access to SharePoint, OneDrive, and Exchange content from unmanaged devices.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] [!INCLUDE [active-directory-policy-deploy-template](../../../includes/active-directory-policy-deploy-template.md)]
active-directory Howto Policy Guest Mfa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-guest-mfa.md
Require guest users perform multifactor authentication when accessing your organization's resources.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] [!INCLUDE [active-directory-policy-deploy-template](../../../includes/active-directory-policy-deploy-template.md)]
active-directory Howto Policy Persistent Browser Session https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-persistent-browser-session.md
Protect user access on unmanaged devices by preventing browser sessions from remaining signed in after the browser is closed and setting a sign-in frequency to 1 hour.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] [!INCLUDE [active-directory-policy-deploy-template](../../../includes/active-directory-policy-deploy-template.md)]
active-directory Howto Policy Unknown Unsupported Device https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-unknown-unsupported-device.md
Users will be blocked from accessing company resources when the device type is unknown or unsupported.
+## User exclusions
[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] [!INCLUDE [active-directory-policy-deploy-template](../../../includes/active-directory-policy-deploy-template.md)]
active-directory Plan Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/plan-conditional-access.md
Previously updated : 08/11/2022 Last updated : 03/09/2023
# Plan a Conditional Access deployment
-Planning your Conditional Access deployment is critical to achieving your organization's access strategy for apps and resources.
+Planning your Conditional Access deployment is critical to achieving your organization's access strategy for apps and resources. Conditional Access policies provide great configuration flexibility. However, this flexibility also means you should plan carefully to avoid undesirable results.
[Azure Active Directory (Azure AD) Conditional Access](overview.md) analyses signals such as user, device, and location to automate decisions and enforce organizational access policies for resources. Conditional Access policies allow you to build conditions that manage security controls that can block access, require multifactor authentication, or restrict the userΓÇÖs session when needed and stay out of the userΓÇÖs way when not. With this evaluation and enforcement, Conditional Access defines the basis of [MicrosoftΓÇÖs Zero Trust security posture management](https://www.microsoft.com/security/business/zero-trust).
-![Conditional Access overview](./media/plan-conditional-access/conditional-access-overview-how-it-works.png)
+![Diagram showing a high level Conditional Access overview](./media/plan-conditional-access/conditional-access-overview-how-it-works.png)
Microsoft provides [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) that ensure a basic level of security enabled in tenants that don't have Azure AD Premium. With Conditional Access, you can create policies that provide the same protection as security defaults, but with granularity. Conditional Access and security defaults aren't meant to be combined as creating Conditional Access policies will prevent you from enabling security defaults.
-### Prerequisites
-
-* A working Azure AD tenant with Azure AD Premium or trial license enabled. If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-* An account with privileges to create Conditional Access policies.
-* A test user (non-administrator) that allows you to verify policies work as expected before you impact real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
+## Prerequisites
+
+* A working Azure AD tenant with Azure AD Premium P1, P2, or trial license enabled. If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+ * Azure AD Premium P2 is required to include Identity Protection risk in Conditional Access policies.
+* Administrators who interact with Conditional Access must have one or more of the following role assignments depending on the tasks they're performing. To follow the [Zero Trust principle of least privilege](/security/zero-trust/), consider using [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) to just-in-time activate privileged role assignments.
+ * Read Conditional Access policies and configurations
+ * [Security Reader](../roles/permissions-reference.md#security-reader)
+ * [Global Reader](../roles/permissions-reference.md#global-reader)
+ * Create or modify Conditional Access policies
+ * [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator)
+ * [Security Administrator](../roles/permissions-reference.md#security-administrator)
+* A test user (non-administrator) that allows you to verify policies work as expected before deploying to real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
* A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
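Review bot: the new role list under "Create or modify Conditional Access policies" names Conditional Access Administrator and Security Administrator only, while the `#### Permissions` block removed further down also listed Global Administrator. If the omission is deliberate, to steer readers toward the least-privileged roles (which fits the new sentence about Zero Trust and PIM just-in-time activation), say so in one sentence; otherwise the list understates who can change policy, which matters when an organization audits who is able to alter its access controls. The promotion of the heading from `### Prerequisites` to `## Prerequisites` looks right given the new `## Conditional Access policy components` heading that follows.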
-#### Permissions
+### Communicating change
-Conditional Access policies can be created or modified by anyone assigned the following roles:
+Communication is critical to the success of any new functionality. You should proactively communicate with your users how their experience will change, when it will change, and how to get support if they experience issues.
-- Conditional Access Administrator -- Security Administrator-- Global Administrator
+## Conditional Access policy components
-Conditional Access policies can be read by anyone assigned the following roles:
+Conditional Access policies answer questions about who can access your resources, what resources they can access, and under what conditions. Policies can be designed to grant access, limit access with session controls, or to block access. You [build a Conditional Access policy](concept-conditional-access-policies.md) by defining the if-then statements like:
-- Security Reader-- Global Reader
+| If an assignment is met | Apply the access controls |
+| | |
+| If you're a user in Finance accessing the Payroll application | Require multifactor authentication and a compliant device |
+| If you aren't a member of Finance accessing the Payroll application | Block access |
+| If your user risk is high | Require a multifactor authentication and a secure password change |
-## Understand Conditional Access policy components
+### User exclusions
-Policies answer questions about who should access your resources, what resources they should access, and under what conditions. Policies can be designed to grant access, limit access with session controls, or to block access. You [build a Conditional Access policy](concept-conditional-access-policies.md) by defining the if-then statements: **If an assignment is met, then apply the access controls**.
### Ask the right questions Here are some common questions about [Assignments and Access Controls](concept-conditional-access-cloud-apps.md). Document the answers to questions for each policy before building it out.
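Review bot: the added `+### User exclusions` heading at the end of this hunk has no body; the next line is the unchanged `### Ask the right questions` heading. Every other file in this change set pairs the same heading with `[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]`, so the include appears to be missing here; add it or drop the heading. In the new table, "Require a multifactor authentication and a secure password change" should read "Require multifactor authentication and a secure password change" to match the first row.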
-**Users or workload identities**
+#### Users or workload identities
-* Which users, groups, directory roles and workload identities will be included in or excluded from the policy?
+* Which users, groups, directory roles, or workload identities will be included in or excluded from the policy?
* What emergency access accounts or groups should be excluded from policy?
-**Cloud apps or actions**
+#### Cloud apps or actions
Will this policy apply to any application, user action, or authentication context? If yes-
-* What application(s) will the policy apply to?
+* What application(s) or services will the policy apply to?
* What user actions will be subject to this policy? * What authentication contexts will this policy be applied to?
-**Conditions**
+#### Conditions
* Which device platforms will be included in or excluded from the policy?
-* What are the organizationΓÇÖs trusted locations?
-* What locations will be included in or excluded from the policy?
+* What are the organizationΓÇÖs known network locations?
+ * What locations will be included in or excluded from the policy?
* What client app types will be included in or excluded from the policy?
-* Do you have policies that would drive excluding Azure AD joined devices or Hybrid Azure AD joined devices from policies?
-* If using [Identity Protection](../identity-protection/concept-identity-protection-risks.md), do you want to incorporate sign-in risk protection?
+* Do you need to target specific device attributes?
+* If using [Identity Protection](../identity-protection/concept-identity-protection-risks.md), do you want to incorporate sign-in or user risk?
+
+##### User and sign-in risk
+
+For organizations with Azure AD Premium P2 licenses, they can include user and sign-in risk in their Conditional Access policies. These additions can help reduce the friction of security measures by requiring multifactor authentication or secure password change only when a user or sign-in is considered risky.
-**Grant or Block**
+For more information about risk and its use in policy, see the article [What is risk](../identity-protection/concept-identity-protection-risks.md).
+
+#### Block or grant controls
Do you want to grant access to resources by requiring one or more of the following?
-* Require MFA
-* Require device to be marked as compliant
-* Require hybrid Azure AD joined device
-* Require approved client app
-* Require app protection policy
-* Require password change
-* Use Terms of Use
+* Multifactor authentication
+* Device marked as compliant
+* Using a hybrid Azure AD joined device
+* Using an approved client app
+* App protection policy applied
+* Password change
+* Terms of Use accepted
+
+**Block access** is a powerful control that you should apply with appropriate knowledge. Policies with block statements can have unintended side effects. Proper testing and validation are vital before you enable the control at scale. Administrators should use tools such as [Conditional Access report-only mode](concept-conditional-access-report-only.md) and [the What If tool in Conditional Access](what-if-tool.md) when making changes.
-**Session control**
+#### Session controls
Do you want to enforce any of the following access controls on cloud apps?
Do you want to enforce any of the following access controls on cloud apps?
* Use persistent browser sessions * Customize continuous access evaluation
-### Access token issuance
+### Combining policies
-[Access tokens](../develop/access-tokens.md) grant or deny access based on whether the user making a request has been authorized and authenticated. If the requestor can prove they're who they claim to be, they can access the protected resources or functionality.
+When creating and assigning policies, you must take into account how access tokens work. [Access tokens](../develop/access-tokens.md) grant or deny access based on whether the users making a request have been authorized and authenticated. If the requestor can prove they're who they claim to be, they can access the protected resources or functionality.
-![Access token issuance diagram](media/plan-conditional-access/CA-policy-token-issuance.png)
+**Access tokens are issued by default if a Conditional Access policy condition does not trigger an access control**.
-**Access tokens are by default issued if a Conditional Access policy condition does not trigger an access control**.
+This policy doesnΓÇÖt prevent the app having its own ability to block access.
-This doesnΓÇÖt prevent the app to have separate authorization to block access. For example, consider a policy where:
+For example, consider a simplified policy example where:
+
+Users: FINANCE GROUP <br>
+Accessing: PAYROLL APP <br>
+Access control: Multifactor authentication<br>
- * IF user is in finance team, THEN force MFA to access their payroll app.
- * IF a user not in finance team attempts to access the payroll app, the user will be issued an access token.
- * To ensure users outside of finance group can't access the payroll app, a separate policy should be created to block all other users. If all users except for finance team and emergency access accounts group, accessing payroll app, then block access.
+- User A is in the FINANCE GROUP, they're required to perform multifactor authentication to access the **PAYROLL APP**.
+- User B is **not** in the FINANCE GROUP, is issued an access token and is allowed to access the **PAYROLL APP** without performing multifactor authentication.
+
+To ensure users outside of finance group can't access the payroll app, a separate policy could be created to block all other users, like the following simplified policy:
-## Follow best practices
+Users: Include All Users / Exclude FINANCE GROUP <br>
+Accessing: PAYROLL APP <br>
+Access control: Block access <br>
-Conditional Access provides you with great configuration flexibility. However, great flexibility also means you should carefully review each configuration policy before releasing it to avoid undesirable results.
+Now when User B attempts to access the **PAYROLL APP** they're blocked.
-### Set up emergency access accounts
+![Diagram showing access token issuance](media/plan-conditional-access/CA-policy-token-issuance.png)
-**If you misconfigure a policy, it can lock the organizations out of the Azure portal**.
+## Recommendations
-Mitigate the impact of accidental administrator lockout by creating two or more [emergency access accounts](../roles/security-emergency-access.md) in your organization. Create a user account dedicated to policy administration and excluded from all your policies.
+Taking into account our learnings in the use of Conditional Access and supporting other customers, here are a few recommendations based on our learnings.
### Apply Conditional Access policies to every app
-**Ensure that every app has at least one Conditional Access policy applied**. From a security perspective it's better to create a policy that encompasses **All cloud apps**, and then exclude applications that you don't want the policy to apply to. This ensures you don't need to update Conditional Access policies every time you onboard a new application.
+**Ensure that every app has at least one Conditional Access policy applied**. From a security perspective it's better to create a policy that encompasses **All cloud apps**, and then exclude applications that you don't want the policy to apply to. This practice ensures you don't need to update Conditional Access policies every time you onboard a new application.
-> [!IMPORTANT]
+> [!TIP]
> Be very careful in using block and all apps in a single policy. This could lock admins out of the Azure portal, and exclusions cannot be configured for important endpoints such as Microsoft Graph. ### Minimize the number of Conditional Access policies Creating a policy for each app isnΓÇÖt efficient and leads to difficult administration. Conditional Access has a limit of 195 policies per-tenant. We recommend that you **analyze your apps and group them into applications that have the same resource requirements for the same users**. For example, if all Microsoft 365 apps or all HR apps have the same requirements for the same users, create a single policy and include all the apps to which it applies.
-### Set up report-only mode
+### Configure report-only mode
-It can be difficult to predict the number and names of users affected by common deployment initiatives such as:
+By default, each policy created from template is created in report-only mode. We recommended organizations test and monitor usage, to ensure the intended result, before turning on each policy.
-* Blocking legacy authentication
-* Requiring MFA
-* Implementing sign-in risk policies
+[Enable policies in report-only mode](howto-conditional-access-insights-reporting.md). Once you save a policy in report-only mode, you can see the effect on real-time sign-ins in the sign-in logs. From the sign-in logs, select an event and navigate to the **Report-only** tab to see the result of each report-only policy.
-[Report-only mode ](concept-conditional-access-report-only.md) allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. **First configure your policies in report-only mode and let it run for an interval before enforcing it in your environment**.
+You can view the aggregate affects of your Conditional Access policies in the **Insights and Reporting workbook**. To access the workbook, you need an Azure Monitor subscription and you'll need to [stream your sign-in logs to a log analytics workspace](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
### Plan for disruption
-If you rely on a single access control such as MFA or a network location to secure your IT systems, you're susceptible to access failures if that single access control becomes unavailable or misconfigured.
+If you rely on a single access control such as multifactor authentication or a network location to secure your IT systems, you're susceptible to access failures if that single access control becomes unavailable or misconfigured.
-**To reduce the risk of lockout during unforeseen disruptions, [plan strategies](../authentication/concept-resilient-controls.md) to adopt for your organization**.
+**To reduce the risk of lockout during unforeseen disruptions, [plan resilience strategies](../authentication/concept-resilient-controls.md) for your organization**.
### Set naming standards for your policies
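Review bot: The removed "Set up emergency access accounts" section (the "If you misconfigure a policy, it can lock the organizations out of the Azure portal" warning and the advice to create two or more emergency access accounts plus a dedicated policy-administration account excluded from all policies) has no replacement in this diff, yet later text still assumes the reader has such accounts ("Make sure you exclude your emergency access accounts", "Be sure to exempt your emergency access accounts from this policy"). If the guidance moved to another article, link it from the new "Recommendations" section; otherwise restore it. Related: switching the block-and-all-apps warning from `> [!IMPORTANT]` to `> [!TIP]` downgrades a lockout warning; `[!CAUTION]` or `[!IMPORTANT]` fits better, and this same diff already uses `[!CAUTION]` for the exclusions note in the roll-back section. Minor wording in the added lines: "Require a multifactor authentication" has a stray "a"; "For organizations with Azure AD Premium P2 licenses, they can include" reads better as "Organizations with Azure AD Premium P2 licenses can include"; "each policy created from template" needs "a template"; "aggregate affects" should be "aggregate effects"; and "Taking into account our learnings ... based on our learnings" repeats itself.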
If you rely on a single access control such as MFA or a network location to secu
* Who it applies to * When it applies (if applicable)
-![Screenshot that shows the naming standards for policies.](media/plan-conditional-access/11.png)
+![Diagram showing the example naming standards for policies.](media/plan-conditional-access/11.png)
-**Example**; A policy to require MFA for marketing users accessing the Dynamics CRP app from external networks might be:
+**Example**: A policy to require MFA for marketing users accessing the Dynamics CRP app from external networks might be:
-![Naming standard](media/plan-conditional-access/naming-example.png)
+![Diagram showing a naming standard](media/plan-conditional-access/naming-example.png)
A descriptive name helps you to keep an overview of your Conditional Access implementation. The Sequence Number is helpful if you need to reference a policy in a conversation. For example, when you talk to an administrator on the phone, you can ask them to open policy CA01 to solve an issue.
In addition to your active policies, implement disabled policies that act as sec
* The name of disruption it should apply to. * An ordering sequence number to help the administrator to know in which order policies should be enabled.
-**Example**
-
-The following name indicates that this policy is the first of four policies to enable if there's an MFA disruption:
+**Example**: The following name indicates that this policy is the first of four policies to enable if there's an MFA disruption:
* EM01 - ENABLE IN EMERGENCY: MFA Disruption [1/4] - Exchange SharePoint: Require hybrid Azure AD join For VIP users.
The following name indicates that this policy is the first of four policies to e
Azure active directory allows you to create [named locations](location-condition.md). Create the list of countries that are allowed, and then create a network block policy with these "allowed countries" as an exclusion. This is less overhead for customers who are based in smaller geographic locations. **Be sure to exempt your emergency access accounts from this policy**.
-## Deploy Conditional Access policy
-
-When new policies are ready, deploy your Conditional Access policies in phases.
+## Deploy Conditional Access policies
-### Build your Conditional Access policy
+When you're ready, deploy your Conditional Access policies in phases.
-Refer to common [Conditional Access policies](concept-conditional-access-policy-common.md) for a head start. A convenient way will be to use the Conditional Access template that comes with Microsoft recommendations. Make sure you exclude your emergency access accounts.
+### Build your Conditional Access policies
-### Evaluate the policy impact
+Refer to [Conditional Access policy templates](concept-conditional-access-policy-common.md) and [Common security policies for Microsoft 365 organizations](/microsoft-365/security/office-365-security/identity-access-policies) for a head start. These templates are convenient way to deploy Microsoft recommendations. Make sure you exclude your emergency access accounts.
-Before you see the impact of your Conditional Access policy in your production environment, we recommend that you use the following two tools to run the simulation.
+#### Evaluate the policy impact
-#### Set up report-only mode
+We recommend that you use the following tools to evaluate the effect of your policies both before and after making changes. A simulated run gives you a good idea of the effect a Conditional Access policy has, it doesn't replace an actual test run in a properly configured development environment.
-By default, each policy is created in report-only mode, we recommended organizations test and monitor usage, to ensure intended result, before turning on each policy.
+- [Report-only mode](concept-conditional-access-report-only.md) and the Conditional Access insights and Reporting workbook.
+- The [What If tool](concept-conditional-access-policies.md)
-[Enable the policy in report-only mode](howto-conditional-access-insights-reporting.md). Once you save the policy in report-only mode, you can see the impact on real-time sign-ins in the sign-in logs. From the sign-in logs, select an event and navigate to the Report-only tab to see the result of each report-only policy.
-
-You can view the aggregate impact of your Conditional Access policies in the Insights and Reporting workbook. To access the workbook, you need an Azure Monitor subscription and you'll need to [stream your sign-in logs to a log analytics workspace](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) .
-
-#### Simulate sign-ins using the What If tool
-
-Another way to validate your Conditional Access policy is by using the [What If tool](troubleshoot-conditional-access-what-if.md), which simulates which policies would apply to a user signing in under hypothetical circumstances. Select the sign-in attributes you want to test (such as user, application, device platform, and location) and see which policies would apply.
-
-> [!NOTE]
-> While a simulated run gives you a good idea of the impact a Conditional Access policy has, it does not replace an actual test run.
-
-### Test your policy
+### Test your policies
**Ensure you test the exclusion criteria of a policy**. For example, you may exclude a user or group from a policy that requires MFA. Test if the excluded users are prompted for MFA, because the combination of other policies might require MFA for those users.
-Perform each test in your test plan with test users. The test plan is important to have a comparison between the expected results and the actual results. The following table outlines example test cases. Adjust the scenarios and expected results based on how your Conditional Access policies are configured.
+Perform each test in your test plan with test users. The test plan is important to have a comparison between the expected results and the actual results. The following table outlines some example test cases. Adjust the scenarios and expected results based on how your Conditional Access policies are configured.
-| Policy| Scenario| Expected Result |
-| - | - | - |
-| [Risky sign-ins](../identity-protection/howto-identity-protection-configure-risk-policies.md)| User signs into App using an unapproved browser| Calculates a risk score based on the probability that the sign-in wasn't performed by the user. Requires user to self-remediate using MFA |
-| [Device management](require-managed-devices.md)| Authorized user attempts to sign in from an authorized device| Access granted |
-| [Device management](require-managed-devices.md)| Authorized user attempts to sign in from an unauthorized device| Access blocked |
-| [Password change for risky users](../identity-protection/howto-identity-protection-configure-risk-policies.md)| Authorized user attempts to sign in with compromised credentials (high risk sign in)| User is prompted to change password or access is blocked based on your policy |
+| Policy | Scenario | Expected Result |
+||||
+| [Risky sign-ins](../identity-protection/howto-identity-protection-configure-risk-policies.md) | User signs into App using an unapproved browser | Calculates a risk score based on the probability that the sign-in wasn't performed by the user. Requires user to self-remediate using MFA |
+| [Device management](require-managed-devices.md) | Authorized user attempts to sign in from an authorized device | Access granted |
+| [Device management](require-managed-devices.md) | Authorized user attempts to sign in from an unauthorized device | Access blocked |
+| [Password change for risky users](../identity-protection/howto-identity-protection-configure-risk-policies.md) | Authorized user attempts to sign in with compromised credentials (high risk sign-in) | User is prompted to change password or access is blocked based on your policy |
### Deploy in production
-After confirming impact using **report-only mode**, an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
+After you confirm impact using **report-only mode**, an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
-### Roll back policies
+#### Roll back policies
In case you need to roll back your newly implemented policies, use one or more of the following options: * **Disable the policy.** Disabling a policy makes sure it doesn't apply when a user tries to sign in. You can always come back and enable the policy when you would like to use it.-
- ![enable policy image](media/plan-conditional-access/enable-policy.png)
- * **Exclude a user or group from a policy.** If a user is unable to access the app, you can choose to exclude the user from the policy.
- ![exclude users and groups](media/plan-conditional-access/exclude-users-groups.png)
-
-> [!NOTE]
-> This option should be used sparingly, only in situations where the user is trusted. The user should be added back into the policy or group as soon as possible.
+ > [!CAUTION]
+ > **Exclusions should be used sparingly**, only in situations where the user is trusted. Users should be added back into the policy or group as soon as possible.
-* **Delete the policy.** If the policy is no longer required, [delete](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json) it.
+* If a policy is disabled and no longer required, **delete it**.
-## Troubleshoot Conditional Access policy
+## Troubleshoot Conditional Access policies
-When a user is having an issue with a Conditional Access policy, collect the following information to facilitate troubleshooting.
+If a user has an issue with a Conditional Access policy, collect the following information to facilitate troubleshooting.
* User Principal Name * User display name
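Review bot: The What If tool link in the new "Evaluate the policy impact" list points at `concept-conditional-access-policies.md`, which is the general policy concept article; the removed text linked `troubleshoot-conditional-access-what-if.md` and the "Block or grant controls" paragraph earlier in this diff links `what-if-tool.md`, so this target looks wrong and should match one of those. Also in this hunk: "These templates are convenient way" is missing "a"; "A simulated run gives you a good idea of the effect a Conditional Access policy has, it doesn't replace an actual test run" is a comma splice and loses the emphasis the removed `> [!NOTE]` callout gave it; and "Conditional Access insights and Reporting workbook" is capitalized differently from "Insights and Reporting workbook" used earlier in the same article.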
When a user is having an issue with a Conditional Access policy, collect the fol
* Time stamp (approximate is ok) * Target application * Client application type (browser vs client)
-* Correlation ID (this is unique to the sign-in)
+* Correlation ID (this ID is unique to the sign-in)
If the user received a message with a More details link, they can collect most of this information for you.
-![CanΓÇÖt get to app error message](media/plan-conditional-access/cant-get-to-app.png)
+![Screenshots of an example error message and more details](media/plan-conditional-access/cant-get-to-app.png)
Once you've collected the information, See the following resources:
active-directory Troubleshoot Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-conditional-access.md
If you're locked out of the Azure portal due to an incorrect setting in a Condit
## Next steps - [Use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md)-- [Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)
+- [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md)
- [Troubleshooting Conditional Access using the What If tool](troubleshoot-conditional-access-what-if.md)
active-directory Howto Get List Of All Active Directory Auth Library Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-get-list-of-all-active-directory-auth-library-apps.md
Support for Active Directory Authentication Library (ADAL) will end in December,
## Sign-ins workbook
-Workbooks are a set of queries that collect and visualize information that is available in Azure Active Directory (Azure AD) logs. [Learn more about the sign-in logs schema here](../reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md). The Sign-ins workbook in the Azure AD admin portal now has a table to assist you in determining which applications use ADAL and how often they are used. First, weΓÇÖll detail how to access the workbook before showing the visualization for the list of applications.
+Workbooks are a set of queries that collect and visualize information that is available in Azure Active Directory (Azure AD) logs. [Learn more about the sign-in logs schema here](../reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md). The Sign-ins workbook in the Azure portal now has a table to assist you in determining which applications use ADAL and how often they are used. First, weΓÇÖll detail how to access the workbook before showing the visualization for the list of applications.
## Step 1: Send Azure AD sign-in events to Azure Monitor
Once you've integrated your Azure AD sign-in and audit logs with Azure Monitor a
1. Navigate to **Azure Active Directory** > **Monitoring** > **Workbooks** 1. In the **Usage** section, open the **Sign-ins** workbook
- :::image type="content" source="media/howto-get-list-of-all-active-directory-auth-library-apps/sign-in-workbook.png" alt-text="Screenshot of the Azure Active Directory portal workbooks interface highlighting the sign-ins workbook.":::
+ :::image type="content" source="media/howto-get-list-of-all-active-directory-auth-library-apps/sign-in-workbook.png" alt-text="Screenshot of the Azure portal workbooks interface highlighting the sign-ins workbook.":::
## Step 3: Identify apps that use ADAL
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sample-v2-code.md
Previously updated : 03/29/2022 Last updated : 03/10/2023
The following samples illustrate web applications that sign in users. Some sampl
> | Language/<br/>Platform | Code sample(s)<br/> on GitHub | Auth<br/> libraries | Auth flow | > | - | | - | -- | > | ASP.NET Core| ASP.NET Core Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/README.md) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-5-B2C/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/README.md) <br/> &#8226; [Customize token cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-2-TokenCache/README.md) <br/> &#8226; [Call Graph (multi-tenant)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md) <br/> &#8226; [Call Azure REST APIs](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/3-WebApp-multi-APIs/README.md) <br/> &#8226; [Protect web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README.md) <br/> &#8226; [Protect web API (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md) <br/> &#8226; [Protect multi-tenant web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/Readme.md) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-1-Roles/README.md) <br/> &#8226; [Use Security Groups for access 
control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) <br/> &#8226; [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/6-Deploy-to-Azure/README.md) | &#8226; MSAL.NET<br/> &#8226; Microsoft.Identity.Web | &#8226; OpenID connect <br/> &#8226; Authorization code <br/> &#8226; On-Behalf-Of|
-> | Blazor | Blazor Server Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/MyOrg) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/B2C) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-graph-user/Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/MyOrg) <br/> &#8226; [Call web API (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/B2C) | MSAL.NET | Authorization code Grant Flow|
+> | Blazor | Blazor Server Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/MyOrg) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/B2C) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-graph-user/Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/MyOrg) <br/> &#8226; [Call web API (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/B2C) | MSAL.NET | Implicit/Hybrid flow|
> | ASP.NET Core|[Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | &#8226; MSAL.NET <br/> &#8226; Microsoft.Identity.Web | On-Behalf-Of (OBO) | > | ASP.NET Core|[Use the Conditional Access auth context to perform step\-up authentication](https://github.com/Azure-Samples/ms-identity-dotnetcore-ca-auth-context-app/blob/main/README.md) | &#8226; MSAL.NET <br/> &#8226; Microsoft.Identity.Web | Authorization code | > | ASP.NET Core|[Active Directory FS to Azure AD migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | MSAL.NET | &#8226; SAML <br/> &#8226; OpenID connect |
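Review bot: The Blazor Server row changes the Auth flow column from "Authorization code Grant Flow" to "Implicit/Hybrid flow" while keeping MSAL.NET as the library and the same five sample links unchanged. This is a substantive claim about how the samples authenticate rather than a wording fix, and every other ASP.NET Core row in this table lists "Authorization code", so confirm against the linked samples' READMEs which response type they actually configure before merging, and if only some of the five samples use the hybrid flow, say which.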
active-directory Supported Accounts Validation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/supported-accounts-validation.md
# Validation differences by supported account types (signInAudience)
-When registering an application with the Microsoft identity platform for developers, you're asked to select which account types your application supports. In the application object and manifest, this property is `signInAudience`.
+When registering an application with the Microsoft identity platform for developers, you're asked to select which account types your application supports. You can refer to the **Help me choose** link under **Supported account types** during the registration process. The value you select for this property has implications on other app object properties.
-The options include the following values:
+After the application has been registered, you can check or change the account type that the application supports at any time. Under the **Manage** pane of your application, search for **Manifest** and find the `signInAudience` value. The different account types, and the corresponding `signInAudience` are shown in the following table:
-- **AzureADMyOrg**: Only accounts in the organizational directory where the app is registered (single-tenant).-- **AzureADMultipleOrgs**: Accounts in any organizational directory (multi-tenant).-- **AzureADandPersonalMicrosoftAccount**: Accounts in any organizational directory (multi-tenant) and personal Microsoft accounts (for example, Skype, Xbox, and Outlook.com).
+| Supported account types (Register an application) | `signInAudience` (Manifest) |
+||--|
+| Accounts in this organizational directory only (Single tenant) | `AzureADMyOrg` |
+| Accounts in any organizational directory (Any Azure AD directory - Multitenant) | `AzureADMultipleOrgs` |
+| Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) | `AzureADandPersonalMicrosoftAccount` |
-For registered applications, you can find the value for supported account types on the **Authentication** section of an application. You can also find it under the `signInAudience` property in the **Manifest**.
+If you change this property you may need to change other properties first.
-The value you select for this property has implications on other app object properties. As a result, if you change this property you may need to change other properties first.
+## Validation differences
See the following table for the validation differences of various properties for different supported account types.
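Review bot: The new sentence "If you change this property you may need to change other properties first." now stands alone after the table, while the removed line ("The value you select for this property has implications on other app object properties. As a result, ...") supplied its reasoning; the first half survived in the opening paragraph, so either move this sentence up next to it or keep the "As a result" link. Two details from the removed text are also dropped without replacement: Outlook.com as an example of a personal Microsoft account, and the statement that the supported-account-types value is visible on the **Authentication** section of the app registration (the new text only mentions the Manifest). Fine if intentional, but both read as lost information.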
active-directory Troubleshoot Publisher Verification https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/troubleshoot-publisher-verification.md
Below are some common issues that may occur during the process.
4. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the MPN ID and primary account contact will be listed. - **I donΓÇÖt know who my Azure AD Global Administrator (also known as company admin or tenant admin) is, how do I find them? What about the Application Administrator or Cloud Application Administrator?**
- 1. Sign in to the [Azure AD Portal](https://aad.portal.azure.com) using a user account in your organization's primary tenant.
- 2. Navigate to [Role Management](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators).
+ 1. Sign in to the [Azure portal](https://portal.azure.com) using a user account in your organization's primary tenant.
+ 1. Browse to **Azure Active Directory** > [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators).
3. Select the desired admin role. 4. The list of users assigned that role will be displayed.
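Review bot: the list numbering is now mixed: the two changed steps use `1.` auto-numbering while the unchanged trailing context still carries explicit `3.` and `4.`; either switch the remaining steps to `1.` as well or keep explicit numbers throughout so the list renders consistently.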
Below are some common issues that may occur during the process.
2. Go to the [MPN tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the instructions [here](/partner-center/multi-tenant-account). Be aware that all Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account. 3. Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Administrator, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions [here](/partner-center/create-user-accounts-and-set-permissions). -- **When I sign into the Azure AD portal, I do not see any apps registered. Why?**
+- **When I sign into the Azure portal, I do not see any apps registered. Why?**
Your app registrations may have been created using a different user account in this tenant, a personal/consumer account, or in a different tenant. Ensure you're signed in with the correct account in the tenant where your app registrations were created. - **I'm getting an error related to multi-factor authentication. What should I do?**
active-directory Azuread Joined Devices Frx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/azuread-joined-devices-frx.md
To verify whether a device is joined to your Azure AD, review the **Access work
## Next steps -- For more information about managing devices in the Azure AD portal, see [managing devices using the Azure portal](device-management-azure-portal.md).
+- For more information about managing devices in the Azure portal, see [managing devices using the Azure portal](device-management-azure-portal.md).
- [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune) - [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) - [Passwordless authentication options for Azure Active Directory](../authentication/concept-authentication-passwordless.md)
active-directory Enterprise State Roaming Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-enable.md
The country/region value is set as part of the Azure AD directory creation proce
Follow these steps to view a per-user device sync status report.
-1. Sign in to [Azure AD admin center](https://aad.portal.azure.com/).
-1. Select **Azure Active Directory** > **Users** > **All users**.
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. Browse to **Azure Active Directory** > **Users** > **All users**.
1. Select the user, and then select **Devices**. 1. Select **View devices syncing settings and app data** to show sync status. 1. Devices syncing for the user are shown and can be downloaded.
active-directory Enterprise State Roaming Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md
Enterprise State Roaming requires the device to be registered with Azure AD. Alt
**Potential issue**: **WamDefaultSet** and **AzureAdJoined** both have ΓÇ£NOΓÇ¥ in the field value, the device was domain-joined and registered with Azure AD, and the device doesn't sync. If it's showing this, the device may need to wait for policy to be applied or the authentication for the device failed when connecting to Azure AD. The user may have to wait a few hours for the policy to be applied. Other troubleshooting steps may include retrying autoregistration by signing out and back in, or launching the task in Task Scheduler. In some cases, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
-**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled in the Azure Active Directory Portal. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
+**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled in the Azure portal. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue.
## Enterprise State Roaming and multifactor authentication Under certain conditions, Enterprise State Roaming can fail to sync data if Azure AD Multifactor Authentication is configured. For more information on these symptoms, see the support document [KB3193683](https://support.microsoft.com/kb/3193683).
-**Potential issue**: If your device is configured to require Multifactor Authentication on the Azure Active Directory portal, you may fail to sync settings while signing in to a Windows 10 or newer device using a password. This type of Multifactor Authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 or newer devices with their Windows Hello for Business PIN or by completing Multifactor Authentication while accessing other Azure services like Microsoft 365.
+**Potential issue**: If your device is configured to require Multifactor Authentication on the Azure portal, you may fail to sync settings while signing in to a Windows 10 or newer device using a password. This type of Multifactor Authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 or newer devices with their Windows Hello for Business PIN or by completing Multifactor Authentication while accessing other Azure services like Microsoft 365.
**Potential issue**: Sync can fail if the admin configures the Active Directory Federation Services Multifactor Authentication Conditional Access policy and the access token on the device expires. Ensure that you sign in and sign out using the Windows Hello for Business PIN or complete Multifactor Authentication while accessing other Azure services like Microsoft 365.
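Review bot: "configured to require Multifactor Authentication on the Azure portal" in the `+` line reads as though the portal itself enforces MFA; the requirement is configured for the account, so "in the Azure portal" (or "for the Azure AD account") would be clearer than the "on the ... portal" phrasing carried over from the removed line.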
active-directory Hybrid Azuread Join Manual https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-azuread-join-manual.md
The following script helps you with the creation of the issuance transform rules
#### Remarks * This script appends the rules to the existing rules. Don't run the script twice, because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.
-* If you have multiple verified domain names (as shown in the Azure AD portal or via the **Get-MsolDomain** cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule:
+* If you have multiple verified domain names (as shown in the Azure portal or via the **Get-MsolDomain** cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule:
``` c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
active-directory Directory Delegated Administration Primer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delegated-administration-primer.md
Managing permissions for external partners is a key part of your security postur
Delegated administration relationships enable technicians at a Microsoft CSP to administer Microsoft services such as Microsoft 365, Dynamics 365, and Azure on behalf of your organization. These technicians administer these services for you using the same roles and permissions as your organization's own administrators. These roles are assigned to security groups in the CSPΓÇÖs Azure AD tenant, which is why CSP technicians donΓÇÖt need user accounts in your tenant in order to administer services for you.
-There are two types of delegated administration relationships that are visible in the Azure AD admin portal experience. The newer type of delegated admin relationship is known as Granular Delegated Admin Permission. The older type of relationship is known as Delegated Admin Permission. You can see both types of relationship if you sign in to the Azure AD admin portal and then select **Delegated administration**.
+There are two types of delegated administration relationships that are visible in the Azure portal experience. The newer type of delegated admin relationship is known as Granular Delegated Admin Permission. The older type of relationship is known as Delegated Admin Permission. You can see both types of relationship if you sign in to the Azure portal and then select **Delegated administration**.
## Granular delegated admin permission
When a Microsoft CSP creates a GDAP relationship request for your tenant, a GDAP
* The roles that the partner needs to delegate to their technicians * The expiration date
-If you have any GDAP relationships in your tenant, you will see a notification banner on the **Delegated Administration** page in the Azure AD admin portal. Select the notification banner to see and manage GDAP relationships in the **Partners** page in Microsoft Admin Center.
+If you have any GDAP relationships in your tenant, you will see a notification banner on the **Delegated Administration** page in the Azure portal. Select the notification banner to see and manage GDAP relationships in the **Partners** page in Microsoft Admin Center.
## Delegated admin permission When a Microsoft CSP creates a DAP relationship request for your tenant, a GDAP relationship is created in the tenant when a global administrator approves the request. All DAP relationships enable the CSP to delegate Global administrator and Helpdesk administrator roles to their technicians. Unlike a GDAP relationship, a DAP relationship persists until they are revoked either by you or by your CSP.
-If you have any DAP relationships in your tenant, you will see them in the list on the Delegated Administration page in the Azure AD admin portal. To remove a DAP relationship for a CSP, follow the link to the Partners page in the Microsoft Admin Center.
+If you have any DAP relationships in your tenant, you will see them in the list on the Delegated Administration page in the Azure portal. To remove a DAP relationship for a CSP, follow the link to the Partners page in the Microsoft Admin Center.
## Next steps
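Review bot: the unchanged context paragraph under **Delegated admin permission**, directly above the changed line, says that a DAP relationship request results in "a GDAP relationship" being created, which contradicts the section heading and the sentences that follow it describing DAP; while this section is being touched, it likely should read "a DAP relationship is created".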
active-directory Directory Delete Howto https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delete-howto.md
Check the following conditions:
## Delete the organization
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that is the global administrator for your organization.
+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is the Global Administrator for your organization.
1. Select **Azure Active Directory**. 1. On a tenant's **Overview** page, select **Manage tenants**.
You can use the Microsoft admin center to put a subscription into the **Deprovis
Now the subscription state has changed to **Disabled**, and the subscription is marked for deletion. The subscription enters the **Deprovisioned** state 72 hours later.
-1. After you've deleted a subscription in your organization and 72 hours have elapsed, sign in to the Azure AD admin center again. Confirm that no required actions or subscriptions are blocking your organization deletion. You should be able to successfully delete your Azure AD organization.
+1. After you've deleted a subscription in your organization and 72 hours have elapsed, sign in to the Azure portal again. Confirm that no required actions or subscriptions are blocking your organization deletion. You should be able to successfully delete your Azure AD organization.
![Screenshot that shows resources that have passed a subscription check.](./media/directory-delete-howto/delete-checks-passed.png)
Product state | Data | Access to data
## Delete a self-service sign-up product
-You can put a self-service sign-up product like Microsoft Power BI or Azure RMS into a **Delete** state to be immediately deleted in the Azure AD portal:
+You can put a self-service sign-up product like Microsoft Power BI or Azure RMS into a **Delete** state to be immediately deleted in the Azure portal:
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) with an account that is a global administrator in the organization. If you're trying to delete the Contoso organization that has the initial default domain `contoso.onmicrosoft.com`, sign in with a UPN such as `admin@contoso.onmicrosoft.com`.
+1. Sign in to the [Azure portal](https://portal.azure.com/) with an account that is a global administrator in the organization. If you're trying to delete the Contoso organization that has the initial default domain `contoso.onmicrosoft.com`, sign in with a UPN such as `admin@contoso.onmicrosoft.com`.
+1. Browse to **Azure Active Directory**.
1. Select **Licenses**, and then select **Self-service sign-up products**. You can see all the self-service sign-up products separately from the seat-based subscriptions. Choose the product that you want to permanently delete. Here's an example in Microsoft Power BI:
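Review bot: the added sign-in step keeps "global administrator" in lowercase while the earlier hunk in this same file (the **Delete the organization** steps) was changed to "Global Administrator"; use the same role casing in both places.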
You can put a self-service sign-up product like Microsoft Power BI or Azure RMS
![Screenshot that shows the list of self-service sign-up products and a pane that confirms the deletion of a self-service sign-up product.](./media/directory-delete-howto/product-deleted.png)
-1. After you've deleted all the products, sign in to the Azure AD admin center again. Confirm that no required actions or products are blocking your organization deletion. You should be able to successfully delete your Azure AD organization.
+1. After you've deleted all the products, sign in to the Azure portal again. Confirm that no required actions or products are blocking your organization deletion. You should be able to successfully delete your Azure AD organization.
![Screenshot that shows status information for resources.](./media/directory-delete-howto/delete-checks-passed.png)
active-directory Domains Admin Takeover https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-admin-takeover.md
When you complete the preceding steps, you are now the global administrator of t
5. If you have any users or groups in Microsoft 365 that reference the removed domain name, they must be renamed to the .onmicrosoft.com domain. If you force delete the domain name, all users are automatically renamed, in this example to *user\@fourthcoffeexyz.onmicrosoft.com*.
-6. Sign in to the [Azure AD admin center](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) with an account that is the Global Administrator for the Azure AD organization.
+6. Sign in to the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) with an account that is the Global Administrator for the Azure AD organization.
7. Select **Custom domain names**, then add the domain name. You'll have to enter the DNS TXT records to verify ownership of the domain name.
active-directory Domains Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-manage.md
To delete a custom domain name, you must first ensure that no resources in your
You must change or delete any such resource in your Azure AD organization before you can delete the custom domain name.
-> [!Note]
+> [!NOTE]
> To delete the custom domain, use a Global Administrator account that is based on either the default domain (onmicrosoft.com) or a different custom domain (mydomainname.com). ## ForceDelete option
-You can **ForceDelete** a domain name in the [Azure AD Admin Center](https://aad.portal.azure.com) or using [Microsoft Graph API](/graph/api/domain-forcedelete). These options use an asynchronous operation and update all references from the custom domain name like ΓÇ£user@contoso.comΓÇ¥ to the initial default domain name such as ΓÇ£user@contoso.onmicrosoft.com.ΓÇ¥
+You can **ForceDelete** a domain name in the [Azure portal](https://portal.azure.com) or using [Microsoft Graph API](/graph/api/domain-forcedelete). These options use an asynchronous operation and update all references from the custom domain name like ΓÇ£user@contoso.comΓÇ¥ to the initial default domain name such as ΓÇ£user@contoso.onmicrosoft.com.ΓÇ¥
To call **ForceDelete** in the Azure portal, you must ensure that there are fewer than 1000 references to the domain name, and any references where Exchange is the provisioning service must be updated or removed in the [Exchange Admin Center](https://outlook.office365.com/ecp/). This includes Exchange Mail-Enabled Security Groups and distributed lists. For more information, see [Removing mail-enabled security groups](/Exchange/recipients/mail-enabled-security-groups#Remove%20mail-enabled%20security%20groups&preserve-view=true). Also, the **ForceDelete** operation won't succeed if either of the following is true:
active-directory Domains Verify Custom Subdomain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-verify-custom-subdomain.md
After a root domain is added to Azure Active Directory (Azure AD), part of Microsoft Entra, all subsequent subdomains added to that root in your Azure AD organization automatically inherit the authentication setting from the root domain. However, if you want to manage domain authentication settings independently from the root domain settings, you can now with the Microsoft Graph API. For example, if you have a federated root domain such as contoso.com, this article can help you verify a subdomain such as child.contoso.com as managed instead of federated.
-In the Azure AD portal, when the parent domain is federated and the admin tries to verify a managed subdomain on the **Custom domain names** page, you'll get a 'Failed to add domain' error with the reason "One or more properties contains invalid values." If you try to add this subdomain from the Microsoft 365 admin center, you will receive a similar error. For more information about the error, see [A child domain doesn't inherit parent domain changes in Office 365, Azure, or Intune](/office365/troubleshoot/administration/child-domain-fails-inherit-parent-domain-changes).
+In the Azure portal, when the parent domain is federated and the admin tries to verify a managed subdomain on the **Custom domain names** page, you'll get a 'Failed to add domain' error with the reason "One or more properties contains invalid values." If you try to add this subdomain from the Microsoft 365 admin center, you will receive a similar error. For more information about the error, see [A child domain doesn't inherit parent domain changes in Office 365, Azure, or Intune](/office365/troubleshoot/administration/child-domain-fails-inherit-parent-domain-changes).
Because subdomains inherit the authentication type of the root domain by default, you must promote the subdomain to a root domain in Azure AD using the Microsoft Graph so you can set the authentication type to your desired type.
active-directory Groups Assign Sensitivity Labels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md
You will also need to synchronize your sensitivity labels to Azure AD. For instr
## Assign a label to a new group in Azure portal
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com).
-1. Select **Groups**, and then select **New group**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Browse to **Azure Active Directory** > **Groups**, and then select **New group**.
1. On the **New Group** page, select **Office 365**, and then fill out the required information for the new group and select a sensitivity label from the list. ![Assign a sensitivity label in the New groups page](./media/groups-assign-sensitivity-labels/new-group-page.png)
Your group is created and the site and group settings associated with the select
## Assign a label to an existing group in Azure portal
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a Groups admin account, or as a group owner.
-1. Select **Groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com) with a Groups admin account, or as a group owner.
+1. Browse to **Azure Active Directory** > **Groups**.
1. From the **All groups** page, select the group that you want to label. 1. On the selected group's page, select **Properties** and select a sensitivity label from the list.
Your group is created and the site and group settings associated with the select
## Remove a label from an existing group in Azure portal
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a Global Administrator or Groups admin account, or as a group owner.
-1. Select **Groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com) with a Global Administrator or Groups admin account, or as a group owner.
+1. Browse to **Azure Active Directory** > **Groups**.
1. From the **All groups** page, select the group that you want to remove the label from. 1. On the **Group** page, select **Properties**. 1. Select **Remove**.
If the label you are looking for is not in the list, this could be the case for
Labels can be swapped at any time using the same steps as assigning a label to an existing group, as follows:
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a Global or Group administrator account or as group owner.
-1. Select **Groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com) with a Global or Group administrator account or as group owner.
+1. Browse to **Azure Active Directory** > **Groups**.
1. From the **All groups** page, select the group that you want to label. 1. On the selected group's page, select **Properties** and select a new sensitivity label from the list. 1. Select **Save**.
active-directory Groups Bulk Download Members https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-bulk-download-members.md
Title: Bulk download group membership list - Azure Active Directory portal | Microsoft Docs
+ Title: Bulk download group membership list - Azure portal | Microsoft Docs
description: Add users in bulk in the Azure admin center.
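Review bot: the `description:` metadata line, left unchanged here, still says "Azure admin center" after the title was switched to "Azure portal", and it describes adding users in bulk although the title is about downloading a group membership list; update the description to match both the new title and the page's actual task.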
active-directory Groups Bulk Download https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-bulk-download.md
Title: Download a list of groups in the Azure Active Directory portal | Microsoft Docs
+ Title: Download a list of groups in the Azure portal | Microsoft Docs
description: Download group properties in bulk in the Azure admin center in Azure Active Directory.
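Review bot: only the title was changed to "Azure portal"; the `description:` line that follows still refers to the "Azure admin center", so the two metadata fields now disagree with each other.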
active-directory Groups Bulk Import Members https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-bulk-import-members.md
Title: Bulk upload to add or create members of a group - Azure Active Directory | Microsoft Docs
-description: Add group members in bulk in the Azure Active Directory admin center.
+description: Add group members in bulk in the Azure portal.
active-directory Groups Change Type https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-change-type.md
Title: Change static group membership to dynamic - Azure AD | Microsoft Docs
-description: Learn how to convert existing groups from static to dynamic membership using either Azure AD Admin center or PowerShell cmdlets.
+description: Learn how to convert existing groups from static to dynamic membership using either Azure portal or PowerShell cmdlets.
documentationcenter: ''
# Change static group membership to dynamic in Azure Active Directory
-You can change a group's membership from static to dynamic (or vice-versa) In Azure Active Directory (Azure AD), part of Microsoft Entra. Azure AD keeps the same group name and ID in the system, so all existing references to the group are still valid. If you create a new group instead, you would need to update those references. Dynamic group membership eliminates management overhead adding and removing users. This article tells you how to convert existing groups from static to dynamic membership using either Azure AD Admin center or PowerShell cmdlets.
+You can change a group's membership from static to dynamic (or vice-versa) In Azure Active Directory (Azure AD), part of Microsoft Entra. Azure AD keeps the same group name and ID in the system, so all existing references to the group are still valid. If you create a new group instead, you would need to update those references. Dynamic group membership eliminates management overhead adding and removing users. This article tells you how to convert existing groups from static to dynamic membership using either Azure portal or PowerShell cmdlets.
> [!WARNING] > When changing an existing static group to a dynamic group, all existing members are removed from the group, and then the membership rule is processed to add new members. If the group is used to control access to apps or resources, be aware that the original members might lose access until the membership rule is fully processed.
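Review bot: the rewritten line carries over two small defects from the removed line: "vice-versa) In Azure Active Directory" has a capitalized "In" mid-sentence, and "using either Azure portal or PowerShell cmdlets" reads better as "using either the Azure portal or PowerShell cmdlets" (the same phrase appears in the `description:` change above).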
You can change a group's membership from static to dynamic (or vice-versa) In Az
## Change the membership type for a group
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that is a global administrator, user administrator, or groups administrator in your Azure AD organization.
-2. Select **Groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is a Global Administrator, User Administrator, or Groups Administrator in your Azure AD organization.
+2. Browse to **Azure Active Directory** > **Groups**.
3. From the **All groups** list, open the group that you want to change. 4. Select **Properties**. 5. On the **Properties** page for the group, select a **Membership type** of either Assigned (static), Dynamic User, or Dynamic Device, depending on your desired membership type. For dynamic membership, you can use the rule builder to select options for a simple rule or write a membership rule yourself.
active-directory Groups Create Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-create-rule.md
For examples of syntax, supported properties, operators, and values for a member
## To create a group membership rule
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that is in the Global administrator, Intune administrator, or User administrator role in the Azure AD organization.
-1. Search for and select **Groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is in the Global Administrator, Intune Administrator, or User Administrator role in the Azure AD organization.
+1. Browse to **Azure Active Directory** > **Groups**.
1. Select **All groups**, and select **New group**. ![Screenshot showing how to select the "add new group" action](./media/groups-create-rule/create-new-group-azure-active-directory.png)
If the rule you entered isn't valid, an explanation of why the rule couldn't be
## To update an existing rule
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with an account that is in the Global administrator, Group administrator, Intune administrator, or User administrator role in the Azure AD organization.
-1. Select **Groups** > **All groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is in the Global Administrator, Group Administrator, Intune Administrator, or User Administrator role in the Azure AD organization.
+1. Browse to **Azure Active Directory** > **Groups** > **All groups**.
1. Select a group to open its profile. 1. On the profile page for the group, select **Dynamic membership rules**. The rule builder supports up to five expressions. To add more than five expressions, you must use the text box.
active-directory Groups Dynamic Rule Member Of https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-rule-member-of.md
Only administrators in the Global Administrator, Intune Administrator, or User A
## Getting started
-This feature can be used in the Azure AD portal, Microsoft Graph, and in PowerShell. Because memberOf isn't yet supported in the rule builder, you must enter your rule in the rule editor.
+This feature can be used in the Azure portal, Microsoft Graph, and in PowerShell. Because memberOf isn't yet supported in the rule builder, you must enter your rule in the rule editor.
### Steps to create a memberOf dynamic group
active-directory Groups Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-lifecycle.md
For more information on permissions to restore a deleted group, see [Restore a d
## Set group expiration
-1. Open the [Azure AD admin center](https://aad.portal.azure.com) with an account that is a global administrator in your Azure AD organization.
+1. Open the [Azure portal](https://portal.azure.com) with an account that is a Global Administrator in your Azure AD organization.
-2. Select **Groups**, then select **Expiration** to open the expiration settings.
+2. Browse to **Azure Active Directory** > **Groups**, then select **Expiration** to open the expiration settings.
![Expiration settings for groups](./media/groups-lifecycle/expiration-settings.png)
active-directory Groups Naming Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-naming-policy.md
Some administrator roles are exempted from these policies, across all group work
## Configure naming policy in Azure portal
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a Group Administrator account.
-1. Select **Groups**, then select **Naming policy** to open the Naming policy page.
+1. Sign in to the [Azure portal](https://portal.azure.com) with a Group Administrator account.
+1. Browse to **Azure Active Directory** > **Groups**, then select **Naming policy** to open the Naming policy page.
![open the Naming policy page in the admin center](./media/groups-naming-policy/policy.png)
After you set a group naming policy in Azure AD, when a user creates a group in
Workload | Compliance -- | -
-Azure Active Directory portals | The Azure AD portal and the Access Panel portal show the naming policy enforced name when the user types in a group name when creating or editing a group. When a user enters a custom blocked word, an error message with the blocked word is displayed so that the user can remove it.
+Azure portal | The Azure portal and the Access Panel portal show the naming policy enforced name when the user types in a group name when creating or editing a group. When a user enters a custom blocked word, an error message with the blocked word is displayed so that the user can remove it.
Outlook Web Access (OWA) | Outlook Web Access shows the naming policy enforced name when the user types a group name or group alias. When a user enters a custom blocked word, an error message is shown in the UI along with the blocked word so that the user can remove it. Outlook Desktop | Groups created in Outlook desktop are compliant with the naming policy settings. Outlook desktop app doesn't yet show the preview of the enforced group name and doesn't return the custom blocked word errors when the user enters the group name. However, the naming policy is automatically applied when creating or editing a group, and users see error messages if there are custom blocked words in the group name or alias. Microsoft Teams | Microsoft Teams shows the group naming policy enforced name when the user enters a team name. When a user enters a custom blocked word, an error message is shown along with the blocked word so that the user can remove it.
active-directory Groups Quickstart Naming Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-quickstart-naming-policy.md
If you don't have an Azure subscription, [create a free account](https://azure.m
## Configure the group naming policy in the Azure portal
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a User administrator account.
-1. Select **Groups**, then select **Naming policy** to open the Naming policy page.
+1. Sign in to the [Azure portal](https://portal.azure.com) with a User Administrator account.
+1. Browse to **Azure Active Directory** > **Groups**, then select **Naming policy** to open the Naming policy page.
![open the Naming policy page in the admin center](./media/groups-quickstart-naming-policy/policy.png)
active-directory Groups Restore Deleted https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-restore-deleted.md
User | Can restore any deleted Microsoft 365 group that they own
## View and manage the deleted Microsoft 365 groups that are available to restore
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with a User administrator account.
+1. Sign in to the [Azure portal](https://portal.azure.com) with a User Administrator account.
-2. Select **Groups**, then select **Deleted groups** to view the deleted groups that are available to restore.
+2. Browse to **Azure Active Directory** > **Groups**, then select **Deleted groups** to view the deleted groups that are available to restore.
![view groups that are available to restore](./media/groups-restore-deleted/deleted-groups3.png)
active-directory Groups Saasapps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-saasapps.md
Using Azure Active Directory (Azure AD), part of Microsoft Entra, with an Azure
## To assign access for a user or group to a SaaS application
-1. In the [Azure AD admin center](https://aad.portal.azure.com), select **Enterprise applications**.
-2. Select an application that you added from the Application Gallery to open it.
-3. Select **Users and groups**, and then select **Add user**.
-4. On **Add Assignment**, select **Users and groups** to open the **Users and groups** selection list.
-6. Select as many groups or users as you want, then click or tap **Select** to add them to the **Add Assignment** list. You can also assign a role to a user at this stage.
-7. Select **Assign** to assign the users or groups to the selected enterprise application.
+1. In the [Azure portal](https://portal.azure.com).
+1. Browse to **Azure Active Directory** > **Enterprise applications**.
+1. Select an application that you added from the Application Gallery to open it.
+1. Select **Users and groups**, and then select **Add user**.
+1. On **Add Assignment**, select **Users and groups** to open the **Users and groups** selection list.
+1. Select as many groups or users as you want, then click or tap **Select** to add them to the **Add Assignment** list. You can also assign a role to a user at this stage.
+1. Select **Assign** to assign the users or groups to the selected enterprise application.
## Next steps These articles provide additional information on Azure Active Directory.
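Review bot: the new first step, `+1. In the [Azure portal](https://portal.azure.com).`, is a sentence fragment with no verb, so the reader is never told to sign in; change it to `1. Sign in to the [Azure portal](https://portal.azure.com).` to match the wording used in the other articles in this change. Switching every item to `1.` also fixes the old list, which jumped from step 4 to step 6.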
active-directory Groups Self Service Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-self-service-management.md
Groups created in | Security group default behavior | Microsoft 365 group defaul
## Make a group available for user self-service
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) with an account that's been assigned the Global Administrator or Groups Administrator role for the directory.
+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's been assigned the Global Administrator or Groups Administrator role for the directory.
-1. Select **Groups**, and then select **General** settings.
+1. Browse to **Azure Active Directory** > **Groups**, and then select **General** settings.
![Azure Active Directory groups general settings.](./media/groups-self-service-management/groups-settings-general.png)
active-directory Groups Write Back Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-write-back-portal.md
Title: Group writeback portal operations (preview) in Azure Active Directory
-description: The access points for group writeback to on-premises Active Directory in the Azure Active Directory admin center.
+description: The access points for group writeback to on-premises Active Directory in the Azure portal.
keywords:
-# Group writeback in the Azure Active Directory admin center (preview)
+# Group writeback in the Azure portal (preview)
-Group writeback is a valuable tool for administrators of Azure Active Directory (Azure AD) tenants being synced with on-premises Active Directory groups. Microsoft is now previewing new capabilities for group writeback for tenants with an Azure AD Premium license and Azure AD Connect version 2021 December release or later. In this preview, once you have [enabled Azure AD Connect group writeback](..//hybrid/how-to-connect-group-writeback-v2.md), you can specify in the Azure AD admin center which groups you want to write back and what youΓÇÖd like each group to write back as. You can write Microsoft 365 groups back to on-premises Active Directory as Distribution, Mail-enabled Security, or Security groups, and write Security groups back as Security groups. Groups are written back with a scope of universalΓÇï.
+Group writeback is a valuable tool for administrators of Azure Active Directory (Azure AD) tenants being synced with on-premises Active Directory groups. Microsoft is now previewing new capabilities for group writeback for tenants with an Azure AD Premium license and Azure AD Connect version 2021 December release or later. In this preview, once you have [enabled Azure AD Connect group writeback](..//hybrid/how-to-connect-group-writeback-v2.md), you can specify in the Azure portal which groups you want to write back and what youΓÇÖd like each group to write back as. You can write Microsoft 365 groups back to on-premises Active Directory as Distribution, Mail-enabled Security, or Security groups, and write Security groups back as Security groups. Groups are written back with a scope of universalΓÇï.
>[!NOTE] > If you were previously writing Microsoft 365 groups back to on-premises Active Directory as universal distribution groups, they will appear in the Azure portal as not enabled for writeback in both the **Groups** page and in the properties page for a group. These pages display a new property introduced for the preview, ΓÇ£writeback enabledΓÇ¥. This property is not set by the current version of group writeback to ensure backward compatibility with the legacy version of group writeback and to avoid breaking existing customer setups.
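Review bot: the rewritten paragraph still carries mojibake in `youΓÇÖd` (should be `you'd`) and a trailing zero-width character in `universalΓÇï` (should end `universal.`), and the relative link `..//hybrid/how-to-connect-group-writeback-v2.md` has a doubled slash; since the line is being edited anyway, clean up all three. The same mojibake appears in the note below (`ΓÇ£writeback enabledΓÇ¥`).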
active-directory Licensing Groups Assign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-assign.md
In this example, the Azure AD organization contains a security group called **HR
## Step 1: Assign the required licenses
-1. Sign in to the [**Azure AD admin center**](https://aad.portal.azure.com) with a license administrator account. To manage licenses, the account must be a license administrator, user administrator, or global administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com) with a license administrator account. To manage licenses, the account must be a License Administrator, User Administrator, or Global Administrator.
-1. Select **Licenses** to open a page where you can see and manage all licensable products in the organization.
+1. Browse to **Azure Active Directory** > **Licenses** to open a page where you can see and manage all licensable products in the organization.
1. Under **All products**, select both Office 365 Enterprise E5 and Enterprise Mobility + Security E3 by selecting the product names. To start the assignment, select **Assign** at the top of the page.
active-directory Linkedin Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/linkedin-integration.md
# Integrate LinkedIn account connections in Azure Active Directory
-You can allow users in your organization to access their LinkedIn connections within some Microsoft apps. No data is shared until users consent to connect their accounts. You can integrate your organization in the [admin center](https://aad.portal.azure.com) for Azure Active Directory (Azure AD), part of Microsoft Entra.
+You can allow users in your organization to access their LinkedIn connections within some Microsoft apps. No data is shared until users consent to connect their accounts. You can integrate your organization with Azure Active Directory (Azure AD), part of Microsoft Entra.
> [!IMPORTANT] > The LinkedIn account connections setting is currently being rolled out to Azure AD organizations. When it is rolled out to your organization, it is enabled by default.
You can allow users in your organization to access their LinkedIn connections wi
You can enable LinkedIn account connections for only the users you want to have access, from your entire organization to only selected users in your organization.
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com/) with an account that's a Global Administrator for the Azure AD organization.
-1. Select **Users**.
+1. Sign in to the [Azure portal](https://portal.azure.com/) with an account that's a Global Administrator for the Azure AD organization.
+1. Browse to **Azure Active Directory** > **Users**.
1. On the **Users** page, select **User settings**. 1. Under **LinkedIn account connections**, allow users to connect their accounts to access their LinkedIn connections within some Microsoft apps. No data is shared until users consent to connect their accounts.
We have replaced the 'Selected' option that specifies a list of users with the o
1. Get the current list of individual users 1. Move the currently enabled individual users to a group
-1. Use the group from the previous as the selected group in the LinkedIn account connections setting in the Azure AD admin center.
+1. Use the group from the previous as the selected group in the LinkedIn account connections setting in the Azure portal.
> [!NOTE] > Even if you don't move your currently selected individual users to a group, they can still see LinkedIn information in Microsoft apps.
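Review bot: "Use the group from the previous as the selected group" is missing a noun after "previous"; suggest "Use the group from the previous step as the selected group in the LinkedIn account connections setting in the Azure portal."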
We have replaced the 'Selected' option that specifies a list of users with the o
foreach($user in $users} { Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $user ; Write-Host $i Added $user ; $i++ ; Start-Sleep -Milliseconds 10 } ```
-To use the group from step two as the selected group in the LinkedIn account connections setting in the Azure AD admin center, see [Enable LinkedIn account connections in the Azure portal](#enable-linkedin-account-connections-in-the-azure-portal).
+To use the group from step two as the selected group in the LinkedIn account connections setting in the Azure portal, see [Enable LinkedIn account connections in the Azure portal](#enable-linkedin-account-connections-in-the-azure-portal).
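Review bot: the PowerShell in the unchanged context line above will not parse: `foreach($user in $users} {` closes the condition with `}` instead of `)`, so it should read `foreach($user in $users) { ... }`. Also, the `Add-AzureADGroupMember` call passes `$user` as `-RefObjectId`, which is only correct if `$users` holds object IDs rather than user objects; a comment stating that would help readers who build the list themselves.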
## Use Group Policy to enable LinkedIn account connections
This group policy affects only Office 2016 apps for a local computer. If users d
* [LinkedIn help center](https://www.linkedin.com/help/linkedin)
-* [View your current LinkedIn integration setting in the Azure portal](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/UserManagementMenuBlade/UserSettings)
+* [View your current LinkedIn integration setting in the Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserManagementMenuBlade/UserSettings)
active-directory Users Bulk Add https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-add.md
Title: Bulk create users in the Azure Active Directory portal | Microsoft Docs
-description: Add users in bulk in the Azure AD admin center in Azure Active Directory
+ Title: Bulk create users in the Azure portal | Microsoft Docs
+description: Add users in bulk in the Azure portal in Azure Active Directory
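Review bot: the new description, "Add users in bulk in the Azure portal in Azure Active Directory", stacks two "in" phrases; suggest "Add users in bulk to Azure Active Directory by using the Azure portal."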
# Bulk create users in Azure Active Directory
-Azure Active Directory (Azure AD), part of Microsoft Entra, supports bulk user create and delete operations and supports downloading lists of users. Just fill out comma-separated values (CSV) template you can download from the Azure AD portal.
+Azure Active Directory (Azure AD), part of Microsoft Entra, supports bulk user create and delete operations and supports downloading lists of users. Just fill out comma-separated values (CSV) template you can download from the Azure portal.
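Review bot: "Just fill out comma-separated values (CSV) template" is missing an article; since the sentence is being touched, make it "Just fill out the comma-separated values (CSV) template you can download from the Azure portal."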
## Required permissions
The rows in a downloaded CSV template are as follows:
## To create users in bulk
-1. [Sign in to your Azure AD organization](https://aad.portal.azure.com) with an account that is a User administrator in the organization.
-1. In Azure AD, select **Users** > **Bulk create**.
+1. [Sign in to the Azure portal](https://portal.azure.com) with an account that is a User Administrator in the organization.
+1. Browse to **Azure Active Directory** > **Users** > **Bulk create**.
1. On the **Bulk create user** page, select **Download** to receive a valid comma-separated values (CSV) file of user properties, and then add users you want to create. ![Select a local CSV file in which you list the users you want to add](./media/users-bulk-add/upload-button.png)
Next, you can check to see that the users you created exist in the Azure AD orga
## Verify users in the Azure portal
-1. [Sign in to the Azure AD admin center](https://aad.portal.azure.com) with an account that is a User administrator in the organization.
-1. In the navigation pane, select **Azure Active Directory**.
-1. Under **Manage**, select **Users**.
+1. [Sign in to the Azure portal](https://portal.azure.com) with an account that is a User Administrator in the organization.
+1. Browse to **Azure Active Directory** > **Users**.
1. Under **Show**, select **All users** and verify that the users you created are listed. ### Verify users with PowerShell
active-directory Users Bulk Delete https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-delete.md
Title: Bulk delete users in the Azure Active Directory portal | Microsoft Docs
+ Title: Bulk delete users in the Azure portal | Microsoft Docs
description: Delete users in bulk in the Azure admin center in Azure Active Directory
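Review bot: the title was updated to "Azure portal" but the description on the line below still says "Delete users in bulk in the Azure admin center"; update it in the same change so the metadata stays consistent.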
The rows in a downloaded CSV template are as follows:
## To bulk delete users
-1. [Sign in to your Azure AD organization](https://aad.portal.azure.com) with an account that is a User administrator in the organization.
-1. In Azure AD, select **Users** > **Bulk operations** > **Bulk delete**.
+1. [Sign in to the Azure portal](https://portal.azure.com) with an account that is a User Administrator in the organization.
+1. Browse to **Azure Active Directory** > **Users** > **Bulk operations** > **Bulk delete**.
1. On the **Bulk delete user** page, select **Download** to download the latest version of the CSV template. 1. Open the CSV file and add a line for each user you want to delete. The only required value is **User principal name**. Save the file. 1. On the **Bulk delete user** page, under **Upload your csv file**, browse to the file. When you select the file and click submit, validation of the CSV file starts.
active-directory Users Bulk Download https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-download.md
Title: Download a list of users in the Azure Active Directory portal | Microsoft Docs
+ Title: Download a list of users in the Azure portal | Microsoft Docs
description: Download user records in bulk in the Azure admin center in Azure Active Directory.
-# Download a list of users in Azure Active Directory portal
+# Download a list of users in Azure portal
Azure Active Directory (Azure AD), part of Microsoft Entra, supports bulk user list download operations.
Both admin and non-admin users can download user lists.
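Review bot: the new H1 "Download a list of users in Azure portal" is missing "the" (the title line above uses "in the Azure portal"), and the description still reads "in the Azure admin center"; both should be aligned with the rest of the rename.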
## To download a list of users
-1. [Sign in to your Azure AD organization](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
2. Navigate to **Azure Active Directory** > **Users**. 3. In Azure AD, select **Users** > **Download users**. By default, all user profiles are exported. 4. On the **Download users** page, select **Start** to receive a CSV file listing user profile properties. If there are errors, you can download and view the results file on the **Bulk operation results** page. The file contains the reason for each error.
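Review bot: steps 2 and 3 in the unchanged context overlap: step 2 already navigates to **Azure Active Directory** > **Users**, then step 3 says "In Azure AD, select **Users** > **Download users**". Collapse them to the "Browse to **Azure Active Directory** > **Users** > **Download users**" form used in the sibling articles in this change.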
active-directory Users Bulk Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-restore.md
Title: Bulk restore deleted users in the Azure Active Directory portal | Microsoft Docs
-description: Restore deleted users in bulk in the Azure AD admin center in Azure Active Directory
+ Title: Bulk restore deleted users in the Azure portal | Microsoft Docs
+description: Restore deleted users in bulk in the Azure portal in Azure Active Directory
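Review bot: same wording issue as the bulk-create description: "Restore deleted users in bulk in the Azure portal in Azure Active Directory" reads better as "Restore deleted users in bulk in Azure Active Directory by using the Azure portal."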
The rows in a downloaded CSV template are as follows:
## To bulk restore users
-1. [Sign in to your Azure AD organization](https://aad.portal.azure.com) with an account that is a User administrator in the Azure AD organization.
-1. In Azure AD, select **Users** > **Deleted**.
+1. [Sign in to the Azure portal](https://portal.azure.com) with an account that is a User Administrator in the Azure AD organization.
+1. Browse to **Azure Active Directory** > **Users** > **Deleted**.
1. On the **Deleted users** page, select **Bulk restore** to upload a valid CSV file of properties of the users to restore. ![Select the bulk restore command on the Deleted users page](./media/users-bulk-restore/bulk-restore.png)
Next, you can check to see that the users you restored exist in the Azure AD org
## View restored users in the Azure portal
-1. [Sign in to the Azure AD admin center](https://aad.portal.azure.com) with an account that is a User administrator in the organization.
+1. [Sign in to the Azure portal](https://portal.azure.com) with an account that is a User Administrator in the organization.
1. In the navigation pane, select **Azure Active Directory**. 1. Under **Manage**, select **Users**. 1. Under **Show**, select **All users** and verify that the users you restored are listed.
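Review bot: the unchanged steps "In the navigation pane, select **Azure Active Directory**" / "Under **Manage**, select **Users**" still use the old wording; the equivalent section in users-bulk-add.md was collapsed to "Browse to **Azure Active Directory** > **Users**" in this same change, so apply the same edit here for consistency.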
active-directory Users Custom Security Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-custom-security-attributes.md
To assign or remove custom security attributes for a user in your Azure AD tenan
## Assign custom security attributes to a user
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Make sure that you have defined custom security attributes. For more information, see [Add or deactivate custom security attributes in Azure AD](../fundamentals/custom-security-attributes-add.md).
To assign or remove custom security attributes for a user in your Azure AD tenan
## Update custom security attribute assignment values for a user
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Users**.
To assign or remove custom security attributes for a user in your Azure AD tenan
You can filter the list of custom security attributes assigned to users on the All users page.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Users**.
You can filter the list of custom security attributes assigned to users on the A
## Remove custom security attribute assignments from a user
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Users**.
active-directory Users Restrict Guest Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-restrict-guest-permissions.md
You must be in the Global Administrator role to configure guest user access. The
WeΓÇÖve made changes to the existing Azure portal controls for guest user permissions.
-1. Sign in to the [Azure AD admin center](https://aad.portal.azure.com) with Global administrator permissions.
-1. On the **Azure Active Directory** overview page for your organization, select **User settings**.
+1. Sign in to the [Azure portal](https://portal.azure.com) with Global Administrator permissions.
+1. Browse to **Azure Active Directory** > **User settings**.
1. Under **External users**, select **Manage external collaboration settings**. 1. On the **External collaboration settings** page, select **Guest user access is restricted to properties and memberships of their own directory objects** option.
active-directory B2b Direct Connect Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-direct-connect-overview.md
B2B direct connect users collaborate via a mutual connection between two organiz
Within the context of Teams, there are differences in how resources can be shared depending on whether youΓÇÖre collaborating with someone using B2B direct connect or B2B collaboration. -- With B2B direct connect, you add the external user to a shared channel within a team. This user can access the resources within the shared channel, but they donΓÇÖt have access to the entire team or any other resources outside the shared channel. For example, they donΓÇÖt have access to the Azure AD admin portal. They do, however, have access to My apps portal. B2B direct connect users donΓÇÖt have a presence in your Azure AD organization, so these users are managed in the Teams client by the shared channel owner. For details, see the [Assign team owners and members in Microsoft Teams](/microsoftteams/assign-roles-permissions).
+- With B2B direct connect, you add the external user to a shared channel within a team. This user can access the resources within the shared channel, but they donΓÇÖt have access to the entire team or any other resources outside the shared channel. For example, they donΓÇÖt have access to the Azure portal. They do, however, have access to My apps portal. B2B direct connect users donΓÇÖt have a presence in your Azure AD organization, so these users are managed in the Teams client by the shared channel owner. For details, see the [Assign team owners and members in Microsoft Teams](/microsoftteams/assign-roles-permissions).
- With B2B collaboration, you can invite the guest user to a team. The B2B collaboration guest user signs into the resource tenant using the email address that was used to invite them. Their access is determined by the permissions assigned to guest users in the resource tenant. Guest users canΓÇÖt see or participate in any shared channels in the team.
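Review bot: the rewritten bullet repeats the mojibake `donΓÇÖt` three times (should be `don't`) and "have access to My apps portal" is missing "the"; fix both while the line is being edited.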
active-directory B2b Quickstart Invite Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-quickstart-invite-powershell.md
# Quickstart: Add a guest user with PowerShell
-There are many ways you can invite external partners to your apps and services with Azure Active Directory B2B collaboration. In the previous quickstart, you saw how to add guest users directly in the Azure Active Directory admin portal. You can also use PowerShell to add guest users, either one at a time or in bulk. In this quickstart, youΓÇÖll use the New-MgInvitation command to add one guest user to your Azure tenant.
+There are many ways you can invite external partners to your apps and services with Azure Active Directory B2B collaboration. In the previous quickstart, you saw how to add guest users directly in the Azure portal. You can also use PowerShell to add guest users, either one at a time or in bulk. In this quickstart, youΓÇÖll use the New-MgInvitation command to add one guest user to your Azure tenant.
If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
active-directory Cross Cloud Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-cloud-settings.md
Previously updated : 02/14/2023 Last updated : 03/03/2023
After each organization has completed these steps, Azure AD B2B collaboration be
- **Decide on inbound and outbound access settings for the partner.** Selecting a cloud in your Microsoft cloud settings doesn't automatically enable B2B collaboration. Once you enable another Microsoft Azure cloud, all B2B collaboration is blocked by default for organizations in that cloud. You'll need to add the tenant you want to collaborate with to your Organizational settings. At that point, your default settings go into effect for that tenant only. You can allow the default settings to remain in effect. Or, you can modify the inbound and outbound settings for the organization. - **Obtain any required object IDs or app IDs.** If you want to apply access settings to specific users, groups, or applications in the partner organization, you'll need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (*client app IDs* or *resource app IDs*) so you can target your settings correctly.
+> [!NOTE]
+> Users from another Microsoft cloud must be invited using their user principal name (UPN). [Email as sign-in](/azure/active-directory/authentication/howto-authentication-use-email-signin#b2b-guest-user-sign-in-with-an-email-address) is not currently supported when collaborating with users from another Microsoft cloud.
+ ## Enable the cloud in your Microsoft cloud settings In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with.
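Review bot: the new note links with an absolute path (`/azure/active-directory/authentication/howto-authentication-use-email-signin#...`), whereas the rest of this repo's in-repo links are relative (for example `external-collaboration-settings-configure.md` in the Next steps of this same file); use `../authentication/howto-authentication-use-email-signin.md#b2b-guest-user-sign-in-with-an-email-address` so the link is validated at build time.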
The following scenarios are supported when collaborating with an organization fr
- Use B2B collaboration to [share Power BI content to a user in the partner tenant](/power-bi/enterprise/service-admin-azure-ad-b2b#cross-cloud-b2b). - Apply Conditional Access policies to the B2B collaboration user and opt to trust multi-factor authentication or device claims (compliant claims and hybrid Azure AD joined claims) from the userΓÇÖs home tenant.
+> [!NOTE]
+> Enabling the [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration) will provide the best experience for inviting users from another Microsoft cloud within SharePoint and OneDrive.
+ ## Next steps See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.
active-directory Direct Federation Adfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/direct-federation-adfs.md
An AD FS server must already be set up and functioning before you begin this pro
10. Select **OK**. The AD FS server is now configured for federation using WS-Fed. ## Next steps
-Next, you'll [configure SAML/WS-Fed IdP federation in Azure AD](direct-federation.md#step-3-configure-samlws-fed-idp-federation-in-azure-ad) either in the Azure AD portal or by using the Microsoft Graph API.
+Next, you'll [configure SAML/WS-Fed IdP federation in Azure AD](direct-federation.md#step-3-configure-samlws-fed-idp-federation-in-azure-ad) either in the Azure portal or by using the Microsoft Graph API.
active-directory Direct Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/direct-federation.md
Required claims for the WS-Fed token issued by the IdP:
## Step 3: Configure SAML/WS-Fed IdP federation in Azure AD
-Next, you'll configure federation with the IdP configured in step 1 in Azure AD. You can use either the Azure AD portal or the [Microsoft Graph API](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta&preserve-view=true). It might take 5-10 minutes before the federation policy takes effect. During this time, don't attempt to redeem an invitation for the federation domain. The following attributes are required:
+Next, you'll configure federation with the IdP configured in step 1 in Azure AD. You can use either the Azure portal or the [Microsoft Graph API](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta&preserve-view=true). It might take 5-10 minutes before the federation policy takes effect. During this time, don't attempt to redeem an invitation for the federation domain. The following attributes are required:
- Issuer URI of the partner's IdP - Passive authentication endpoint of partner IdP (only https is supported) - Certificate
-### To configure federation in the Azure AD portal
+### To configure federation in the Azure portal
1. Sign in to the [Azure portal](https://portal.azure.com/) as an External Identity Provider Administrator or a Global Administrator. 2. In the left pane, select **Azure Active Directory**.
On the **All identity providers** page, you can view the list of SAML/WS-Fed ide
## How do I remove federation? You can remove your federation configuration. If you do, federation guest users who have already redeemed their invitations won't be able to sign in. But you can give them access to your resources again by [resetting their redemption status](reset-redemption-status.md).
-To remove a configuration for an IdP in the Azure AD portal:
+To remove a configuration for an IdP in the Azure portal:
1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**. 1. Select **External Identities**.
active-directory Facebook Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/facebook-federation.md
To use a Facebook account as an [identity provider](identity-providers.md), you
1. To make your Facebook application available to Azure AD, select the **App Mode** selector at the top of the page and turn it **Live** to make the Application public. ## Configure a Facebook account as an identity provider
-Now you'll set the Facebook client ID and client secret, either by entering it in the Azure AD portal or by using PowerShell. You can test your Facebook configuration by signing up via a user flow on an app enabled for self-service sign-up.
+Now you'll set the Facebook client ID and client secret, either by entering it in the Azure portal or by using PowerShell. You can test your Facebook configuration by signing up via a user flow on an app enabled for self-service sign-up.
-### To configure Facebook federation in the Azure AD portal
+### To configure Facebook federation in the Azure portal
1. Sign in to the [Azure portal](https://portal.azure.com) as an External Identity Provider Administrator or a Global Administrator. 2. Under **Azure services**, select **Azure Active Directory**. 3. In the left menu, select **External Identities**.
Now you'll set the Facebook client ID and client secret, either by entering it i
## How do I remove Facebook federation? You can delete your Facebook federation setup. If you do so, any users who have signed up through user flows with their Facebook accounts will no longer be able to sign in.
-### To delete Facebook federation in the Azure AD portal:
+### To delete Facebook federation in the Azure portal:
1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of your Azure AD tenant. 2. Under **Azure services**, select **Azure Active Directory**. 3. In the left menu, select **External Identities**.
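Review bot: the replacement heading still ends with a colon (`### To delete Facebook federation in the Azure portal:`), while the matching procedure heading earlier in the same article (`### To configure Facebook federation in the Azure portal`) does not; drop the trailing colon while the line is being edited so the two headings are consistent.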
active-directory Google Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/google-federation.md
You'll now set the Google client ID and client secret. You can use the Azure por
You can delete your Google federation setup. If you do so, Google guest users who have already redeemed their invitation won't be able to sign in. But you can give them access to your resources again by [resetting their redemption status](reset-redemption-status.md).
-**To delete Google federation in the Azure AD portal**
+**To delete Google federation in the Azure portal**
1. Go to the [Azure portal](https://portal.azure.com). On the left pane, select **Azure Active Directory**. 2. Select **External Identities**. 3. Select **All identity providers**.
active-directory What Is B2b https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/what-is-b2b.md
B2B collaboration is enabled by default, but comprehensive admin settings let yo
- Use [Microsoft cloud settings](cross-cloud-settings.md) to establish mutual B2B collaboration between the Microsoft Azure global cloud and [Microsoft Azure Government](../../azure-government/index.yml) or [Microsoft Azure China 21Vianet](/azure/china).
-## Easily invite guest users from the Azure AD portal
+## Easily invite guest users from the Azure portal
As an administrator, you can easily add guest users to your organization in the Azure portal.
active-directory 4 Secure Access Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/4-secure-access-groups.md
You can create Azure AD security groups and Microsoft 365 Groups in the Azure po
| Considerations |Manual and dynamic Azure AD security groups| Microsoft 365 Groups | | - | - | - | | The group contains| Users<br>Groups<br>Service principals<br>Devices| Users only |
-| Where the group is created| Azure AD portal<br>Microsoft 365 portal, if mail-enabled)<br>PowerShell<br>Microsoft Graph<br>End user portal| Microsoft 365 portal<br>Azure AD portal<br>PowerShell<br>Microsoft Graph<br>In Microsoft 365 applications |
+| Where the group is created| Azure portal<br>Microsoft 365 portal, if mail-enabled)<br>PowerShell<br>Microsoft Graph<br>End user portal| Microsoft 365 portal<br>Azure portal<br>PowerShell<br>Microsoft Graph<br>In Microsoft 365 applications |
| Who creates, by default| Administrators <br>Users| Administrators<br>Users | | Who is added, by default| Internal users (tenant members) and guest users | Tenant members and guests from an organization | | Access is granted to| Resources to which it's assigned.| Group-related resources:<br>(Group mailbox, site, team, chats, and other Microsoft 365 resources)<br>Other resources to which group is added |
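Review bot: the edited table row keeps an unbalanced parenthesis in the first cell, `Microsoft 365 portal, if mail-enabled)`; since the row is being rewritten anyway, either add the opening parenthesis (`Microsoft 365 portal (if mail-enabled)`) or drop the closing one.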
Learn more:
### Mail-enabled security group
-To create a mail-enabled security group, go to the [Microsoft 365 admin center](https://admin.microsoft.com/). Enable a security group for mail during creation. You canΓÇÖt enable it later. You can't create the group in the Azure AD portal.
+To create a mail-enabled security group, go to the [Microsoft 365 admin center](https://admin.microsoft.com/). Enable a security group for mail during creation. You canΓÇÖt enable it later. You can't create the group in the Azure portal.
### Hybrid organizations and Azure AD security groups
active-directory 9 Secure Access Teams Sharepoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/9-secure-access-teams-sharepoint.md
Sharing in Microsoft 365 is partially governed by the **External Identities, Ext
Learn more:
-* [Azure Active Directory admin center](https://aad.portal.azure.com/)
+* [Azure portal](https://portal.azure.com/)
* [External Identities in Azure AD](../external-identities/external-identities-overview.md) ### Guest user access Guest users are invited to have access to resources.
-1. Go to the Azure Active Directory admin center.
-2. Select **All Services**.
-3. Under **Categories**, select **Identity**.
-4. From the list, select **External Identities**.
-5. Select **External collaboration settings**.
-6. Find the **Guest user access** options.
-7. To prevent guest-user access to other guest-user details, and to prevent enumeration of group membership, select **Guest users have limited access to properties and memberships of directory objects**.
+1. Sign in to the **Azure portal**
+1. Browse to **Azure Active Directory** > **External Identities** > **External collaboration settings**.
+1. Find the **Guest user access** options.
+1. To prevent guest-user access to other guest-user details, and to prevent enumeration of group membership, select **Guest users have limited access to properties and memberships of directory objects**.
### Guest invite settings
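Review bot: the new first step, `1. Sign in to the **Azure portal**`, has no trailing period, unlike the steps that follow it, and it is the only sign-in step in this change set that does not link the portal; consider `1. Sign in to the [Azure portal](https://portal.azure.com).` to match the other procedures being updated here.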
If you enable Azure AD B2B integration, then SharePoint and OneDrive sharing is
### Sharing policies in SharePoint and OneDrive
-In the Azure AD admin center, you can use the External Sharing settings for SharePoint and OneDrive to help configure sharing policies. OneDrive restrictions can't be more permissive than SharePoint settings.
+In the Azure portal, you can use the External Sharing settings for SharePoint and OneDrive to help configure sharing policies. OneDrive restrictions can't be more permissive than SharePoint settings.
Learn more: [External sharing overview](/sharepoint/external-sharing-overview)
active-directory Active Directory Groups View Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/active-directory-groups-view-azure-portal.md
If you donΓÇÖt have an Azure subscription, create a [free account](https://azure
Before you begin, youΓÇÖll need to: -- Create an Azure Active Directory tenant. For more information, see [Access the Azure Active Directory portal and create a new tenant](active-directory-access-create-new-tenant.md).
+- Create an Azure Active Directory tenant. For more information, see [Access the Azure portal and create a new tenant](active-directory-access-create-new-tenant.md).
## Sign in to the Azure portal
active-directory Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md
-# Add your custom domain name using the Azure Active Directory portal
+# Add your custom domain name using the Azure portal
Azure Active Directory (Azure AD) tenants come with an initial domain name, *\<domainname>.onmicrosoft.com*. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as *alain\@contoso.com*.
active-directory Add Users Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-users-azure-active-directory.md
You can create a new user for your organization or invite an external user from
- **Identity:** Add a user name and display name for the user. **User name** and **Name** are required and can't contain accent characters. You can also add a first and last name.
- The domain part of the user name must use either the initial default domain name, *\<yourdomainname>.onmicrosoft.com*, or a custom domain name, such as *contoso.com*. For more information about how to create a custom domain name, see [Add your custom domain name using the Azure Active Directory portal](add-custom-domain.md).
+ The domain part of the user name must use either the initial default domain name, *\<yourdomainname>.onmicrosoft.com*, or a custom domain name, such as *contoso.com*. For more information about how to create a custom domain name, see [Add your custom domain name using the Azure portal](add-custom-domain.md).
- **Groups and roles:** Optional. Add the user to one or more existing groups. Group membership can be set at any time. For more information about adding users to groups, see the [manage groups article](how-to-manage-groups.md).
If you have an environment with both Azure Active Directory (cloud) and Windows
## Delete a user
-You can delete an existing user using Azure Active Directory portal.
+You can delete an existing user using Azure portal.
- You must have a Global Administrator, Privileged Authentication Administrator or User Administrator role assignment to delete users in your organization. - Global Admins and Privileged Authentication Admins can delete any users including other admins.
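Review bot: the rewritten sentence drops the article: `You can delete an existing user using Azure portal.` should read `using the Azure portal` (or `in the Azure portal`), which is how the other changed lines in this set phrase it.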
active-directory Concept Learn About Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-learn-about-groups.md
Azure AD lets you use groups to manage access to applications, data, and resourc
- SharePoint sites - On-premises resources
-Some groups can't be managed in the Azure AD portal:
+Some groups can't be managed in the Azure portal:
- Groups synced from on-premises Active Directory can be managed only in on-premises Active Directory. - Distribution lists and mail-enabled security groups are managed only in Exchange admin center or Microsoft 365 admin center. You must sign in to Exchange admin center or Microsoft 365 admin center to manage these groups.
active-directory Custom Security Attributes Add https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-add.md
To add or deactivate custom security attributes, you must have:
An attribute set is a collection of related attributes. All custom security attributes must be part of an attribute set. Attribute sets cannot be renamed or deleted.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.
An attribute set is a collection of related attributes. All custom security attr
## Add a custom security attribute
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.
An attribute set is a collection of related attributes. All custom security attr
Once you add a new custom security attribute, you can later edit some of the properties. Some properties are immutable and cannot be changed.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.
Once you add a new custom security attribute, you can later edit some of the pro
Once you add a custom security attribute, you can't delete it. However, you can deactivate a custom security attribute.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.
active-directory Custom Security Attributes Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-manage.md
To grant access to the appropriate people, follow these steps to assign one of t
#### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Click **Azure Active Directory**.
Content-type: application/json
#### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Click **Azure Active Directory**.
active-directory License Users Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/license-users-groups.md
-# Assign or remove licenses in the Azure Active Directory portal
+# Assign or remove licenses in the Azure portal
Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service. Only users with active licenses will be able to access and use the licensed Azure AD services for which that's true. Licenses are applied per tenant and don't transfer to other tenants.
active-directory Recover From Deletions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/recover-from-deletions.md
Users enter the soft-delete state anytime the user object is deleted by using th
The most frequent scenarios for user deletion are:
-* An administrator intentionally deletes a user in the Azure AD portal in response to a request or as part of routine user maintenance.
+* An administrator intentionally deletes a user in the Azure portal in response to a request or as part of routine user maintenance.
* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you might have a script that removes users who haven't signed in for a specified time. * A user is moved out of scope for synchronization with Azure AD Connect. * A user is removed from an HR system and is deprovisioned via an automated workflow.
active-directory Recover From Misconfigurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/recover-from-misconfigurations.md
Conditional Access policies are created on the **Conditional Access** page in th
### User and password reset configuration changes
-User settings changes are made on the Azure AD portal **User settings** page. Password reset changes are made on the **Password reset** page. Changes made on these pages are captured in the Audit log as detailed in the following table.
+User settings changes are made on the Azure portal **User settings** page. Password reset changes are made on the **Password reset** page. Changes made on these pages are captured in the Audit log as detailed in the following table.
| Service filter| Activities| Potential impacts | | - | - | - |
User settings changes are made on the Azure AD portal **User settings** page. Pa
### External identities configuration changes
-You can make changes to these settings on the **External identities** or **External collaboration** settings pages in the Azure AD portal.
+You can make changes to these settings on the **External identities** or **External collaboration** settings pages in the Azure portal.
| Service filter| Activities| Potential impacts | | - | - | - |
active-directory Recoverability Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/recoverability-overview.md
Deletions and misconfigurations have different impacts on your tenant.
The impact of deletions depends on the object type.
-Users, Microsoft 365 Groups, and applications can be soft deleted. Soft-deleted items are sent to the Azure AD recycle bin. While in the recycle bin, items aren't available for use. However, they retain all their properties and can be restored via a Microsoft Graph API call or in the Azure AD portal. Items in the soft-delete state that aren't restored within 30 days are permanently, or hard, deleted.
+Users, Microsoft 365 Groups, and applications can be soft deleted. Soft-deleted items are sent to the Azure AD recycle bin. While in the recycle bin, items aren't available for use. However, they retain all their properties and can be restored via a Microsoft Graph API call or in the Azure portal. Items in the soft-delete state that aren't restored within 30 days are permanently, or hard, deleted.
![Diagram that shows that users, Microsoft 365 Groups, and applications are soft deleted and then hard deleted after 30 days.](media/recoverability/overview-deletes.png)
active-directory Secure With Azure Ad Fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-fundamentals.md
Azure AD also provides a portal and the Microsoft Graph API to allow organizatio
Azure AD also provides information on the actions that are being performed within Azure AD, and reports on security risks. For more information, see [Azure Active Directory reports and monitoring](../reports-monitoring/index.yml).
-**Auditing**. Auditing provides traceability through logs for all changes done by specific features within Azure AD. Examples of activities found in audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles, and policies. Reporting in Azure AD enables you to audit sign-in activities, risky sign-ins, and users flagged for risk. For more information, see [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md).
+**Auditing**. Auditing provides traceability through logs for all changes done by specific features within Azure AD. Examples of activities found in audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles, and policies. Reporting in Azure AD enables you to audit sign-in activities, risky sign-ins, and users flagged for risk. For more information, see [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md).
**Access certification**. Access certification is the process to prove that a user is entitled to have access to a resource at a point in time. Azure AD Access Reviews continually review the memberships of groups or applications and provide insight to determine whether access is required or should be removed. This enables organizations to effectively manage group memberships, access to enterprise applications, and role assignments to make sure only the right people have continued access. For more information, see [What are Azure AD access reviews?](../governance/access-reviews-overview.md)
active-directory Secure With Azure Ad Resource Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/secure-with-azure-ad-resource-management.md
When a requirement exists to deploy IaaS workloads to Azure that require identit
**Network Requirements**: These virtual machines will need to access Azure AD for authentication so you must ensure that the virtual machines network configuration permits outbound access to Azure AD endpoints on 443. See the documentation for [Windows](../devices/howto-vm-sign-in-azure-ad-windows.md) and [Linux](../devices/howto-vm-sign-in-azure-ad-linux.md) for more information.
-**Role-based Access Control (RBAC)**: Two RBAC roles are available to provide the appropriate level of access to these virtual machines. These RBAC roles can be configured via the Azure AD Portal or via the Azure Cloud Shell Experience. For more information, see [Configure role assignments for the VM](../devices/howto-vm-sign-in-azure-ad-windows.md).
+**Role-based Access Control (RBAC)**: Two RBAC roles are available to provide the appropriate level of access to these virtual machines. These RBAC roles can be configured via the Azure portal or via the Azure Cloud Shell Experience. For more information, see [Configure role assignments for the VM](../devices/howto-vm-sign-in-azure-ad-windows.md).
* **Virtual machine administrator logon**: Users with this role assigned to them can log into an Azure virtual machine with administrator privileges.
active-directory Security Operations Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/security-operations-introduction.md
Microsoft has many products and services that enable you to customize your IT en
* Cloud-based Azure environments * [Monitor sign-ins with the Azure AD sign-in log](../reports-monitoring/concept-all-sign-ins.md)
- * [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)
+ * [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)
* [Investigate risk with Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-investigate-risk.md) * [Connect Azure AD Identity Protection data to Microsoft Sentinel](../../sentinel/data-connectors/azure-active-directory-identity-protection.md)
active-directory Service Accounts Governing Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/service-accounts-governing-azure.md
Monitor your service accounts to ensure usage patterns are correct, and that the
Use one of the following monitoring methods:
-* Azure AD Sign-In Logs in the Azure AD portal
+* Azure AD Sign-In Logs in the Azure portal
* Export the Azure AD Sign-In Logs to * [Azure Storage documentation](../../storage/index.yml) * [Azure Event Hubs documentation](../../event-hubs/index.yml), or
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md
For more information about how to better secure your organization by using autom
**Product capability:** Platform
-Azure Service Health supports service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure AD Admin Portal Overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information is available at: [What are Service Health notifications in Azure Active Directory?](../reports-monitoring/overview-service-health-notifications.md).
+Azure Service Health supports service outage notifications to Tenant Admins for Azure Active Directory issues. These outages will also appear on the Azure portal Overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information is available at: [What are Service Health notifications in Azure Active Directory?](../reports-monitoring/overview-service-health-notifications.md).
An improved app discovery view for My Apps is in public preview. The preview sho
-### Public Preview - New Azure AD Portal All Devices list
+### Public Preview - New Azure portal All Devices list
**Type:** Changed feature **Service category:** Device Registration and Management
An improved app discovery view for My Apps is in public preview. The preview sho
-We're enhancing the All Devices list in the Azure AD Portal to make it easier to filter and manage your devices. Improvements include:
+We're enhancing the All Devices list in the Azure portal to make it easier to filter and manage your devices. Improvements include:
All Devices List:
We highly recommend enabling this new protection when using Azure AD Multi-Facto
-### Public Preview - New Azure AD Portal All Users list and User Profile UI
+### Public Preview - New Azure portal All Users list and User Profile UI
**Type:** Changed feature **Service category:** User Management **Product capability:** User Management
-We're enhancing the All Users list and User Profile in the Azure AD Portal to make it easier to find and manage your users. Improvements include:
+We're enhancing the All Users list and User Profile in the Azure portal to make it easier to find and manage your users. Improvements include:
All Users List:
For more information on how to use this feature, see: [Dynamic membership rule f
**Product capability:** Platform
-Azure Service Health will soon support service outage notifications to Tenant Admins for Azure Active Directory issues soon. These outages will also appear on the Azure AD admin portal overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information will be available when this capability is released. The expected release is for June 2022.
+Azure Service Health will soon support service outage notifications to Tenant Admins for Azure Active Directory issues soon. These outages will also appear on the Azure portal overview page with appropriate links to Azure Service Health. Outage events will be able to be seen by built-in Tenant Administrator Roles. We'll continue to send outage notifications to subscriptions within a tenant for transition. More information will be available when this capability is released. The expected release is for June 2022.
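Review bot: the rewritten line keeps the duplicated "soon" (`will soon support ... for Azure Active Directory issues soon`); drop one occurrence while the line is being edited. The passive `Outage events will be able to be seen by built-in Tenant Administrator Roles` would also read more simply as `Built-in Tenant Administrator roles can see outage events`.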
With Continuous access evaluation (CAE), critical security events and policies a
**Service category:** User Management **Product capability:** User Management
-The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
+The Azure portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
- More visible user properties including object ID, directory sync status, creation type, and identity issuer. - **Search now** allows substring search and combined search of names, emails, and object IDs.
For more information, read [Automate user provisioning to SaaS applications with
**Service category:** RBAC **Product capability:** Access Control
-10 Azure AD built-in roles have been renamed so that they're aligned across the [Microsoft 365 admin center](/microsoft-365/admin/microsoft-365-admin-center-preview), [Azure AD portal](https://portal.azure.com/), and [Microsoft Graph](https://developer.microsoft.com/graph/). To learn more about the new roles, refer to [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#all-roles).
+10 Azure AD built-in roles have been renamed so that they're aligned across the [Microsoft 365 admin center](/microsoft-365/admin/microsoft-365-admin-center-preview), [Azure portal](https://portal.azure.com/), and [Microsoft Graph](https://developer.microsoft.com/graph/). To learn more about the new roles, refer to [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md#all-roles).
![Table showing role names in MS Graph API and the Azure portal, and the proposed final name across API, Azure portal, and Mac.](media/whats-new/roles-table-rbac.png)
To learn more, refer to [Customize and configure shared devices for frontline wo
**Service category:** App Provisioning **Product capability:** Identity Lifecycle Management
-Customers can download the provisioning logs as a CSV or JSON file through the UI and via graph API. To learn more, refer to [Provisioning reports in the Azure Active Directory portal](../reports-monitoring/concept-provisioning-logs.md).
+Customers can download the provisioning logs as a CSV or JSON file through the UI and via graph API. To learn more, refer to [Provisioning reports in the Azure portal](../reports-monitoring/concept-provisioning-logs.md).
You can now allow application owners to monitor activity by the provisioning ser
**Service category:** Azure roles **Product capability:** Access Control
-Some Azure Active Directory (AD) built-in roles have names that differ from those that appear in Microsoft 365 admin center, the Azure AD portal, and Microsoft Graph. This inconsistency can cause problems in automated processes. With this update, we're renaming 10 role names to make them consistent. The following table has the new role names:
+Some Azure Active Directory (AD) built-in roles have names that differ from those that appear in Microsoft 365 admin center, the Azure portal, and Microsoft Graph. This inconsistency can cause problems in automated processes. With this update, we're renaming 10 role names to make them consistent. The following table has the new role names:
![Table showing role names in MS Graph API and the Azure portal, and the proposed new role name in M365 Admin Center, Azure portal, and API.](media/whats-new/azure-role.png)
Azure AD Connect Cloud Provisioning public preview refresh features two major en
When IT admins or end users read BitLocker recovery key(s) they have access to, Azure Active Directory now generates an audit log that captures who accessed the recovery key. The same audit provides details of the device the BitLocker key was associated with.
-End users can [access their recovery keys via My Account](https://support.microsoft.com/account-billing/manage-your-work-or-school-account-connected-devices-from-the-devices-page-6b5a735d-0a7f-4e94-8cfd-f5da6bc13d4e#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API](/graph/api/resources/bitlockerrecoverykey) or via the Azure AD Portal. To learn more, see [View or copy BitLocker keys in the Azure AD Portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
+End users can [access their recovery keys via My Account](https://support.microsoft.com/account-billing/manage-your-work-or-school-account-connected-devices-from-the-devices-page-6b5a735d-0a7f-4e94-8cfd-f5da6bc13d4e#view-a-bitlocker-key). IT admins can access recovery keys via the [BitLocker recovery key API](/graph/api/resources/bitlockerrecoverykey) or via the Azure portal. To learn more, see [View or copy BitLocker keys in the Azure portal](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).
Administrators can now require that users requesting an access package answer ad
**Product capability:** User Management
-The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
+The Azure portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:
- More visible user properties including object ID, directory sync status, creation type, and identity issuer. - Search now allows combined search of names, emails, and object IDs. - Enhanced filtering by user type (member, guest, and none), directory sync status, creation type, company name, and domain name.
For listing your application in the Azure AD app gallery, please read the detail
**Service category:** Azure AD roles **Product capability:** Access Control
-You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure AD portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see [View and assign administrator roles in Azure Active Directory](../roles/manage-roles-portal.md).
+You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see [View and assign administrator roles in Azure Active Directory](../roles/manage-roles-portal.md).
Users with this role can review network perimeter architecture recommendations f
-### Bulk activity and downloads in the Azure AD admin portal experience
+### Bulk activity and downloads in the Azure portal experience
**Type:** New feature
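Review bot: Renaming the H3 in the `-`/`+` pair changes its auto-generated anchor (from `#bulk-activity-and-downloads-in-the-azure-ad-admin-portal-experience` to `#bulk-activity-and-downloads-in-the-azure-portal-experience`), so any inbound links or redirects that target the old fragment will silently stop resolving. Please check for references to the old anchor before merging; the same applies to every other heading renamed in this file.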
Users with this role can review network perimeter architecture recommendations f
**Product capability:** Directory
-Now you can perform bulk activities on users and groups in Azure AD by uploading a CSV file in the Azure AD admin portal experience. You can create users, delete users, and invite guest users. And you can add and remove members from a group.
+Now you can perform bulk activities on users and groups in Azure AD by uploading a CSV file in the Azure portal experience. You can create users, delete users, and invite guest users. And you can add and remove members from a group.
-You can also download lists of Azure AD resources from the Azure AD admin portal experience. You can download the list of users in the directory, the list of groups in the directory, and the members of a particular group.
+You can also download lists of Azure AD resources from the Azure portal experience. You can download the list of users in the directory, the list of groups in the directory, and the members of a particular group.
For more information, check out the following:
To learn more about the new App registrations experience, see the [App registrat
We've fixed a known issue whereby when users were required to re-register if they were disabled for per-user MultiFactor Authentication (MFA) and then enabled for multifactor authentication (MFA) through a Conditional Access policy.
-To require users to re-register, you can select the **Required re-register multifactor authentication (MFA)** option from the user's authentication methods in the Azure AD portal.
+To require users to re-register, you can select the **Required re-register multifactor authentication (MFA)** option from the user's authentication methods in the Azure portal.
For more information about the apps, see [SaaS application integration with Azur
-### Consolidated Security menu item in the Azure AD portal
+### Consolidated Security menu item in the Azure portal
**Type:** Changed feature **Service category:** Identity Protection
For more information about the My Profile (preview) experience, see [My Profile
-### Bulk manage groups and members using CSV files in the Azure AD portal (Public Preview)
+### Bulk manage groups and members using CSV files in the Azure portal (Public Preview)
**Type:** New feature **Service category:** Group Management **Product capability:** Collaboration
-We're pleased to announce public preview availability of the bulk group management experiences in the Azure AD portal. You can now use a CSV file and the Azure AD portal to manage groups and member lists, including:
+We're pleased to announce public preview availability of the bulk group management experiences in the Azure portal. You can now use a CSV file and the Azure portal to manage groups and member lists, including:
- Adding or removing members from a group.
Starting on September 24, 2019, we're going to start rolling out a new Azure Act
The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can't take management actions. We've created the Global Reader role to help reduce the number of Global Administrators in your organization. Because Global Administrator accounts are powerful and vulnerable to attack, we recommend that you have fewer than five Global Administrators. We recommend using the Global Reader role for planning, audits, or investigations. We also recommend using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.
-The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Compliance Center, Azure AD Admin Center, and the Device Management Admin Center.
+The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Compliance Center, Azure portal, and the Device Management Admin Center.
>[!NOTE] > At the start of public preview, the Global Reader role won't work with: SharePoint, Privileged Access Management, Customer Lockbox, sensitivity labels, Teams Lifecycle, Teams Reporting & Call Analytics, Teams IP Phone Device Management, and Teams App Catalog.
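Review bot: In the `+` line, "Azure portal" now sits in a list whose other entries are all named admin centers, and this is a dated 2019 announcement of where Global Reader worked at the time. Consider keeping the original name in parentheses, e.g. "Azure portal (Azure AD admin center)", so readers of this historical entry can still match it to the product name used when it was published.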
Starting July 1, 2019, Microsoft stopped offering multifactor authentication (MF
## August 2019
-### Enhanced search, filtering, and sorting for groups is available in the Azure AD portal (Public Preview)
+### Enhanced search, filtering, and sorting for groups is available in the Azure portal (Public Preview)
**Type:** New feature **Service category:** Group Management **Product capability:** Collaboration
-We're pleased to announce public preview availability of the enhanced groups-related experiences in the Azure AD portal. These enhancements help you better manage groups and member lists, by providing:
+We're pleased to announce public preview availability of the enhanced groups-related experiences in the Azure portal. These enhancements help you better manage groups and member lists, by providing:
- Advanced search capabilities, such as substring search on groups lists. - Advanced filtering and sorting options on member and owner lists.
New provisioning logs are available to help you monitor and troubleshoot the use
- What roles were imported from [AWS Single-Account Access](../saas-apps/amazon-web-service-tutorial.md#configure-and-test-azure-ad-sso-for-aws-single-account-access) - What employees weren't imported from [Workday](../saas-apps/workday-inbound-tutorial.md)
-For more information, see [Provisioning reports in the Azure Active Directory portal (preview)](../reports-monitoring/concept-provisioning-logs.md).
+For more information, see [Provisioning reports in the Azure portal (preview)](../reports-monitoring/concept-provisioning-logs.md).
For more information about how to better secure your organization by using autom
-### New check for duplicate group names in the Azure AD portal
+### New check for duplicate group names in the Azure portal
**Type:** New feature **Service category:** Group Management **Product capability:** Collaboration
-Now, when you create or update a group name from the Azure AD portal, we'll perform a check to see if you are duplicating an existing group name in your resource. If we determine that the name is already in use by another group, you'll be asked to modify your name.
+Now, when you create or update a group name from the Azure portal, we'll perform a check to see if you are duplicating an existing group name in your resource. If we determine that the name is already in use by another group, you'll be asked to modify your name.
-For more information, see [Manage groups in the Azure AD portal](./active-directory-groups-create-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
+For more information, see [Manage groups in the Azure portal](./active-directory-groups-create-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
You can now use the usage and insights report, located in the **Enterprise appli
- Top sign-in errors for each app
-For more information about this feature, see [Usage and insights report in the Azure Active Directory portal](../reports-monitoring/concept-usage-insights-report.md)
+For more information about this feature, see [Usage and insights report in the Azure portal](../reports-monitoring/concept-usage-insights-report.md)
For more information about the apps, see [SaaS application integration with Azur
-### Improved groups creation and management experiences in the Azure AD portal
+### Improved groups creation and management experiences in the Azure portal
**Type:** New feature **Service category:** Group Management **Product capability:** Collaboration
-We've made improvements to the groups-related experiences in the Azure AD portal. These improvements allow administrators to better manage groups lists, members lists, and to provide additional creation options.
+We've made improvements to the groups-related experiences in the Azure portal. These improvements allow administrators to better manage groups lists, members lists, and to provide additional creation options.
Improvements include:
For more information, see [Create a basic group and add members using Azure Acti
-### Configure a naming policy for Office 365 groups in Azure AD portal (General availability)
+### Configure a naming policy for Office 365 groups in Azure portal (General availability)
**Type:** Changed feature **Service category:** Group Management **Product capability:** Collaboration
-Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.
+Administrators can now configure a naming policy for Office 365 groups, using the Azure portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.
You can configure naming policy for Office 365 groups in two different ways:
Azure AD entitlement management, now in public preview, helps customers to deleg
-### Configure a naming policy for Office 365 groups in Azure AD portal (Public preview)
+### Configure a naming policy for Office 365 groups in Azure portal (Public preview)
**Type:** New feature **Service category:** Group Management **Product capability:** Collaboration
-Administrators can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.
+Administrators can now configure a naming policy for Office 365 groups, using the Azure portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.
You can configure naming policy for Office 365 groups in two different ways:
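Review bot: The renamed heading in the `+` line reads "in Azure portal" without the article, while the other renamed headings in this file use "in the Azure portal"; change it to "in the Azure portal (Public preview)". The matching "(General availability)" heading in the hunk above has the same omission.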
For more information about how to better secure your organization through automa
-### Restore and manage your deleted Office 365 groups in the Azure AD portal
+### Restore and manage your deleted Office 365 groups in the Azure portal
**Type:** New feature **Service category:** Group Management **Product capability:** Collaboration
-You can now view and manage your deleted Office 365 groups from the Azure AD portal. This change helps you to see which groups are available to restore, along with letting you permanently delete any groups that aren't needed by your organization.
+You can now view and manage your deleted Office 365 groups from the Azure portal. This change helps you to see which groups are available to restore, along with letting you permanently delete any groups that aren't needed by your organization.
For more information, see [Restore expired or deleted groups](../enterprise-users/groups-restore-deleted.md#view-and-manage-the-deleted-microsoft-365-groups-that-are-available-to-restore).
We've created a new Azure AD **Audit logs** page to help improve both readabilit
![New Audit logs page, with sample info](media/whats-new/audit-logs-page.png)
-For more information about the new **Audit logs** page, see [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md).
+For more information about the new **Audit logs** page, see [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md).
For more information, see [Notification settings in Azure AD Domain Services](..
-### Azure AD portal supports using the ForceDelete domain API to delete custom domains
+### Azure portal supports using the ForceDelete domain API to delete custom domains
**Type:** Changed feature **Service category:** Directory Management
For more information about PIM and Azure resources, see [Discover and manage Azu
-### Application access (preview) provides faster access to the Azure AD portal
+### Application access (preview) provides faster access to the Azure portal
**Type:** New feature **Service category:** Privileged Identity Management **Product capability:** Privileged Identity Management
-Today, when activating a role using PIM, it can take over 10 minutes for the permissions to take effect. If you choose to use Application access, which is currently in public preview, administrators can access the Azure AD portal as soon as the activation request completes.
+Today, when activating a role using PIM, it can take over 10 minutes for the permissions to take effect. If you choose to use Application access, which is currently in public preview, administrators can access the Azure portal as soon as the activation request completes.
-Currently, Application access only supports the Azure AD portal experience and Azure resources. For more information about PIM and Application access, see [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)
+Currently, Application access only supports the Azure portal experience and Azure resources. For more information about PIM and Application access, see [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)
This update lets you see which policies are evaluated when a user signs in along
**Service category:** Reporting **Product capability:** Monitoring & Reporting
-With the introduction of the **Client App** field in the Sign-in activity logs, customers can now see users that are using legacy authentications. Customers will be able to access this information using the Sign-ins Microsoft Graph API or through the Sign-in activity logs in Azure AD portal where you can use the **Client App** control to filter on legacy authentications. Check out the documentation for more details.
+With the introduction of the **Client App** field in the Sign-in activity logs, customers can now see users that are using legacy authentications. Customers will be able to access this information using the Sign-ins Microsoft Graph API or through the Sign-in activity logs in Azure portal where you can use the **Client App** control to filter on legacy authentications. Check out the documentation for more details.
Specifically, Azure AD Password Protection helps you:
- Protect your organization's accounts in both Azure AD and Windows Server Active Directory (AD). - Stops your users from using passwords on a list of more than 500 of the most commonly used passwords, and over 1 million character substitution variations of those passwords.-- Administer Azure AD Password Protection from a single location in the Azure AD portal, for both Azure AD and on-premises Windows Server AD.
+- Administer Azure AD Password Protection from a single location in the Azure portal, for both Azure AD and on-premises Windows Server AD.
For more information about Azure AD Password Protection, see [Eliminate bad passwords in your organization](../authentication/concept-password-ban-bad.md).
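Review bot: The bullet list in the context line just above mixes verb forms ("Protect", "Stops", "Administer"); since the `+` line already rewrites the third bullet, change "Stops your users" to "Stop your users" in the same pass so the list is parallel.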
Some users did not receive notifications for enterprise applications configured
For more information, see: - [Manage Certificates for federated single sign-on in Azure Active Directory](../manage-apps/manage-certificates-for-federated-single-sign-on.md)-- [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)
+- [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)
For more information, see: [Customizing the list of Workday user attributes](../
**Product capability:** Collaboration It is possible to change how membership is managed in a group. This is useful when you want to keep the same group name and ID in the system, so any existing references to the group are still valid; creating a new group would require updating those references.
-We've updated the Azure AD Admin center to support this functionality. Now, customers can convert existing groups from dynamic membership to assigned membership and vice-versa. The existing PowerShell cmdlets are also still available.
+We've updated the Azure portal to support this functionality. Now, customers can convert existing groups from dynamic membership to assigned membership and vice-versa. The existing PowerShell cmdlets are also still available.
For more information, see [Dynamic membership rules for groups in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md)
For more information, see [My Apps Secure Sign-in Extension](https://support.mic
**Service category:** Azure AD **Product capability:** Directory
-As of January 8, 2018, the Azure AD administration experience in the Azure classic portal has been retired. This took place in conjunction with the retirement of the Azure classic portal itself. In the future, you should use the [Azure AD admin center](https://aad.portal.azure.com) for all your portal-based administration of Azure AD.
+As of January 8, 2018, the Azure AD administration experience in the Azure classic portal has been retired. This took place in conjunction with the retirement of the Azure classic portal itself. In the future, you should use the [Azure portal](https://portal.azure.com) for all your portal-based administration of Azure AD.
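Review bot: The `+` line swaps the link target from https://aad.portal.azure.com to https://portal.azure.com as well as the link text. This is a dated retirement notice whose whole point was telling admins where to go instead of the classic portal, and the portal root lands readers on the general Azure home rather than the Azure AD area; either link to the Azure AD section of the portal or confirm that the aad.portal.azure.com redirect behaviour is what you want readers to rely on.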
active-directory Whats New Sovereign Clouds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds.md
Pick a group of up to five members and provision them into your third-party appl
-The new Device Overview in the Azure Active Directory portal provides meaningful and actionable insights about devices in your tenant.
+The new Device Overview in the Azure portal provides meaningful and actionable insights about devices in your tenant.
In the devices overview, you can view the number of total devices, stale devices, noncompliant devices, and unmanaged devices. You'll also find links to Intune, Conditional Access, BitLocker keys, and basic monitoring. For more information, see: [Manage device identities by using the Azure portal](../devices/device-management-azure-portal.md).
active-directory Access Reviews Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-overview.md
Azure AD Premium P2 licenses are **not** required for users with the Global Admi
Azure AD guest user access is based on a monthly active users (MAU) billing model, which replaces the 1:5 ratio billing model. For more information, see [Azure AD External Identities pricing](../external-identities/external-identities-pricing.md).
-For more information about licenses, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md).
+For more information about licenses, see [Assign or remove licenses using the Azure portal](../fundamentals/license-users-groups.md).
### Example license scenarios
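Review bot: The `+` line changes only the link text while the target `../fundamentals/license-users-groups.md` is unchanged; confirm that page's title was updated in the same changeset, otherwise the link text and the destination title diverge. The same pattern recurs for the concept-provisioning-logs, concept-audit-logs, concept-usage-insights-report and groups-write-back-portal links elsewhere in this update.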
active-directory Complete Access Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/complete-access-review.md
Manually or automatically applying results doesn't have an effect on a group tha
On review creation, the creator can choose between two options for denied guest users in an access review. - Denied guest users can have their access to the resource removed. This is the default.
+ - The denied guest user can be blocked from signing in for 30 days, then deleted from the tenant. During the 30-day period the guest user is able to be restored access to the tenant by an administrator. After the 30-day period is completed, if the guest user has not had access to the resource granted to them again, they will be removed from the tenant permanently. In addition, using the Azure portal, a Global Administrator can explicitly [permanently delete a recently deleted user](../fundamentals/active-directory-users-restore.md) before that time period is reached. Once a user has been permanently deleted, the data about that guest user will be removed from active access reviews. Audit information about deleted users remains in the audit log.
### Actions taken on denied B2B direct connect users Denied B2B direct connect users and teams will lose access to all shared channels in the Team.
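Review bot: The added `+` line has a leading space before its `-` bullet, which the preceding bullet on the context line does not, so the two list items will render at different nesting levels; drop the space. Two phrases also need tightening: "the guest user is able to be restored access to the tenant by an administrator" should read "an administrator can restore the guest user's access to the tenant", and "if the guest user has not had access to the resource granted to them again" reads more clearly as "if access to the resource has not been granted to them again".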
active-directory Configure Logic App Lifecycle Workflows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/configure-logic-app-lifecycle-workflows.md
To configure those you'll follow these steps:
1. Select Save.
-1. For Logic Apps authorization policy, we'll need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.
+1. For Logic Apps authorization policy, we'll need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure portal** to find the required Application ID.
1. Go back to the logic app you created, and select **Authorization**.
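Review bot: "the managed identities **Application ID**" in both the `-` and `+` lines should be the possessive "the managed identity's **Application ID**". More importantly, after the rename the step says "the Azure portal only shows the Object ID" and then tells the reader to find the Application ID "under Enterprise Applications in the Azure portal", which reads as a contradiction; say which page shows only the Object ID (presumably the logic app's own identity pane) and that the Enterprise applications listing is where the Application ID is exposed.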
active-directory Deploy Access Reviews https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/deploy-access-reviews.md
Group owners review membership because they're best qualified to know who needs
For example, Microsoft Teams uses Microsoft 365 Groups as the underlying authorization model to grant users access to resources that are in SharePoint, Exchange, OneNote, or other Microsoft 365 services. The creator of the team automatically becomes an owner and should be responsible for attesting to the membership of that group.
-* Groups created manually in the Azure AD portal or via scripting through Microsoft Graph might not necessarily have owners defined. Define them either through the Azure AD portal in the group's **Owners** section or via Microsoft Graph.
+* Groups created manually in the Azure portal or via scripting through Microsoft Graph might not necessarily have owners defined. Define them either through the Azure portal in the group's **Owners** section or via Microsoft Graph.
* Groups that are synchronized from on-premises Active Directory can't have an owner in Azure AD. When you create an access review for them, select individuals who are best suited to decide on membership in them.
active-directory Entitlement Management Access Package First https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-first.md
In this step, you remove the changes you made and delete the **Marketing Campaig
To set up group writeback for Microsoft 365 groups in access packages, you must complete the following prerequisites: -- Set up group writeback in the Azure Active Directory admin center.
+- Set up group writeback in the Azure portal.
- The Organizational Unit (OU) that will be used to set up group writeback in Azure AD Connect Configuration. - Complete the [group writeback enablement steps](../hybrid/how-to-connect-group-writeback-enable.md) for Azure AD Connect.
Using group writeback, you can now sync Microsoft 365 groups that are part of ac
1. Create an Azure Active Directory Microsoft 365 group.
-1. Set the group to be written back to on-premises Active Directory. For instructions, see [Group writeback in the Azure Active Directory admin center](../enterprise-users/groups-write-back-portal.md).
+1. Set the group to be written back to on-premises Active Directory. For instructions, see [Group writeback in the Azure portal](../enterprise-users/groups-write-back-portal.md).
1. Add the group to an access package as a resource role. See [Create a new access package](entitlement-management-access-package-create.md#resource-roles) for guidance.
active-directory Entitlement Management Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-overview.md
Azure AD Premium P2 licenses are **not** required for the following tasks:
- No licenses are required for users who have been delegated administrative tasks, such as catalog creator, catalog owner, and access package manager. - No licenses are required for guests who have **a privilege to request access packages** but they **do not choose** to request them.
-For more information about licenses, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md).
+For more information about licenses, see [Assign or remove licenses using the Azure portal](../fundamentals/license-users-groups.md).
### Example license scenarios
active-directory Perform Access Review https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/perform-access-review.md
If you're the second-stage or third-stage reviewer, you'll also see the decision
Approve or deny access as outlined in [Review access for one or more users](#review-access-for-one-or-more-users). > [!NOTE]
-> The next stage of the review won't become active until the duration specified during the access review setup has passed. If the administrator believes a stage is done but the review duration for this stage has not expired yet, they can use the **Stop current stage** button in the overview of the access review in the Azure AD portal. This action will close the active stage and start the next stage.
+> The next stage of the review won't become active until the duration specified during the access review setup has passed. If the administrator believes a stage is done but the review duration for this stage has not expired yet, they can use the **Stop current stage** button in the overview of the access review in the Azure portal. This action will close the active stage and start the next stage.
### Review access for B2B direct connect users in Teams shared channels and Microsoft 365 groups (preview)
active-directory Choose Ad Authn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/choose-ad-authn.md
The following diagrams outline the high-level architecture components required f
|What are the on-premises server requirements beyond the provisioning system: Azure AD Connect?|None|One server for each additional authentication agent|Two or more AD FS servers<br><br>Two or more WAP servers in the perimeter/DMZ network| |What are the requirements for on-premises Internet and networking beyond the provisioning system?|None|[Outbound Internet access](../../active-directory/hybrid/how-to-connect-pta-quick-start.md) from the servers running authentication agents|[Inbound Internet access](/windows-server/identity/ad-fs/overview/ad-fs-requirements) to WAP servers in the perimeter<br><br>Inbound network access to AD FS servers from WAP servers in the perimeter<br><br>Network load balancing| |Is there a TLS/SSL certificate requirement?|No|No|Yes|
-|Is there a health monitoring solution?|Not required|Agent status provided by [Azure Active Directory admin center](../../active-directory/hybrid/tshoot-connect-pass-through-authentication.md)|[Azure AD Connect Health](../../active-directory/hybrid/how-to-connect-health-adfs.md)|
+|Is there a health monitoring solution?|Not required|Agent status provided by [Azure portal](../../active-directory/hybrid/tshoot-connect-pass-through-authentication.md)|[Azure AD Connect Health](../../active-directory/hybrid/how-to-connect-health-adfs.md)|
|Do users get single sign-on to cloud resources from domain-joined devices within the company network?|Yes with [Seamless SSO](../../active-directory/hybrid/how-to-connect-sso.md)|Yes with [Seamless SSO](../../active-directory/hybrid/how-to-connect-sso.md)|Yes| |What sign-in types are supported?|UserPrincipalName + password<br><br>Windows-Integrated Authentication by using [Seamless SSO](../../active-directory/hybrid/how-to-connect-sso.md)<br><br>[Alternate login ID](../../active-directory/hybrid/how-to-connect-install-custom.md)|UserPrincipalName + password<br><br>Windows-Integrated Authentication by using [Seamless SSO](../../active-directory/hybrid/how-to-connect-sso.md)<br><br>[Alternate login ID](../../active-directory/hybrid/how-to-connect-pta-faq.yml)|UserPrincipalName + password<br><br>sAMAccountName + password<br><br>Windows-Integrated Authentication<br><br>[Certificate and smart card authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br><br>[Alternate login ID](/windows-server/identity/ad-fs/operations/configuring-alternate-login-id)| |Is Windows Hello for Business supported?|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)<br><br>*Both require Windows Server 2016 Domain functional level*|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)<br><br>[Certificate trust model](/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs)|
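Review bot: "Agent status provided by [Azure portal]" in the `+` line drops the article; the other cells in this row use full phrases, so write "provided by the [Azure portal](...)" or "Agent status in the [Azure portal](...)". Note the link target is the pass-through authentication troubleshooting page, so the link text should still make clear where in the portal that status lives.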
active-directory How To Connect Group Writeback V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-group-writeback-v2.md
There are two versions of group writeback. The original version is in general av
- Written-back groups nested as members of on-premises Active Directory synced groups will be synced up to Azure AD as nested. - Devices that are members of writeback-enabled groups in Azure AD will be written back as members of Active Directory. Azure AD-registered and Azure AD-joined devices require device writeback to be enabled for group membership to be written back. - You can configure the common name in an Active Directory group's distinguished name to include the group's display name when it's written back. -- You can use the Azure AD admin portal, Graph Explorer, and PowerShell to configure which Azure AD groups are written back.
+- You can use the Azure portal, Graph Explorer, and PowerShell to configure which Azure AD groups are written back.
The new version is enabled on the tenant and not per Azure AD Connect client instance. Make sure that all Azure AD Connect client instances are updated to a minimal build of [Azure AD Connect version 2.0 or later](https://www.microsoft.com/download/details.aspx?id=47594) if group writeback is currently enabled on the client instance.
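Review bot: the closing sentence of this hunk ("updated to a minimal build of Azure AD Connect version 2.0 or later") says the same thing twice, since "minimal build" and "or later" both express a floor; "updated to Azure AD Connect version 2.0 or later" reads cleanly. The portal rename in the `+` line is consistent with the rest of this batch.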
active-directory How To Connect Health Adfs Risky Ip Workbook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-health-adfs-risky-ip-workbook.md
Additionally, it is possible for a single IP address to attempt multiple logins
2. A Log Analytics Workspace with the ΓÇ£ADFSSignInLogsΓÇ¥ stream enabled. 3. Permissions to use the Azure AD Monitor Workbooks. To use Workbooks, you need: - An Azure Active Directory tenant with a premium (P1 or P2) license.-- Access to a Log Analytics Workspace and the following roles in Azure AD (if accessing Log Analytics through Azure AD portal): Security administrator, Security reader, Reports reader, Global administrator
+- Access to a Log Analytics Workspace and the following roles in Azure AD (if accessing Log Analytics through Azure portal): Security administrator, Security reader, Reports reader, Global administrator
## What is in the report?
active-directory How To Connect Install Multiple Domains https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-install-multiple-domains.md
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] => issue(Type = "http://sche
## How to update the trust between AD FS and Azure AD If you did not set up the federated trust between AD FS and your instance of Azure AD, you may need to re-create this trust. The reason is, when it is originally set up without the `-SupportMultipleDomain` parameter, the IssuerUri is set with the default value. In the screenshot below, you can see the IssuerUri is set to `https://adfs.bmcontoso.com/adfs/services/trust`.
-If you have successfully added a new domain in the Azure AD portal and then attempt to convert it using `Convert-MsolDomaintoFederated -DomainName <your domain>`, you will get the following error.
+If you have successfully added a new domain in the Azure portal and then attempt to convert it using `Convert-MsolDomaintoFederated -DomainName <your domain>`, you will get the following error.
![Screenshot that shows a federation error in PowerShell after attempting to convert a new domain with the "Convert-MsolDomaintoFederated" command.](./media/how-to-connect-install-multiple-domains/trust1.png)
active-directory How To Connect Pta Quick Start https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-pta-quick-start.md
Ensure that the following prerequisites are in place.
| | | | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate | | **443** | Handles all outbound communication with the service |
- | **8080** (optional) | Authentication Agents report their status every ten minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal. Port 8080 is _not_ used for user sign-ins. |
+ | **8080** (optional) | Authentication Agents report their status every ten minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. Port 8080 is _not_ used for user sign-ins. |
If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service. - If your firewall or proxy lets you add DNS entries to an allowlist, add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
active-directory How To Connect Pta Upgrade Preview Authentication Agents https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-pta-upgrade-preview-authentication-agents.md
This article is for customers using Azure AD Pass-through Authentication through
Follow these steps to check where your Authentication Agents are installed:
-1. Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with the Global Administrator credentials for your tenant.
+1. Sign in to the [Azure portal](https://portal.azure.com) with the Global Administrator credentials for your tenant.
2. Select **Azure Active Directory** on the left-hand navigation. 3. Select **Azure AD Connect**. 4. Select **Pass-through Authentication**. This blade lists the servers where your Authentication Agents are installed.
-![Azure Active Directory admin center - Pass-through Authentication blade](./media/how-to-connect-pta-upgrade-preview-authentication-agents/pta8.png)
+![Azure portal - Pass-through Authentication blade](./media/how-to-connect-pta-upgrade-preview-authentication-agents/pta8.png)
### Step 2: Check the versions of your Authentication Agents
You need upgrade Azure AD Connect before upgrading the Authentication Agent on t
1. **Upgrade Azure AD Connect**: Follow this [article](how-to-upgrade-previous-version.md) and upgrade to the latest Azure AD Connect version. 2. **Uninstall the preview version of the Authentication Agent**: Download [this PowerShell script](https://aka.ms/rmpreviewagent) and run it as an Administrator on the server.
-3. **Download the latest version of the Authentication Agent (versions 1.5.2482.0 or later)**: Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with your tenant's Global Administrator credentials. Select **Azure Active Directory -> Azure AD Connect -> Pass-through Authentication -> Download agent**. Accept the [terms of service](https://aka.ms/authagenteula) and download the latest version of the Authentication Agent. You can also download the Authentication Agent from [here](https://aka.ms/getauthagent).
+3. **Download the latest version of the Authentication Agent (versions 1.5.2482.0 or later)**: Sign in to the [Azure portal](https://portal.azure.com) with your tenant's Global Administrator credentials. Select **Azure Active Directory -> Azure AD Connect -> Pass-through Authentication -> Download agent**. Accept the [terms of service](https://aka.ms/authagenteula) and download the latest version of the Authentication Agent. You can also download the Authentication Agent from [here](https://aka.ms/getauthagent).
4. **Install the latest version of the Authentication Agent**: Run the executable downloaded in Step 3. Provide your tenant's Global Administrator credentials when prompted. 5. **Verify that the latest version has been installed**: As shown before, go to **Control Panel -> Programs -> Programs and Features** and verify that there is an entry for "**Microsoft Azure AD Connect Authentication Agent**".
->[!NOTE]
->If you check the Pass-through Authentication blade on the [Azure Active Directory admin center](https://aad.portal.azure.com) after completing the preceding steps, you'll see two Authentication Agent entries per server - one entry showing the Authentication Agent as **Active** and the other as **Inactive**. This is _expected_. The **Inactive** entry is automatically dropped after a few days.
+> [!NOTE]
+> If you check the Pass-through Authentication blade on the [Azure portal](https://portal.azure.com) after completing the preceding steps, you'll see two Authentication Agent entries per server - one entry showing the Authentication Agent as **Active** and the other as **Inactive**. This is _expected_. The **Inactive** entry is automatically dropped after a few days.
## Upgrading the Authentication Agent on other servers Follow these steps to upgrade Authentication Agents on other servers (where Azure AD Connect is not installed): 1. **Uninstall the preview version of the Authentication Agent**: Download [this PowerShell script](https://aka.ms/rmpreviewagent) and run it as an Administrator on the server.
-2. **Download the latest version of the Authentication Agent (versions 1.5.2482.0 or later)**: Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with your tenant's Global Administrator credentials. Select **Azure Active Directory -> Azure AD Connect -> Pass-through Authentication -> Download agent**. Accept the terms of service and download the latest version.
+2. **Download the latest version of the Authentication Agent (versions 1.5.2482.0 or later)**: Sign in to the [Azure portal](https://portal.azure.com) with your tenant's Global Administrator credentials. Select **Azure Active Directory -> Azure AD Connect -> Pass-through Authentication -> Download agent**. Accept the terms of service and download the latest version.
3. **Install the latest version of the Authentication Agent**: Run the executable downloaded in Step 2. Provide your tenant's Global Administrator credentials when prompted. 4. **Verify that the latest version has been installed**: As shown before, go to **Control Panel -> Programs -> Programs and Features** and verify that there is an entry called **Microsoft Azure AD Connect Authentication Agent**.
->[!NOTE]
->If you check the Pass-through Authentication blade on the [Azure Active Directory admin center](https://aad.portal.azure.com) after completing the preceding steps, you'll see two Authentication Agent entries per server - one entry showing the Authentication Agent as **Active** and the other as **Inactive**. This is _expected_. The **Inactive** entry is automatically dropped after a few days.
+> [!NOTE]
+> If you check the Pass-through Authentication blade on the [Azure portal](https://portal.azure.com) after completing the preceding steps, you'll see two Authentication Agent entries per server - one entry showing the Authentication Agent as **Active** and the other as **Inactive**. This is _expected_. The **Inactive** entry is automatically dropped after a few days.
## Next steps - [**Troubleshoot**](tshoot-connect-pass-through-authentication.md) - Learn how to resolve common issues with the feature.
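Review bot: every sign-in step in this hunk (the `+` lines "Sign in to the [Azure portal](https://portal.azure.com) with the Global Administrator credentials for your tenant" and "with your tenant's Global Administrator credentials") keeps Global Administrator as the required role, while the Seamless SSO quick start in this same batch asks for the Hybrid Identity Administrator account. Since the change only swaps the portal link, this is the moment to confirm whether the lesser role is sufficient to view the Pass-through Authentication blade and download the agent, and if so say so, so the article does not steer readers into using a Global Administrator account for a routine agent upgrade. The `>[!NOTE]` to `> [!NOTE]` spacing fix is correct for the docs Markdown renderer.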
active-directory How To Connect Sso Quick Start https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md
When you complete the wizard, Seamless SSO is enabled on your tenant.
To verify that you have enabled Seamless SSO correctly:
-1. Sign in to the [Azure Active Directory administrative center](https://aad.portal.azure.com) with the Hybrid Identity Administrator account credentials for your tenant.
+1. Sign in to the [Azure portal](https://portal.azure.com) with the Hybrid Identity Administrator account credentials for your tenant.
1. In the left menu, select **Azure Active Directory**. 1. Select **Azure AD Connect**. 1. Verify that **Seamless single sign-on** is set to **Enabled**.
active-directory Howto Troubleshoot Upn Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/howto-troubleshoot-upn-changes.md
We recommend you change user UPN when their primary email address changes. Durin
### UPNs in Active Directory
-In Active Directory, the default UPN suffix is the domain DNS name where you created the user account. In most cases, you register this domain name as the enterprise domain. If you create the user account in the contoso.com domain, the default UPN is: username@contoso.com. However, you can add more UPN suffixes by using Active Directory domains and trusts. Learn more: [Add your custom domain name using the Azure Active Directory portal](../fundamentals/add-custom-domain.md).
+In Active Directory, the default UPN suffix is the domain DNS name where you created the user account. In most cases, you register this domain name as the enterprise domain. If you create the user account in the contoso.com domain, the default UPN is: username@contoso.com. However, you can add more UPN suffixes by using Active Directory domains and trusts. Learn more: [Add your custom domain name using the Azure portal](../fundamentals/add-custom-domain.md).
For example, if you add labs.contoso.com and change the user UPNs and email to reflect that, the result is: username@labs.contoso.com. >[!IMPORTANT] > If you change the suffix in Active Directory, add and verify a matching custom domain name in Azure AD.
- > [Add your custom domain name using the Azure Active Directory portal](../fundamentals/add-custom-domain.md)
+ > [Add your custom domain name using the Azure portal](../fundamentals/add-custom-domain.md)
![Screenshot of the Add customer domain option, under Custom domain names.](./media/howto-troubleshoot-upn-changes/custom-domains.png)
active-directory Migrate From Federation To Cloud Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/migrate-from-federation-to-cloud-authentication.md
To choose one of these options, you must know what your current settings are.
#### Verify current Azure AD Connect settings
-Sign in to the [Azure AD portal](https://aad.portal.azure.com/), select **Azure AD Connect** and verify the **USER SIGN_IN** settings as shown in this diagram:
+Sign in to the [Azure portal](https://portal.azure.com/), browse to **Azure Active Directory** > **Azure AD Connect** and verify the **USER SIGN_IN** settings as shown in this diagram:
![Verify current Azure AD Connect settings](media/deploy-cloud-user-authentication/current-user-settings-on-azure-ad-portal.png)
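Review bot: the label **USER SIGN_IN** in the `+` line looks like a typo for **USER SIGN-IN**, which is how the Azure AD Connect blade names that setting; please check against the UI while the line is being edited. The screenshot referenced in the unchanged context line (`current-user-settings-on-azure-ad-portal.png`) was taken in the old portal, so confirm it still matches the new **Azure Active Directory** > **Azure AD Connect** navigation path that the `+` line now describes.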
Sign in to the [Azure AD portal](https://aad.portal.azure.com/), select **Azure
> [!IMPORTANT] > At this point, all your federated domains will change to managed authentication. Your selected User sign-in method is the new method of authentication.
-1. In the Azure AD portal, select **Azure Active Directory**, and then select **Azure AD Connect**.
+1. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.
2. Verify these settings:
On your Azure AD Connect server, follow the steps 1- 5 in [Option A](#option-a).
![ See Do not Configure option on the user sign-in page](media/deploy-cloud-user-authentication/do-not-configure-on-user-sign-in-page.png)
-1. In the Azure AD portal, select **Azure Active Directory**, and then select **Azure AD Connect**.
+1. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.
2. Verify these settings:
On your Azure AD Connect server, follow the steps 1- 5 in [Option A](#option-a).
**In case of PTA only**, follow these steps to install more PTA agent servers.
-1. In the Azure AD portal, select **Azure Active Directory**, and then select **Azure AD Connect**.
+1. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.
2. Select **Pass-through authentication**. Verify that the status is **Active**.
On your Azure AD Connect server, follow the steps 1- 5 in [Option A](#option-a).
``` See [Update-MgDomain](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomain?view=graph-powershell-1.0 &preserve-view=true)
-3. In the Azure AD portal, select **Azure Active Directory > Azure AD Connect**.
+3. In the Azure portal, select **Azure Active Directory > Azure AD Connect**.
4. Verify that the domain has been converted to managed by running the following command: ```powershell
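Review bot: the `Update-MgDomain` link in the unchanged context line carries a space inside its query string (`?view=graph-powershell-1.0 &preserve-view=true`), which breaks the link; since this file is being edited anyway, remove the space so it reads `?view=graph-powershell-1.0&preserve-view=true`.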
active-directory Tshoot Connect Pass Through Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/tshoot-connect-pass-through-authentication.md
If you get the same username/password error, this means that the Pass-through Au
> [!IMPORTANT] > If the Azure AD Connect server isn't domain joined, a requirement mentioned in [Azure AD Connect: Prerequisites](./how-to-connect-install-prerequisites.md#installation-prerequisites), the invalid username/password issue occurs.
-### Sign-in failure reasons on the Azure Active Directory admin center (needs Premium license)
+### Sign-in failure reasons on the Azure portal (needs Premium license)
If your tenant has an Azure AD Premium license associated with it, you can also look at the [sign-in activity report](../reports-monitoring/concept-sign-ins.md) on the [Entra admin center](https://entra.microsoft.com/). [![Screenshot shows Entra admin center - Sign-ins report,](./media/tshoot-connect-pass-through-authentication/sign-in-report.png)](./media/tshoot-connect-pass-through-authentication/sign-in-report.png#lightbox)
-Navigate to **Azure Active Directory** -> **Sign-ins** on the [Azure Active Directory admin center](https://aad.portal.azure.com/) and click a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution using the following table:
+Navigate to **Azure Active Directory** -> **Sign-ins** on the [Azure portal](https://portal.azure.com/) and click a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution using the following table:
|Sign-in error code|Sign-in failure reason|Resolution | | |
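Review bot: this section now points readers at two different portals. The heading and the `+` navigation line send them to the Azure portal (`https://portal.azure.com/`), while the unchanged context line just above says to look at the sign-in activity report on the Entra admin center (`https://entra.microsoft.com/`) and the screenshot alt text says "Entra admin center". Pick one portal for the whole section, or state that the report is the same in both, so a reader following the steps does not think they are looking at the wrong report.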
active-directory Tshoot Connect Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/tshoot-connect-sso.md
This article helps you find troubleshooting information about common problems re
## Check status of feature
-Ensure that the Seamless SSO feature is still **Enabled** on your tenant. You can check the status by going to the **Azure AD Connect** pane in the [Azure Active Directory admin center](https://aad.portal.azure.com/).
+Ensure that the Seamless SSO feature is still **Enabled** on your tenant. You can check the status by going to the **Azure Active Directory** > **Azure AD Connect** pane in the [Azure portal](https://portal.azure.com/).
-![Azure Active Directory admin center: Azure AD Connect pane](./media/tshoot-connect-sso/sso10.png)
+![Azure portal: Azure AD Connect pane](./media/tshoot-connect-sso/sso10.png)
Click through to see all the AD forests that have been enabled for Seamless SSO.
-![Azure Active Directory admin center: Seamless SSO pane](./media/tshoot-connect-sso/sso13.png)
+![Azure portal: Seamless SSO pane](./media/tshoot-connect-sso/sso13.png)
-## Sign-in failure reasons in the Azure Active Directory admin center (needs a Premium license)
+## Sign-in failure reasons in the Azure portal (needs a Premium license)
-If your tenant has an Azure AD Premium license associated with it, you can also look at the [sign-in activity report](../reports-monitoring/concept-sign-ins.md) in the [Azure Active Directory admin center](https://aad.portal.azure.com/).
+If your tenant has an Azure AD Premium license associated with it, you can also look at the [sign-in activity report](../reports-monitoring/concept-sign-ins.md) inside of Azure Active Directory in the [Azure portal](https://portal.azure.com/).
-![Azure Active Directory admin center: Sign-ins report](./media/tshoot-connect-sso/sso9.png)
+![Azure portal: Sign-ins report](./media/tshoot-connect-sso/sso9.png)
-Browse to **Azure Active Directory** > **Sign-ins** in the [Azure Active Directory admin center](https://aad.portal.azure.com/), and then select a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution by using the following table:
+Browse to **Azure Active Directory** > **Sign-ins** in the [Azure portal](https://portal.azure.com/), and then select a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution by using the following table:
|Sign-in error code|Sign-in failure reason|Resolution | | |
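Review bot: the `+` line "look at the [sign-in activity report](...) inside of Azure Active Directory in the [Azure portal](...)" is awkward; "under **Azure Active Directory** in the [Azure portal](...)" matches the navigation phrasing used in the rest of this hunk ("Browse to **Azure Active Directory** > **Sign-ins**"). The heading and image alt text renames are consistent with the other articles in this batch.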
active-directory Tutorial Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/tutorial-federation.md
Now that you have a tenant and a Hybrid Identity Administrator account, add your
To add a custom domain name to a directory:
-1. In the [Azure portal](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview), be sure to close the **All users** pane.
+1. In the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview), be sure to close the **All users** pane.
1. In the left menu under **Manage**, select **Custom domain names**. 1. Select **Add custom domain**.
active-directory Tutorial Passthrough Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/tutorial-passthrough-authentication.md
Now that you have a tenant and a Hybrid Identity Administrator account, add your
To add a custom domain name to a directory:
-1. In the [Azure portal](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview), be sure to close the **All users** pane.
+1. In the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview), be sure to close the **All users** pane.
1. In the left menu under **Manage**, select **Custom domain names**. 1. Select **Add custom domain**.
active-directory Concept Identity Protection B2b https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-b2b.md
From the [Risky users report](https://portal.azure.com/#blade/Microsoft_AAD_IAM/
### Manually dismiss user's risk
-If password reset isn't an option for you from the Azure AD portal, you can choose to manually dismiss user risk. Dismissing user risk doesn't have any impact on the user's existing password, but this process will change the user's Risk State from At Risk to Dismissed. It's important that you change the user's password using whatever means are available to you in order to bring the identity back to a safe state.
+If password reset isn't an option for you from the Azure portal, you can choose to manually dismiss user risk. Dismissing user risk doesn't have any impact on the user's existing password, but this process will change the user's Risk State from At Risk to Dismissed. It's important that you change the user's password using whatever means are available to you in order to bring the identity back to a safe state.
To dismiss user risk, go to the [Risky users report](https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskyUsers) in the Azure AD Security menu. Search for the impacted user using the 'User' filter and select the user. Select the "dismiss user risk" option from the top toolbar. This action may take a few minutes to complete and update the user risk state in the report.
active-directory How To Deploy Identity Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/how-to-deploy-identity-protection.md
+
+ Title: Plan an Azure AD Identity Protection deployment
+description: Deploy Azure Active Directory Identity Protection
+++++ Last updated : 03/10/2023++++++++
+# Plan an Identity Protection deployment
+
+Azure Active Directory (Azure AD) Identity Protection detects identity-based risks, reports them, and allows administrators to investigate and remediate these risks to keep organizations safe and secure. The risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation.
++
+This deployment plan extends concepts introduced in the [Conditional Access deployment plan](../conditional-access/plan-conditional-access.md).
+
+## Prerequisites
+
+* A working Azure AD tenant with Azure AD Premium P2, or trial license enabled. If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+ * Azure AD Premium P2 is required to include Identity Protection risk in Conditional Access policies.
+* Administrators who interact with Identity Protection must have one or more of the following role assignments depending on the tasks they're performing. To follow the [Zero Trust principle of least privilege](/security/zero-trust/), consider using [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) to just-in-time activate privileged role assignments.
+ * Read Identity Protection and Conditional Access policies and configurations
+ * [Security Reader](../roles/permissions-reference.md#security-reader)
+ * [Global Reader](../roles/permissions-reference.md#global-reader)
+ * Manage Identity Protection
+ * [Security Operator](../roles/permissions-reference.md#security-operator)
+ * [Security Administrator](../roles/permissions-reference.md#security-administrator)
+ * Create or modify Conditional Access policies
+ * [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator)
+ * [Security Administrator](../roles/permissions-reference.md#security-administrator)
+* A test user (non-administrator) that allows you to verify policies work as expected before deploying to real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
+* A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
+
+### Engage the right stakeholders
+
+When technology projects fail, they typically do so due to mismatched expectations on affect, outcomes, and responsibilities. To avoid these pitfalls, ensure that youΓÇÖre engaging the right stakeholders and that stakeholder roles in the project are well understood by documenting the stakeholders, their project input, and accountability.
+
+### Communicating change
+
+Communication is critical to the success of any new functionality. You should proactively communicate with your users how their [experience](concept-identity-protection-user-experience.md) changes, when it changes, and how to get support if they experience issues.
+
+## Step 1: Review existing reports
+
+It's important to review the [Identity Protection reports](howto-identity-protection-investigate-risk.md) before deploying risk-based Conditional Access policies. This review gives an opportunity to investigate existing suspicious behavior you may have missed and to dismiss or confirm these users as safe if you've determined they aren't at risk.
+
+- [Investigate risk detections](howto-identity-protection-investigate-risk.md)
+- [Remediate risks and unblock users](howto-identity-protection-remediate-unblock.md)
+- [Make bulk changes using Microsoft Graph PowerShell](howto-identity-protection-graph-api.md)
+
+For efficiency, we recommend allowing users to self-remediate through policies that are discussed in [Step 3](#step-3-configure-your-policies).
+
+## Step 2: Plan for Conditional Access risk policies
+
+Identity Protection sends risk signals to Conditional Access, to make decisions and enforce organizational policies like requiring multifactor authentication or password change. There are several items organizations should plan for prior to creating their policies.
+
+### Policy exclusions
++
+### Multifactor authentication
+
+For users to self-remediate risk though, they must register for Azure AD Multifactor Authentication before they become risky. For more information, see the article [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
+
+### Known network locations
+
+It's important to configure named locations in Conditional Access and add your VPN ranges to [Defender for Cloud Apps](/defender-cloud-apps/ip-tags#create-an-ip-address-range). Sign-ins from named locations, marked as trusted or known, improve the accuracy of Azure AD Identity Protection risk calculations. These sign-ins lower a user's risk when they authenticate from a location marked as trusted or known. This practice reduces false positives for some detections in your environment.
+
+### Report only mode
+
+[Report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md) is a Conditional Access policy state that allows administrators to evaluate the effect of Conditional Access policies before enforcing them in their environment.
+
+## Step 3: Configure your policies
+
+### Identity Protection MFA registration policy
+
+Use the Identity Protection multifactor authentication registration policy to help get your users registered for Azure AD Multifactor Authentication before they need to use it. Follow the steps in the article [How To: Configure the Azure AD multifactor authentication registration policy](howto-identity-protection-configure-mfa-policy.md) to enable this policy.
+
+### Conditional Access policies
+
+**Sign-in risk** - Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multi-factor authentication to prove that they're really who they say they are. You may want to start by scoping these policies to admins only.
+
+**User risk** - Microsoft works with researchers, law enforcement, various security teams at Microsoft, and other trusted sources to find leaked username and password pairs. When these vulnerable users are detected, we recommend requiring users perform multifactor authentication then reset their password.
+
+The article [Configure and enable risk policies](howto-identity-protection-configure-risk-policies.md) provides guidance to create Conditional Access policies to address these risks.
+
+## Step 4: Monitoring and continuous operational needs
+
+### Email notifications
+
+[Enable notifications](howto-identity-protection-configure-notifications.md) so you can respond when a user is flagged as at risk so you can start investigating immediately. You can also set up weekly digest emails giving you an overview of risk for that week.
+
+### Monitor and investigate
+
+The [Identity Protection workbook](../reports-monitoring/workbook-risk-analysis.md) can help monitor and look for patterns in your tenant. Monitor this workbook for trends and also Conditional Access Report Only mode results to see if there are any changes that need to be made, for example, additions to named locations.
+
+Microsoft Defender for Cloud Apps provides an investigation framework organizations can use as a starting point. For more information, see the article [How to investigate anomaly detection alerts](/defender-cloud-apps/investigate-anomaly-alerts).
+
+You can also use the Identity Protection APIs to [export risk information](howto-export-risk-data.md) to other tools, so your security team can monitor and alert on risk events.
+
+During testing, you might want to [simulate some threats](howto-identity-protection-simulate-risk.md) to test your investigation processes.
+
+## Next steps
+
+[What is risk?](concept-identity-protection-risks.md)
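Review bot: the "### Policy exclusions" heading in this new article has no body in the hunk (the heading is followed only by an empty `+` line and then "### Multifactor authentication"). If the section is meant to pull its text from an include, confirm that the include resolves in the build; otherwise add the content, because exclusions (emergency access accounts in particular, which the MFA registration policy change elsewhere in this batch now tells readers to exclude) are exactly what a reader planning risk-based Conditional Access needs here. The following paragraph, "For users to self-remediate risk though, they must register...", also reads as if it continues an earlier paragraph that is missing, so the dangling "though" should go once the section is complete. Two smaller wording points: "Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky" is a comma splice (split it at the comma), and "requiring users perform multifactor authentication then reset their password" needs "and" before "then".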
active-directory Howto Identity Protection Configure Mfa Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy.md
Previously updated : 08/22/2022 Last updated : 01/03/2023
For more information on Azure AD multifactor authentication, see [What is Azure
1. Navigate to the [Azure portal](https://portal.azure.com). 1. Browse to **Azure Active Directory** > **Security** > **Identity Protection** > **MFA registration policy**.
- 1. Under **Assignments**
- 1. **Users** - Choose **All users** or **Select individuals and groups** if limiting your rollout.
- 1. Optionally you can choose to exclude users or groups from the policy.
+ 1. Under **Assignments** > **Users**
+ 1. Under **Include**, select **All users** or **Select individuals and groups** if limiting your rollout.
+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
1. **Enforce Policy** - **On** 1. **Save**
For an overview of the related user experience, see:
## Next steps - [Enable sign-in and user risk policies](howto-identity-protection-configure-risk-policies.md)- - [Enable Azure AD self-service password reset](../authentication/howto-sspr-deployment.md)- - [Enable Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md)
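Review bot: the replaced **Exclude** step drops the "Optionally" from the removed line and now reads as a required step. If excluding emergency access accounts is a recommendation rather than a requirement, say so ("Under **Exclude**, we recommend selecting **Users and groups** and choosing your organization's emergency access or break-glass accounts") and link to the guidance on emergency access accounts so readers who have not created one know what is being excluded and why.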
active-directory Overview Identity Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/overview-identity-protection.md
Previously updated : 08/15/2022 Last updated : 03/10/2023
# What is Identity Protection?
-Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure Active Directory, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses trillions of signals per day to identify and protect customers from threats. Identity Protection allows organizations to accomplish three key tasks:
+Identity Protection allows organizations to accomplish three key tasks:
- [Automate the detection and remediation of identity-based risks](howto-identity-protection-configure-risk-policies.md). - [Investigate risks](howto-identity-protection-investigate-risk.md) using data in the portal. - [Export risk detection data to other tools](howto-export-risk-data.md). +
+Identity Protection uses the learnings Microsoft has acquired from their position in organizations with Azure Active Directory, the consumer space with Microsoft Accounts, and in gaming with Xbox to protect your users. Microsoft analyses trillions of signals per day to identify and protect customers from threats.
+ The signals generated by and fed to Identity Protection, can be further fed into tools like Conditional Access to make access decisions, or fed back to a security information and event management (SIEM) tool for further investigation. ## Why is automation important?
More information on these rich reports can be found in the article, [How To: Inv
## Next steps -- [Security overview](concept-identity-protection-security-overview.md)--- [What is risk](concept-identity-protection-risks.md)--- [Policies available to mitigate risks](concept-identity-protection-policies.md)
+- [Plan an Identity Protection deployment](how-to-deploy-identity-protection.md)
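Review bot: in the added sentence "The signals generated by and fed to Identity Protection, can be further fed into tools ...", the comma between subject and verb should go, and "fed" appears three times in one sentence; suggest "The signals generated by and fed to Identity Protection can be passed on to tools like Conditional Access to make access decisions, or sent to a security information and event management (SIEM) tool for further investigation." The moved paragraph also has "Microsoft has acquired from their position"; "its position" agrees with the singular subject.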
active-directory Add Application Portal Assign Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal-assign-users.md
# Quickstart: Create and assign a user account
-In this quickstart, you use the Azure Active Directory Admin Center to create a user account in your Azure Active Directory (Azure AD) tenant. After you create the account, you can assign it to the enterprise application that you added to your tenant.
+In this quickstart, you use the Azure portal to create a user account in your Azure Active Directory (Azure AD) tenant. After you create the account, you can assign it to the enterprise application that you added to your tenant.
It is recommended that you use a non-production environment to test the steps in this quickstart.
To create a user account and assign it to an enterprise application, you need:
To create a user account in your Azure AD tenant:
-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.
-1. In the left menu, select **Users**.
+1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Browse to **Azure Active Directory** > **Users**.
1. Select **New user** at the top of the pane. :::image type="content" source="media/add-application-portal-assign-users/new-user.png" alt-text="Add a new user account to your Azure AD tenant.":::
To create a user account in your Azure AD tenant:
To assign a user account to an enterprise application:
-1. In the [Azure Active Directory Admin Center](https://aad.portal.azure.com), select **Enterprise applications**, and then search for and select the application to which you want to assign the user account. For example, the application that you created in the previous quickstart named **Azure AD SAML Toolkit 1**.
+1. In the [Azure portal](https://portal.azure.com), browse to **Azure Active Directory** > **Enterprise applications**, and then search for and select the application to which you want to assign the user account. For example, the application that you created in the previous quickstart named **Azure AD SAML Toolkit 1**.
1. In the left pane, select **Users and groups**, and then select **Add user/group**. :::image type="content" source="media/add-application-portal-assign-users/assign-user.png" alt-text="Assign user account to zn application in your Azure AD tenant.":::
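Review bot: while this file is being touched, the alt text on the unchanged line after step 2 reads "Assign user account to zn application"; "zn" should be "an".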
active-directory Add Application Portal Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal-configure.md
Application properties control how the application is represented and how the ap
To configure the application properties:
-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.
-1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to use.
+1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Browse to **Azure Active Directory** > **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to use.
1. In the **Manage** section, select **Properties** to open the **Properties** pane for editing. 1. On the **Properties** pane, you may want to configure the following properties for your application: - Logo
active-directory Add Application Portal Setup Oidc Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal-setup-oidc-sso.md
When you add an enterprise application that uses the OIDC standard for SSO, you
To configure OIDC-based SSO for an application:
-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.
-1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
+1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Browse to **Azure Active Directory** > **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
1. In the **Enterprise applications** pane, select **New application**. 1. The **Browse Azure AD Gallery** pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the **Featured applications** section have icons indicating whether they support federated SSO and provisioning. Search for and select the application. In this example, **SmartSheet** is being used. 1. Select **Sign-up**. Sign in with the user account credentials from Azure Active Directory. If you already have a subscription to the application, then user details and tenant information is validated. If the application is not able to verify the user, then it redirects you to sign up for the application service.
active-directory Add Application Portal Setup Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal-setup-sso.md
# Enable single sign-on for an enterprise application
-In this article, you use the Azure Active Directory Admin Center to enable single sign-on (SSO) for an enterprise application that you added to your Azure Active Directory (Azure AD) tenant. After you configure SSO, your users can sign in by using their Azure AD credentials.
+In this article, you use the Azure portal to enable single sign-on (SSO) for an enterprise application that you added to your Azure Active Directory (Azure AD) tenant. After you configure SSO, your users can sign in by using their Azure AD credentials.
Azure AD has a gallery that contains thousands of pre-integrated applications that use SSO. This article uses an enterprise application named **Azure AD SAML Toolkit 1** as an example, but the concepts apply for most pre-configured enterprise applications in the gallery.
To configure SSO, you need:
To enable SSO for an application:
-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.
-1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to use. For example, **Azure AD SAML Toolkit 1**.
+1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Browse to **Azure Active Directory** > **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to use. For example, **Azure AD SAML Toolkit 1**.
1. In the **Manage** section of the left menu, select **Single sign-on** to open the **Single sign-on** pane for editing. 1. Select **SAML** to open the SSO configuration page. After the application is configured, users can sign in to it by using their credentials from the Azure AD tenant. 1. The process of configuring an application to use Azure AD for SAML-based SSO varies depending on the application. For any of the enterprise applications in the gallery, use the **configuration guide** link to find information about the steps needed to configure the application. The steps for the **Azure AD SAML Toolkit 1** are listed in this article.
active-directory Add Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal.md
# Quickstart: Add an enterprise application
-In this quickstart, you use the Azure Active Directory Admin Center to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of enterprise applications that have been pre-integrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md).
+In this quickstart, you use the Azure portal to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of enterprise applications that have been pre-integrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md).
It is recommended that you use a non-production environment to test the steps in this quickstart.
To add an enterprise application to your Azure AD tenant, you need:
To add an enterprise application to your tenant:
-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.
-1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
+1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Browse to **Azure Active Directory** > **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
1. In the **Enterprise applications** pane, select **New application**. 1. The **Browse Azure AD Gallery** pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the **Featured applications** section have icons indicating whether they support federated single sign-on (SSO) and provisioning. Search for and select the application. In this quickstart, **Azure AD SAML Toolkit** is being used.
active-directory App Management Videos https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/app-management-videos.md
___
>[!Video https://www.youtube.com/embed/19v7WSt9HwU] :::column-end::: :::column:::
- 2 - [How do I grant admin consent in the Azure AD portal](https://www.youtube.com/watch?v=LSYcelwdhHI&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=5)(1:19)
+ 2 - [How do I grant admin consent in the Azure portal](https://www.youtube.com/watch?v=LSYcelwdhHI&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=5)(1:19)
:::column-end::: :::column::: >[!Video https://www.youtube.com/embed/LSYcelwdhHI]
active-directory Application List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-list.md
When filtered to **All Applications**, the **All Applications** **List** shows e
- When you add any application from the application gallery, including:
- - **Azure AD - Enterprise applications** ΓÇô Apps added to your tenant using the **Enterprise applications** option on the Azure AD portal. Usually apps integrated using the SAML standard.
- - **Azure AD - App registrations** ΓÇô Apps added to your tenant using the **App registrations** option on the Azure AD portal. Usually custom developed apps using the Open ID Connect and OAuth standards.
+ - **Azure AD - Enterprise applications** ΓÇô Apps added to your tenant using the **Enterprise applications** option on the Azure portal. Usually apps integrated using the SAML standard.
+ - **Azure AD - App registrations** ΓÇô Apps added to your tenant using the **App registrations** option on the Azure portal. Usually custom developed apps using the Open ID Connect and OAuth standards.
- **Application Proxy Applications** ΓÇô An application running in your on-premises environment that you want to provide secure single-sign on to externally - When signing up for, or signing in to, a third-party application integrated with Azure Active Directory. One example is [Smartsheet](https://app.smartsheet.com/b/home) or [DocuSign](https://www.docusign.net/member/MemberLogin.aspx). - Microsoft apps such as Microsoft 365.
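Review bot: the dashes in both the removed and added bullet lines show as "ΓÇô" in this diff, which is what a UTF-8 en dash looks like when read with the wrong code page; confirm the file is saved as UTF-8 before merging so the dash renders correctly, and consider a plain hyphen or colon after the bold label to avoid the problem entirely.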
active-directory Application Management Certs Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-management-certs-faq.md
Previously updated : 03/19/2021 Last updated : 03/03/2023
The owner of the application or Global Administrator or Application Administrato
In Azure AD, you can set up certificate signing options and the certificate signing algorithm. To learn more, see [Advanced SAML token certificate signing options for Azure AD apps](certificate-signing-options.md).
+## What type of certificate can I use for configuring the SAML Certificate for single sign-on?
+
+The recommendation for the SAML single sign-on certificate depends on your organization's security requirements and policies.
+If your organization has an internal certificate authority (PKI), using a certificate from the internal PKI can provide a higher level of security and trust. This is because the internal PKI is under the control of your organization and can be managed and monitored to ensure the security of the certificate.
+
+On the other hand, if your organization doesn't have an internal certificate authority, using a certificate from an external certificate authority such as DigiCert can provide a higher level of trust and security. This is because external certificate authorities are trusted by many organizations and are subject to strict security and validation requirements.
+ ## I need to replace the certificate for Azure AD Application Proxy applications and need more instructions To replace certificates for Azure AD Application Proxy applications, see [PowerShell sample - Replace certificate in Application Proxy apps](../app-proxy/scripts/powershell-get-custom-domain-replace-cert.md).
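Review bot: the new answer does not answer its own question. The heading asks what type of certificate can be used, but both paragraphs only discuss who issues it, and each says its option "can provide a higher level of security and trust" without saying compared to what, so the reader gets no decision rule. Suggest one sentence stating the certificate requirements that apply to either option, then a short statement of when an internal PKI certificate is preferred and when a public CA certificate is, dropping the duplicated "higher level" phrasing and keeping "such as DigiCert" clearly as an example rather than an endorsement.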
active-directory Application Sign In Other Problem Access Panel https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-other-problem-access-panel.md
My Apps is a web-based portal that enables a user with a work or school account
To learn more about using Azure AD as an identity provider for an app, see the [What is Application Management in Azure AD](what-is-application-management.md). To get up to speed quickly, check out the [Quickstart Series on Application Management](view-applications-portal.md).
-These applications are configured on behalf of the user in the Azure AD portal. The application must be configured properly and assigned to the user or a group the user is a member of to see the application in My Apps.
+These applications are configured on behalf of the user in the Azure portal. The application must be configured properly and assigned to the user or a group the user is a member of to see the application in My Apps.
The type of apps a user may be seeing fall in the following categories:
active-directory Assign User Or Group Access Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md
To assign users to an enterprise application, you need:
To assign a user or group account to an enterprise application:
-1. In the [Azure Active Directory Admin Center](https://aad.portal.azure.com), select **Enterprise applications**, and then search for and select the application to which you want to assign the user or group account.
-1. In the left pane, select **Users and groups**, and then select **Add user/group**.
+1. In the [Azure portal](https://portal.azure.com), select **Enterprise applications**, and then search for and select the application to which you want to assign the user or group account.
+1. Browse to **Azure Active Directory** > **Users and groups**, and then select **Add user/group**.
:::image type="content" source="media/add-application-portal-assign-users/assign-user.png" alt-text="Assign user account to an application in your Azure AD tenant.":::
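Review bot: the new step 2 has a logic problem. "Browse to **Azure Active Directory** > **Users and groups**" replaces "In the left pane, select **Users and groups**", but the removed line refers to the **Users and groups** entry in the selected application's own pane, and the new path navigates away from the application chosen in step 1. The "browse to **Azure Active Directory** >" prefix belongs on step 1 instead, matching the other quickstarts in this change set ("In the [Azure portal](https://portal.azure.com), browse to **Azure Active Directory** > **Enterprise applications**, ..."), and step 2 should keep "In the left pane, select **Users and groups**, and then select **Add user/group**."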
active-directory Certificate Signing Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/certificate-signing-options.md
Azure AD supports two signing algorithms, or secure hash algorithms (SHAs), to s
To change an application's SAML certificate signing options and the certificate signing algorithm, select the application in question:
-1. In the [Azure Active Directory portal](https://aad.portal.azure.com/), sign in to your account. The **Azure Active Directory admin center** page appears.
-1. In the left pane, select **Enterprise applications**. A list of the enterprise applications in your account appears.
+1. In the [Azure portal](https://portal.azure.com), sign in to your account.
+1. Browse to **Azure Active Directory** > **Enterprise applications**. A list of the enterprise applications in your account appears.
1. Select an application. An overview page for the application appears. In this example, the Salesforce application is used. ![Example: Application overview page](./media/certificate-signing-options/application-overview-page.png)
active-directory Custom Security Attributes Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/custom-security-attributes-apps.md
Learn how to work with custom attributes for applications in Azure AD.
Undertake the following steps to assign custom security attributes through the Azure portal.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**, then select **Enterprise applications**.
Undertake the following steps to assign custom security attributes through the A
### Update custom security attribute assignment values for an application
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**, then select **Enterprise applications**.
Undertake the following steps to assign custom security attributes through the A
You can filter the list of custom security attributes assigned to applications on the **All applications** page.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**, then select **Enterprise applications**.
You can filter the list of custom security attributes assigned to applications o
### Remove custom security attribute assignments from applications
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**, then select **Enterprise applications**.
active-directory Delete Application Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/delete-application-portal.md
To delete an enterprise application, you need:
:::zone pivot="portal"
-1. Sign in to the [Azure AD portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to delete. For example, **Azure AD SAML Toolkit 1**. 1. In the **Manage** section of the left menu, select **Properties**. 1. At the top of the **Properties** pane, select **Delete**, and then select **Yes** to confirm you want to delete the application from your Azure AD tenant.
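Review bot: the added step 1 reads "Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites"; the doubled "sign in" should become "Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites", which is the wording the other quickstarts in this change set use.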
active-directory F5 Aad Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-aad-integration.md
When Azure AD pre-authenticates access to BIG-IP published services, there are m
Other benefits include: - One control plane to govern identity and access
- - The [Azure AD portal](https://azure.microsoft.com/features/azure-portal/)
+ - The [Azure portal](https://azure.microsoft.com/features/azure-portal/)
- Preemptive [Conditional Access](../conditional-access/overview.md) - [Azure AD Multi-Factor Authentication (MFA)](../authentication/concept-mfa-howitworks.md) - Adaptive protection through user and session risk profiling
active-directory F5 Aad Password Less Vpn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-aad-password-less-vpn.md
To improve the tutorial experience, you can learn industry-standard terminology
Set up a SAML federation trust between the BIG-IP to allow the Azure AD BIG-IP to hand off the pre-authentication and [Conditional Access](../conditional-access/overview.md) to Azure AD, before it grants access to the published VPN service.
-1. Sign in to the Azure AD portal with application admin rights.
+1. Sign in to the Azure portal with application admin rights.
2. From the left navigation pane, select the **Azure Active Directory service**. 3. Go to **Enterprise Applications** and from the top ribbon select **New application**. 4. In the gallery, search for F5 and select **F5 BIG-IP APM Azure AD integration**.
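Review bot: while this step list is being touched, the unchanged intro sentence above it reads "Set up a SAML federation trust between the BIG-IP to allow the Azure AD BIG-IP to hand off", which has lost words; it should say what the trust is between, for example "Set up a SAML federation trust between the BIG-IP and Azure AD to allow the BIG-IP to hand off the pre-authentication and Conditional Access to Azure AD".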
active-directory F5 Big Ip Forms Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-forms-advanced.md
There are many methods to configure BIG-IP for this scenario, including a templa
Before BIG-IP can hand off pre-authentication to Azure AD, it must be registered in your tenant. This is the first step in establishing SSO between both entities. It's no different from making any IdP aware of a SAML relying party. In this case, the app that you create from the F5 BIG-IP gallery template is the relying party that represents the SAML SP for the BIG-IP published application.
-1. Sign in to the [Azure AD portal](https://portal.azure.com) by using an account with Application Administrator permissions.
+1. Sign in to the [Azure portal](https://portal.azure.com) by using an account with Application Administrator permissions.
2. From the left pane, select the **Azure Active Directory** service.
active-directory F5 Big Ip Header Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-header-advanced.md
There are many methods to configure BIG-IP for this scenario, including two temp
Setting up a SAML federation trust between BIG-IP APM and Azure AD is one of the first step in implementing SHA. It establishes the integration required for BIG-IP to hand off pre-authentication and [conditional access](../conditional-access/overview.md) to Azure AD, before granting access to the published service.
-1. Sign-in to the Azure AD portal using an account with application administrative rights.
+1. Sign-in to the Azure portal using an account with application administrative rights.
2. From the left navigation pane, select the **Azure Active Directory** service
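Review bot: "Sign-in" is the noun form; as an imperative the added step should read "Sign in to the Azure portal using an account with application administrative rights." The unchanged sentence above also has "one of the first step", which should be "one of the first steps", and step 2 is missing its trailing period.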
active-directory F5 Big Ip Headers Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-headers-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign-in to the [Azure AD portal](https://portal.azure.com/) using an account with Application Administrative rights
+1. Sign-in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights
2. From the left navigation pane, select the **Azure Active Directory** service 3. Under Manage, select **App registrations > New registration** 4. Enter a display name for your application. For example, *F5 BIG-IP Easy Button*
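Review bot: same verb-form issue as in the header-advanced article: the added step 1 should start "Sign in to the [Azure portal](https://portal.azure.com/)", not "Sign-in to", and steps 1 to 3 are missing their trailing periods while step 4 has one.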
active-directory F5 Big Ip Kerberos Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-kerberos-advanced.md
This article covers the advanced configuration, a flexible SHA implementing that
Before BIG-IP can hand off pre-authentication to Azure AD, register it in your tenant. This process initiates SSO between both entities. The app you create from the F5 BIG-IP gallery template is the relying party that represents the SAML SP for the BIG-IP published application.
-1. Sign in to the [Azure AD portal](https://portal.azure.com) with Application Administrator permissions.
+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrator permissions.
2. From the left pane, select the **Azure Active Directory** service. 3. On the left menu, select **Enterprise applications**. The **All applications** pane appears with a list of the applications in your Azure AD tenant. 4. On the **Enterprise applications** pane, select **New application**.
active-directory F5 Big Ip Ldap Header Easybutton https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-ldap-header-easybutton.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration to authorize the **Easy Button** access to Graph. With these permissions, the BIG-IP can push the configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign in to the [Azure AD portal](https://portal.azure.com) using an account with Application Administrative rights.
+1. Sign in to the [Azure portal](https://portal.azure.com) using an account with Application Administrative rights.
2. From the left navigation pane, select the **Azure Active Directory** service. 3. Under Manage, select **App registrations > New registration**. 4. Enter a display name for your application. For example, F5 BIG-IP Easy Button.
active-directory F5 Big Ip Oracle Enterprise Business Suite Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-enterprise-business-suite-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign in to the [Azure AD portal](https://portal.azure.com/) with Application Administrative rights
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights
2. From the left navigation pane, select the **Azure Active Directory** service
active-directory F5 Big Ip Oracle Jde Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-jde-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign in to the [Azure AD portal](https://portal.azure.com/) with Application Administrative rights
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights
2. From the left navigation pane, select the **Azure Active Directory** service
active-directory F5 Big Ip Oracle Peoplesoft Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-peoplesoft-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Throught these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign in to the [Azure AD portal](https://portal.azure.com/) with Application Administrative rights
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights
2. From the left navigation pane, select the **Azure Active Directory** service
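Review bot: the context line two lines above this hunk still reads "Throught these permissions"; since the PeopleSoft article is already touched by this change, correcting that typo to "Through" here avoids a second round trip.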
active-directory F5 Big Ip Sap Erp Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-sap-erp-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
The Easy Button client must also be registered in Azure AD, before it is allowed to establish a trust between each SAML SP instance of a BIG-IP published application, and Azure AD as the SAML IdP.
-1. Sign-in to the [Azure AD portal](https://portal.azure.com/) using an account with Application Administrative rights
+1. Sign-in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights
2. From the left navigation pane, select the **Azure Active Directory** service
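Review bot: "Sign-in to the [Azure portal]" uses the hyphenated noun form as a verb; the rewritten step should read "Sign in to the Azure portal", matching the other three Easy Button hunks in this change.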
active-directory Manage Application Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-application-permissions.md
To review permissions granted to applications, you need:
## Review permissions
-You can access the Azure AD portal to get contextual PowerShell scripts to perform the actions.
+You can access the Azure portal to get contextual PowerShell scripts to perform the actions.
To review application permissions:
active-directory Manage Self Service Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-self-service-access.md
# Enable self-service application assignment
-In this article, you learn how to enable self-service application access using the Azure Active Directory Admin Center.
+In this article, you learn how to enable self-service application access using the Azure portal.
Before your users can self-discover applications from the [My Apps portal](my-apps-deployment-plan.md), you need to enable **Self-service application access** for the applications. This functionality is available for applications that were added from the Azure AD Gallery, [Azure AD Application Proxy](../app-proxy/application-proxy.md), or were added using [user or admin consent](../develop/application-consent-experience.md).
active-directory Migrate Adfs Apps To Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-apps-to-azure.md
No matter how your existing external users are configured, they likely have perm
## Migrate and test your apps
-Follow the migration process detailed in this article. Then go to the [Azure portal](https://aad.portal.azure.com/) to test if the migration was a success.
+Follow the migration process detailed in this article. Then go to the [Azure portal](https://portal.azure.com/) to test if the migration was a success.
Follow these instructions:
-1. Select **Enterprise Applications** > **All applications** and find your app from the list.
+1. Browse to **Azure Active Directory** > **Enterprise Applications** > **All applications** and find your app from the list.
1. Select **Manage** > **Users and groups** to assign at least one user or group to the app. 1. Select **Manage** > **Conditional Access**. Review your list of policies and ensure that you are not blocking access to the application with a [conditional access policy](../conditional-access/overview.md).
active-directory Migrate Application Authentication To Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory.md
During the process of the migration, your app may already have a test environmen
You can test each app by logging in with a test user and make sure all functionality is the same as prior to the migration. If you determine during testing that users will need to update their [MFA](../authentication/howto-mfa-userstates.md) or [SSPR](../authentication/tutorial-enable-sspr.md)settings, or you are adding this functionality during the migration, be sure to add that to your end-user communication plan. See [MFA](https://aka.ms/mfatemplates) and [SSPR](https://aka.ms/ssprtemplates) end-user communication templates.
-Once you have migrated the apps, go to the [Azure portal](https://aad.portal.azure.com/) to test if the migration was a success. Follow the instructions below:
+Once you have migrated the apps, go to the [Azure portal](https://portal.azure.com/) to test if the migration was a success. Follow the instructions below:
-- Select **Enterprise Applications &gt; All applications** and find your app from the list.-- Select **Manage &gt; Users and groups** to assign at least one user or group to the app.-- Select **Manage &gt; Conditional Access**. Review your list of policies and ensure that you are not blocking access to the application with a [conditional access policy](../conditional-access/overview.md).
+- Browse to **Azure Active Directory** > **Enterprise Applications** > **All applications** and find your app from the list.
+- Select **Users and groups** to assign at least one user or group to the app.
+- Select **Conditional Access**. Review your list of policies and ensure that you are not blocking access to the application with a [conditional access policy](../conditional-access/overview.md).
Depending on how you configure your app, verify that SSO works properly.
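Review bot: the new bullets drop the **Manage** prefix ("Select **Users and groups**", "Select **Conditional Access**"), while the parallel numbered list in the ADFS migration hunk above keeps "Select **Manage** > **Users and groups**" and "Select **Manage** > **Conditional Access**"; both lists walk the same Enterprise Applications pane, so pick one form and use it in both articles.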
Visit the following support links to create or track support ticket and monitor
- **Azure Support:** You can call [Microsoft Support](https://azure.microsoft.com/support) and open a ticket for any Azure Identity deployment issue depending on your Enterprise Agreement with Microsoft. - **FastTrack**: If you have purchased Enterprise Mobility and Security (EMS) or Azure AD Premium licenses, you are eligible to receive deployment assistance from the [FastTrack program.](/enterprise-mobility-security/solutions/enterprise-mobility-fasttrack-program)-- **Engage the Product Engineering team:** If you are working on a major customer deployment with millions of users, you are entitled to support from the Microsoft account team or your Cloud Solutions Architect. Based on the projectΓÇÖs deployment complexity, you can work directly with the [Azure Identity Product Engineering team.](https://aad.portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/solutionProviders)
+- **Engage the Product Engineering team:** If you are working on a major customer deployment with millions of users, you are entitled to support from the Microsoft account team or your Cloud Solutions Architect. Based on the projectΓÇÖs deployment complexity, you can work directly with the [Azure Identity Product Engineering team.](https://portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/solutionProviders)
- **Azure AD Identity blog:** Subscribe to the [Azure AD Identity blog](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/bg-p/Identity) to stay up to date with all the latest product announcements, deep dives, and roadmap information provided directly by the Identity engineering team.
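Review bot: the `+` bullet only swaps the host in the deep link (`https://portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/solutionProviders`); blade fragments are not guaranteed to be identical between the two portals, so open the new URL and confirm it still lands on the solution providers page before merging.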
active-directory Migrate Applications From Okta To Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-applications-from-okta-to-azure-active-directory.md
To migrate a SAML 2.0 application to Azure AD, configure the application in your
To complete the migration, repeat the configuration for all applications in the Okta tenant.
-2. In the [Azure Active Directory admin center](https://aad.portal.azure.com), select **Azure Active Directory** > **Enterprise applications** > **+ New application**.
+2. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** > **Enterprise applications** > **+ New application**.
![Screenshot of the New Application option on All applications.](media/migrate-applications-from-okta-to-azure-active-directory/list-of-new-applications.png)
To complete the migration, repeat the configuration for all applications in the
![Screenshot of the New from Metadata File option under Single Sign On Settings.](media/migrate-applications-from-okta-to-azure-active-directory/salesforce-admin-console.png)
-7. Upload the XML file you downloaded from the Azure AD portal. Then select **Create**.
+7. Upload the XML file you downloaded from the Azure portal. Then select **Create**.
8. Upload the certificate you downloaded from Azure. Select **Save**. ![Screenshot of the Identity Provider Certificate entry under SAML Single Sign On.](media/migrate-applications-from-okta-to-azure-active-directory/create-saml-provider.png)
To complete the migration, repeat the configuration for all applications in the
![Screenshot of the Download Metadata option, also entries for Entity ID and Your Organization.](media/migrate-applications-from-okta-to-azure-active-directory/record-values-for-azure.png)
-11. To upload the file to the Azure AD portal, in the Azure AD **Enterprise applications** page, in the SAML SSO settings, select **Upload metadata file**.
+11. To upload the file to the Azure portal, in the Azure AD **Enterprise applications** page, in the SAML SSO settings, select **Upload metadata file**.
12. Ensure the imported values match the recorded values. Select **Save**. ![Screenshot of entries for SAML-based sign-on, and Basic SAML Configuration.](media/migrate-applications-from-okta-to-azure-active-directory/upload-metadata-file.png)
To migrate an OpenID Connect (OIDC) or OAuth 2.0 application to Azure AD, in you
To complete the migration, repeat configuration for all applications in the Okta tenant.
-1. In the [Azure AD portal](https://aad.portal.azure.com), select **Azure Active Directory** > **Enterprise applications**.
+1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** > **Enterprise applications**.
2. Under **All applications**, select **New application**. 3. Select **Create your own application**. 4. On the menu that appears, name the OIDC app and then select **Register an application you're working on to integrate with Azure AD**.
active-directory Migrate Okta Sign On Policies To Azure Active Directory Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md
After you've configured the prerequisites and established the base settings, it'
1. To configure Conditional Access policies in Azure AD, go to the [Azure portal](https://portal.azure.com). On **Manage Azure Active Directory**, select **View**.
- Configure Conditional Access policies by following [best
-practices for deploying and designing Conditional Access](../conditional-access/plan-conditional-access.md#understand-conditional-access-policy-components).
+ Configure Conditional Access policies by following [best practices for deploying and designing Conditional Access](../conditional-access/plan-conditional-access.md#conditional-access-policy-components).
1. To mimic the global sign-on MFA policy from Okta, [create a policy](../conditional-access/howto-conditional-access-policy-all-users-mfa.md).
active-directory Migrate Okta Sync Provisioning To Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sync-provisioning-to-azure-active-directory.md
You've now successfully migrated to Azure AD Connect server-based provisioning.
After you disable Okta provisioning, the Azure AD cloud sync agent is ready to begin synchronizing objects.
-1. Go to the [Azure AD portal](https://aad.portal.azure.com/).
+1. Go to the [Azure portal](https://portal.azure.com/).
-1. In the **Configuration** profile, select **Enable**.
+1. Browse to **Azure Active Directory** > **Azure AD Connect** > **Cloud Sync** > **Configuration** profile, select **Enable**.
1. Return to the provisioning menu and select **Logs**.
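Review bot: the rewritten step 2 is a comma splice ("Browse to ... > **Configuration** profile, select **Enable**"); "Browse to **Azure Active Directory** > **Azure AD Connect** > **Cloud Sync**, open the **Configuration** profile, and select **Enable**" reads as one instruction and keeps the navigation path separate from the action.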
active-directory Secure Hybrid Access Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access-integrations.md
The solution that you build can include the following parts:
* **App discovery** - Often, customers aren't aware of every application in use * Application discovery finds applications, facilitating app integrating with Azure AD
-* **App migration** - Create a workflow to integrate apps with Azure AD without using the Azure AD portal
+* **App migration** - Create a workflow to integrate apps with Azure AD without using the Azure portal
* Integrate apps that customers use today * **Legacy authentication support** - Connect apps with legacy authentication methods and single sign-on (SSO)
-* **Conditional Access** - Enable customers to apply Azure AD policies to apps in your solution without using the Azure AD portal
+* **Conditional Access** - Enable customers to apply Azure AD policies to apps in your solution without using the Azure portal
Learn more: [What is Conditional Access?](../conditional-access/overview.md)
active-directory Tenant Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tenant-restrictions.md
The headers should include the following elements:
- For *Restrict-Access-Context*, use a value of a single directory ID, declaring which tenant is setting the tenant restrictions. For example, to declare Contoso as the tenant that set the tenant restrictions policy, the name/value pair looks like: `Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d`. You *must* use your own directory ID here to get logs for these authentications. If you use any directory ID other than your own, those sign-in logs *will* appear in someone else's tenant, with all personal information removed. For more information, see [Admin experience](#admin-experience). > [!TIP]
-> You can find your directory ID in the [Azure Active Directory portal](https://aad.portal.azure.com/). Sign in as an administrator, select **Azure Active Directory**, then select **Properties**.
+> You can find your directory ID in the [Azure portal](https://portal.azure.com). Sign in as an administrator, select **Azure Active Directory**, then select **Properties**.
> > To validate that a directory ID or domain name refer to the same tenant, use that ID or domain in place of \<tenant\> in this URL: `https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration`. If the results with the domain and the ID are the same, they refer to the same tenant.
An example user is on the Contoso network, but is trying to access the Fabrikam
While configuration of tenant restrictions is done on the corporate proxy infrastructure, admins can access the tenant restrictions reports in the Azure portal directly. To view the reports:
-1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/). The **Azure Active Directory admin center** dashboard appears.
+1. Sign in to the [Azure portal](https://portal.azure.com).
-2. In the left pane, select **Azure Active Directory**. The Azure Active Directory overview page appears.
+2. Browse to **Azure Active Directory**. The Azure Active Directory overview page appears.
3. On the Overview page, select **Tenant restrictions**.
active-directory Tutorial Manage Certificates For Federated Single Sign On https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md
By default, Azure configures a certificate to expire after three years when it's
1. Save the new certificate. 1. Download the new certificate in the correct format. 1. Upload the new certificate to the application.
-1. Make the new certificate active in the Azure Active Directory portal.
+1. Make the new certificate active in the Azure portal.
The following two sections help you perform these steps.
The following two sections help you perform these steps.
First, create and save new certificate with a different expiration date:
-1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/). The **Azure Active Directory admin center** page appears.
-1. Select **Enterprise applications**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Browse to **Azure Active Directory** > **Enterprise applications**.
1. From the list of applications, select your desired application. 1. Under the **Manage** section, select **Single sign-on**. 1. If the **Select a single sign-on method** page appears, select **SAML**.
active-directory View Applications Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/view-applications-portal.md
# Quickstart: View enterprise applications
-In this quickstart, you learn how to use the Azure Active Directory Admin Center to search for and view the enterprise applications that are already configured in your Azure Active Directory (Azure AD) tenant.
+In this quickstart, you learn how to use the Azure portal to search for and view the enterprise applications that are already configured in your Azure Active Directory (Azure AD) tenant.
It is recommended that you use a non-production environment to test the steps in this quickstart.
To view applications that have been registered in your Azure AD tenant, you need
To view the enterprise applications registered in your tenant:
-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.
-1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
+1. Go to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Browse to **Azure Active Directory** > **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
:::image type="content" source="media/view-applications-portal/view-enterprise-applications.png" alt-text="View the registered applications in your Azure AD tenant.":::
active-directory Azure Pim Resource Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/azure-pim-resource-rbac.md
My audit enables you to view your personal role activity.
## Get reason, approver, and ticket number for approval events
-1. Sign in to the [Azure portal](https://aad.portal.azure.com) with Privileged Role administrator role permissions, and open Azure AD.
+1. Sign in to the [Azure portal](https://portal.azure.com) with Privileged Role administrator role permissions, and open Azure AD.
1. Select **Audit logs**. 1. Use the **Service** filter to display only audit events for the Privileged identity Management service. On the **Audit logs** page, you can:
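Review bot: "Privileged Role administrator role permissions" in the `+` line capitalizes the role name inconsistently with "Privileged Role Administrator permissions" in the pim-how-to-add-role-to-user hunk further down; use the proper role name "Privileged Role Administrator" in both places.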
active-directory Groups Activate Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-activate-roles.md
This article is for eligible members or owners who want to activate their group
When you need to take on a group membership or ownership, you can request activation by using the **My roles** navigation option in PIM.
-1. [Sign in to Azure AD portal](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> My roles -> Groups (Preview)**. >[!NOTE]
If the [role requires approval](pim-resource-roles-approval-workflow.md) to acti
You can view the status of your pending requests to activate. It is specifically important when your requests undergo approval of another person.
-1. [Sign in to Azure AD portal](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> My requests -> Groups (Preview)**.
You can view the status of your pending requests to activate. It is specifically
## Cancel a pending request
-1. [Sign in to Azure AD portal](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> My requests -> Groups (Preview)**.
active-directory Groups Approval Workflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-approval-workflow.md
Follow the steps in this article to approve or deny requests for group membershi
As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view pending requests in Privileged Identity Management.
-1. [Sign in to Azure AD portal](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> Approve requests -> Groups (Preview)**.
active-directory Groups Assign Member Owner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-assign-member-owner.md
When a membership or ownership is assigned, the assignment:
Follow these steps to make a user eligible member or owner of a group. You will need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group.
-1. [Sign in to Azure AD](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> Groups (Preview)** and view groups that are already enabled for PIM for Groups.
Follow these steps to make a user eligible member or owner of a group. You will
Follow these steps to update or remove an existing role assignment. You will need to have Global Administrator, Privileged Role Administrator role, or Owner role of the group.
-1. [Sign in to Azure AD](https://aad.portal.azure.com) with appropriate role permissions.
+1. [Sign in to the Azure portal](https://portal.azure.com) with appropriate role permissions.
1. Select **Azure AD Privileged Identity Management -> Groups (Preview)** and view groups that are already enabled for PIM for Groups.
active-directory Groups Audit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-audit.md
Follow these steps to view the audit history for groups in Privileged Identity M
**Resource audit** gives you a view of all activity associated with groups in PIM.
-1. [Sign in to Azure AD portal](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> Groups (Preview)**.
Follow these steps to view the audit history for groups in Privileged Identity M
**My audit** enables you to view your personal role activity for groups in PIM.
-1. [Sign in to Azure AD portal](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> Groups (Preview)**.
active-directory Groups Discover Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-discover-groups.md
Dynamic groups and groups synchronized from on-premises environment cannot be ma
You should either be a group Owner, have Global Administrator role, or Privileged Role Administrator role to bring the group under management with PIM.
-1. [Sign in to Azure AD](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> Groups (Preview)** and view groups that are already enabled for PIM for Groups.
active-directory Groups Role Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-role-settings.md
You need to have Global Administrator, Privileged Role Administrator, or group O
Follow these steps to open the settings for a group role.
-1. [Sign in to Azure AD portal](https://aad.portal.azure.com).
+1. [Sign in to the Azure portal](https://portal.azure.com).
1. Select **Azure AD Privileged Identity Management -> Groups (Preview)**.
active-directory Pim Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-configure.md
Privileged Identity Management supports the following scenarios:
In Privileged Identity Management (PIM), you can now assign eligibility for membership or ownership of PIM for Groups. Starting with this preview, you can assign Azure Active Directory (Azure AD) built-in roles to cloud groups and use PIM to manage group member and owner eligibility and activation. For more information about role-assignable groups in Azure AD, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md). >[!Important]
-> To assign a PIM for Groups to a role for administrative access to Exchange, Security & Compliance Center, or SharePoint, use the Azure AD portal **Roles and Administrators** experience and not in the PIM for Groups experience to make the user or group eligible for activation into the group.
+> To assign a PIM for Groups to a role for administrative access to Exchange, Security & Compliance Center, or SharePoint, use the Azure portal **Roles and Administrators** experience and not in the PIM for Groups experience to make the user or group eligible for activation into the group.
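Review bot: beyond the portal rename, the sentence "use the Azure portal **Roles and Administrators** experience and not in the PIM for Groups experience" has a stray "in"; "rather than the PIM for Groups experience" fixes it, and "assign a PIM for Groups to a role" reads as though the word "group" is missing ("assign a PIM for Groups group to a role").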
### Different just-in-time policies for each group
With the PIM for Groups preview, you can give workload-specific administrators q
## Invite guest users and assign Azure resource roles in Privileged Identity Management
-Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure AD. For example, you can use these Privileged Identity Management features for Azure identity tasks with guests such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. For more information on how to invite a guest to your organization and manage their access, see [Add B2B collaboration users in the Azure AD portal](../external-identities/add-users-administrator.md).
+Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure AD. For example, you can use these Privileged Identity Management features for Azure identity tasks with guests such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. For more information on how to invite a guest to your organization and manage their access, see [Add B2B collaboration users in the Azure portal](../external-identities/add-users-administrator.md).
### When would you invite guests?
active-directory Pim How To Add Role To User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-add-role-to-user.md
Follow these steps to make a user eligible for an Azure AD admin role.
For certain roles, the scope of the granted permissions can be restricted to a single admin unit, service principal, or application. This procedure is an example if assigning a role that has the scope of an administrative unit. For a list of roles that support scope via administrative unit, see [Assign scoped roles to an administrative unit](../roles/admin-units-assign-roles.md). This feature is currently being rolled out to Azure AD organizations.
-1. Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with Privileged Role Administrator permissions.
+1. Sign in to the [Azure portal](https://portal.azure.com) with Privileged Role Administrator permissions.
1. Select **Azure Active Directory** > **Roles and administrators**.
active-directory Pim How To Change Default Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md
PIM role settings are also known as ΓÇ£PIM PoliciesΓÇ¥.
Follow these steps to open the settings for an Azure AD role.
-1. [Sign in to Azure AD](https://aad.portal.azure.com/)
+1. [Sign in to the Azure portal](https://portal.azure.com/)
1. Select **Azure AD Privileged Identity Management -> Azure AD Roles -> Roles**. On this page you can see list of Azure AD roles available in the tenant, including built-in and custom roles. :::image type="content" source="media/pim-how-to-change-default-settings/role-settings.png" alt-text="Screenshot of the list of Azure AD roles available in the tenant, including built-in and custom roles." lightbox="media/pim-how-to-change-default-settings/role-settings.png":::
active-directory Pim Resource Roles Configure Role Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md
PIM role settings are also known as ΓÇ£PIM PoliciesΓÇ¥.
Follow these steps to open the settings for an Azure resource role.
-1. [Sign in to Azure AD](https://aad.portal.azure.com/)
+1. [Sign in to the Azure portal](https://portal.azure.com/)
1. Select **Azure AD Privileged Identity Management -> Azure Resources**. On this page you can see list of Azure resources discovered in PIM. Use Resource type filter to select all required resource types.
active-directory Powershell For Azure Ad Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/powershell-for-azure-ad-roles.md
Use the following cmdlet to retrieve all role assignments in your Azure AD organ
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "926d99e7-117c-4a6a-8031-0cc481e9da26" ```
-Use the following cmdlet to retrieve all role assignments for a particular user. This list is also known as "My Roles" in the Azure AD portal. The only difference here is that you have added a filter for the subject ID. The subject ID in this context is the user ID or the group ID.
+Use the following cmdlet to retrieve all role assignments for a particular user. This list is also known as "My Roles" in the Azure portal. The only difference here is that you have added a filter for the subject ID. The subject ID in this context is the user ID or the group ID.
```powershell Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "926d99e7-117c-4a6a-8031-0cc481e9da26" -Filter "subjectId eq 'f7d1887c-7777-4ba3-ba3d-974488524a9d'"
active-directory Subscription Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/subscription-requirements.md
Azure AD Premium P2 licenses are **not** required for the following tasks:
- No licenses are required for users who set up PIM, configure policies, receive alerts, and set up access reviews.
-For more information about licenses, see [Assign or remove licenses using the Azure Active Directory portal](../fundamentals/license-users-groups.md).
+For more information about licenses, see [Assign or remove licenses using the Azure portal](../fundamentals/license-users-groups.md).
## Example license scenarios
active-directory Concept Usage Insights Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-usage-insights-report.md
Title: Usage and insights report | Microsoft Docs
-description: Introduction to usage and insights report in the Azure Active Directory portal
+description: Introduction to usage and insights report in the Azure portal
active-directory Howto Analyze Activity Logs Log Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics.md
To follow along, you need:
* A [Log Analytics workspace](../../azure-monitor/logs/log-analytics-workspace-overview.md) in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md). * First, complete the steps to [route the Azure AD activity logs to your Log Analytics workspace](howto-integrate-activity-logs-with-log-analytics.md). * [Access](../../azure-monitor/logs/manage-access.md#azure-rbac) to the log analytics workspace
-* The following roles in Azure Active Directory (if you're accessing Log Analytics through Azure Active Directory portal)
+* The following roles in Azure Active Directory (if you're accessing Log Analytics through Azure portal)
- Security Admin - Security Reader - Reports Reader
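Review bot: the `+` line reads "if you're accessing Log Analytics through Azure portal"; it should be "through the Azure portal" (the sibling change in howto-use-azure-monitor-workbooks.md uses "through the Azure portal"). While touching the line, note that the role names listed underneath ("Security Admin", "Security Reader", "Reports Reader") differ from the same list in the workbooks article ("Security Administrator"); the two articles should agree on the role names.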
active-directory Howto Use Azure Monitor Workbooks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md
To use Azure Workbooks for Azure AD, you need:
- Access to the Log Analytics workspace is determined by the workspace settings, access to the resources sending the data to the workspace, and the method used to access the workspace. - To ensure you have the right access, review the [Manage access to Log Analytics workspaces](../../azure-monitor/logs/manage-access.md?tabs=tabs=portal#azure-rbac) article.
-2. Ensure that you have one of the following roles in Azure AD (if you're accessing the workspace through the Azure AD portal):
+2. Ensure that you have one of the following roles in Azure AD (if you're accessing the workspace through the Azure portal):
- Security Administrator - Security Reader - Reports Reader
active-directory Howto Use Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-recommendations.md
Each recommendation provides the same set of details that explain what the recom
- The recommendation's **Value** is an explanation of why completing the recommendation will benefit you, and the value of the associated feature. -- The **Action plan** provides step-by-step instructions to implement a recommendation. The Action plan may include links to relevant documentation or direct you to other pages in the Azure AD portal.
+- The **Action plan** provides step-by-step instructions to implement a recommendation. The Action plan may include links to relevant documentation or direct you to other pages in the Azure portal.
- The **Impacted resources** table contains a list of resources identified by the recommendation. The resource's name, ID, date it was first detected, and status are provided. The resource could be an application or resource service principal, for example.
active-directory Overview Flagged Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-flagged-sign-ins.md
With flagging enabled, the same browser application and client must be used or t
### Admin: Find flagged events in reports
-1. In the Azure AD portal, go to **Sign-in logs** > **Add Filters**.
+1. In the Azure portal, go to **Sign-in logs** > **Add Filters**.
1. From the **Pick a field** menu, select **Flagged for review** and **Apply**. 1. All events that were flagged by users are shown. 1. If needed, apply more filters to refine the event view.
Any user signing into Azure AD via web page can use flag sign-ins for review. Me
## Who can review flagged sign-ins?
-Reviewing flagged sign-in events requires permissions to read the Sign-in Report events in the Azure AD portal. For more information, see [who can access it?](concept-sign-ins.md#how-do-you-access-the-sign-in-logs)
+Reviewing flagged sign-in events requires permissions to read the Sign-in Report events in the Azure portal. For more information, see [who can access it?](concept-sign-ins.md#how-do-you-access-the-sign-in-logs)
To flag sign-in failures, you don't need extra permissions.
active-directory Workbook Mfa Gaps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/workbook-mfa-gaps.md
The summary widget provides a detailed look at sign-ins related to multifactor a
- Select the link provided in the JSON editor, select the **Application-Insights-Workbooks** breadcrumb from the top of the page, select the **Workbooks** folder, select the **Azure Active Directory** folder, select the **MultiFactorAuthenticationGaps** folder, and open the **.workbook** file. ![Screenshot of the GitHub repository with the breadcrumbs and copy file button highlighted.](./media/workbook-mfa-gaps/github-repository.png) 1. Copy the entire JSON file from the GitHub repository.
-1. Return Advanced Editor window on the Azure AD portal and paste the JSON file over the exiting text.
+1. Return Advanced Editor window on the Azure portal and paste the JSON file over the exiting text.
1. Select the **Apply** button. The workbook will take a few moments to populate. 1. Select the **Save As** button and provide the required information. - Provide a **Title**, **Subscription**, **Resource Group** (you must have the ability to save a workbook for the selected Resource Group), and **Location**.
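Review bot: the `+` line keeps two pre-existing errors from the `-` line: "Return Advanced Editor window on the Azure portal" is missing "to the" and should read "Return to the Advanced Editor window in the Azure portal", and "over the exiting text" should be "over the existing text". Since the line is being rewritten anyway, fix both here.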
active-directory Admin Units Assign Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-assign-roles.md
You can assign an Azure AD role with an administrative unit scope by using the A
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit that you want to assign a user role scope to.
You can view a list of Azure AD role assignments with administrative unit scope
You can view all the role assignments created with an administrative unit scope in the [Administrative units section of Azure AD](https://portal.azure.com/?microsoft_aad_iam_adminunitprivatepreview=true&microsoft_aad_iam_rbacv2=true#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AdminUnit).
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit for the list of role assignments you want to view.
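Review bot: the unchanged line above the `-`/`+` pair still links readers to `https://portal.azure.com/?microsoft_aad_iam_adminunitprivatepreview=true&microsoft_aad_iam_rbacv2=true#blade/...`, a URL carrying private-preview feature flags. Since this hunk standardizes on the plain Azure portal and drops the admin-center link, that preview-flag URL should be checked and replaced with the standard Administrative units blade link, otherwise readers are pointed at flags that may no longer do anything.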
active-directory Admin Units Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-manage.md
You can create a new administrative unit by using either the Azure portal, Power
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Administrative units**.
In Azure AD, you can delete an administrative unit that you no longer need as a
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit you want to delete.
active-directory Admin Units Members Add https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-add.md
You can add users, groups, or devices to administrative units using the Azure po
### Add a single user, group, or device to administrative units
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
You can add users, groups, or devices to administrative units using the Azure po
### Add users, groups, or devices to a single administrative unit
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
You can add users, groups, or devices to administrative units using the Azure po
### Add users to an administrative unit in a bulk operation
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
You can add users, groups, or devices to administrative units using the Azure po
### Create a new group in an administrative unit
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
active-directory Admin Units Members Dynamic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-dynamic.md
Follow these steps to create administrative units with dynamic membership rules
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
When an administrative unit has been configured for dynamic membership, the usua
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
Follow these steps to change an administrative unit with dynamic membership rule
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
active-directory Admin Units Members List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-list.md
You can list the users, groups, or devices in administrative units using the Azu
### List the administrative units for a single user, group, or device
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
You can list the users, groups, or devices in administrative units using the Azu
### List the users, groups, or devices for a single administrative unit
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
You can list the users, groups, or devices in administrative units using the Azu
### List the devices for an administrative unit by using the All devices page
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
active-directory Admin Units Members Remove https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-remove.md
You can remove users, groups, or devices from administrative units individually
### Remove a single user, group, or device from administrative units
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
You can remove users, groups, or devices from administrative units individually
### Remove users, groups, or devices from a single administrative unit
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
You can remove users, groups, or devices from administrative units individually
### Remove users from an administrative unit in a bulk operation
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory**.
active-directory Assign Roles Different Scopes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/assign-roles-different-scopes.md
This section describes how to assign roles at the tenant scope.
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.
This section describes how to assign roles at an [administrative unit](administr
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory > Administrative units** to see the list of all administrative units.
This section describes how to assign roles at an application registration scope.
### Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory > App registrations** to see the list of all app registrations.
active-directory Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/best-practices.md
When planning your access control strategy, it's a best practice to manage to le
Follow these steps to help you find the right role.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** to see the list of Azure AD roles.
active-directory Custom Consent Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-consent-permissions.md
This article contains the currently available app consent permissions for custom
Use the permissions listed in this article to manage app consent policies, as well as the permission to grant consent to apps. > [!NOTE]
-> The Azure AD admin portal does not yet support adding the permissions listed in this article to a custom directory role definition. You must [use Azure AD PowerShell to create a custom directory role](custom-create.md#create-a-role-using-powershell) with the permissions listed in this article.
+> The Azure portal does not yet support adding the permissions listed in this article to a custom directory role definition. You must [use Azure AD PowerShell to create a custom directory role](custom-create.md#create-a-role-using-powershell) with the permissions listed in this article.
#### Granting delegated permissions to apps on behalf of self (user consent)
active-directory Custom Create https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-create.md
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
### Create a new custom role to grant access to manage app registrations
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** > **New custom role**.
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $resourceScope -
Like built-in roles, custom roles are assigned by default at the default organization-wide scope to grant access permissions over all app registrations in your organization. Additionally, custom roles and some relevant built-in roles (depending on the type of Azure AD resource) can also be assigned at the scope of a single Azure AD resource. This allows you to give the user the permission to update credentials and basic properties of a single app without having to create a second custom role.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) with Application Developer permissions.
+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Developer permissions.
1. Select **Azure Active Directory** > **App registrations**.
active-directory Custom Enterprise Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-enterprise-apps.md
Granting the update permission is done in two steps:
>[!NOTE] > Custom roles are created and managed at an organization-wide level and are available only from the organization's Overview page.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** and then select **New custom role**.
Granting the update permission is done in two steps:
### Assign the role to a user using the Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators**.
active-directory Groups Assign Role https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-assign-role.md
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
Assigning a group to an Azure AD role is similar to assigning users and service principals except that only groups that are role-assignable can be used. In the Azure portal, only groups that are role-assignable are displayed.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** and select the role you want to assign.
active-directory Groups Create Eligible https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-create-eligible.md
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
## Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group**.
active-directory Groups Remove Assignment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-remove-assignment.md
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
## Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** > *role name*.
active-directory Groups View Assignments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-view-assignments.md
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
## Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Groups**.
active-directory List Role Assignments Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/list-role-assignments-users.md
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
## Azure portal Follow these steps to list Azure AD roles for a user using the Azure portal. Your experience will be different depending on whether you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **Azure Active Directory** > **Users** > *user name* > **Assigned roles**.
active-directory Manage Roles Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/manage-roles-portal.md
Follow these steps to assign Azure AD roles using the Azure portal. Your experie
### Assign a role
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.
If you have [Azure AD Privileged Identity Management (PIM)](../privileged-identi
Follow these steps to assign roles using the [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) page. If you want to assign roles using the [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart) page, see [Assign Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-add-role-to-user.md).
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.
active-directory My Staff Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/my-staff-configure.md
To complete this article, you need the following resources and privileges:
Once you have configured administrative units, you can apply this scope to your users who access My Staff. Only users who are assigned an administrative role can access My Staff. To enable My Staff, complete the following steps:
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) as a Global Administrator, User Administrator, or Group Administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator, User Administrator, or Group Administrator.
1. Select **Azure Active Directory** > **User settings** > **User feature** > **Manage user feature settings**.
You can search for administrative units and users in your organization using the
## Audit logs
-You can view audit logs for actions taken in My Staff in the Azure Active Directory portal. If an audit log was generated by an action taken in My Staff, you will see this indicated under ADDITIONAL DETAILS in the audit event.
+You can view audit logs for actions taken in My Staff in the Azure portal. If an audit log was generated by an action taken in My Staff, you will see this indicated under ADDITIONAL DETAILS in the audit event.
## Next steps
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/permissions-reference.md
Users in this role can manage the Desktop Analytics service. This includes the a
Users in this role can read basic directory information. This role should be used for: * Granting a specific set of guest users read access instead of granting it to all guest users.
-* Granting a specific set of non-admin users access to Azure portal when "Restrict access to Azure AD portal to admins only" is set to "Yes".
+* Granting a specific set of non-admin users access to Azure portal when "Restrict access to Azure portal to admins only" is set to "Yes".
* Granting service principals access to directory where Directory.Read.All is not an option. > [!div class="mx-tableFixed"]
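Review bot: the `+` line edits text inside a quoted UI label, changing "Restrict access to Azure AD portal to admins only" to "Restrict access to Azure portal to admins only". A quoted setting name should match the label shown in the product, so confirm the label itself was renamed before applying a find-and-replace to it; if it was not, readers will no longer be able to locate the setting. Separately, "access to Azure portal" should read "access to the Azure portal".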
Users with this role have access to all administrative features in Azure Active
## Global Reader
-Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global Reader is the read-only counterpart to Global Administrator. Assign Global Reader instead of Global Administrator for planning, audits, or investigations. Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. Global Reader works with Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Microsoft 365 Defender portal, Microsoft Purview compliance portal, Azure AD admin center, and Device Management admin center.
+Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global Reader is the read-only counterpart to Global Administrator. Assign Global Reader instead of Global Administrator for planning, audits, or investigations. Use Global Reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. Global Reader works with Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Microsoft 365 Defender portal, Microsoft Purview compliance portal, Azure portal, and Device Management admin center.
Users with this role **cannot** do the following:
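Review bot: the `+` line carries over a pre-existing typo, "without the assigning the Global Administrator role"; it should read "without assigning the Global Administrator role". Also, in the list "Microsoft 365 admin center, Exchange admin center, ..., Azure portal, and Device Management admin center", the Azure portal is now the only entry that is not an "admin center"; that is fine, but check that the rest of the article's mentions of "Azure AD admin center" were updated the same way so the terminology is consistent.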
active-directory Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/prerequisites.md
To use AzureADPreview, follow these steps to make sure it is imported into the c
To manage Azure AD roles using the [Microsoft Graph API](/graph/overview) and [Graph Explorer](/graph/graph-explorer/graph-explorer-overview), you must do the following:
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Enterprise applications**.
active-directory Quickstart App Registration Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/quickstart-app-registration-limits.md
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
### Create a custom role
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** and then select **New custom role**.
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
### Assign the role
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators**.
active-directory Role Definitions List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/role-definitions-list.md
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
## Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.
active-directory Security Emergency Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/security-emergency-access.md
Create two or more emergency access accounts. These accounts should be cloud-onl
### How to create an emergency access account
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) as an existing Global Administrator.
+1. Sign in to the [Azure portal](https://portal.azure.com) as an existing Global Administrator.
1. Select **Azure Active Directory** > **Users**.
Organizations should monitor sign-in and audit log activity from the emergency a
### Obtain Object IDs of the break glass accounts
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) with an account assigned to the User Administrator role.
+1. Sign in to the [Azure portal](https://portal.azure.com) with an account assigned to the User Administrator role.
1. Select **Azure Active Directory** > **Users**. 1. Search for the break-glass account and select the userΓÇÖs name.
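Review bot: the unchanged context line following the `+` line contains a mis-encoded apostrophe ("the userΓÇÖs name"); it should be a plain "the user's name". Since the file is being edited, fix the encoding artifact in the same change.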
active-directory View Assignments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/view-assignments.md
Title: List Azure AD role assignments
-description: You can now see and manage members of an Azure Active Directory administrator role in the Azure Active Directory admin center.
+description: You can now see and manage members of an Azure Active Directory administrator role in the Azure portal.
For more information, see [Prerequisites to use PowerShell or Graph Explorer](pr
This procedure describes how to list role assignments with organization-wide scope.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **Roles and administrators** and then select a role to open it and view its properties.
To download all assignments for a specific role, follow these steps.
This section describes how to list role assignments with single-application scope. This feature is currently in public preview.
-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com).
+1. Sign in to the [Azure portal](https://portal.azure.com).
1. Select **Azure Active Directory** > **App registrations**, and then select the app registration to view its properties. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization.
active-directory Advance Kerbf5 Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/advance-kerbf5-tutorial.md
When you click the F5 tile in the Access Panel, you should be automatically sign
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try F5 with Azure AD](https://aad.portal.azure.com/)+ - [Configure F5 single sign-on for Header Based application](headerf5-tutorial.md)
active-directory Akamai Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/akamai-tutorial.md
Akamai EAA is configured as a single application on the Azure AD. Admin can conf
#### Integration Scenario 2
-Akamai EAA Application is set up individually on the Azure AD Portal. Admin can configure Individual he Conditional Access policy on the Application(s) and once the conditions are satisfied users can directly be redirected to the specific application.
+Akamai EAA Application is set up individually on the Azure portal. Admin can configure Individual he Conditional Access policy on the Application(s) and once the conditions are satisfied users can directly be redirected to the specific application.
**Pros**:
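Review bot: the `+` line carries the typo from the removed line forward: "Admin can configure Individual he Conditional Access policy on the Application(s)" should read "Admins can configure an individual Conditional Access policy on the application(s)". While the sentence is being touched, "set up individually on the Azure portal" reads better as "set up individually in the Azure portal", which is the wording the other tutorials in this batch use.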
active-directory Bright Pattern Omnichannel Contact Center Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bright-pattern-omnichannel-contact-center-tutorial.md
When you click the Bright Pattern Omnichannel Contact Center tile in the Access
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Bright Pattern Omnichannel Contact Center with Azure AD](https://aad.portal.azure.com/)
active-directory Checkpoint Infinity Portal Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/checkpoint-infinity-portal-tutorial.md
Follow these steps to enable Azure AD SSO in the Azure portal.
There are two ways for authorizing users:
-* Configure Check Point Infinity Portal application user roles in Azure AD portal
+* Configure Check Point Infinity Portal application user roles in Azure portal
* Configure Check Point Infinity Portal application user roles in Check Point Infinity Portal
-#### Configure Check Point Infinity Portal application user roles in Azure AD portal
+#### Configure Check Point Infinity Portal application user roles in Azure portal
In this section, you'll create Admin and Read-Only roles in the Azure portal.
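Review bot: the new bullet and heading say "in Azure portal" while the sentence directly under the heading says "in the Azure portal"; use the article in all three places so the section is consistent with itself.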
active-directory Cloudpassage Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cloudpassage-tutorial.md
When you click the CloudPassage tile in the Access Panel, you should be automati
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try CloudPassage with Azure AD](https://aad.portal.azure.com/)- <!--Image references--> [12]: ./media/cloudpassage-tutorial/tutorial_cloudpassage_07.png
active-directory Collaborativeinnovation Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/collaborativeinnovation-tutorial.md
When you click the Collaborative Innovation tile in the Access Panel, you should
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Collaborative Innovation with Azure AD](https://aad.portal.azure.com/)
active-directory Coralogix Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/coralogix-tutorial.md
When you click the Coralogix tile in the Access Panel, you should be automatical
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Coralogix with Azure AD](https://aad.portal.azure.com/)
active-directory Crossknowledge Learning Suite Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/crossknowledge-learning-suite-tutorial.md
When you click the CrossKnowledge Learning Suite tile in the Access Panel, you s
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try CrossKnowledge Learning Suite with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect CrossKnowledge Learning Suite with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Descartes Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/descartes-tutorial.md
Complete the following steps to enable Azure AD single sign-on in the Azure port
![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
-1. Compose a list of the Azure AD Groups you want the Descartes Application use for the Role-based configuration. A list of User Roles Descartes application modules can be found at https://www.gln.com/docs/Descartes_Application_User_Roles.pdf. You can find the Azure Active Direction Group GUIDs please download the Groups from your Azure AD Portal Groups.
+1. Compose a list of the Azure AD Groups you want the Descartes Application use for the Role-based configuration. A list of User Roles Descartes application modules can be found at https://www.gln.com/docs/Descartes_Application_User_Roles.pdf. You can find the Azure Active Direction Group GUIDs please download the Groups from your Azure portal Groups.
![Screenshot shows the AAD Portal Groups.](media/descartes-tutorial/copy-groups.png "Groups")
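Review bot: the rewritten step still contains two errors inherited from the old line: "Azure Active Direction Group GUIDs" should be "Azure Active Directory group GUIDs" (the group object IDs), and "you want the Descartes Application use" is missing "to". The last sentence is also a run-on; suggested wording: "To find the group object IDs, download the groups list from **Azure Active Directory > Groups** in the Azure portal." The screenshot alt text on the following line still says "AAD Portal Groups" and should be updated in the same pass.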
active-directory Docusign Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/docusign-tutorial.md
In this section, you'll grant B.Simon access to DocuSign so that this user can u
> [!NOTE] > Use the appropriate **User identifier** to map the user from Azure AD to DocuSign user mapping. Select the proper field, and enter the appropriate value based on your organization settings. Custom Attribute Mapping setting is not mandatory.
- i. In the **Identity Provider Certificates** section, select **ADD CERTIFICATE**, upload the certificate you downloaded from Azure AD portal, and select **SAVE**.
+ i. In the **Identity Provider Certificates** section, select **ADD CERTIFICATE**, upload the certificate you downloaded from Azure portal, and select **SAVE**.
![Screenshot of Identity Provider Certificates/Add Certificate.](media/docusign-tutorial/certificates.png)
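Review bot: "the certificate you downloaded from Azure portal" drops the article; make it "from the Azure portal", as the rest of the DocuSign tutorial and the other files in this batch phrase it.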
active-directory Dovetale Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/dovetale-tutorial.md
When you click the Dovetale tile in the Access Panel, you should be automaticall
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Dovetale with Azure AD](https://aad.portal.azure.com/)
active-directory Ecornell Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/ecornell-tutorial.md
When you click the eCornell tile in the Access Panel, you should be automaticall
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try eCornell with Azure AD](https://aad.portal.azure.com/)
active-directory Elqano Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/elqano-sso-tutorial.md
When you click the Elqano SSO tile in the Access Panel, you should be automatica
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Elqano SSO with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect Elqano SSO with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Eplatform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/eplatform-tutorial.md
When you click the ePlatform tile in the Access Panel, you should be automatical
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try ePlatform with Azure AD](https://aad.portal.azure.com/)
active-directory Etouches Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/etouches-tutorial.md
When you click the Aventri tile in the Access Panel, you should be automatically
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Aventri with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad)
active-directory Eventfinity Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/eventfinity-tutorial.md
When you click the Eventfinity tile in the Access Panel, you should be automatic
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Eventfinity with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad)
active-directory Exactcare Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/exactcare-sso-tutorial.md
When you click the ExactCare SSO tile in the Access Panel, you should be automat
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try ExactCare SSO with Azure AD](https://aad.portal.azure.com/)
active-directory F5 Big Ip Headers Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-headers-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign-in to the [Azure AD portal](https://portal.azure.com/) using an account with Application Administrative rights.
+1. Sign-in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights.
2. From the left navigation pane, select the **Azure Active Directory** service. 3. Under Manage, select **App registrations > New registration**. 4. Enter a display name for your application. For example, `F5 BIG-IP Easy Button`.
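Review bot: "an account with Application Administrative rights" is not an Azure AD role name, so the reader cannot check whether their account qualifies and may fall back to Global Administrator. Name the role(s) required to create the app registration (the LegalForce tutorial in this same batch lists "Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal"), and since this step is only the start of granting the Easy Button access to Microsoft Graph, say which role is needed to consent to those Graph permissions when that step comes. Also "Sign-in" is the noun form; the imperative is "Sign in to the Azure portal".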
active-directory F5 Big Ip Oracle Enterprise Business Suite Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-oracle-enterprise-business-suite-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign in to the [Azure AD portal](https://portal.azure.com/) with Application Administrative rights
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights
2. From the left navigation pane, select the **Azure Active Directory** service
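Review bot: same issue as the other Easy Button tutorials in this batch: "with Application Administrative rights" names no actual Azure AD role; state the role the reader needs to register the application and, later, to consent to the Graph permissions. The two list items also end without periods while the equivalent steps in the headers tutorial have them.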
active-directory F5 Big Ip Oracle Jd Edwards Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-oracle-jd-edwards-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign in to the [Azure AD portal](https://portal.azure.com/) with Application Administrative rights
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights
2. From the left navigation pane, select the **Azure Active Directory** service
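Review bot: "with Application Administrative rights" is not a role name; name the Azure AD role required, as noted for the other Easy Button tutorials in this batch, and terminate the two list items with periods for consistency.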
active-directory F5 Big Ip Sap Erp Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-sap-erp-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
The Easy Button client must also be registered in Azure AD, before it is allowed to establish a trust between each SAML SP instance of a BIG-IP published application, and Azure AD as the SAML IdP.
-1. Sign-in to the [Azure AD portal](https://portal.azure.com/) using an account with Application Administrative rights
+1. Sign-in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights
2. From the left navigation pane, select the **Azure Active Directory** service
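Review bot: "Sign-in to the Azure portal using an account with Application Administrative rights" has the same two problems as the sibling Easy Button files: "Sign-in" should be "Sign in", and the required Azure AD role should be named rather than described as "Administrative rights". The sentence before the list already says the client must be registered "before it is allowed to establish a trust", so this is the right place to state which role can complete that registration and consent.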
active-directory Fiscalnote Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fiscalnote-tutorial.md
When you click the FiscalNote tile in the Access Panel, you should be automatica
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try FiscalNote with Azure AD](https://aad.portal.azure.com/)
active-directory Fuse Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fuse-tutorial.md
Previously updated : 11/21/2022 Last updated : 3/10/2023 # Azure Active Directory integration with Fuse
Complete the following steps to enable Azure AD single sign-on in the Azure port
1. On the **Set up Fuse** section, copy the appropriate URL(s) as per your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
- ## Configure Fuse single sign-on To configure single sign-on on **Fuse** side, send the downloaded **Certificate (Base64)** and the copied URLs from Azure portal to [Fuse support team](mailto:support@fusion-universal.com). The support team will use the copied URLs to configure the single sign-on on the application.
active-directory G Suite Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/g-suite-provisioning-tutorial.md
This tutorial describes the steps you need to perform in both G Suite and Azure
## Capabilities supported > [!div class="checklist"] > * Create users in G Suite
-> * Remove users in G Suite when they do not require access anymore
+> * Remove users in G Suite when they do not require access anymore (note: removing a user from the sync scope will not result in deletion of the object in GSuite)
> * Keep user attributes synchronized between Azure AD and G Suite > * Provision groups and group memberships in G Suite > * [Single sign-on](./google-apps-tutorial.md) to G Suite (recommended)
Once you've configured provisioning, use the following resources to monitor your
2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion 3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+## Troubleshooting Tips
+* Removing a user from the sync scope will disable them in GSuite but will not result in deletion of the user in G Suite
+ ## Change log * 10/17/2020 - Added support for additional G Suite user and group attributes.
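Review bot: the new capability bullet and the new Troubleshooting tip describe the same behaviour in two different ways: the bullet says removing a user from the sync scope "will not result in deletion of the object", the tip says it "will disable them in GSuite but will not result in deletion". State the actual behaviour (the user is disabled, not deleted) in both places, because the difference matters for offboarding: a disabled-but-present Google account keeps its data and licence and can be re-enabled in the Google Admin console, so an explicit delete there is still required. Also spell the product consistently ("G Suite", as in the rest of the page, rather than "GSuite" in the added text), and a parenthetical inside a checklist item renders poorly; a `> [!NOTE]` under the capabilities list would be clearer than repeating the sentence in a one-bullet "Troubleshooting Tips" section.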
active-directory Gr8 People Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/gr8-people-tutorial.md
When you click the gr8 People tile in the Access Panel, you should be automatica
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try gr8 People with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect gr8 People with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Greenlight Compliant Access Management Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/greenlight-compliant-access-management-tutorial.md
When you click the Greenlight Compliant Access Management tile in the Access Pan
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Greenlight Compliant Access Management with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect Greenlight Compliant Access Management with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Grovo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/grovo-tutorial.md
When you click the Grovo tile in the Access Panel, you should be automatically s
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Grovo with Azure AD](https://aad.portal.azure.com/)
active-directory Highground Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/highground-tutorial.md
When you click the HighGround tile in the Access Panel, you should be automatica
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try HighGround with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect HighGround with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Honestly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/honestly-tutorial.md
When you click the Honestly tile in the Access Panel, you should be automaticall
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Honestly with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect Honestly with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Humanage Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/humanage-tutorial.md
When you click the Humanage tile in the Access Panel, you should be automaticall
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Humanage with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect Humanage with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory In Case Of Crisis Online Portal Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/in-case-of-crisis-online-portal-tutorial.md
When you click the In Case of Crisis - Online Portal tile in the Access Panel, y
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try In Case of Crisis - Online Portal with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad)
active-directory Innovationhub Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/innovationhub-tutorial.md
When you click the Innoverse tile in the Access Panel, you should be automatical
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Innoverse with Azure AD](https://aad.portal.azure.com/)
active-directory Insuite Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/insuite-tutorial.md
When you click the insuite tile in the Access Panel, you should be automatically
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try insuite with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect insuite with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Josa Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/josa-tutorial.md
When you click the JOSA tile in the Access Panel, you should be automatically si
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try JOSA with Azure AD](https://aad.portal.azure.com/)
active-directory Kerbf5 Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/kerbf5-tutorial.md
When you click the F5 tile in the Access Panel, you should be automatically sign
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try F5 with Azure AD](https://aad.portal.azure.com/)+ - [Configure F5 single sign-on for Header Based application](headerf5-tutorial.md)
active-directory Leandna Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/leandna-tutorial.md
Previously updated : 02/16/2023 Last updated : 03/10/2023
Complete the following steps to enable Azure AD single sign-on in the Azure port
`https://www.leandna.com/application/sso.html` > [!Note]
- > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [LeanDNA Client support team](mailto:it@leandna.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [LeanDNA Client support team](mailto:support@leandna.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
Complete the following steps to enable Azure AD single sign-on in the Azure port
## Configure LeanDNA SSO
-To configure single sign-on on **LeanDNA** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [LeanDNA support team](mailto:it@leandna.com). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **LeanDNA** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [LeanDNA support team](mailto:support@leandna.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create LeanDNA test user
-In this section, you create a user called Britta Simon at LeanDNA. Work with [LeanDNA support team](mailto:it@leandna.com) to add the users in the LeanDNA platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called Britta Simon at LeanDNA. Work with [LeanDNA support team](mailto:support@leandna.com) to add the users in the LeanDNA platform. Users must be created and activated before you use single sign-on.
## Test SSO
active-directory Learnster Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/learnster-tutorial.md
When you click the Learnster tile in the Access Panel, you should be automatical
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Learnster with Azure AD](https://aad.portal.azure.com/)
active-directory Legalforce Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/legalforce-tutorial.md
+
+ Title: Azure Active Directory SSO integration with LegalForce
+description: Learn how to configure single sign-on between Azure Active Directory and LegalForce.
++++++++ Last updated : 03/09/2023++++
+# Azure Active Directory SSO integration with LegalForce
+
+In this article, you learn how to integrate LegalForce with Azure Active Directory (Azure AD). LegalForce automatically checks checklists and contracts for each contract type using technologies such as natural language processing, instantly presents omissions in terms and excesses in clauses, and prevents omissions and omissions. It's equipped with functions that simultaneously improve the quality and efficiency of contract work. When you integrate LegalForce with Azure AD, you can:
+
+* Control in Azure AD who has access to LegalForce.
+* Enable your users to be automatically signed-in to LegalForce with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+You'll configure and test Azure AD single sign-on for LegalForce in a test environment. LegalForce supports only **SP** initiated single sign-on.
+
+## Prerequisites
+
+To integrate Azure Active Directory with LegalForce, you need:
+
+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* LegalForce single sign-on (SSO) enabled subscription.
+
+## Add application and assign a test user
+
+Before you begin the process of configuring single sign-on, you need to add the LegalForce application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.
+
+### Add LegalForce from the Azure AD gallery
+
+Add LegalForce from the Azure AD application gallery to configure single sign-on with LegalForce. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).
+
+### Create and assign Azure AD test user
+
+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.
+
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).
+
+## Configure Azure AD SSO
+
+Complete the following steps to enable Azure AD single sign-on in the Azure portal.
+
+1. In the Azure portal, on the **LegalForce** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** textbox, type a URL using the following pattern:
+ `urn:auth0:legalforce:saml-<ORG.CUSTOMERID>`
+
+ b. In the **Reply URL** textbox, type a URL using the following pattern:
+ `https://auth.legalforce-cloud.com/login/callback?connection=saml-$<ORG.CUSTOMERID>`
+
+ c. In the **Sign on URL** textbox, type the URL:
+ `https://app.legalforce-cloud.com/`
+
+ > [!Note]
+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [LegalForce support team](mailto:support@legalforce.co.jp) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration section** in the Azure portal.
+
+ 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.
+
+ ![Screenshot of the Certificate download link](common/certificate-base64-download.png "Certificate")
+
+1. On the **Set up LegalForce** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Screenshot shows to copy configuration appropriate URL.](common/copy-configuration-urls.png "Metadata")
+
+## Configure LegalForce SSO
+
+To configure single sign-on on **LegalForce** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [LegalForce support team](mailto:support@legalforce.co.jp). They set this setting to have the SAML SSO connection set properly on both sides
+
+### Create LegalForce test user
+
+In this section, you create a user called Britta Simon at LegalForce. Work with [LegalForce support team](mailto:support@legalforce.co.jp) to add the users in the LegalForce platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to LegalForce Sign-on URL where you can initiate the login flow.
+
+* Go to LegalForce Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the LegalForce tile in the My Apps, this will redirect to LegalForce Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure LegalForce you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
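Review bot: in the Basic SAML Configuration step, the Reply URL pattern `https://auth.legalforce-cloud.com/login/callback?connection=saml-$<ORG.CUSTOMERID>` has a stray `$` before the placeholder that the Identifier pattern `urn:auth0:legalforce:saml-<ORG.CUSTOMERID>` does not. Azure AD only posts assertions to a configured Reply URL, so if that `$` is not really part of LegalForce's ACS URL, a reader who substitutes the placeholder ends up with a Reply URL that either fails to match the AssertionConsumerServiceURL in the SP's request or points at a URL the SP does not serve, and sign-in fails either way; confirm the pattern with the vendor and make both placeholders identical. Other items in this new file: the "SAML Signing Certificate" step is indented one level further than the other steps, so it renders as a sub-item of the Basic SAML Configuration step instead of the next numbered step; "prevents omissions and omissions" in the intro repeats a word; the Prerequisites list both "An Azure AD user account" and "An Azure AD subscription" with two different free-account links, which is confusing; "They set this setting to have the SAML SSO connection set properly on both sides" lacks a period; and in Next steps, "organizationΓÇÖs" is a mis-encoded apostrophe, "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration", and "Microsoft Cloud App Security" is the old product name, while the other tutorials in this batch say "Microsoft Defender for Cloud Apps".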
active-directory Mitel Connect Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mitel-connect-tutorial.md
To configure the integration of Mitel Connect into Azure AD, you need to add Mit
## Configure and test Azure AD SSO
-In this section, you'll configure and test Azure AD SSO with MiCloud Connect or CloudLink Platform based on a test user named **_Britta Simon_**. For single sign-on to work, a link must be established between the user in Azure AD portal and the corresponding user on the Mitel platform. Refer to the following sections for information about configuring and testing Azure AD SSO with MiCloud Connect or CloudLink Platform.
+In this section, you'll configure and test Azure AD SSO with MiCloud Connect or CloudLink Platform based on a test user named **_Britta Simon_**. For single sign-on to work, a link must be established between the user in Azure portal and the corresponding user on the Mitel platform. Refer to the following sections for information about configuring and testing Azure AD SSO with MiCloud Connect or CloudLink Platform.
* Configure and test Azure AD SSO with MiCloud Connect * Configure and test Azure AD SSO with CloudLink Platform
active-directory Mobile Locker Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mobile-locker-tutorial.md
When you click the Mobile Locker tile in the Access Panel, you should be automat
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Mobile Locker with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad)
active-directory Mural Identity Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mural-identity-tutorial.md
Title: 'Tutorial: Azure AD SSO integration with MURAL Identity'
-description: Learn how to configure single sign-on between Azure Active Directory and MURAL Identity.
+ Title: 'Tutorial: Azure AD SSO integration with Mural Identity'
+description: Learn how to configure single sign-on between Azure Active Directory and Mural Identity.
Previously updated : 11/21/2022 Last updated : 03/10/2023
-# Tutorial: Azure AD SSO integration with MURAL Identity
+# Tutorial: Azure AD SSO integration with Mural Identity
-In this tutorial, you'll learn how to integrate MURAL Identity with Azure Active Directory (Azure AD). When you integrate MURAL Identity with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Mural Identity with Azure Active Directory (Azure AD). When you integrate Mural Identity with Azure AD, you can:
-* Control in Azure AD who has access to MURAL Identity.
-* Enable your users to be automatically signed-in to MURAL Identity with their Azure AD accounts.
+* Control in Azure AD who has access to Mural Identity.
+* Enable your users to be automatically signed-in to Mural Identity with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
In this tutorial, you'll learn how to integrate MURAL Identity with Azure Active
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* MURAL Identity single sign-on (SSO) enabled subscription.
+* Mural Identity single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* MURAL Identity supports **SP and IDP** initiated SSO.
-* MURAL Identity supports **Just In Time** user provisioning.
+* Mural Identity supports **SP and IDP** initiated SSO.
+* Mural Identity supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Add MURAL Identity from the gallery
+## Add Mural Identity from the gallery
-To configure the integration of MURAL Identity into Azure AD, you need to add MURAL Identity from the gallery to your list of managed SaaS apps.
+To configure the integration of Mural Identity into Azure AD, you need to add Mural Identity from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **MURAL Identity** in the search box.
-1. Select **MURAL Identity** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **Mural Identity** in the search box.
+1. Select **Mural Identity** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
-## Configure and test Azure AD SSO for MURAL Identity
+## Configure and test Azure AD SSO for Mural Identity
-Configure and test Azure AD SSO with MURAL Identity using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in MURAL Identity.
+Configure and test Azure AD SSO with Mural Identity using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mural Identity.
-To configure and test Azure AD SSO with MURAL Identity, perform the following steps:
+To configure and test Azure AD SSO with Mural Identity, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure MURAL Identity SSO](#configure-mural-identity-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create MURAL Identity test user](#create-mural-identity-test-user)** - to have a counterpart of B.Simon in MURAL Identity that is linked to the Azure AD representation of user.
+1. **[Configure Mural Identity SSO](#configure-mural-identity-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Mural Identity test user](#create-mural-identity-test-user)** - to have a counterpart of B.Simon in Mural Identity that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **MURAL Identity** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Mural Identity** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
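Review bot: The unchanged context line describing the Enterprise App Configuration Wizard says "as well as walk through the SSO configuration as well", doubling "as well"; since this hunk already touches the surrounding steps, drop the trailing "as well".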
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
-1. MURAL Identity application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+1. Mural Identity application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
![image](common/default-attributes.png)
-1. In addition to above, MURAL Identity application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+1. In addition to above, Mural Identity application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
| Name | Source Attribute| | -- | |
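Review bot: The added line about the extra SAML attributes keeps three wording slips from the original: "In addition to above" should be "In addition to the above", "expects few more attributes" should be "expects a few more attributes", and "pre populated" should be "pre-populated". The rename is a good moment to fix these.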
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/certificate-base64-download.png)
-1. On the **Set up MURAL Identity** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up Mural Identity** section, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to MURAL Identity.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mural Identity.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **MURAL Identity**.
+1. In the applications list, select **Mural Identity**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure MURAL Identity SSO
+## Configure Mural Identity SSO
-1. Log in to the MURAL Identity website as an administrator.
+1. Log in to the Mural Identity website as an administrator.
1. Click your **name** in the bottom left corner of the dashboard and select **Company dashboard** from the list of options.
b. In the **Sign in URL** textbox, paste the **Login URL** value, which you have
c. In the **Sign in certificate**, upload the **Certificate (PEM)**, which you have downloaded from the Azure portal.
-d. Select **HTTP-POST** as the Request binding type and select **SHA256** as the Sign in algorithm type.
+d. Select **HTTP-POST** as the Request binding type and select **SHA256** as the Sign-in algorithm type.
e. In the **Claim mapping** section, fill the following fields.
f. Click **Test single sign-on** to test the configuration and **Save** it.
> [!NOTE] > For more information on how to configure the SSO at MURAL, please follow [this](https://support.mural.co/articles/6224385-mural-s-azure-ad-integration) support page.
-### Create MURAL Identity test user
+### Create Mural Identity test user
-In this section, a user called Britta Simon is created in MURAL Identity. MURAL Identity supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in MURAL Identity, a new one is created after authentication.
+In this section, a user called Britta Simon is created in Mural Identity. Mural Identity supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Mural Identity, a new one is created after authentication.
## Test SSO
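Review bot: The hyphenation change to "Sign-in algorithm type" on added step d leaves the adjacent context step c with "Sign in certificate" unhyphenated; if both are UI labels in the Mural dashboard, they should match whatever the product shows. Also, the unchanged note below still reads "configure the SSO at MURAL", which is inconsistent with renaming "MURAL Identity" to "Mural Identity" throughout the article unless the all-caps form is deliberately quoting the vendor's page title.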
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to MURAL Identity Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Mural Identity Sign on URL where you can initiate the login flow.
-* Go to MURAL Identity Sign on URL directly and initiate the login flow from there.
+* Go to Mural Identity Sign on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the MURAL Identity for which you set up the SSO.
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Mural Identity for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the MURAL Identity tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MURAL Identity for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Mural Identity tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Mural Identity for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Change log
You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure MURAL Identity you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Mural Identity you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Myvr Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/myvr-tutorial.md
When you click the MyVR tile in the Access Panel, you should be automatically si
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try MyVR with Azure AD](https://aad.portal.azure.com/)
active-directory Netsparker Enterprise Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/netsparker-enterprise-provisioning-tutorial.md
This tutorial describes the steps you need to perform in both Netsparker Enterpr
> * Create users in Netsparker Enterprise. > * Remove users in Netsparker Enterprise when they do not require access anymore. > * Keep user attributes synchronized between Azure AD and Netsparker Enterprise.
-> * Provision groups and group memberships in Netsparker Enterprise
+> * Provision groups and group memberships in Netsparker Enterprise.
> * [Single sign-on](netsparker-enterprise-tutorial.md) to Netsparker Enterprise (recommended). ## Prerequisites
active-directory Netvision Compas Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/netvision-compas-tutorial.md
When you click the Netvision Compas tile in the Access Panel, you should be auto
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Netvision Compas with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad)
active-directory Numlyengage Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/numlyengage-tutorial.md
When you click the NumlyEngageΓäó tile in the Access Panel, you should be automa
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try NumlyEngageΓäó with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect NumlyEngageΓäó with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Pennylane Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/pennylane-tutorial.md
Complete the following steps to enable Azure AD single sign-on in the Azure port
## Configure Pennylane SSO
-To configure single sign-on on **Pennylane** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Pennylane support team](mailto:tech@pennylane.com). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **Pennylane** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Pennylane support team](mailto:key-accounts-tech@pennylane.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Pennylane test user
-In this section, you create a user called Britta Simon at Pennylane. Work with [Pennylane support team](mailto:tech@pennylane.com) to add the users in the Pennylane platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called Britta Simon at Pennylane. Work with [Pennylane support team](mailto:key-accounts-tech@pennylane.com) to add the users in the Pennylane platform. Users must be created and activated before you use single sign-on.
## Test SSO
active-directory Presspage Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/presspage-tutorial.md
When you click the PressPage tile in the Access Panel, you should be automatical
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try PressPage with Azure AD](https://aad.portal.azure.com/)
active-directory Projectplace Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/projectplace-tutorial.md
Title: 'Tutorial: Azure AD SSO integration with Projectplace'
-description: Learn how to configure single sign-on between Azure Active Directory and Projectplace.
+ Title: 'Tutorial: Azure AD SSO integration with ProjectPlace'
+description: Learn how to configure single sign-on between Azure Active Directory and ProjectPlace.
Last updated 11/21/2022
-# Tutorial: Azure AD SSO integration with Projectplace
+# Tutorial: Azure AD SSO integration with ProjectPlace
-In this tutorial, you'll learn how to integrate Projectplace with Azure Active Directory (Azure AD). When you integrate Projectplace with Azure AD, you can:
+In this tutorial, you'll learn how to integrate ProjectPlace with Azure Active Directory (Azure AD). When you integrate ProjectPlace with Azure AD, you can:
-* Control in Azure AD who has access to Projectplace.
-* Enable your users to be automatically signed-in to Projectplace with their Azure AD accounts.
+* Control in Azure AD who has access to ProjectPlace.
+* Enable your users to be automatically signed-in to ProjectPlace with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal.
-* Users can be provisioned in Projectplace automatically.
+* Users can be provisioned in ProjectPlace automatically.
## Prerequisites To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Projectplace single sign-on (SSO) enabled subscription.
+* ProjectPlace single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Projectplace supports **SP and IDP** initiated SSO and supports **Just In Time** user provisioning.
+* ProjectPlace supports **SP and IDP** initiated SSO and supports **Just In Time** user provisioning.
-## Add Projectplace from the gallery
+## Add ProjectPlace from the gallery
-To configure the integration of Projectplace into Azure AD, you need to add Projectplace from the gallery to your list of managed SaaS apps.
+To configure the integration of ProjectPlace into Azure AD, you need to add ProjectPlace from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Projectplace** in the search box.
-1. Select **Projectplace** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **ProjectPlace** in the search box.
+1. Select **ProjectPlace** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
-## Configure and test Azure AD SSO for Projectplace
+## Configure and test Azure AD SSO for ProjectPlace
-Configure and test Azure AD SSO with Projectplace using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Projectplace.
+Configure and test Azure AD SSO with ProjectPlace using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ProjectPlace.
-To configure and test Azure AD SSO with Projectplace, perform the following steps:
+To configure and test Azure AD SSO with ProjectPlace, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Projectplace SSO](#configure-projectplace-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Projectplace test user](#create-projectplace-test-user)** - to have a counterpart of B.Simon in Projectplace that is linked to the Azure AD representation of user.
+1. **[Configure ProjectPlace SSO](#configure-projectplace-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create ProjectPlace test user](#create-projectplace-test-user)** - to have a counterpart of B.Simon in ProjectPlace that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Projectplace** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **ProjectPlace** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**. 1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.
-1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+1. If you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type the URL:
+ In the **Sign on URL (Optional)** text box, type the URL:
`https://service.projectplace.com` 1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click copy **icon** to copy the **App Federation Metadata Url**, as per your requirement and save it in Notepad. ![The Certificate download link](common/copy-metadataurl.png)
-1. On the **Set up Projectplace** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up ProjectPlace** section, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
In this section, you'll create a test user in the Azure portal called B. Simon.
### Assign the Azure AD test user
-In this section, you'll enable B. Simon to use Azure single sign-on by granting access to Projectplace.
+In this section, you'll enable B. Simon to use Azure single sign-on by granting access to ProjectPlace.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Projectplace**.
+1. In the applications list, select **ProjectPlace**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B. Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Projectplace SSO
+## Configure ProjectPlace SSO
-To configure single sign-on on the **Projectplace** side, you need to send the copied **App Federation Metadata Url** from the Azure portal to the [Projectplace support team](https://success.planview.com/Projectplace/Support). This team ensures the SAML SSO connection is set properly on both sides.
+To configure single sign-on on the **ProjectPlace** side, you need to send the copied **App Federation Metadata Url** from the Azure portal to the [ProjectPlace support team](https://success.planview.com/Projectplace/Support). This team ensures the SAML SSO connection is set properly on both sides.
>[!NOTE]
->The single sign-on configuration has to be performed by the [Projectplace support team](https://success.planview.com/Projectplace/Support). You'll get a notification as soon as the configuration is complete.
+>The single sign-on configuration has to be performed by the [ProjectPlace support team](https://success.planview.com/Projectplace/Support). You'll get a notification as soon as the configuration is complete.
-### Create Projectplace test user
+### Create ProjectPlace test user
>[!NOTE]
->You can skip this step if you have provisioning enabled in Projectplace. You can ask the [Projectplace support team](https://success.planview.com/Projectplace/Support) to enable provisoning, once done users will be created in Projectplace during the first login.
+>You can skip this step if you have provisioning enabled in ProjectPlace. You can ask the [ProjectPlace support team](https://success.planview.com/Projectplace/Support) to enable provisoning, once done users will be created in ProjectPlace during the first login.
-To enable Azure AD users to sign in to Projectplace, you need to add them to Projectplace. You need to add them manually.
+To enable Azure AD users to sign in to ProjectPlace, you need to add them to ProjectPlace. You need to add them manually.
**To create a user account, take these steps:**
-1. Sign in to your **Projectplace** company site as an admin.
+1. Sign in to your **ProjectPlace** company site as an admin.
2. Go to **People**, and then select **Members**:
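Review bot: "provisoning" on the added note line is a typo for "provisioning", and the clause "once done users will be created in ProjectPlace during the first login" needs a comma after "once done" or a separate sentence. Separately, this hunk keeps the vendor's support URL path as "https://success.planview.com/Projectplace/Support" while the prose is renamed to "ProjectPlace"; confirm the product's capitalization against the vendor before applying the rename across the article.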
To enable Azure AD users to sign in to Projectplace, you need to add them to Pro
An email containing a link to confirm the account before it becomes active is sent to the Azure AD account holder. >[!NOTE]
->You can also use any other user-account creation tool or API provided by Projectplace to add Azure AD user accounts.
+>You can also use any other user-account creation tool or API provided by ProjectPlace to add Azure AD user accounts.
## Test SSO
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Projectplace Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to ProjectPlace Sign on URL where you can initiate the login flow.
-* Go to Projectplace Sign-on URL directly and initiate the login flow from there.
+* Go to ProjectPlace Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Projectplace for which you set up the SSO.
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ProjectPlace for which you set up the SSO.
-You can also use Microsoft My Apps to test the application in any mode. When you click the Projectplace tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Projectplace for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the ProjectPlace tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ProjectPlace for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Projectplace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+Once you configure ProjectPlace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
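Review bot: The two adjacent added bullets under "SP initiated" spell the same thing as "ProjectPlace Sign on URL" and "ProjectPlace Sign-on URL"; pick one form (the Azure portal field is labelled "Sign on URL (Optional)" earlier in this diff) and use it in both. The Next steps line also carries the "protects exfiltration and infiltration" wording, which should be "protects against exfiltration and infiltration".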
active-directory Proto.Io Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/proto.io-tutorial.md
When you click the Proto.io tile in the Access Panel, you should be automaticall
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Proto.io with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect Proto.io with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
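Review bot: after the `Try Proto.io with Azure AD` link is dropped, the two remaining items in this list both resolve to `/cloud-app-security/proxy-intro-aad` (`What is session control in Microsoft Defender for Cloud Apps?` and `How to protect Proto.io with advanced visibility and controls`), so one of them is either redundant or points at the wrong page; the same duplicated target survives in the SendSafely, SiteIntel and Smart Global Governance hunks below. Removing the `aad.portal.azure.com` link itself is consistent with the portal.azure.com changes elsewhere in this batch.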
active-directory Riva Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/riva-tutorial.md
When you click the Riva tile in the Access Panel, you should be automatically si
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Riva with Azure AD](https://aad.portal.azure.com/)
active-directory Sendsafely Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sendsafely-tutorial.md
When you click the SendSafely tile in the Access Panel, you should be automatica
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try SendSafely with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect SendSafely with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Servicenow Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/servicenow-provisioning-tutorial.md
Previously updated : 11/21/2022 Last updated : 3/10/2023
To configure automatic user provisioning for ServiceNow in Azure AD:
1. Set **Provisioning Mode** to **Automatic**.
-1. In the **Admin Credentials** section, enter your ServiceNow admin credentials and username. Select **Test Connection** to ensure that Azure AD can connect to ServiceNow. If the connection fails, ensure that your ServiceNow account has admin permissions and try again.
-
- ![Screenshot that shows the Service Provisioning page, where you can enter admin credentials.](./media/servicenow-provisioning-tutorial/servicenow-provisioning.png)
+1. In the **Admin Credentials** section, enter your ServiceNow tenant URL, Client ID, Client Secret and Authorization Endpoint. Select **Test Connection** to ensure that Azure AD can connect to ServiceNow. [This ServiceNow documentation](https://docs.servicenow.com/bundle/utah-platform-security/page/administer/security/task/t_CreateEndpointforExternalClients.html) outlines how to generate these values.
1. In the **Notification Email** box, enter the email address of a person or group that should receive the provisioning error notifications. Then select the **Send an email notification when a failure occurs** check box.
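Review bot: the rewritten Admin Credentials step drops the original troubleshooting sentence (`If the connection fails, ensure that your ServiceNow account has admin permissions and try again`) and the screenshot without replacing either, so a reader whose Test Connection fails with the new Client ID, Client Secret and Authorization Endpoint fields gets no guidance; add a short failure hint for the OAuth path (for example, re-check the client secret and the endpoint URL against the ServiceNow configuration) and an updated screenshot. The ServiceNow link is pinned to the `utah` release bundle and will age with it; a release-agnostic link is preferable if one exists.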
After you've configured provisioning, use the following resources to monitor you
- When an update to the *active* attribute in ServiceNow is provisioned, the attribute *locked_out* is also updated accordingly, even if *locked_out* is not mapped in the Azure provisioning service.
+## Update a ServiceNow application to use the ServiceNow SCIM 2.0 endpoint
+In March 2023, ServiceNow released a SCIM 2.0 connector. Completing the steps below will update applications configured to use the non-SCIM endpoint to the use the SCIM 2.0 endpoint. These steps will remove any customizations previously made to the ServiceNow application, including:
+* Authentication details
+* Scoping filters
+* Custom attribute mappings
+
+> [!NOTE]
+> Be sure to note any changes that have been made to the settings listed above before completing the steps below. Failure to do so will result in the loss of customized settings.
+
+1. Sign into the Azure portal at https://portal.azure.com
+2. Navigate to your current ServiceNow app under Azure Active Directory > Enterprise Applications
+3. In the Properties section of your new custom app, copy the Object ID.
+
+ ![Screenshot of ServiceNow app in the Azure portal.](./media/servicenow-provisioning-tutorial/app-properties.png)
+
+4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.
+
+ ![Screenshot of Microsoft Graph explorer sign in page.](./media/workplace-by-facebook-provisioning-tutorial/permissions.png)
+
+5. Check to make sure the account being used has the correct permissions. The permission ΓÇ£Directory.ReadWrite.AllΓÇ¥ is required to make this change.
+
+ ![Screenshot of Microsoft Graph settings option.](./media/workplace-by-facebook-provisioning-tutorial/permissions-2.png)
+
+ ![Screenshot of Microsoft Graph permissions.](./media/workplace-by-facebook-provisioning-tutorial/permissions-3.png)
+
+6. Using the ObjectID selected from the app previously, run the following command:
+
+```
+GET https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/
+```
+
+7. Taking the "id" value from the response body of the GET request from above, run the command below, replacing "[job-id]" with the id value from the GET request. The value should have the format of "ServiceNowOutDelta.xxxxxxxxxxxxxxx.xxxxxxxxxxxxxxx":
+```
+DELETE https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/[job-id]
+```
+8. In the Graph Explorer, run the command below. Replace "[object-id]" with the service principal ID (object ID) copied from the third step.
+```
+POST https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs { "templateId": "serviceNowScim" }
+```
+
+![Screenshot of Microsoft Graph request.](./media/servicenow-provisioning-tutorial/graph-request.png)
+
+9. Return to the first web browser window and select the Provisioning tab for your application. Your configuration will have been reset. You can confirm the upgrade has taken place by confirming the Job ID starts with ΓÇ£serviceNowScimΓÇ¥.
+
+10. The new SCIM app uses OAuth2 to authenticate with the SCIM endpoint. Enter the required fields and authenticate with the new SCIM endpoint. [This ServiceNow documentation](https://docs.servicenow.com/bundle/utah-platform-security/page/administer/security/task/t_CreateEndpointforExternalClients.html) outlines how to generate these values.
+
+11. Restore any previous changes you made to the application (Authentication details, Scoping filters, Custom attribute mappings) and re-enable provisioning.
+
+> [!NOTE]
+> Failure to restore the previous settings may results in attributes (name.formatted for example) updating in Workplace unexpectedly. Be sure to check the configuration before enabling provisioning
+ ## Additional resources - [Managing user account provisioning for enterprise apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
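Review bot: the closing NOTE warns that a missed restore may cause attributes to update `in Workplace unexpectedly`, but this is the ServiceNow tutorial; the screenshots in steps 4 and 5 are likewise loaded from `./media/workplace-by-facebook-provisioning-tutorial/`, so the section looks adapted from the Workplace by Facebook tutorial without every reference being updated. Step 11 tells the reader to `re-enable provisioning`, yet no earlier step disables it; add an explicit step to turn Provisioning Status off before the DELETE in step 7, or reword step 11. Step 3 refers to `your new custom app` while step 2 navigated to `your current ServiceNow app`; use one term. Step 5 has the reader consent to `Directory.ReadWrite.All`, a tenant-wide write permission, and nothing tells them to review and revoke that Graph Explorer consent once the job has been recreated; a reminder belongs after step 9. Smaller fixes: `to the use the SCIM 2.0 endpoint` in the intro, `may results` and the missing full stop in the NOTE, and the mis-decoded quotes (`ΓÇ£` / `ΓÇ¥`) in steps 5 and 9.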
active-directory Sharepoint On Premises Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sharepoint-on-premises-tutorial.md
To configure the federation in Azure AD, you need to create a dedicated Enterpri
### Create the enterprise application
-1. Sign in to the [Azure Active Directory portal](https://aad.portal.azure.com/).
-1. Go to **Enterprise applications**, and then select **All applications**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Browse to **Azure Active Directory** > **Enterprise applications**, and then select **All applications**.
1. To add a new application, select **New application** at the top of the dialog box. 1. In the search box, enter **SharePoint on-premises**. Select **SharePoint on-premises** from the result pane. 1. Specify a name for your application (in this tutorial, it is `SharePoint corporate farm`), and click **Create** to add the application.
In this section, you configure the SAML authentication and define the claims tha
In this step, you create a SPTrustedLoginProvider to store the configuration that SharePoint needs to trust Azure AD. For that, you need the information from Azure AD that you copied above. Start the SharePoint Management Shell and run the following script to create it: ```powershell
-# Path to the public key of the Azure AD SAML signing certificate (self-signed), downloaded from the Enterprise application in the Azure AD portal
+# Path to the public key of the Azure AD SAML signing certificate (self-signed), downloaded from the Enterprise application in the Azure portal
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\AAD app\SharePoint corporate farm.cer") # Unique realm (corresponds to the "Identifier (Entity ID)" in the Azure AD Enterprise application) $realm = "urn:sharepoint:federation"
active-directory Sigstr Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sigstr-tutorial.md
When you click the Sigstr tile in the Access Panel, you should be automatically
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Slack with Azure AD](https://aad.portal.azure.com/)
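Review bot: the line being removed reads `Try Slack with Azure AD` inside the Sigstr tutorial, so the deletion also clears a copy-and-paste error; say so in the commit message so the removal is not mistaken for an accidental drop. The surviving context line still has a stray space before the closing bracket in `[What is application access and single sign-on with Azure Active Directory? ]`, a defect that the Riva, Spintr, Supermood and Teamphoria hunks share.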
active-directory Siteintel Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/siteintel-tutorial.md
When you select the **SiteIntel** tile in the Access Panel, you should be automa
- [List of tutorials about how to integrate SaaS apps with Azure Active Directory ](./tutorial-list.md) - [What are application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)-- [Try SiteIntel with Azure AD](https://aad.portal.azure.com/) - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect SiteIntel with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Smart Global Governance Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/smart-global-governance-tutorial.md
When you select the Smart Global Governance tile in Access Panel, you should be
- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md) -- [Try Smart Global Governance with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad) - [How to protect Smart Global Governance with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
active-directory Spintr Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/spintr-sso-tutorial.md
When you click the Spintr SSO tile in the Access Panel, you should be automatica
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Spintr SSO with Azure AD](https://aad.portal.azure.com/)
active-directory Supermood Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/supermood-tutorial.md
When you click the Supermood tile in the Access Panel, you should be automatical
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Supermood with Azure AD](https://aad.portal.azure.com/)
active-directory Symantec Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/symantec-tutorial.md
In this tutorial, you will learn how to integrate your Symantec Web Security Ser
Integrating Symantec Web Security Service (WSS) with Azure AD provides you with the following benefits:
-* Manage all of the end users and groups used by your WSS account from your Azure AD portal.
+* Manage all of the end users and groups used by your WSS account from your Azure portal.
* Allow the end users to authenticate themselves in WSS using their Azure AD credentials.
active-directory Tableau Online Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tableau-online-provisioning-tutorial.md
To keep track of role assignments, you can create two purpose-specific groups fo
Once provisioning is set up, you will want to edit role changes directly in Azure Active Directory. Otherwise, you may end up with role inconsistencies between Tableau Cloud and Azure Active Directory. ### Valid Tableau site role values
-On the **Select a Role** page in your Azure Active Directory portal, the Tableau Site Role values that are valid include the following: **Creator, SiteAdministratorCreator, Explorer, SiteAdministratorExplorer, ExplorerCanPublish, Viewer, or Unlicensed**.
+On the **Select a Role** page in your Azure portal, the Tableau Site Role values that are valid include the following: **Creator, SiteAdministratorCreator, Explorer, SiteAdministratorExplorer, ExplorerCanPublish, Viewer, or Unlicensed**.
If you select a role that is not in the above list, such as a legacy (pre-v2018.1) role, you will experience an error.
active-directory Teamphoria Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/teamphoria-tutorial.md
When you click the Teamphoria tile in the Access Panel, you should be automatica
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) - [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)--- [Try Teamphoria with Azure AD](https://aad.portal.azure.com/)
active-directory Torii Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/torii-provisioning-tutorial.md
+
+ Title: 'Tutorial: Configure Torii for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Torii.
++
+writer: twimmers
+
+ms.assetid: e6cfe864-b106-4d24-9070-03864e5dfb83
++++ Last updated : 03/09/2023+++
+# Tutorial: Configure Torii for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Torii and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [Torii](https://toriihq.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
++
+## Supported capabilities
+> [!div class="checklist"]
+> * Create users in Torii.
+> * Remove users in Torii when they do not require access anymore.
+> * Keep user attributes synchronized between Azure AD and Torii.
+> * [Single sign-on](torii-tutorial.md) to Torii (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* An administrator account with Torii.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and Torii](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure Torii to support provisioning with Azure AD
+1. Log in to [Torii admin console](https://app.toriihq.com).
+1. Navigate to [Settings](https://app.toriihq.com/team/settings/apiAccess) page **> Security**, enable the SCIM toggle.
+
+ ![Screenshot of SCIM Toggle.](media/torii-provisioning-tutorial/scim-enabled.png)
+1. Navigate to the **API Access** tab. From here, you can view and manage the Torii API keys and SCIM.
+1. Click on **Generate API Key** to generate a new SCIM.
+
+ ![Screenshot of Generate API Key.](media/torii-provisioning-tutorial/generate-key.png)
+1. Choose type: **SCIM**.
+1. Add **Description** and set **Expiration date**. For security purposes, we recommend setting an expiration date when generating a new key.
+1. Click **Generate key**.
+1. Copy and save the API Key as it won't be available next. This value will be entered in the **Secret Token** field in the Provisioning tab of your Torii application in the Azure portal.
+1. Click **Got it**.
+
+ ![Screenshot of Create API Key.](media/torii-provisioning-tutorial/create-key.png)
+
+ ![Screenshot of Copy API Key.](media/torii-provisioning-tutorial/copy-key.png)
+
+1. **Torii Tenant Url:** `https://api.toriihq.com/v1.0/scim/v2` will be entered in the **Tenant URL** field in the Provisioning tab of your Torii application in the Azure portal.
+
+## Step 3. Add Torii from the Azure AD application gallery
+
+Add Torii from the Azure AD application gallery to start managing provisioning to Torii. If you have previously setup Torii for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.
++
+## Step 5. Configure automatic user provisioning to Torii
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Torii in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png)
+
+1. In the applications list, select **Torii**.
+
+ ![Screenshot of the Torii link in the Applications list.](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+ ![Screenshot of Provisioning tab.](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
+
+1. Under the **Admin Credentials** section, input your Torii Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Torii. If the connection fails, ensure your Torii account has Admin permissions and try again.
+
+ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Screenshot of Notification Email.](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Torii**.
+
+1. Review the user attributes that are synchronized from Azure AD to Torii in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Torii for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Torii API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|Required by Torii|
+ |||||
+ |userName|String|&check;|&check;
+ |active|Boolean||
+ |name.givenName|String||
+ |name.familyName|String||
+ |userType|String||
+
+ >[!NOTE]
+ >* **userName** must be a valid email address with a valid domain.
+ >* **userType**(role in Torii):
+ > * It must be exactly as appear at Torii
+ > * If **userType** is empty, the user will get the **Employee** role as the default.
+ > * The user types(roles) appear [here](https://support.toriihq.com/hc/en-us/articles/6174005637787#h_01G6FRWNXDJG89HCBD93PNYW4H).
+ > * Only admin users (not from type "Employee") will be displayed in Torii's UI
+ >* Read more about Torii's attributes [here](https://support.toriihq.com/hc/en-us/articles/9183460072347-Torii-s-SCIM-User-Provisioning#heading-3).
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for Torii, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png)
+
+1. Define the users that you would like to provision to Torii by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png)
+
+1. When you're ready to provision, click **Save**.
+
+ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
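Review bot: Step 5 says the provisioning service will `create, update, and disable users in TestApp`, a leftover from the template; it should read Torii. The attribute table's separator row is written as `|||||` with no dashes and the body rows lack the closing `|`, so it may not render as a table; use `|---|---|---|---|` and close each row. Step 2 rightly tells the reader to set an expiration date on the SCIM key, but nothing says what follows: once the key expires the connection fails, and a configuration that keeps failing ends in the quarantine state described in Step 6, so add a sentence that the key must be regenerated in Torii and re-entered in the Secret Token field before that date. The NOTE under the table says only non-Employee users appear in Torii's UI, which means a reader who verifies provisioning by looking for a test user in Torii may wrongly conclude it failed; point them at the provisioning logs instead. Wording: `generate a new SCIM` in Step 2 is missing the word `key`, and `won't be available next` should be `won't be shown again`.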
active-directory Trend Micro Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/trend-micro-tutorial.md
Complete these steps to configure TMWS SSO on the application side.
After you configure the Azure AD service and specify Azure AD as the user authentication method, you can sign in to the TMWS proxy server to verify your setup. After the Azure AD sign-in verifies your account, you can visit the internet. > [!NOTE]
-> TMWS doesn't support testing single sign-on from the Azure AD portal, under **Overview** > **Single sign-on** > **Set up Single Sign-on with SAML** > **Test** of your new enterprise application.
+> TMWS doesn't support testing single sign-on from the Azure portal, under **Overview** > **Single sign-on** > **Set up Single Sign-on with SAML** > **Test** of your new enterprise application.
1. Clear the browser of all cookies and then restart the browser.
active-directory Verasmart Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/verasmart-tutorial.md
When you click the VeraSMART tile in the Access Panel, you should be automatical
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md) -- [Try VeraSMART with Azure AD](https://aad.portal.azure.com/)- - [What is session control in Microsoft Defender for Cloud Apps?](/cloud-app-security/proxy-intro-aad)
active-directory Configure Cmmc Level 2 Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-access-control.md
The following table provides a list of practice statement and objectives, and Az
| AC.L2-3.1.13<br><br>**Practice statement:** Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.<br><br>**Objectives:**<br>Determine if:<br>[a.] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and<br>[b.] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. | All Azure AD customer-facing web services are secured with the Transport Layer Security (TLS) protocol and are implemented using FIPS-validated cryptography.<br>[Azure Active Directory Data Security Considerations (microsoft.com)](https://azure.microsoft.com/resources/azure-active-directory-data-security-considerations/) | | AC.L2-3.1.14<br><br>**Practice statement:** Route remote access via managed access control points.<br><br>**Objectives:**<br>Determine if:<br>[a.] managed access control points are identified and implemented; and<br>[b.] remote access is routed through managed network access control points. | Configure named locations to delineate internal vs external networks. Configure conditional access app control to route access via Microsoft Defender for Cloud Apps. Configure Defender for Cloud Apps to control and monitor all sessions. Secure devices used by privileged accounts as part of the privileged access story.<br>[Location condition in Azure Active Directory Conditional Access](../conditional-access/location-condition.md)<br>[Session controls in Conditional Access policy](../conditional-access/concept-conditional-access-session.md)<br>[Securing privileged access overview](/security/compass/overview) | | AC.L2-3.1.15<br><br>**Practice statement:** Authorize remote execution of privileged commands and remote access to security-relevant information.<br><br>**Objectives:**<br>Determine if:<br>[a.] privileged commands authorized for remote execution are identified;<br>[b.] security-relevant information authorized to be accessed remotely is identified;<br>[c.] 
the execution of the identified privileged commands via remote access is authorized; and<br>[d.] access to the identified security-relevant information via remote access is authorized. | Conditional Access is the Zero Trust control plane to target policies for access to your apps when combined with authentication context. You can apply different policies in those apps. Secure devices used by privileged accounts as part of the privileged access story. Configure conditional access policies to require the use of these secured devices by privileged users when performing privileged commands.<br>[Cloud apps, actions, and authentication context in Conditional Access policy](../conditional-access/concept-conditional-access-cloud-apps.md)<br>[Securing privileged access overview](/security/compass/overview)<br>[Filter for devices as a condition in Conditional Access policy](../conditional-access/concept-condition-filters-for-devices.md) |
-| AC.L2-3.1.18<br><br>**Practice statement:** Control connection of mobile devices.<br><br>**Objectives:**<br>Determine if:<br>[a.] mobile devices that process, store, or transmit CUI are identified;<br>[b.] mobile device connections are authorized; and<br>[c.] mobile device connections are monitored and logged. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to enforce mobile device configuration and connection profile. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management) |
+| AC.L2-3.1.18<br><br>**Practice statement:** Control connection of mobile devices.<br><br>**Objectives:**<br>Determine if:<br>[a.] mobile devices that process, store, or transmit CUI are identified;<br>[b.] mobile device connections are authorized; and<br>[c.] mobile device connections are monitored and logged. | Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to enforce mobile device configuration and connection profile. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management) |
| AC.L2-3.1.19<br><br>**Practice statement:** Encrypt CUI on mobile devices and mobile computing platforms.<br><br>**Objectives:**<br>Determine if:<br>[a.] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and<br>[b.] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. | **Managed Device**<br>Configure conditional access policies to enforce compliant or HAADJ device and to ensure managed devices are configured appropriately via device management solution to encrypt CUI.<br><br>**Unmanaged Device**<br>Configure conditional access policies to require app protection policies.<br>[Grant controls in Conditional Access policy - Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require app protection policy](../conditional-access/concept-conditional-access-grant.md) |
-| AC.L2-3.1.21<br><br>**Practice statement:** Limit use of portable storage devices on external systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] the use of portable storage devices containing CUI on external systems is identified and documented;<br>[b.] limits on the use of portable storage devices containing CUI on external systems are defined; and<br>[c.] the use of portable storage devices containing CUI on external systems is limited as defined. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to control the use of portable storage devices on systems. Configure policy settings on the Windows device to completely prohibit or restrict use of portable storage at the OS level. For all other devices where you may be unable to granularly control access to portable storage block download entirely with Microsoft Defender for Cloud Apps. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[Configure authentication session management - Azure Active Directory](../conditional-access/howto-conditional-access-session-lifetime.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br>[Restrict USB devices using administrative templates in Microsoft Intune](/mem/intune/configuration/administrative-templates-restrict-usb)<br><br>**Microsoft Defender for Cloud Apps**<br>[Create session policies in Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad)
+| AC.L2-3.1.21<br><br>**Practice statement:** Limit use of portable storage devices on external systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] the use of portable storage devices containing CUI on external systems is identified and documented;<br>[b.] limits on the use of portable storage devices containing CUI on external systems are defined; and<br>[c.] the use of portable storage devices containing CUI on external systems is limited as defined. | Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to control the use of portable storage devices on systems. Configure policy settings on the Windows device to completely prohibit or restrict use of portable storage at the OS level. For all other devices where you may be unable to granularly control access to portable storage block download entirely with Microsoft Defender for Cloud Apps. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[Configure authentication session management - Azure Active Directory](../conditional-access/howto-conditional-access-session-lifetime.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br>[Restrict USB devices using administrative templates in Microsoft Intune](/mem/intune/configuration/administrative-templates-restrict-usb)<br><br>**Microsoft Defender for Cloud Apps**<br>[Create session policies in Defender for Cloud Apps](/defender-cloud-apps/session-policy-aad)
### Next steps
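Review bot: In the replacement AC.L2-3.1.21 row the sentence "For all other devices where you may be unable to granularly control access to portable storage block download entirely with Microsoft Defender for Cloud Apps" still lacks the comma after "storage" (and should read "block downloads entirely"), so the instruction does not parse on first read; the removal of the duplicated "Microsoft Intune" from the MDM sentence is correct. While here, the "**InTune**" subheading in both the AC.L2-3.1.18 and AC.L2-3.1.21 rows should be "**Intune**", matching the product name in the link text of the same cell, and the "Require hybrid Azure AD joined device" links in these rows point at the grant-controls page without the `#require-hybrid-azure-ad-joined-device` anchor that the MP.L2-3.8.7 row in this same change set uses.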
active-directory Configure Cmmc Level 2 Additional Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-additional-controls.md
The following table provides a list of practice statement and objectives, and Az
| CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - |
-| AU.L2-3.3.1<br><br>**Practice statement:** Create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.<br><br>**Objectives:**<br>Determine if:<br>[a.] audit logs (for example, event types to be logged) to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;<br>[b.] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;<br>[c.] audit records are created (generated);<br>[d.] audit records, once created, contain the defined content;<br>[e.] retention requirements for audit records are defined; and<br>[f.] audit records are retained as defined.<br><br>AU.L2-3.3.2<br><br>**Practice statement:** Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.<br><br>**Objectives:**<br>Determine if:<br>[a.] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and<br>[b.] audit records, once created, contain the defined content. | All operations are audited within the Azure AD audit logs. Each audit log entry contains a userΓÇÖs immutable objectID that can be used to uniquely trace an individual system user to each action. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. 
Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification.<br>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md)<br>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AU.L2-3.3.1<br><br>**Practice statement:** Create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.<br><br>**Objectives:**<br>Determine if:<br>[a.] audit logs (for example, event types to be logged) to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;<br>[b.] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;<br>[c.] audit records are created (generated);<br>[d.] audit records, once created, contain the defined content;<br>[e.] retention requirements for audit records are defined; and<br>[f.] audit records are retained as defined.<br><br>AU.L2-3.3.2<br><br>**Practice statement:** Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.<br><br>**Objectives:**<br>Determine if:<br>[a.] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and<br>[b.] audit records, once created, contain the defined content. | All operations are audited within the Azure AD audit logs. Each audit log entry contains a userΓÇÖs immutable objectID that can be used to uniquely trace an individual system user to each action. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. 
Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification.<br>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md)<br>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| AU.L2-3.3.4<br><br>**Practice statement:** Alert if an audit logging process fails.<br><br>**Objectives:**<br>Determine if:<br>[a.] personnel or roles to be alerted if an audit logging process failure is identified;<br>[b.] types of audit logging process failures for which alert will be generated are defined; and<br>[c] identified personnel or roles are alerted in the event of an audit logging process failure. | Azure Service Health notifies you about Azure service incidents so you can take action to mitigate downtime. Configure customizable cloud alerts for Azure Active Directory. <br>[What is Azure Service Health?](../../service-health/overview.md)<br>[Three ways to get notified about Azure service issues](https://azure.microsoft.com/blog/three-ways-to-get-notified-about-azure-service-issues/)<br>[Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health/) |
-| AU.L2-3.3.6<br><br>**Practice statement:** Provide audit record reduction and report generation to support on-demand analysis and reporting.<br><br>**Objectives:**<br>Determine if:<br>[a.] an audit record reduction capability that supports on-demand analysis is provided; and<br>[b.] a report generation capability that supports on-demand reporting is provided. | Ensure Azure AD events are included in event logging strategy. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts. <br>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md)<br>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AU.L2-3.3.6<br><br>**Practice statement:** Provide audit record reduction and report generation to support on-demand analysis and reporting.<br><br>**Objectives:**<br>Determine if:<br>[a.] an audit record reduction capability that supports on-demand analysis is provided; and<br>[b.] a report generation capability that supports on-demand reporting is provided. | Ensure Azure AD events are included in event logging strategy. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts. <br>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md)<br>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| AU.L2-3.3.8<br><br>**Practice statement:** Protect audit information and audit logging tools from unauthorized access, modification, and deletion.<br><br>**Objectives:**<br>Determine if:<br>[a.] audit information is protected from unauthorized access;<br>[b.] audit information is protected from unauthorized modification;<br>[c.] audit information is protected from unauthorized deletion;<br>[d.] audit logging tools are protected from unauthorized access;<br>[e.] audit logging tools are protected from unauthorized modification; and<br>[f.] audit logging tools are protected from unauthorized deletion.<br><br>AU.L2-3.3.9<br><br>**Practice statement:** Limit management of audit logging functionality to a subset of privileged users.<br><br>**Objectives:**<br>Determine if:<br>[a.] a subset of privileged users granted access to manage audit logging functionality is defined; and<br>[b.] management of audit logging functionality is limited to the defined subset of privileged users. | Azure AD logs are retained by default for 30 days. These logs are unable to modified or deleted and are only accessible to limited set of privileged roles.<br>[Sign-in logs in Azure Active Directory](../reports-monitoring/concept-sign-ins.md)<br>[Audit logs in Azure Active Directory](../reports-monitoring/concept-audit-logs.md) ## Configuration Management (CM)
The following table provides a list of practice statement and objectives, and Az
| CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - |
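Review bot: In the AU.L2-3.3.1/3.3.2 row above, the added line still carries a mis-encoded apostrophe in "userΓÇÖs"; check that the file is saved as UTF-8 and that the character is a plain apostrophe ("user's"), since it is the only text in this hunk that renders as mojibake. The same row's guidance cell is split across two lines at "Microsoft Sentinel." / "Alternatively, you can use Azure Event Hubs"; if that line break is really in the file rather than an artifact of this view, it terminates the table row when rendered, so the two lines should be joined. The link-title change to "Azure portal" is fine. Two context items worth fixing in the same PR: objective "[c]" in the AU.L2-3.3.4 row is missing its period, unlike "[a.]" and "[b.]", and "These logs are unable to modified or deleted" in the AU.L2-3.3.8/3.3.9 row should read "These logs cannot be modified or deleted".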
-| IR.L2-3.6.1<br><br>**Practice statement:** Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.<br><br>**Objectives:**<br>Determine if:<br>[a.] an operational incident-handling capability is established;<br>[b.] the operational incident-handling capability includes preparation;<br>[c.] the operational incident-handling capability includes detection;<br>[d.] the operational incident-handling capability includes analysis;<br>[e.] the operational incident-handling capability includes containment;<br>[f.] the operational incident-handling capability includes recovery; and<br>[g.] the operational incident-handling capability includes user response activities. | Implement incident handling and monitoring capabilities. The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution, such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.<br><br>**Audit events**<br>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br>[Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)<br>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><br>**SIEM integrations**<br>[Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| IR.L2-3.6.1<br><br>**Practice statement:** Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.<br><br>**Objectives:**<br>Determine if:<br>[a.] an operational incident-handling capability is established;<br>[b.] the operational incident-handling capability includes preparation;<br>[c.] the operational incident-handling capability includes detection;<br>[d.] the operational incident-handling capability includes analysis;<br>[e.] the operational incident-handling capability includes containment;<br>[f.] the operational incident-handling capability includes recovery; and<br>[g.] the operational incident-handling capability includes user response activities. | Implement incident handling and monitoring capabilities. The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution, such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.<br><br>**Audit events**<br>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br>[Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md)<br>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><br>**SIEM integrations**<br>[Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
## Maintenance (MA)
The following table provides a list of practice statement and objectives, and Az
| CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - | | MA.L2-3.7.5<br><br>**Practice statement:** Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.<br><br>**Objectives:**<br>Determine if:<br>[a.] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and<br>[b.] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.| Accounts assigned administrative rights are targeted by attackers, including accounts used to establish non-local maintenance sessions. Requiring multifactor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.<br>[Conditional Access - Require MFA for administrators](../conditional-access/howto-conditional-access-policy-admin-mfa.md) |
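Review bot: In the IR.L2-3.6.1 row above, the two links under "**SIEM integrations**" are run together with no `<br>` between "[Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)](...)" and "[Stream to Azure event hub and other SIEMs](...)", so they render as one line; insert a `<br>` and drop the stray space before the colon in "Microsoft Sentinel : Connect". The "Azure portal" link-title change itself is fine. In the adjacent MA.L2-3.7.5 context line, "nonlocal maintenance is complete.| Accounts" is missing the space before the cell separator.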
-| MP.L2-3.8.7<br><br>**Practice statement:** Control the use of removable media on system components.<br><br>**Objectives:**<br>Determine if:<br>[a.] the use of removable media on system components is controlled. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to control the use of removable media on systems. Deploy and manage Removable Storage Access Control using Intune, Configuration Manager, or Group Policy. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device)<br><br>**Intune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Removable storage access control**<br>[Deploy and manage Removable Storage Access Control using Intune](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide&preserve-view=true)<br>[Deploy and manage Removable Storage Access Control using group policy](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy?view=o365-worldwide&preserve-view=true) |
+| MP.L2-3.8.7<br><br>**Practice statement:** Control the use of removable media on system components.<br><br>**Objectives:**<br>Determine if:<br>[a.] the use of removable media on system components is controlled. | Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to control the use of removable media on systems. Deploy and manage Removable Storage Access Control using Intune, Configuration Manager, or Group Policy. Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device)<br><br>**Intune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Removable storage access control**<br>[Deploy and manage Removable Storage Access Control using Intune](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide&preserve-view=true)<br>[Deploy and manage Removable Storage Access Control using group policy](/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy?view=o365-worldwide&preserve-view=true) |
## Personnel Security (PS)
The following table provides a list of practice statement and objectives, and Az
| CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - | | SC.L2-3.13.3<br><br>**Practice statement:** Separate user functionality form system management functionality. <br><br>**Objectives:**<br>Determine if:<br>[a.] user functionality is identified;<br>[b.] system management functionality is identified; and<br>[c.] user functionality is separated from system management functionality. | Maintain separate user accounts in Azure Active Directory for everyday productivity use and administrative or system/privileged management. Privileged accounts should be cloud-only or managed accounts and not synchronized from on-premises to protect the cloud environment from on-premises compromise. System/privileged access should only be permitted from a security hardened privileged access workstation (PAW). Configure Conditional Access device filters to restrict access to administrative applications from PAWs that are enabled using Azure Virtual Desktops.<br>[Why are privileged access devices important](/security/compass/privileged-access-devices)<br>[Device Roles and Profiles](/security/compass/privileged-access-devices)<br>[Filter for devices as a condition in Conditional Access policy](../conditional-access/concept-condition-filters-for-devices.md)<br>[Azure Virtual Desktop](https://azure.microsoft.com/products/virtual-desktop/) |
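Review bot: The MP.L2-3.8.7 dedup of "Microsoft Intune" is correct, and this row spells the subheading "**Intune**", which is the form the other rows in this file ("**InTune**") should be normalized to. The row also says "Intune, Configuration Manager, or Group Policy" while the links only cover Intune and group policy, and "Group Policy" here is capitalized differently from "group policy objects (GPO)" earlier in the same cell; pick one form. In the SC.L2-3.13.3 context row that follows, "Separate user functionality form system management functionality" should read "from", and the two links "Why are privileged access devices important" and "Device Roles and Profiles" both point to `/security/compass/privileged-access-devices`, so one of them is probably meant to carry a different target.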
-| SC.L2-3.13.4<br><br>**Practice statement:** Prevent unauthorized and unintended information transfer via shared system resources.<br><br>**Objectives:**<br>Determine if:<br>[a.] unauthorized and unintended information transfer via shared system resources is prevented. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to ensure devices are compliant with system hardening procedures. Include compliance with company policy regarding software patches to prevent attackers from exploiting flaws.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started) |
-| SC.L2-3.13.13<br><br>**Practice statement:** Control and monitor the use of mobile code.<br><br>**Objectives:**<br>Determine if:<br>[a.] use of mobile code is controlled; and<br>[b.] use of mobile code is monitored. | Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to disable the use of mobile code. Where use of mobile code is required monitor the use with endpoint security such as Microsoft Defender for Endpoint.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |
+| SC.L2-3.13.4<br><br>**Practice statement:** Prevent unauthorized and unintended information transfer via shared system resources.<br><br>**Objectives:**<br>Determine if:<br>[a.] unauthorized and unintended information transfer via shared system resources is prevented. | Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to ensure devices are compliant with system hardening procedures. Include compliance with company policy regarding software patches to prevent attackers from exploiting flaws.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started) |
+| SC.L2-3.13.13<br><br>**Practice statement:** Control and monitor the use of mobile code.<br><br>**Objectives:**<br>Determine if:<br>[a.] use of mobile code is controlled; and<br>[b.] use of mobile code is monitored. | Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to disable the use of mobile code. Where use of mobile code is required monitor the use with endpoint security such as Microsoft Defender for Endpoint.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |
## System and Information Integrity (SI)
The following table provides a list of practice statement and objectives, and Az
| CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - |
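Review bot: In the SC.L2-3.13.13 replacement row, "Where use of mobile code is required monitor the use with endpoint security such as Microsoft Defender for Endpoint" needs a comma after "required" to separate the condition from the instruction. Both SC rows keep the "**InTune**" subheading, which should be "**Intune**" as in the MP.L2-3.8.7 row; otherwise the removal of the duplicated "Microsoft Intune" in both rows is correct.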
-| SI.L2-3.14.7<br><br>**Practice statement:**<br><br>**Objectives:** Identify unauthorized use of organizational systems.<br>Determine if:<br>[a.] authorized use of the system is defined; and<br>[b.] unauthorized use of the system is identified. | Consolidate telemetry: Azure AD logs to stream to SIEM, such as Azure Sentinel Configure device management policies via MDM (such as Microsoft Intune), Microsoft Intune, Configuration Manager, or group policy objects (GPO) to require Intrusion Detection/Protection (IDS/IPS) such as Microsoft Defender for Endpoint is installed and in use. Use telemetry provided by the IDS/IPS to identify unusual activities or conditions related to inbound and outbound communications traffic or unauthorized use.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |
+| SI.L2-3.14.7<br><br>**Practice statement:**<br><br>**Objectives:** Identify unauthorized use of organizational systems.<br>Determine if:<br>[a.] authorized use of the system is defined; and<br>[b.] unauthorized use of the system is identified. | Consolidate telemetry: Azure AD logs to stream to SIEM, such as Azure Sentinel Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to require Intrusion Detection/Protection (IDS/IPS) such as Microsoft Defender for Endpoint is installed and in use. Use telemetry provided by the IDS/IPS to identify unusual activities or conditions related to inbound and outbound communications traffic or unauthorized use.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |
### Next steps
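Review bot: The SI.L2-3.14.7 replacement row leaves the practice text in the wrong field: "**Practice statement:**" is empty and "Identify unauthorized use of organizational systems." sits after "**Objectives:**", so the sentence should be moved up to follow "Practice statement:" and "Objectives:" should be followed only by "Determine if:". The guidance cell also runs two sentences together at "such as Azure Sentinel Configure device management policies" (missing period), uses "Azure Sentinel" where every other row in this file says "Microsoft Sentinel", and "to require Intrusion Detection/Protection (IDS/IPS) such as Microsoft Defender for Endpoint is installed and in use" should read "to require that an intrusion detection/prevention system (IDS/IPS), such as Microsoft Defender for Endpoint, is installed and in use". The dedup of "Microsoft Intune" is fine.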
active-directory Fedramp Access Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-access-controls.md
Each row in the following table provides prescriptive guidance to help you devel
| Control ID | Customer responsibilities and guidance | | - | - |
-| AC-02 | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br><li>[Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md)<p>Monitor accounts<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Review accounts<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-create.md)<br><li>[Review access of an access package in Azure AD entitlement 
management](../governance/entitlement-management-access-reviews-review-access.md)<p>Resources<br><li>[Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md)<br><li>[Dynamic Groups in Azure AD](../enterprise-users/groups-create-rule.md) |
-| AC-02(1)| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br><li>[What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md)<br><li>[SaaS app integration tutorials for use with Azure AD](../saas-apps/tutorial-list.md)<p>Monitor and audit<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Microsoft Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)ΓÇÄ|
+| AC-02 | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br><li>[Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md)<p>Monitor accounts<br><li>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Review accounts<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-create.md)<br><li>[Review access of an access package in Azure AD entitlement 
management](../governance/entitlement-management-access-reviews-review-access.md)<p>Resources<br><li>[Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md)<br><li>[Dynamic Groups in Azure AD](../enterprise-users/groups-create-rule.md) |
+| AC-02(1)| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br><li>[What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md)<br><li>[SaaS app integration tutorials for use with Azure AD](../saas-apps/tutorial-list.md)<p>Monitor and audit<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Microsoft Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)ΓÇÄ|
| AC-02(2)<br>AC-02(3)| **Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.**<p>Implement account management automation with Microsoft Graph and Azure AD PowerShell. Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required time frame. <p>Determine inactivity<br><li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br><li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<p>Remove or disable accounts<br><li>[Working with users in Microsoft Graph](/graph/api/resources/users)<br><li>[Get a user](/graph/api/user-get?tabs=http)<br><li>[Update user](/graph/api/user-update?tabs=http)<br><li>[Delete a user](/graph/api/user-delete?tabs=http)<p>Work with devices in Microsoft Graph<br><li>[Get device](/graph/api/device-get?tabs=http)<br><li>[Update device](/graph/api/device-update?tabs=http)<br><li>[Delete device](/graph/api/device-delete?tabs=http)<p>Use [Azure AD PowerShell](/powershell/module/azuread/)<br><li>[Get-AzureADUser](/powershell/module/azuread/get-azureaduser)<br><li>[Set-AzureADUser](/powershell/module/azuread/set-azureaduser)<br><li>[Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice)<br><li>[Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice) |
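Review bot: the added AC-02(1) row still ends with the stray `ΓÇÄ` sequence (a mis-encoded U+200E left-to-right mark) right before the closing `|`, carried over unchanged from the removed line; since the row is being rewritten for the link text anyway, drop it so the cell ends with `...stream-logs-to-event-hub.md) |`. Beyond that, the AC-02 and AC-02(1) changes are only the link-text rename from "Azure Active Directory portal" to "Azure portal", which is applied consistently across both rows.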
-| AC-02(4)| **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Microsoft Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<P>Notification<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AC-02(4)| **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Microsoft Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<P>Notification<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| AC-02(5)| **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a conditional access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
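Review bot: the AC-02(4) row keeps `<P>Notification` with an uppercase tag while every other subheading in the table uses `<p>`; make it lowercase while the line is being touched. The cell also says the lifecycle operations "are audited within the Azure audit logs" where the surrounding rows (AC-02, AU-02 in the related article) say "Azure AD audit logs"; aligning the wording removes the ambiguity about which log source is meant.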
-| AC-02(7)| **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AC-02(7)| **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| AC-02(11)| **Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.**<p>Create conditional access policies to enforce access control decisions across users and devices.<p>Conditional access<br><li>[Create a conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json)<br><li>[What is conditional access?](../conditional-access/overview.md) |
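Review bot: the bolded requirement in the AC-02(7) row reads "Disable or revoke privilege access" in both the removed and the added line; it should be "privileged access", and since this pass already rewrites the line for the "Azure portal" link text, fix it here rather than in a follow-up.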
-| AC-02(12)| **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Azure Active Directory Identity Protection notifications](../identity-protection/howto-identity-protection-configure-notifications.md)<p>Monitor accounts<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AC-02(12)| **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Azure Active Directory Identity Protection notifications](../identity-protection/howto-identity-protection-configure-notifications.md)<p>Monitor accounts<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| AC-02(13)|**Disable customer-controlled accounts of users that pose a significant risk within one hour.**<p>In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create conditional access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<p>Conditional access<br><li>[What is conditional access?](../conditional-access/overview.md)<br><li>[Create a conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json)<br><li>[Conditional access: User risk-based conditional access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Conditional access: Sign-in risk-based conditional access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Self-remediation with risk policy](../identity-protection/howto-identity-protection-remediate-unblock.md) | | AC-06(7)| **Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.**<p>Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required. 
<p>Access reviews<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)<br><li>[Review access of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-review-access.md) | | AC-07| **Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.**<p>Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements. <p>Smart lockout<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md)<br><li>[Manage Azure AD smart lockout values](../authentication/howto-password-smart-lockout.md) |
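Review bot: in the unchanged AC-02(13) row directly below this hunk, the "Conditional access: Sign-in risk-based conditional access" entry links to `../conditional-access/howto-conditional-access-policy-risk-user.md`, the same target as the "User risk-based conditional access" entry immediately above it, so the sign-in-risk link is almost certainly pointing at the wrong article; worth correcting in the same commit since the row's neighbours are being edited.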
active-directory Fedramp Other Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-other-controls.md
The guidance in the following table pertains to:
| Control ID and subpart| Customer responsibilities and guidance | | - | - |
-| AU-02 <br>AU-03 <br>AU-03(1)<br>AU-03(2)| Ensure the system is capable of auditing events defined in AU-02 Part a. Coordinate with other entities within the organization's subset of auditable events to support after-the-fact investigations. Implement centralized management of audit records.<p>All account lifecycle operations (account creation, modification, enabling, disabling, and removal actions) are audited within the Azure AD audit logs. All authentication and authorization events are audited within Azure AD sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a security information and event management (SIEM) solution such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.<p>Audit events<li> [Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<li> [Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li> [Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| AU-02 <br>AU-03 <br>AU-03(1)<br>AU-03(2)| Ensure the system is capable of auditing events defined in AU-02 Part a. Coordinate with other entities within the organization's subset of auditable events to support after-the-fact investigations. Implement centralized management of audit records.<p>All account lifecycle operations (account creation, modification, enabling, disabling, and removal actions) are audited within the Azure AD audit logs. All authentication and authorization events are audited within Azure AD sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a security information and event management (SIEM) solution such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.<p>Audit events<li> [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<li> [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li> [Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| AU-06<br>AU-06(1)<br>AU-06(3)<br>AU-06(4)<br>AU-06(5)<br>AU-06(6)<br>AU-06(7)<br>AU-06(10)<br>| Review and analyze audit records at least once each week to identify inappropriate or unusual activity, and report findings to appropriate personnel. <p>The preceding guidance provided for AU-02 and AU-03 allows for weekly review of audit records and reporting to appropriate personnel. You can't meet these requirements by using only Azure AD. You must also use a SIEM solution such as Microsoft Sentinel. For more information, see [What is Microsoft Sentinel?](../../sentinel/overview.md). | ## Incident response
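Review bot: the added AU-02 row keeps the stray space before the colon in `[Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)]` and the leading spaces inside `<li> [Audit ...` and `<li> [Sign-in ...`, which render as a space before the colon and uneven list items; tidy both while the line is being edited. The link-text rename to "Azure portal" itself matches the change made to the AC-02 rows in the related article.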
The guidance in the following table pertains to:
| Control ID and subpart| Customer responsibilities and guidance | | - | - |
-| IR-04<br>IR-04(1)<br>IR-04(2)<br>IR-04(3)<br>IR-04(4)<br>IR-04(6)<br>IR-04(8)<br>IR-05<br>IR-05(1)| Implement incident handling and monitoring capabilities. This includes Automated Incident Handling, Dynamic Reconfiguration, Continuity of Operations, Information Correlation, Insider Threats, Correlation with External Organizations, and Incident Monitoring and Automated Tracking. <p>The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution, such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions. Automate dynamic reconfiguration based on events within the SIEM by using Microsoft Graph or Azure AD PowerShell.<p>Audit events<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<li>[Sign-in activity reports in the Azure Active Directory portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li>[Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Dynamic reconfiguration<li>[AzureAD Module](/powershell/module/azuread/)<li>[Overview of Microsoft Graph](/graph/overview?view=graph-rest-1.0&preserve-view=true) |
+| IR-04<br>IR-04(1)<br>IR-04(2)<br>IR-04(3)<br>IR-04(4)<br>IR-04(6)<br>IR-04(8)<br>IR-05<br>IR-05(1)| Implement incident handling and monitoring capabilities. This includes Automated Incident Handling, Dynamic Reconfiguration, Continuity of Operations, Information Correlation, Insider Threats, Correlation with External Organizations, and Incident Monitoring and Automated Tracking. <p>The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution, such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions. Automate dynamic reconfiguration based on events within the SIEM by using Microsoft Graph or Azure AD PowerShell.<p>Audit events<br><li>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<li>[Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li>[Microsoft Sentinel : Connect data from Azure Active Directory (Azure AD)](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Dynamic reconfiguration<li>[AzureAD Module](/powershell/module/azuread/)<li>[Overview of Microsoft Graph](/graph/overview?view=graph-rest-1.0&preserve-view=true) |
## Personnel security
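Review bot: the added IR-04 row mixes `Audit events<br><li>` with `SIEM integrations<li>` and `Dynamic reconfiguration<li>`, so the first list gets an extra line break the other two don't; pick one form for all three. It also carries the same stray space in `[Microsoft Sentinel : Connect data ...]` as the AU-02 row, which should be fixed in the same pass.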
advisor Advisor Performance Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/advisor/advisor-performance-recommendations.md
Migrate your storage account deployment model to Azure Resource Manager to take
Advisor identifies any stand-alone storage accounts that are using the classic deployment model and recommends migrating to the Resource Manager deployment model. > [!NOTE]
-> Classic alerts in Azure Monitor were retired in August 2019. We recommended that you upgrade your classic storage account to use Resource Manager to retain alerting functionality with the new platform. For more information, see [classic alerts retirement](../azure-monitor/alerts/monitoring-classic-retirement.md#retirement-of-classic-monitoring-and-alerting-platform).
+> Classic alerts in Azure Monitor were retired in August 2019. We recommended that you upgrade your classic storage account to use Resource Manager to retain alerting functionality with the new platform. For more information, see [classic alerts retirement](/previous-versions/azure/azure-monitor/alerts/monitoring-classic-retirement#retirement-of-classic-monitoring-and-alerting-platform).
## Design your storage accounts to prevent reaching the maximum subscription limit
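Review bot: the note still says "We recommended that you upgrade your classic storage account", which reads as past tense; since the line is already being changed for the new link target, change it to "We recommend". Moving the link to `/previous-versions/azure/azure-monitor/alerts/monitoring-classic-retirement` is consistent with the sentence before it, which states that classic alerts were retired in August 2019.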
aks Auto Upgrade Node Image https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/auto-upgrade-node-image.md
The following upgrade channels are available:
||| | `None`| Your nodes won't have security updates applied automatically. This means you're solely responsible for your security updates|N/A| | `Unmanaged`|OS updates will be applied automatically through the OS built-in patching infrastructure. Newly allocated machines will be unpatched initially and will be patched at some point by the OS's infrastructure|Ubuntu applies security patches through unattended upgrade roughly once a day around 06:00 UTC. Windows and Mariner don't apply security patches automatically, so this option behaves equivalently to `None`|
-| `SecurityPatch`|AKS will update the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only" on a regular basis. Where possible, patches will also be applied without disruption to existing nodes. Some patches, such as kernel patches, can't be applied to existing nodes without disruption. For such patches, the VHD will be updated and existing machines will be upgraded to that VHD following maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] will be disabled by default.|N/A|
+| `SecurityPatch`|AKS will update the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only" on a regular basis. Some patches, such as kernel patches, can't be applied to existing nodes without disruption. For such patches, the VHD will be updated and existing machines will be upgraded to that VHD following maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] will be disabled by default.|N/A|
| `NodeImage`|AKS will update the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option. If you use this channel, Linux [unattended upgrades][unattended-upgrades] will be disabled by default.| To set the node OS auto-upgrade channel when creating a cluster, use the *node-os-upgrade-channel* parameter, similar to the following example.
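Review bot: deleting "Where possible, patches will also be applied without disruption to existing nodes." leaves the next sentence, "Some patches, such as kernel patches, can't be applied to existing nodes without disruption.", without the contrast it was written against, so the `SecurityPatch` row no longer tells the reader whether non-kernel patches reach running nodes at all or only through the VHD swap described afterwards. Either restore a short statement of what happens to non-disruptive patches or rewrite the two sentences so the VHD-based behaviour is stated on its own.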
aks Azure Cni Overlay https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overlay.md
Previously updated : 03/06/2023 Last updated : 03/09/2023 # Configure Azure CNI Overlay networking in Azure Kubernetes Service (AKS)
location="westcentralus"
az aks create -n $clusterName -g $resourceGroup --location $location --network-plugin azure --network-plugin-mode overlay --pod-cidr 192.168.0.0/16 ```
-## Upgrade existing clusters
-
-To update an existing cluster to use Azure CNI overlay, there are a couple prerequisites:
-
-* The cluster must use Azure CNI without the pod subnet feature.
-* The cluster is _not_ using network policies.
-* The Overlay Pod CIDR needs to be an address range that _does not_ overlap with the existing cluster's VNet.
-* If you have subnet Network Security Group rules, they must allow traffic to and from the Pod CIDR (refer to the [network security groups](#network-security-groups) section in this document for more information).
-
-To update a cluster, run the following Azure CLI command.
-
-```azurecli
-az aks update --name $clusterName --resource-group $resourceGroup --network-plugin azure --network-plugin-mode overlay --pod-cidr $overlayPodCidr
-```
- This will perform a rolling upgrade of nodes in **all** nodepools simultaneously to Azure CNI overlay and should be treated like a node image upgrade. During the upgrade, traffic from an Overlay pod to a CNI v1 pod will be SNATed(Source Network Address Translation) ## Next steps
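Review bot: removing the whole "Upgrade existing clusters" section, including its prerequisites list, the `az aks update --network-plugin azure --network-plugin-mode overlay --pod-cidr $overlayPodCidr` command and the SNAT note, leaves the article with no statement at all about existing clusters. If in-place migration to Overlay is being withdrawn, add a one-line note under the create section saying that existing clusters can't be updated to Overlay; if the guidance is only being reworked, a placeholder pointing to where it will live avoids the gap. The removed bullet also referred to the `#network-security-groups` anchor; confirm that section still reads correctly without the upgrade prerequisites that referenced it.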
aks Http Application Routing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/http-application-routing.md
# HTTP application routing
-The HTTP application routing solution makes it easy to access applications that are deployed to your Azure Kubernetes Service (AKS) cluster. When the solution's enabled, it configures an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints.
+>
+> [!CAUTION]
+> The HTTP application routing add-on is in the process of being retired and is not recommended for production use. Please use the [Web Application Routing add-on](./web-app-routing.md) instead.
-When the add-on is enabled, it creates a DNS Zone in your subscription. For more information about DNS cost, see [DNS pricing][dns-pricing].
-> [!CAUTION]
-> The HTTP application routing add-on is designed to let you quickly create an ingress controller and access your applications. This add-on is not currently designed for use in a production environment and is not recommended for production use. For production-ready ingress deployments that include multiple replicas and TLS support, see [Create an HTTPS ingress controller](./ingress-tls.md).
+The HTTP application routing solution makes it easy to access applications that are deployed to your Azure Kubernetes Service (AKS) cluster. When the solution's enabled, it configures an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints.
+When the add-on is enabled, it creates a DNS Zone in your subscription. For more information about DNS cost, see [DNS pricing][dns-pricing].
## Limitations
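Review bot: the new `[!CAUTION]` block begins with a bare `>` line (the first added line, directly after the removed intro paragraph), which renders as an empty blockquote line above the callout; remove it. The new caution also drops the earlier pointer to "Create an HTTPS ingress controller" (`./ingress-tls.md`) for production-ready ingress with TLS, so readers are now offered only the Web Application Routing add-on as the alternative; consider keeping the ingress-tls link alongside it. Style nit: the docs voice avoids "Please use ..."; "Use ... instead." is enough.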
aks Intro Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/intro-kubernetes.md
To get started with Ingress traffic, see [HTTP application routing][aks-http-rou
Kubernetes has a rich ecosystem of development and management tools that work seamlessly with AKS. These tools include [Helm][helm] and the [Kubernetes extension for Visual Studio Code][k8s-extension].
-Azure provides several tools that help streamline Kubernetes, such as DevOps Starter.
-
-### DevOps Starter
-
-DevOps Starter provides a simple solution for bringing existing code and Git repositories into Azure. DevOps Starter automatically:
-
-* Creates Azure resources (such as AKS).
-* Configures a release pipeline in Azure DevOps Services that includes a build pipeline for CI.
-* Sets up a release pipeline for CD.
-* Generates an Azure Application Insights resource for monitoring.
-
-For more information, see [DevOps Starter][azure-devops].
+Azure provides several tools that help streamline Kubernetes.
## Docker image support and private container registry
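Review bot: with the DevOps Starter subsection removed, the added line `+Azure provides several tools that help streamline Kubernetes.` is left with no examples or link and reads as an orphan; either name or link the tools it refers to, or drop the sentence and let the Helm and VS Code extension sentence above it carry the point.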
Learn more about deploying and managing AKS.
[conf-com-node]: ../confidential-computing/confidential-nodes-aks-overview.md [aad]: managed-aad.md [aks-monitor]: monitor-aks.md
-[azure-monitor]: ../azure-monitor/containers/containers.md
+[azure-monitor]: /previous-versions/azure/azure-monitor/containers/containers
[azure-logs]: ../azure-monitor/logs/log-analytics-overview.md [helm]: quickstart-helm.md [aks-best-practices]: best-practices.md
aks Use Azure Dedicated Hosts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-azure-dedicated-hosts.md
Title: Use Azure Dedicated Hosts in Azure Kubernetes Service (AKS)
description: Learn how to create an Azure Dedicated Hosts Group and associate it with Azure Kubernetes Service (AKS) Previously updated : 12/01/2022 Last updated : 03/10/2023 # Add Azure Dedicated Host to an Azure Kubernetes Service (AKS) cluster
Using Azure Dedicated Hosts for nodes with your AKS cluster has the following be
The following limitations apply when you integrate Azure Dedicated Host with Azure Kubernetes Service:
+* Accelerated Networking
* An existing agent pool can't be converted from non-ADH to ADH or ADH to non-ADH. * It isn't supported to update agent pool from host group A to host group B. * Using ADH across subscriptions.
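Review bot: the added item `+* Accelerated Networking` is a bare noun phrase in a list whose other entries state what isn't supported (`An existing agent pool can't be converted`, `It isn't supported to update agent pool`); make it explicit, for example `Accelerated Networking isn't supported`, and state the scope (the agent pool, the host group) so readers don't have to guess whether the feature is unavailable or merely constrained.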
api-management Api Management Howto App Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-app-insights.md
You need an Azure API Management instance. [Create one](get-started-create-servi
## Create an Application Insights instance
-To use Application Insights, [create an instance of the Application Insights service](../azure-monitor/app/create-new-resource.md). To create an instance using the Azure portal, see [Workspace-based Application Insights resources](../azure-monitor/app/create-workspace-resource.md).
+To use Application Insights, [create an instance of the Application Insights service](/previous-versions/azure/azure-monitor/app/create-new-resource). To create an instance using the Azure portal, see [Workspace-based Application Insights resources](../azure-monitor/app/create-workspace-resource.md).
> [!NOTE] > The Application Insights resource **can be** in a different subscription or even a different tenant than the API Management resource.
To use Application Insights, [create an instance of the Application Insights ser
1. Select **+ Add**. :::image type="content" source="media/api-management-howto-app-insights/apim-app-insights-logger-1.png" alt-text="Screenshot that shows where to add a new connection"::: 1. Select the **Application Insights** instance you created earlier and provide a short description.
-1. To enable [availability monitoring](../azure-monitor/app/monitor-web-app-availability.md) of your API Management instance in Application Insights, select the **Add availability monitor** checkbox.
+1. To enable [availability monitoring](/previous-versions/azure/azure-monitor/app/monitor-web-app-availability) of your API Management instance in Application Insights, select the **Add availability monitor** checkbox.
* This setting regularly validates whether the API Management gateway endpoint is responding. * Results appear in the **Availability** pane of the Application Insights instance. 1. Select **Create**.
api-management Api Management Howto Configure Notifications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/api-management-howto-configure-notifications.md
To view and configure a notification template in the portal:
## Configure email settings
-You can modify general email settings for notifications that are sent from your API Management instance. You can change the administrator email address, the name of the organization sending notifications, and the originating email address.
+You can modify general email settings for notifications that are sent from your API Management instance. You can change the administrator email address, the name of the organization sending notifications, and the originating email address.
+> [!IMPORTANT]
+> Changing the originating email address may affect recipients' ability to receive email. See the [considerations](#considerations-for-changing-the-originating-email-address) in the following section.
+>
To modify email settings: 1. In the left menu, select **Notification templates**.
To modify email settings:
* **Administrator email** - the email address to receive all system notifications and other configured notifications * **Organization name** - the name of your organization for use in the developer portal and notifications * **Originating email address** - The value of the `From` header for notifications from the API Management instance. API Management sends notifications on behalf of this originating address.
- > [!NOTE]
- > When you change the Originating email address, some recipients may not receive the auto-generated emails from API Management or emails may get sent to the Junk/Spam folder. This happens because the email no longer passes SPF Authentication after you change the Originating email address domain. To ensure successful SPF Authentication and delivery of email, create the following TXT record in the DNS database of the domain specified in the email address. For instance, if the email address is `noreply@contoso.com`, you will need to contact the administrator of contoso.com to add the following TXT record: **"v=spf1 include:spf.protection.outlook.com include:_spf-ssg-a.microsoft.com -all"**
+
:::image type="content" source="media/api-management-howto-configure-notifications/configure-email-settings.png" alt-text="Screenshot of API Management email settings in the portal"::: 1. Select **Save**.
+### Considerations for changing the originating email address
+
+Recipients of email notifications from API Management could be affected when you change the originating email address.
+
+* **Change to From address** - When you change the originating email address (for example, to `no-reply@contoso.com`), the `From` address header will be `noreply@contoso.com apimgmt-noreply@mail.windowsazure.com`. This is because the email is being sent by API Management, and not the email server of the originating email address.
+
+* **Email set to Junk or Spam folder** - Some recipients may not receive the email notifications from API Management or emails may get sent to the Junk or Spam folder. This can happen depending on the organization's SPF or DKIM email authentication settings:
+
+ * **SPF authentication** - Email might no longer pass SPF authentication after you change the originating email address domain. To ensure successful SPF authentication and delivery of email, create the following TXT record in the DNS database of the domain specified in the email address. For instance, if the email address is `noreply@contoso.com`, contact the administrator of contoso.com to add the following TXT record: **"v=spf1 include:spf.protection.outlook.com include:_spf-ssg-a.microsoft.com -all"**
+
+ * **DKIM authentication** - To generate a valid signature for DKIM for email authentication, API Management requires the private key associated with the domain of the originating email address. However, it is currently not possible to upload this private key in API Management. Therefore, to assign a valid signature, API Management uses the private key associated with the `mail.windowsazure.com` domain.
+ ## Next steps * [Overview of the developer portal](api-management-howto-developer-portal.md).
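Review bot: in the `Change to From address` bullet the example address is `no-reply@contoso.com` but the resulting header shows `noreply@contoso.com`, and the header value `noreply@contoso.com apimgmt-noreply@mail.windowsazure.com` is two bare addresses separated by a space; use one spelling and show the header in its actual shape (which part is the display name and which is the address) so readers can recognise it in their mail logs. In the `SPF authentication` bullet, `create the following TXT record` should tell the domain administrator to merge the two `include:` mechanisms into the domain's existing SPF record if one is already published, because a domain with more than one `v=spf1` TXT record fails SPF evaluation outright, and `-all` causes receivers to reject mail from any legitimate sender the record omits, so that should be confirmed before publishing. Finally, since the `DKIM authentication` bullet says the signature is produced with the `mail.windowsazure.com` key, a DMARC policy on the originating domain cannot pass through DKIM alignment; the section should state which envelope sender domain API Management uses so readers can tell whether SPF alignment is achievable for DMARC.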
app-service Configure Language Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/configure-language-java.md
Azure Blob Storage logging for Linux based App Services can only be configured u
::: zone-end
-If your application uses [Logback](https://logback.qos.ch/) or [Log4j](https://logging.apache.org/log4j) for tracing, you can forward these traces for review into Azure Application Insights using the logging framework configuration instructions in [Explore Java trace logs in Application Insights](../azure-monitor/app/deprecated-java-2x.md#explore-java-trace-logs-in-application-insights).
+If your application uses [Logback](https://logback.qos.ch/) or [Log4j](https://logging.apache.org/log4j) for tracing, you can forward these traces for review into Azure Application Insights using the logging framework configuration instructions in [Explore Java trace logs in Application Insights](/previous-versions/azure/azure-monitor/app/deprecated-java-2x#explore-java-trace-logs-in-application-insights).
> [!NOTE] > Due to known vulnerability [CVE-2021-44228](https://logging.apache.org/log4j/2.x/security.html), be sure to use Log4j version 2.16 or later.
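Review bot: the unchanged note beneath the relinked sentence, `> Due to known vulnerability [CVE-2021-44228](...), be sure to use Log4j version 2.16 or later.`, pins a fixed minimum version; since it already links the Log4j security page, consider wording it as the latest 2.x release listed on that page so the guidance doesn't go stale as further fixes ship.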
app-service Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/migrate.md
Title: Migrate to App Service Environment v3 by using the migration feature
description: Overview of the migration feature for migration to App Service Environment v3 Previously updated : 02/22/2023 Last updated : 03/10/2023
At this time, the migration feature doesn't support migrations to App Service En
- China East 2 - China North 2
-The following App Service Environment configurations can be migrated using the migration feature. The table gives the App Service Environment v3 configuration you'll end up with when using the migration feature based on your existing App Service Environment. All supported App Service Environments can be migrated to a [zone redundant App Service Environment v3](../../availability-zones/migrate-app-service-environment.md) using the migration feature as long as the environment is [in a region that supports zone redundancy](./overview.md#regions). You can [configure zone redundancy](#choose-your-app-service-environment-v3-configurations) during the migration process.
+The following App Service Environment configurations can be migrated using the migration feature. The table gives the App Service Environment v3 configuration when using the migration feature based on your existing App Service Environment. All supported App Service Environments can be migrated to a [zone redundant App Service Environment v3](../../availability-zones/migrate-app-service-environment.md) using the migration feature as long as the environment is [in a region that supports zone redundancy](./overview.md#regions). You can [configure zone redundancy](#choose-your-app-service-environment-v3-configurations) during the migration process.
|Configuration |App Service Environment v3 Configuration | ||--|
You can find the version of your App Service Environment by navigating to your A
The following are limitations when using the migration feature: -- Your new App Service Environment v3 will be placed in the existing subnet that was used for your old environment.
+- Your new App Service Environment v3 is in the existing subnet that was used for your old environment.
- You can't change the region your App Service Environment is located in. - ELB App Service Environment canΓÇÖt be migrated to ILB App Service Environment v3 and vice versa.-- If your existing App Service Environment uses a custom domain suffix, you'll have to configure custom domain suffix for your App Service Environment v3 during the migration process.
+- If your existing App Service Environment uses a custom domain suffix, you have to configure custom domain suffix for your App Service Environment v3 during the migration process.
- If you no longer want to use a custom domain suffix, you can remove it once the migration is complete. App Service Environment v3 doesn't support the following features that you may be using with your current App Service Environment v1 or v2.
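Review bot: the rewritten limitation `+- Your new App Service Environment v3 is in the existing subnet that was used for your old environment.` loses the point that the platform places it there and you have no choice in the matter; `is placed in` or `is deployed into` keeps the tense change while preserving the meaning.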
App Service Environment v3 doesn't support the following features that you may b
- Configuring an IP-based TLS/SSL binding with your apps. - App Service Environment v3 doesn't fall back to Azure DNS if your configured custom DNS servers in the virtual network aren't able to resolve a given name. If this behavior is required, ensure that you have a forwarder to a public DNS or include Azure DNS in the list of custom DNS servers.
-The following scenarios aren't supported by the migration feature. See the [manual migration options](migration-alternatives.md) if your App Service Environment falls into one of these categories.
+The migration feature doesn't support the following scenarios. See the [manual migration options](migration-alternatives.md) if your App Service Environment falls into one of these categories.
- App Service Environment v1 in a [Classic VNet](/previous-versions/azure/virtual-network/create-virtual-network-classic) - ELB App Service Environment v2 with IP SSL addresses
The following scenarios aren't supported by the migration feature. See the [manu
- [Zone pinned](zone-redundancy.md) App Service Environment v2 - App Service Environment in a region not listed in the supported regions
-The App Service platform will review your App Service Environment to confirm migration support. If your scenario doesn't pass all validation checks, you won't be able to migrate at this time using the migration feature. If your environment is in an unhealthy or suspended state, you won't be able to migrate until you make the needed updates.
+The App Service platform reviews your App Service Environment to confirm migration support. If your scenario doesn't pass all validation checks, you can't migrate at this time using the migration feature. If your environment is in an unhealthy or suspended state, you can't migrate until you make the needed updates.
### Troubleshooting
If your App Service Environment doesn't pass the validation checks or you try to
|||-| |Migrate can only be called on an ASE in ARM VNET and this ASE is in Classic VNET. |App Service Environments in Classic VNets can't migrate using the migration feature. |Migrate using one of the [manual migration options](migration-alternatives.md). | |ASEv3 Migration is not yet ready. |The underlying infrastructure isn't ready to support App Service Environment v3. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to be available in your region. |
-|Migration cannot be called on this ASE, please contact support for help migrating. |Support will need to be engaged for migrating this App Service Environment. This is potentially due to custom settings used by this environment. |Engage support to resolve your issue. |
+|Migration cannot be called on this ASE, please contact support for help migrating. |Support needs to be engaged for migrating this App Service Environment. This issue is potentially due to custom settings used by this environment. |Engage support to resolve your issue. |
|Migrate cannot be called on Zone Pinned ASEs. |App Service Environment v2 that is zone pinned can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. | |Migrate cannot be called if IP SSL is enabled on any of the sites.|App Service Environments that have sites with IP SSL enabled can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. |
-|Full migration cannot be called before IP addresses are generated. |You'll see this error if you attempt to migrate before finishing the pre-migration steps. |Ensure you've completed all pre-migration steps before you attempt to migrate. See the [step-by-step guide for migrating](how-to-migrate.md). |
-|Migration to ASEv3 is not allowed for this ASE. |You won't be able to migrate using the migration feature. |Migrate using one of the [manual migration options](migration-alternatives.md). |
+|Full migration cannot be called before IP addresses are generated. |This error appears if you attempt to migrate before finishing the pre-migration steps. |Ensure you've completed all pre-migration steps before you attempt to migrate. See the [step-by-step guide for migrating](how-to-migrate.md). |
+|Migration to ASEv3 is not allowed for this ASE. |You can't migrate using the migration feature. |Migrate using one of the [manual migration options](migration-alternatives.md). |
|Subscription has too many App Service Environments. Please remove some before trying to create more.|The App Service Environment [quota for your subscription](../../azure-resource-manager/management/azure-subscription-service-limits.md#app-service-limits) has been met. |Remove unneeded environments or contact support to review your options. |
-|`<ZoneRedundant><DedicatedHosts><ASEv3/ASE>` is not available in this location. |You'll see this error if you're trying to migrate an App Service Environment in a region that doesn't support one of your requested features. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to support this App Service Environment configuration. |
-|Migrate cannot be called on this ASE until the active upgrade has finished. |App Service Environments can't be migrated during platform upgrades. You can set your [upgrade preference](how-to-upgrade-preference.md) from the Azure portal. In some cases, an upgrade will be initiated when visiting the migration page if your App Service Environment isn't on the current build. |Wait until the upgrade finishes and then migrate. |
-|App Service Environment management operation in progress. |Your App Service Environment is undergoing a management operation. These operations can include activities such as deployments or upgrades. Migration is blocked until these operations are complete. |You'll be able to migrate once these operations are complete. |
+|`<ZoneRedundant><DedicatedHosts><ASEv3/ASE>` is not available in this location. |This error appears if you're trying to migrate an App Service Environment in a region that doesn't support one of your requested features. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to support this App Service Environment configuration. |
+|Migrate cannot be called on this ASE until the active upgrade has finished. |App Service Environments can't be migrated during platform upgrades. You can set your [upgrade preference](how-to-upgrade-preference.md) from the Azure portal. In some cases, an upgrade is initiated when visiting the migration page if your App Service Environment isn't on the current build. |Wait until the upgrade finishes and then migrate. |
+|App Service Environment management operation in progress. |Your App Service Environment is undergoing a management operation. These operations can include activities such as deployments or upgrades. Migration is blocked until these operations are complete. |You can migrate once these operations are complete. |
## Overview of the migration process using the migration feature
-Migration consists of a series of steps that must be followed in order. Key points are given for a subset of the steps. It's important to understand what will happen during these steps and how your environment and apps will be impacted. After reviewing the following information and when you're ready to migrate, follow the [step-by-step guide](how-to-migrate.md).
+Migration consists of a series of steps that must be followed in order. Key points are given for a subset of the steps. It's important to understand what happens during these steps and how your environment and apps are impacted. After reviewing the following information and when you're ready to migrate, follow the [step-by-step guide](how-to-migrate.md).
### Generate IP addresses for your new App Service Environment v3
-The platform will create the [new inbound IP (if you're migrating an ELB App Service Environment) and the new outbound IP](networking.md#addresses) addresses. While these IPs are getting created, activity with your existing App Service Environment won't be interrupted, however, you won't be able to scale or make changes to your existing environment. This process will take about 15 minutes to complete.
+The platform creates the [new inbound IP (if you're migrating an ELB App Service Environment) and the new outbound IP](networking.md#addresses) addresses. While these IPs are getting created, activity with your existing App Service Environment isn't interrupted, however, you can't scale or make changes to your existing environment. This process takes about 15 minutes to complete.
-When completed, you'll be given the new IPs that will be used by your future App Service Environment v3. These new IPs have no effect on your existing environment. The IPs used by your existing environment will continue to be used up until your existing environment is shut down during the migration step.
+When completed, you'll be given the new IPs that your future App Service Environment v3 uses. These new IPs have no effect on your existing environment. The IPs used by your existing environment continue to be used up until your existing environment is shut down during the migration step.
### Update dependent resources with new IPs
-Once the new IPs are created, you'll have the new default outbound to the internet public addresses so you can adjust any external firewalls, DNS routing, network security groups, and any other resources that rely on these IPs, in preparation for the migration. For ELB App Service Environment, you'll also have the new inbound IP address that you can use to set up new endpoints with services like [Traffic Manager](../../traffic-manager/traffic-manager-overview.md) or [Azure Front Door](../../frontdoor/front-door-overview.md). **It's your responsibility to update any and all resources that will be impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.**
+Once the new IPs are created, you have the new default outbound to the internet public addresses. In preparation for the migration, you can adjust any external firewalls, DNS routing, network security groups, and any other resources that rely on these IPs. For ELB App Service Environment, you also have the new inbound IP address that you can use to set up new endpoints with services like [Traffic Manager](../../traffic-manager/traffic-manager-overview.md) or [Azure Front Door](../../frontdoor/front-door-overview.md). **It's your responsibility to update any and all resources that will be impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.**
### Delegate your App Service Environment subnet
-App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Migration won't succeed if the App Service Environment's subnet isn't delegated or it's delegated to a different resource.
+App Service Environment v3 requires the subnet it's in to have a single delegation of `Microsoft.Web/hostingEnvironments`. Migration can't succeed if the App Service Environment's subnet isn't delegated or it's delegated to a different resource.
### Ensure there are no locks on your resources
-Virtual network locks will block platform operations during migration. If your virtual network has locks, you'll need to remove them before migrating. The locks can be readded if needed once migration is complete. Locks can exist at three different scopes: subscription, resource group, and resource. When you apply a lock at a parent scope, all resources within that scope inherit the same lock. If you have locks applied at the subscription, resource group, or resource scope, they'll need to be removed before the migration. For more information on locks and lock inheritance, see [Lock your resources to protect your infrastructure](../../azure-resource-manager/management/lock-resources.md).
+Virtual network locks block platform operations during migration. If your virtual network has locks, you need to remove them before migrating. The locks can be readded if needed once migration is complete. Locks can exist at three different scopes: subscription, resource group, and resource. When you apply a lock at a parent scope, all resources within that scope inherit the same lock. If you have locks applied at the subscription, resource group, or resource scope, they need to be removed before the migration. For more information on locks and lock inheritance, see [Lock your resources to protect your infrastructure](../../azure-resource-manager/management/lock-resources.md).
### Choose your App Service Environment v3 configurations
-Your App Service Environment v3 can be deployed across availability zones in the regions that support it. This architecture is known as [zone redundancy](../../availability-zones/migrate-app-service-environment.md). Zone redundancy can only be configured during App Service Environment creation. If you want your new App Service Environment v3 to be zone redundant, enable the configuration during the migration process. Any App Service Environment that is using the migration feature to migrate can be configured as zone redundant as long as you're using a [region that supports zone redundancy for App Service Environment v3](./overview.md#regions). If you're existing environment is using a region that doesn't support zone redundancy, the configuration option will be disabled and you won't be able to configure it. The migration feature doesn't support changing regions. If you'd like to use a different region, use one of the [manual migration options](migration-alternatives.md).
+Your App Service Environment v3 can be deployed across availability zones in the regions that support it. This architecture is known as [zone redundancy](../../availability-zones/migrate-app-service-environment.md). Zone redundancy can only be configured during App Service Environment creation. If you want your new App Service Environment v3 to be zone redundant, enable the configuration during the migration process. Any App Service Environment that is using the migration feature to migrate can be configured as zone redundant as long as you're using a [region that supports zone redundancy for App Service Environment v3](./overview.md#regions). If you're existing environment is using a region that doesn't support zone redundancy, the configuration option is disabled and you can't configure it. The migration feature doesn't support changing regions. If you'd like to use a different region, use one of the [manual migration options](migration-alternatives.md).
> [!NOTE] > Enabling zone redundancy can lead to additional charges. Review the [zone redundancy pricing model](../../availability-zones/migrate-app-service-environment.md#pricing) for more information. >
-If your existing App Service Environment uses a custom domain suffix, you'll be prompted to configure a custom domain suffix for your new App Service Environment v3. You'll need to provide the custom domain name, managed identity, and certificate. For more information on App Service Environment v3 custom domain suffix including requirements, step-by-step instructions, and best practices, see [Configure custom domain suffix for App Service Environment](./how-to-custom-domain-suffix.md). You must configure a custom domain suffix for your new environment even if you no longer want to use it. Once migration is complete, you can remove the custom domain suffix configuration if needed.
+If your existing App Service Environment uses a custom domain suffix, you're prompted to configure a custom domain suffix for your new App Service Environment v3. You need to provide the custom domain name, managed identity, and certificate. For more information on App Service Environment v3 custom domain suffix including requirements, step-by-step instructions, and best practices, see [Configure custom domain suffix for App Service Environment](./how-to-custom-domain-suffix.md). You must configure a custom domain suffix for your new environment even if you no longer want to use it. Once migration is complete, you can remove the custom domain suffix configuration if needed.
-If your migration includes a custom domain suffix, for App Service Environment v3, the custom domain will no longer be shown in the **Essentials** section of the **Overview** page of the portal as it is for App Service Environment v1/v2. Instead, for App Service Environment v3, go to the **Custom domain suffix** page where you can confirm your custom domain suffix is configured correctly.
+If your migration includes a custom domain suffix, for App Service Environment v3, the custom domain isn't displayed in the **Essentials** section of the **Overview** page of the portal as it is for App Service Environment v1/v2. Instead, for App Service Environment v3, go to the **Custom domain suffix** page where you can confirm your custom domain suffix is configured correctly.
### Migrate to App Service Environment v3 After completing the previous steps, you should continue with migration as soon as possible.
-During migration, which requires up to a three hour service window for App Service Environment v2 to v3 migrations and up to a six hour service window depending on environment size for v1 to v3 migrations, scaling and environment configurations are blocked and the following events will occur:
+Migration requires up to a three hour service window for App Service Environment v2 to v3 migrations. Up to a six hour service window is required depending on environment size for v1 to v3 migrations. During migration, scaling and environment configurations are blocked and the following events occur:
- The existing App Service Environment is shut down and replaced by the new App Service Environment v3. - All App Service plans in the App Service Environment are converted from the Isolated to Isolated v2 SKU. - All of the apps that are on your App Service Environment are temporarily down. **You should expect about one hour of downtime during this period**. - If you can't support downtime, see [migration-alternatives](migration-alternatives.md#guidance-for-manual-migration).-- The public addresses that are used by the App Service Environment will change to the IPs generated during the IP generation step.
+- The public addresses that are used by the App Service Environment change to the IPs generated during the IP generation step.
-As in the IP generation step, you won't be able to scale, modify your App Service Environment, or deploy apps to it during this process. When migration is complete, the apps that were on the old App Service Environment will be running on the new App Service Environment v3.
+As in the IP generation step, you can't scale, modify your App Service Environment, or deploy apps to it during this process. When migration is complete, the apps that were on the old App Service Environment are running on the new App Service Environment v3.
> [!NOTE] > Due to the conversion of App Service plans from Isolated to Isolated v2, your apps may be over-provisioned after the migration since the Isolated v2 tier has more memory and CPU per corresponding instance size. You'll have the opportunity to [scale your environment](../manage-scale-up.md) as needed once migration is complete. For more information, review the [SKU details](https://azure.microsoft.com/pricing/details/app-service/windows/).
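Review bot: the added line under `### Choose your App Service Environment v3 configurations` carries over the typo `If you're existing environment is using a region`; it should read `If your existing environment`. In the same hunk, `+When completed, you'll be given the new IPs` keeps the future tense the rest of the rewrite removes (`you're given` would match), and `activity with your existing App Service Environment isn't interrupted, however, you can't scale` is a comma splice; a semicolon or full stop before `however` fixes it.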
As in the IP generation step, you won't be able to scale, modify your App Servic
## Pricing
-There's no cost to migrate your App Service Environment. You'll stop being charged for your previous App Service Environment as soon as it shuts down during the migration process, and you'll begin getting charged for your new App Service Environment v3 as soon as it's deployed. For more information about App Service Environment v3 pricing, see the [pricing details](overview.md#pricing).
+There's no cost to migrate your App Service Environment. You stop being charged for your previous App Service Environment as soon as it shuts down during the migration process, and you begin getting charged for your new App Service Environment v3 as soon as it's deployed. For more information about App Service Environment v3 pricing, see the [pricing details](overview.md#pricing).
+
+When you migrate to App Service Environment v3 from previous versions, there are scenarios that you should consider that can potentially reduce your monthly cost.
+
+### Scale down your App Service plans
+
+The App Service plan SKUs available for App Service Environment v3 run on the Isolated v2 (Iv2) tier. The number of cores and amount of RAM are effectively doubled per corresponding tier compared the Isolated tier. When you migrate, your App Service plans are converted to the corresponding tier. For example, your I2 instances are converted to I2v2. While I2 has two cores and 7-GB RAM, I2v2 has four cores and 16-GB RAM. If you expect your capacity requirements to stay the same, you're over-provisioned and paying for compute and memory you're not using. For this scenario, you can scale down your I2v2 instance to I1v2 and end up with a similar number of cores and RAM that you had previously.
+
+> [!NOTE]
+> All scenarios are calculated using costs based on Linux $USD pricing in East US. The payment option is set to monthly. Estimates are based on the prices applicable on the day the estimate was created. Actual total estimates may vary. For the most up-to-date estimates, see the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).
+>
+
+To demonstrate the cost saving opportunity for this scenario, use the [pricing calculator](https://azure.microsoft.com/pricing/calculator/) to estimate the monthly savings as a result of scaling down your App Service plans. For this example, your App Service Environment v2 has 1 I2 instance. You require two cores and 7-GB RAM. You're using pay-as-you-go pricing. On App Service Environment v2, your monthly payment is the following.
+
+[Stamp fee + 1(I2) = $991.34 + $416.10 = $1,407.44](https://azure.com/e/014bf22b3e88439dba350866a472a41a)
+
+When you migrate this App Service Environment using the migration feature, your new App Service Environment v3 has 1 I2v2 instance, which means you have four cores and 16-GB RAM. If you don't change anything, your monthly payment is the following.
+
+[1(I2v2) = $563.56](https://azure.com/e/0a042f33d87548bfb966bdff74e35715)
+
+Your monthly cost is reduced, but you don't need that much compute and capacity. You scale down your instance to I1v2 and your monthly cost is reduced even further.
+
+[1(I1v2) = $281.78](https://azure.com/e/c400e2c91ed44cadbf849923b902dded)
+
+### Break even point
+
+In most cases, migrating to App Service Environment v3 allows for cost saving opportunities. However, cost savings may not always be possible, especially if you're required to maintain a large number of small instances.
+
+To demonstrate this scenario, you have an App Service Environment v2 with a single I1 instance. Your monthly cost is:
+
+[Stamp fee + 1(I1) = $991.34 + $208.05 = **$1,199.39**](https://azure.com/e/ac89a70062a240e1b990304052d49fad)
+
+If you migrate this environment to App Service Environment v3, your monthly cost is:
+
+[1(I1v2) = **$281.78**](https://azure.com/e/4c247282128746898ef4cfe1ef0f1070)
+
+This change is a significant cost reduction, but you're over-provisioned since you have double the cores and RAM, which you may not need. This excess isn't an issue for this scenario since the new environment is cheaper. However, when you increase your I1 instances in a single App Service Environment, you see how migrating to App Service Environment v3 can increase your monthly cost.
+
+For this scenario, your App Service Environment v2 has 14 I1 instances. Your monthly cost is:
+
+[Stamp fee + 14(I1) = $991.34 + $2,912.70 = **$3,904.04**](https://azure.com/e/bd1dce4b5c8f4d6d807ed3c4ae78fcae)
+
+When you migrate this environment to App Service Environment v3, your monthly cost is:
+
+[14(I1v2) = **$3,944.92**](https://azure.com/e/750b78d9e34a43dc9c8c8c400d4628bf)
+
+Your App Service Environment v3 is now more expensive than your App Service Environment v2. As you start add more I1 instances, and therefore need more I1v2 instances when you migrate, the difference in price becomes more significant. If this scenario is a requirement for your environment, you may need to plan for an increase in your monthly cost. The following graph visually depicts the point where App Service Environment v3 becomes more expensive than App Service Environment v2 for this specific scenario.
+
+> [!NOTE]
+> This calculation was done with Linux $USD prices in East US. Break even points will vary due to price variances in the different regions. For an estimate that reflects your situation, see [the Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).
+>
++
+For more scenarios on cost changes and savings opportunities with App Service Environment v3, see [Estimate your cost savings by migrating to App Service Environment v3](https://azure.github.io/AppService/2023/03/02/App-service-environment-v3-pricing.html).
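Review bot: two wording slips in the new pricing section: "compared the Isolated tier" should read "compared to the Isolated tier", and "As you start add more I1 instances" should read "As you start adding more I1 instances". The break-even paragraph also promises "The following graph visually depicts the point..." but the only line after the note is a bare "+", so the image reference appears to be missing from the hunk; please check the graph is actually included. The arithmetic itself checks out (14 x $208.05 = $2,912.70 and 14 x $281.78 = $3,944.92), so stating the break-even explicitly, i.e. that 14 I1 instances is the first count where v3 costs more, would make the point sharper.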
## Frequently asked questions - **What if migrating my App Service Environment is not currently supported?**
- You won't be able migrate using the migration feature at this time. If you have an unsupported environment and want to migrate immediately, see the [manual migration options](migration-alternatives.md). This doc will be updated as additional regions and supported scenarios become available.
+ You can't migrate using the migration feature at this time. If you have an unsupported environment and want to migrate immediately, see the [manual migration options](migration-alternatives.md).
- **Will I experience downtime during the migration?** Yes, you should expect about one hour of downtime during the three to six hour service window during the migration step, so plan accordingly. If downtime isn't an option for you, see the [manual migration options](migration-alternatives.md). - **Will I need to do anything to my apps after the migration to get them running on the new App Service Environment?**
- No, all of your apps running on the old environment will be automatically migrated to the new environment and run like before. No user input is needed.
+ No, all of your apps running on the old environment are automatically migrated to the new environment and run like before. No user input is needed.
- **What if my App Service Environment has a custom domain suffix?** The migration feature supports this [migration scenario](#supported-scenarios). You can migrate using a manual method if you don't want to use the migration feature. You can configure your [custom domain suffix](./how-to-custom-domain-suffix.md) when creating your App Service Environment v3 or any time after. - **What if my App Service Environment is zone pinned?** Zone pinned App Service Environment is currently not a supported scenario for migration using the migration feature. App Service Environment v3 doesn't support zone pinning. To migrate to App Service Environment v3, see the [manual migration options](migration-alternatives.md). - **What properties of my App Service Environment will change?**
- You'll now be on App Service Environment v3 so be sure to review the [features and feature differences](overview.md#feature-differences) compared to previous versions. For ILB App Service Environment, you'll keep the same ILB IP address. For internet facing App Service Environment, the public IP address and the outbound IP address will change. Note for ELB App Service Environment, previously there was a single IP for both inbound and outbound. For App Service Environment v3, they're separate. For more information, see [App Service Environment v3 networking](networking.md#addresses).
+ You're on App Service Environment v3 so be sure to review the [features and feature differences](overview.md#feature-differences) compared to previous versions. For ILB App Service Environment, you keep the same ILB IP address. For internet facing App Service Environment, the public IP address and the outbound IP address change. Note for ELB App Service Environment, previously there was a single IP for both inbound and outbound. For App Service Environment v3, they're separate. For more information, see [App Service Environment v3 networking](networking.md#addresses).
- **What happens if migration fails or there is an unexpected issue during the migration?**
- If there's an unexpected issue, support teams will be on hand. It's recommended to migrate dev environments before touching any production environments.
+ If there's an unexpected issue, support teams are on hand. It's recommended to migrate dev environments before touching any production environments.
- **What happens to my old App Service Environment?**
- If you decide to migrate an App Service Environment using the migration feature, the old environment gets shut down, deleted, and all of your apps are migrated to a new environment. Your old environment will no longer be accessible. A rollback to the old environment won't be possible.
+ If you decide to migrate an App Service Environment using the migration feature, the old environment gets shut down, deleted, and all of your apps are migrated to a new environment. Your old environment is no longer accessible. A rollback to the old environment isn't possible.
- **What will happen to my App Service Environment v1/v2 resources after 31 August 2024?** After 31 August 2024, if you haven't migrated to App Service Environment v3, your App Service Environment v1/v2s and the apps deployed in them will no longer be available. App Service Environment v1/v2 is hosted on App Service scale units running on [Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) architecture that will be [retired on 31 August 2024](https://azure.microsoft.com/updates/cloud-services-retirement-announcement/). Because of this, [App Service Environment v1/v2 will no longer be available after that date](https://azure.microsoft.com/updates/app-service-environment-v1-and-v2-retirement-announcement/). Migrate to App Service Environment v3 to keep your apps running or save or back up any resources or data that you need to maintain.
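Review bot: the answer to "What happens if migration fails" still gives no concrete guidance beyond "support teams are on hand", while the next answer states the old environment is deleted and a rollback isn't possible. Suggest saying what state the apps are left in when migration fails (old environment still running, or a support case required) and recommending a backup of app configuration and content before starting, consistent with the retirement FAQ's "save or back up any resources or data" advice.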
app-service Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/environment/networking.md
If you want to use your own DNS server, add the following records:
1. Create a zone for `<App Service Environment-name>.appserviceenvironment.net`. 1. Create an A record in that zone that points * to the inbound IP address used by your App Service Environment.
+1. Create an A record in that zone that points @ to the inbound IP address used by your App Service Environment.
1. Create a zone in `<App Service Environment-name>.appserviceenvironment.net` named `scm`. 1. Create an A record in the `scm` zone that points * to the IP address used by the private endpoint of your App Service Environment.
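Review bot: the added "@" record is the right fix, since a "*" wildcard alone never answers a lookup for the zone apex "<App Service Environment-name>.appserviceenvironment.net" itself; for consistency the list should also say whether the "scm" zone needs an apex record, because step 4 points "*" in that zone at the private endpoint IP but creates no "@" there.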
To configure DNS in Azure DNS private zones:
1. Create an Azure DNS private zone named `<App Service Environment-name>.appserviceenvironment.net`. 1. Create an A record in that zone that points * to the inbound IP address.
+1. Create an A record in that zone that points @ to the inbound IP address.
1. Create an A record in that zone that points *.scm to the inbound IP address. In addition to the default domain provided when an app is created, you can also add a custom domain to your app. You can set a custom domain name without any validation on your apps. If you're using custom domains, you need to ensure they have DNS records configured. You can follow the preceding guidance to configure DNS zones and records for a custom domain name (replace the default domain name with the custom domain name). The custom domain name works for app requests, but doesn't work for the `scm` site. The `scm` site is only available at *&lt;appname&gt;.scm.&lt;asename&gt;.appserviceenvironment.net*.
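Review bot: the two procedures disagree on where "scm" hostnames resolve: the own-DNS-server list points "*" in the "scm" zone at the IP address used by the private endpoint, while the Azure DNS private zone list points "*.scm" at the inbound IP address. If both are intentional they describe different deployment shapes and should say so; otherwise one of them needs correcting, since a wrong target silently breaks Kudu/deployment access over the private endpoint.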
app-service Monitor Instances Health Check https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/monitor-instances-health-check.md
function envVarMatchesHeader(headerValue) {
> [!NOTE] > The `x-ms-auth-internal-token` header is only available on Windows App Service.
+## Instances
+Once Health Check is enabled, you can restart and monitor the status of your application instances through the instances tab. The instances tab will show your instance's name, the status of that instance and give you the option to manually restart the application instance.
+
+If the status of your instance is unhealthy, you can restart the instance manually using the restart button in the table. Keep in mind that any other applications hosted on the same App Service Plan as the instance will also be affected by the restart. If there are other applications using the same App Service Plan as the instance, they will be listed on the opening blade from the restart button.
+
+If you restart the instance and the restart process fails, you will then be given the option to replace the worker (only 1 instance can be replaced per hour). This will also affect any applications using the same App Service Plan.
+
+Windows applications will also have the option to view processes via the Process Explorer. This gives you further insight on the instance's processes including thread count, private memory, and total CPU time.
+ ## Monitoring
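Review bot: the new "## Instances" heading is inserted directly after the "[!NOTE]" block with no blank line, and the retained "## Monitoring" heading now carries a stray leading space; both should be fixed so the headings render reliably. The new prose also uses future tense throughout ("will show", "will also be affected", "will then be given") while the rest of this change set moves to present tense, so "shows", "are also affected", "are then given" would match house style. Finally, "only 1 instance can be replaced per hour" would read better as "only one instance can be replaced per hour".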
app-service Quickstart Java Uiex https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-java-uiex.md
ms.assetid: 582bb3c2-164b-42f5-b081-95bfcb7a502a
ms.devlang: java Last updated 08/01/2020-+ zone_pivot_groups: app-service-platform-windows-linux
app-service Quickstart Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/quickstart-java.md
keywords: azure, app service, web app, windows, linux, java, maven, quickstart
ms.assetid: 582bb3c2-164b-42f5-b081-95bfcb7a502a ms.devlang: java Previously updated : 03/03/2022- Last updated : 03/08/2023+ zone_pivot_groups: app-service-platform-environment adobe-target: true adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021
app-service Tutorial Auth Aad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-auth-aad.md
Create the resource group, web app plan, the web app and deploy in a single step
1. Create and deploy the frontend web app with [az webapp up](/cli/azure/webapp#az-webapp-up). Because web app name has to be globally unique, replace `<front-end-app-name>` with a unique name. ```azurecli-interactive
- az webapp up --resource-group myAuthResourceGroup --name <front-end-app-name> --plan myPlan --sku FREE --location "West Europe"--runtime "NODE:16-lts"
+ az webapp up --resource-group myAuthResourceGroup --name <front-end-app-name> --plan myPlan --sku FREE --os-type Windows --location "West Europe" --runtime "NODE:16LTS"
``` 1. Change into the backend web app directory.
Create the resource group, web app plan, the web app and deploy in a single step
1. Deploy the backend web app to same resource group and app plan. Because web app name has to be globally unique, replace `<back-end-app-name>` with a unique set of initials or numbers. ```azurecli-interactive
- az webapp up --resource-group myAuthResourceGroup --name <back-end-app-name> --plan myPlan --runtime "NODE:16-lts"
+ az webapp up --resource-group myAuthResourceGroup --name <back-end-app-name> --plan myPlan --os-type Windows --location "West Europe" --runtime "NODE:16LTS"
``` ::: zone-end
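Review bot: the runtime identifier change from "NODE:16-lts" to "NODE:16LTS" only makes sense together with the "--os-type Windows" flag added on the same lines, because the hyphenated form is the Linux runtime name and the un-hyphenated form is the Windows one; a short sentence above the first command explaining that these two flags go together would stop readers from dropping one and getting an unsupported-runtime error. The fix to the missing space before "--runtime" in the first command is good; the added "--location" on the backend command is redundant once "myPlan" exists but harmless.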
application-gateway Application Gateway Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/application-gateway-diagnostics.md
The following snippet shows an example of the response:
## <a name="diagnostic-logging"></a>Diagnostic logs
-You can use different types of logs in Azure to manage and troubleshoot application gateways. You can access some of these logs through the portal. All logs can be extracted from Azure Blob storage and viewed in different tools, such as [Azure Monitor logs](../azure-monitor/insights/azure-networking-analytics.md), Excel, and Power BI. You can learn more about the different types of logs from the following list:
+You can use different types of logs in Azure to manage and troubleshoot application gateways. You can access some of these logs through the portal. All logs can be extracted from Azure Blob storage and viewed in different tools, such as [Azure Monitor logs](/previous-versions/azure/azure-monitor/insights/azure-networking-analytics), Excel, and Power BI. You can learn more about the different types of logs from the following list:
* **Activity log**: You can use [Azure activity logs](../azure-monitor/essentials/activity-log.md) (formerly known as operational logs and audit logs) to view all operations that are submitted to your Azure subscription, and their status. Activity log entries are collected by default, and you can view them in the Azure portal. * **Access log**: You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.
You can view and analyze activity log data by using any of the following methods
### View and analyze the access, performance, and firewall logs
-[Azure Monitor logs](../azure-monitor/insights/azure-networking-analytics.md) can collect the counter and event log files from your Blob storage account. It includes visualizations and powerful search capabilities to analyze your logs.
+[Azure Monitor logs](/previous-versions/azure/azure-monitor/insights/azure-networking-analytics) can collect the counter and event log files from your Blob storage account. It includes visualizations and powerful search capabilities to analyze your logs.
You can also connect to your storage account and retrieve the JSON log entries for access and performance logs. After you download the JSON files, you can convert them to CSV and view them in Excel, Power BI, or any other data-visualization tool.
We have published a Resource Manager template that installs and runs the popular
## Next steps
-* Visualize counter and event logs by using [Azure Monitor logs](../azure-monitor/insights/azure-networking-analytics.md).
+* Visualize counter and event logs by using [Azure Monitor logs](/previous-versions/azure/azure-monitor/insights/azure-networking-analytics).
* [Visualize your Azure activity log with Power BI](https://powerbi.microsoft.com/blog/monitor-azure-audit-logs-with-power-bi/) blog post. * [View and analyze Azure activity logs in Power BI and more](https://azure.microsoft.com/blog/analyze-azure-audit-logs-in-powerbi-more/) blog post.
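Review bot: all three link targets now point under "/previous-versions/", which signals that the Azure Monitor networking analytics solution is retired content, yet the surrounding prose still presents it as the recommended way to collect and analyze access, performance and firewall logs ("can collect the counter and event log files ... includes visualizations and powerful search capabilities"). Suggest either marking the solution as legacy in the text or pointing readers to the current Log Analytics/diagnostic settings path, so the article does not steer new deployments to a retired component.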
application-gateway Application Gateway Metrics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/application-gateway-metrics.md
To understand more about webhooks and how you can use them with alerts, visit [C
## Next steps
-* Visualize counter and event logs by using [Azure Monitor logs](../azure-monitor/insights/azure-networking-analytics.md).
+* Visualize counter and event logs by using [Azure Monitor logs](/previous-versions/azure/azure-monitor/insights/azure-networking-analytics).
* [Visualize your Azure activity log with Power BI](https://powerbi.microsoft.com/blog/monitor-azure-audit-logs-with-power-bi/) blog post. * [View and analyze Azure activity logs in Power BI and more](https://azure.microsoft.com/blog/analyze-azure-audit-logs-in-powerbi-more/) blog post.
automation Manage Scope Configurations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/change-tracking/manage-scope-configurations.md
# Limit Change Tracking and Inventory deployment scope
-This article describes how to work with scope configurations when using the [Change Tracking and Inventory](overview.md) feature to deploy changes to your VMs. For more information, see [Targeting monitoring solutions in Azure Monitor (Preview)](../../azure-monitor/insights/solution-targeting.md).
+This article describes how to work with scope configurations when using the [Change Tracking and Inventory](overview.md) feature to deploy changes to your VMs. For more information, see [Targeting monitoring solutions in Azure Monitor (Preview)](/previous-versions/azure/azure-monitor/insights/solution-targeting).
## About scope configurations
automation Region Mappings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/how-to/region-mappings.md
Before connecting VMs to a workspace in a different region, you should review th
This article provides the supported mappings in order to successfully enable and use these features in your Automation account.
-For more information, see [Log Analytics workspace and Automation account](../../azure-monitor/insights/solutions.md#log-analytics-workspace-and-automation-account).
+For more information, see [Log Analytics workspace and Automation account](/previous-versions/azure/azure-monitor/insights/solutions#log-analytics-workspace-and-automation-account).
## Supported mappings for Log Analytics and Azure Automation
automation Change Tracking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/troubleshoot/change-tracking.md
Heartbeat
If you don't see your machine in query results, it hasn't recently checked in. There's probably a local configuration issue and you should reinstall the agent. For information about installation and configuration, see [Collect log data with the Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md).
-If your machine shows up in the query results, verify the scope configuration. See [Targeting monitoring solutions in Azure Monitor](../../azure-monitor/insights/solution-targeting.md).
+If your machine shows up in the query results, verify the scope configuration. See [Targeting monitoring solutions in Azure Monitor](/previous-versions/azure/azure-monitor/insights/solution-targeting).
For more troubleshooting of this issue, see [Issue: You are not seeing any Linux data](../../azure-monitor/agents/agent-linux-troubleshoot.md#issue-you-arent-seeing-any-linux-data).
automation Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/update-management/overview.md
If the Windows Update Agent (WUA) on the Windows machine is configured to report
You can deploy and install software updates on machines that require the updates by creating a scheduled deployment. Updates classified as *Optional* aren't included in the deployment scope for Windows machines. Only required updates are included in the deployment scope.
-The scheduled deployment defines which target machines receive the applicable updates. It does so either by explicitly specifying certain machines or by selecting a [computer group](../../azure-monitor/logs/computer-groups.md) that's based on log searches of a specific set of machines (or based on an [Azure query](query-logs.md) that dynamically selects Azure VMs based on specified criteria). These groups differ from [scope configuration](../../azure-monitor/insights/solution-targeting.md), which is used to control the targeting of machines that receive the configuration to enable Update Management. This prevents them from performing and reporting update compliance, and install approved required updates.
+The scheduled deployment defines which target machines receive the applicable updates. It does so either by explicitly specifying certain machines or by selecting a [computer group](../../azure-monitor/logs/computer-groups.md) that's based on log searches of a specific set of machines (or based on an [Azure query](query-logs.md) that dynamically selects Azure VMs based on specified criteria). These groups differ from [scope configuration](/previous-versions/azure/azure-monitor/insights/solution-targeting), which is used to control the targeting of machines that receive the configuration to enable Update Management. This prevents them from performing and reporting update compliance, and install approved required updates.
While defining a deployment, you also specify a schedule to approve and set a time period during which updates can be installed. This period is called the maintenance window. A 10-minute span of the maintenance window is reserved for reboots, assuming one is needed and you selected the appropriate reboot option. If patching takes longer than expected and there's less than 10 minutes in the maintenance window, a reboot won't occur.
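Review bot: the last sentence of the changed paragraph is ungrammatical and ambiguous: "This prevents them from performing and reporting update compliance, and install approved required updates." It is unclear what "them" refers to (machines outside the scope configuration?), and "install" should be "installing"; suggest "Machines outside the scope configuration don't perform or report update compliance and don't install approved required updates." As in the Application Gateway articles in this change set, the scope-configuration link now points under "/previous-versions/", so the text should say that feature is legacy rather than cite it as current guidance.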
automation Scope Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/update-management/scope-configuration.md
# Limit Update Management deployment scope
-This article describes how to work with scope configurations when using the [Update Management](overview.md) feature to deploy updates and patches to your machines. For more information, see [Targeting monitoring solutions in Azure Monitor (Preview)](../../azure-monitor/insights/solution-targeting.md).
+This article describes how to work with scope configurations when using the [Update Management](overview.md) feature to deploy updates and patches to your machines. For more information, see [Targeting monitoring solutions in Azure Monitor (Preview)](/previous-versions/azure/azure-monitor/insights/solution-targeting).
## About scope configurations
azure-app-configuration Quickstart Python Provider https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/quickstart-python-provider.md
Title: Quickstart for using Azure App Configuration with Python apps (preview) | Microsoft Learn
+ Title: Quickstart for using Azure App Configuration with Python apps | Microsoft Learn
description: In this quickstart, create a Python app with the Azure App Configuration to centralize storage and management of application settings separate from your code.
ms.devlang: python Previously updated : 11/30/2022 Last updated : 03/10/2023 #Customer intent: As a Python developer, I want to manage all my app settings in one place.
-# Quickstart: Create a Python app with Azure App Configuration (preview)
+# Quickstart: Create a Python app with Azure App Configuration
-> [!IMPORTANT]
-> The Python provider for Azure App Configuration is currently in preview.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+In this quickstart, you will use the Python provider for Azure App Configuration to centralize storage and management of application settings using the [Azure App Configuration Python provider client library](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration-provider).
-In this quickstart, you will use the Python provider for Azure App Configuration (preview) to centralize storage and management of application settings using the [Azure App Configuration Python provider client library](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration-provider).
-
-The Python App Configuration provider is a library in preview running on top of the [Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration), helping Python developers easily consume the App Configuration service. It enables configuration settings to be used like a dictionary.
+The Python App Configuration provider is a library running on top of the [Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration), helping Python developers easily consume the App Configuration service. It enables configuration settings to be used like a dictionary.
## Prerequisites
The Python App Configuration provider is a library in preview running on top of
```python from azure.appconfiguration.provider import (
- load_provider,
+ load,
SettingSelector ) import os
The Python App Configuration provider is a library in preview running on top of
connection_string = os.environ.get("AZURE_APPCONFIG_CONNECTION_STRING") # Connect to Azure App Configuration using a connection string.
- config = load_provider(connection_string=connection_string)
+ config = load(connection_string=connection_string)
# Find the key "message" and print its value. print(config["message"])
The Python App Configuration provider is a library in preview running on top of
# Connect to Azure App Configuration using a connection string and trimmed key prefixes. trimmed = {"test."}
- config = load_provider(connection_string=connection_string, trim_prefixes=trimmed)
+ config = load(connection_string=connection_string, trim_prefixes=trimmed)
# From the keys with trimmed prefixes, find a key with "message" and print its value. print(config["message"]) # Connect to Azure App Configuration using SettingSelector. selects = {SettingSelector(key_filter="message*", label_filter="\0")}
- config = load_provider(connection_string=connection_string, selects=selects)
+ config = load(connection_string=connection_string, selects=selects)
# Print True or False to indicate if "message" is found in Azure App Configuration. print("message found: " + str("message" in config))
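Review bot: the rename from "load_provider" to "load" is applied consistently across the import and all three call sites, good. One robustness point on the unchanged line just above: "os.environ.get("AZURE_APPCONFIG_CONNECTION_STRING")" returns None when the variable is unset, and "load(connection_string=None)" then fails with an unhelpful error; the sample should check for a missing value and exit with a clear message. The quickstart also only shows connection-string authentication; since the preview caveat is being removed, a pointer to a credential-based (Azure AD) alternative would be appropriate for production readers.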
In this quickstart, you created a new App Configuration store and learned how to
For additional code samples, visit: > [!div class="nextstepaction"]
+> [Django Sample](https://github.com/Azure/AppConfiguration/tree/main/examples/Python/python-django-webapp-sample)
+> [Flask Sample](https://github.com/Azure/AppConfiguration/tree/main/examples/Python/python-flask-webapp-sample)
> [Azure App Configuration Python provider](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration-provider)
azure-arc Validation Program https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/validation-program.md
To see how all Azure Arc-enabled components are validated, see [Validation progr
| [PowerFlex](https://www.dell.com/en-us/dt/storage/powerflex.htm) |1.21.5|1.4.1_2022-03-08|15.0.2255.119 | 12.3 (Ubuntu 12.3-1) | | [PowerStore X](https://www.dell.com/en-us/dt/storage/powerstore-storage-appliance/powerstore-x-series.htm)|1.20.6|1.0.0_2021-07-30|15.0.2148.140 | 12.3 (Ubuntu 12.3-1) |
+### Hitachi
+|Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL server version
+|--|--|--|--|--|
+|[Hitachi UCP with RedHat OpenShift](https://www.hitachivantara.com/en-us/solutions/modernize-digital-core/infrastructure-modernization/hybrid-cloud-infrastructure.html) | 1.23.12 | 1.16.0_2023-02-14 | 16.0.937.6221 | 14.5 (Ubuntu 20.04)|
+|[Hitachi UCP with VMware Tanzu](https://www.hitachivantara.com/en-us/solutions/modernize-digital-core/infrastructure-modernization/hybrid-cloud-infrastructure.html) | 1.23.8 | 1.16.0_2023-02-14 | 16.0.937.6221 | 14.5 (Ubuntu 20.04)|
### HPE
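Review bot: the header row of the new Hitachi table has no closing pipe (`... | PostgreSQL server version`) while the delimiter row `|--|--|--|--|--|` and both data rows close theirs; most renderers tolerate this, but it is inconsistent with the PowerFlex/PowerStore rows just above. Two smaller points: both new rows link to the same generic hybrid-cloud landing page rather than to a page for the specific solution, and "RedHat OpenShift" should be written "Red Hat OpenShift".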
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/overview.md
You can connect an SCVMM management server to Azure by deploying Azure Arc resou
### Supported regions
-In order to use Arc resource bridge in a region, Arc resource bridge and the private cloud product must be supported in the region. For example, to use Arc resource bridge with Azure Stack HCI in East US, Arc resource bridge and Azure Stack HCI must be supported in East US. Please check with the private cloud product for their region availability - it is typically called out in their deployment instructions of Arc resource bridge. There are instances where Arc Resource Bridge may be available in a region where private cloud support is not yet available.
+In order to use Arc resource bridge in a region, Arc resource bridge and the arc-enabled feature for a private cloud must be supported in the region. For example, to use Arc resource bridge with Azure Stack HCI in East US, Arc resource bridge and the Arc VM management feature for Azure Stack HCI must be supported in East US. Please check with the private cloud product for their feature region availability - it is typically in their [deployment guide](deploy-cli.md#az-arcappliance-createconfig) for Arc resource bridge. There are instances where Arc Resource Bridge may be available in a region where the private cloud feature is not yet available.
Arc resource bridge supports the following Azure regions:
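Review bot: the rewritten sentence writes `arc-enabled feature` in lower case while the rest of the paragraph treats Arc as a proper noun (`Arc resource bridge`, `Arc VM management feature`); capitalize it. Linking to `deploy-cli.md#az-arcappliance-createconfig` for feature region availability is a good replacement for the vague "typically called out in their deployment instructions", but "Please check with the private cloud product" should drop "Please" to match the imperative style used elsewhere on the page.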
azure-cache-for-redis Cache High Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-high-availability.md
Previously updated : 03/29/2022 Last updated : 03/09/2023 -+ # High availability and disaster recovery
Various high availability options are available in the Standard, Premium, and En
| - | - | - | :: | :: | :: | | [Standard replication](#standard-replication-for-high-availability)| Dual-node replicated configuration in a single data center with automatic failover | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |Γ£ö|Γ£ö|Γ£ö| | [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across Availability Zones, with automatic failover | 99.9% in Premium; 99.99% in Enterprise (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Γ£ö|Γ£ö|
-| [Geo-replication](#geo-replication) | Linked cache instances in two regions, with user-controlled failover | Premium; Enterprise (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Passive|Active|
+| Geo-replication | Linked cache instances in two regions, with user-controlled failover | Premium; Enterprise (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-| [Passive](#passive-geo-replication) | [Active](#active-geo-replication) |
| [Import/Export](#importexport) | Point-in-time snapshot of data in cache. | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Γ£ö|Γ£ö| | [Persistence](#persistence) | Periodic data saving to storage account. | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |-|Γ£ö|Preview|
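Review bot: moving the anchors into the Passive/Active cells removes the link from the row name, so `Geo-replication` is now the only option in the table whose name does not link to its section; keep a link on the name (for example to the passive section) as well as the per-tier links. Also, the availability column for this row still reads `Premium; Enterprise (see details)` where every other row states an SLA percentage, so that column now mixes tier names with availability figures.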
Various high availability options are available in the Standard, Premium, and En
Applicable tiers: **Standard**, **Premium**, **Enterprise**, **Enterprise Flash**
-Azure Cache for Redis has a high availability architecture that ensures your managed instance is functioning, even when outages affect the underlying virtual machines (VMs). Whether the outage is planned or unplanned outages, Azure Cache for Redis delivers much greater percentage availability rates than what's attainable by hosting Redis on a single VM.
+Recommended for: **High availability**
+
+Azure Cache for Redis has a high availability architecture that ensures your managed instance is functioning, even when outages affect the underlying virtual machines (VMs). Whether the outage is planned or unplanned outages, Azure Cache for Redis delivers greater percentage availability rates than what's attainable by hosting Redis on a single VM.
An Azure Cache for Redis in the applicable tiers runs on a pair of Redis servers by default. The two servers are hosted on dedicated VMs. Open-source Redis allows only one server to handle data write requests.
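Review bot: the rewritten paragraph keeps the grammatical slip `Whether the outage is planned or unplanned outages`; since the sentence is being edited anyway (`much greater` to `greater`), make it `Whether the outage is planned or unplanned`. The added `Recommended for: **High availability**` label is a useful addition; just make sure the same label is spelled identically in the other sections of this change (the active geo-replication section later in the same file writes `High Availability`).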
A typical failover sequence looks like this, when a primary needs to go down for
A primary node can go out of service as part of a planned maintenance activity, such as an update to Redis software or the operating system. It also can stop working because of unplanned events such as failures in underlying hardware, software, or network. [Failover and patching for Azure Cache for Redis](cache-failover.md) provides a detailed explanation on types of failovers. An Azure Cache for Redis goes through many failovers during its lifetime. The design of the high availability architecture makes these changes inside a cache as transparent to its clients as possible.
-Also, Azure Cache for Redis provides more replica nodes in the Premium tier. A [multi-replica cache](cache-how-to-multi-replicas.md) can be configured with up to three replica nodes. Having more replicas generally improves resiliency because you have nodes backing up the primary. Even with more replicas, an Azure Cache for Redis instance still can be severely impacted by a data center or Availability Zone outage. You can increase cache availability by using multiple replicas with [zone redundancy](#zone-redundancy).
+Also, Azure Cache for Redis provides more replica nodes in the Premium tier. A [multi-replica cache](cache-how-to-multi-replicas.md) can be configured with up to three replica nodes. Having more replicas generally improves resiliency because you have nodes backing up the primary. Even with more replicas, an Azure Cache for Redis instance still can be severely affected by a data center or Availability Zone outage. You can increase cache availability by using multiple replicas with [zone redundancy](#zone-redundancy).
## Zone redundancy Applicable tiers: **Premium**, **Enterprise**, **Enterprise Flash**
+Recommended for: **High availability**, **Disaster recovery - intra region**
+ Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A zone redundant cache can place its nodes across different Azure Availability Zones in the same region. It eliminates data center or AZ outage as a single point of failure and increases the overall availability of your cache. See this article for information on how to set it up.
-If a cache is configured to use two or more zones as described above, the cache nodes are created in different zones. When a zone goes down, cache nodes in other zones are available to keep the cache functioning as usual.
+If a cache is configured to use two or more zones as described earlier in the article, the cache nodes are created in different zones. When a zone goes down, cache nodes in other zones are available to keep the cache functioning as usual.
Azure Cache for Redis supports zone redundant configurations in the Premium and Enterprise tiers. A [zone redundant cache](cache-how-to-zone-redundancy.md) can place its nodes across different [Azure Availability Zones](../reliability/availability-zones-overview.md) in the same region. It eliminates data center or Availability Zone outage as a single point of failure and increases the overall availability of your cache.
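Review bot: the zone-redundancy section now contains the same paragraph twice: the unchanged context line ending `See this article for information on how to set it up.` (with no link) is immediately followed by the linked version `A [zone redundant cache](cache-how-to-zone-redundancy.md) can place its nodes across different [Azure Availability Zones](...)`. Drop the unlinked copy so the section reads once. The `impacted` to `affected` and `described above` to `described earlier in the article` edits are fine.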
The following diagram illustrates the zone redundant configuration for the Premi
:::image type="content" source="media/cache-high-availability/zone-redundancy.png" alt-text="Zone redundancy setup":::
-Azure Cache for Redis distributes nodes in a zone redundant cache in a round-robin manner over the selected Availability Zones. It also determines which node will serve as the primary initially.
+Azure Cache for Redis distributes nodes in a zone redundant cache in a round-robin manner over the selected Availability Zones. It also determines the node that serves as the primary initially.
-A zone redundant cache provides automatic failover. When the current primary node is unavailable, one of the replicas will take over. Your application may experience higher cache response time if the new primary node is located in a different AZ. Availability Zones are geographically separated. Switching from one AZ to another alters the physical distance between where your application and cache are hosted. This change impacts round-trip network latencies from your application to the cache. The extra latency is expected to fall within an acceptable range for most applications. We recommend you test your application to ensure it does well with a zone-redundant cache.
+#### Zone Down Experience for Premium tier
+
+A zone redundant cache provides automatic failover. When the current primary node is unavailable, one of the replicas takes over. Your application may experience higher cache response time if the new primary node is located in a different AZ. Availability Zones are geographically separated. Switching from one AZ to another alters the physical distance between where your application and cache are hosted. This change impacts round-trip network latencies from your application to the cache. The extra latency is expected to fall within an acceptable range for most applications. We recommend you test your application to ensure it does well with a zone-redundant cache.
### Enterprise and Enterprise Flash tiers
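Review bot: the new heading `#### Zone Down Experience for Premium tier` is in title case while every other heading in the article is sentence case (`## Zone redundancy`, `### Enterprise and Enterprise Flash tiers`); write it `#### Zone down experience for the Premium tier`. In the paragraph under it, `This change impacts round-trip network latencies` should become `affects` to match the `impacted` to `affected` edit made a few lines earlier in this same change.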
A cache in either Enterprise tier runs on a Redis Enterprise _cluster_. It alway
The Enterprise cluster divides Azure Cache for Redis data into partitions internally. Each partition has a _primary_ and at least one _replica_. Each data node holds one or more partitions. The Enterprise cluster ensures that the primary and replica(s) of any partition are never collocated on the same data node. Partitions replicate data asynchronously from primaries to their corresponding replicas.
+#### Zone Down Experience for Enterprise tiers
+ When a data node becomes unavailable or a network split happens, a failover similar to the one described in [Standard replication](#standard-replication-for-high-availability) takes place. The Enterprise cluster uses a quorum-based model to determine which surviving nodes participate in a new quorum. It also promotes replica partitions within these nodes to primaries as needed.
+### Regional availability
+
+Zone-redundant Premium tier caches are available in the following regions:
+
+| Americas | Europe | Middle East | Africa | Asia Pacific |
+||||||
+| Brazil South | France Central | Qatar Central | South Africa North | Australia East |
+| Canada Central | Germany West Central | | | Central India |
+| Central US | North Europe | | | Japan East |
+| East US | Norway East | | | Korea Central |
+| East US 2 | UK South | | | Southeast Asia |
+| South Central US | West Europe | | | East Asia |
+| US Gov Virginia | Sweden Central | | | China North 3 |
+| West US 2 | Switzerland North | | | |
+| West US 3 | | | | |
+
+Zone-redundant Enterprise and Enterprise Flash tier caches are available in the following regions:
+
+| Americas | Europe | Middle East | Africa | Asia Pacific |
+||||||
+| Canada Central* | North Europe | | | Australia East |
+| Central US* | UK South | | | Central India |
+| East US | West Europe | | | Southeast Asia |
+| East US 2 | | | | |
+| South Central US | | | | |
+| West US 2 | | | | |
+
+\* Enterprise Flash tier not available in this region.
+
+#### Availability zone redeployment and migration
+
+Currently, the only way to convert your cache from a non-AZ configuration to an AZ configuration is to redeploy the cache. To learn how to redeploy your current cache, see [Migrate an Azure Cache for Redis instance to availability zone support](/azure/availability-zones/migrate-cache-redis).
+ ## Persistence Applicable tiers: **Premium**, **Enterprise (preview)**, **Enterprise Flash (preview)**
+Recommended for: **Data durability**
+ Because your cache data is stored in memory, a rare and unplanned failure of multiple nodes can cause all the data to be dropped. To avoid losing data completely, [Redis persistence](https://redis.io/topics/persistence) allows you to take periodic snapshots of in-memory data, and store it to your storage account. If you experience a failure across multiple nodes causing data loss, your cache loads the snapshot from storage account. For more information, see [Configure data persistence for a Premium Azure Cache for Redis instance](cache-how-to-premium-persistence.md). ### Storage account for persistence
Consider choosing a geo-redundant storage account to ensure high availability of
Applicable tiers: **Premium**, **Enterprise**, **Enterprise Flash**
+Recommended for: **Disaster recovery**
+ Azure cache for Redis supports the option to import and export Redis Database (RDB) files to provide data portability. It allows you to import data into Azure Cache for Redis or export data from Azure Cache for Redis by using an RDB snapshot. The RDB snapshot from a premium cache is exported to a blob in an Azure Storage Account. You can create a script to trigger export periodically to your storage account. For more information, see [Import and Export data in Azure Cache for Redis](cache-how-to-import-export-data.md). ### Storage account for export Consider choosing a geo-redundant storage account to ensure high availability of your exported data. For more information, see [Azure Storage redundancy](../storage/common/storage-redundancy.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json).
-## Geo-replication
+## Passive Geo-replication
Applicable tiers: **Premium**
-[Geo-replication](cache-how-to-geo-replication.md) is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.
+Recommended for: **Disaster recovery - single region**
+
+[Geo-replication](cache-how-to-geo-replication.md) is a mechanism for linking two or more Azure Cache for Redis instances, typically spanning two Azure regions. Geo-replication is designed mainly for cross-region disaster recovery. Two Premium tier cache instances are connected through geo-replication in a way that provides reads and writes to your primary cache, and that data is replicated to the secondary cache.
+ For more information on how to set it up, see [Configure geo-replication for Premium Azure Cache for Redis instances](./cache-how-to-geo-replication.md). If the region hosting the primary cache goes down, youΓÇÖll need to start the failover by: first, unlinking the secondary cache, and then, updating your application to point to the secondary cache for reads and writes.
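Review bot: the new label `Recommended for: **Disaster recovery - single region**` contradicts the sentence two lines below it, which now says geo-replication `is designed mainly for cross-region disaster recovery` and links caches `typically spanning two Azure regions`; the active geo-replication section uses `multi-region`, so this label presumably means a single secondary region and should say so. The heading `## Passive Geo-replication` should be `## Passive geo-replication` to match the sentence-case headings used elsewhere in the article.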
If the region hosting the primary cache goes down, youΓÇÖll need to start the fa
Applicable tiers: **Enterprise**, **Enterprise Flash**
-The Enterprise tiers support a more advanced form of geo-replication called [active geo-replication](cache-how-to-active-geo-replication.md). The Azure Cache for Redis Enterprise software uses conflict-free replicated data types to support writes to multiple cache instances, merges changes, and resolves conflicts. You can join up to five Enterprise tier cache instances in different Azure regions to form a geo-replication group.
+Recommended for: **High Availability**, **Disaster recovery - multi-region**
+
+The Enterprise tiers support a more advanced form of geo-replication called [active geo-replication](cache-how-to-active-geo-replication.md) that offers both higher availability and cross-region disaster recovery across multiple regions. The Azure Cache for Redis Enterprise software uses conflict-free replicated data types to support writes to multiple cache instances, merges changes, and resolves conflicts. You can join up to five Enterprise tier cache instances in different Azure regions to form a geo-replication group.
An application using such a cache can read and write to any of the geo-distributed cache instances through their corresponding endpoints. The application should use what is the closest to each application instance, giving you the lowest latency. For more information, see [Configure active geo-replication for Enterprise Azure Cache for Redis instances](cache-how-to-active-geo-replication.md).
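Review bot: `Recommended for: **High Availability**, **Disaster recovery - multi-region**` capitalises `Availability` while the same label under standard replication and zone redundancy reads `High availability`; make them match. The expanded sentence is consistent with the paragraph that follows: conflict-free replicated data types are what let every member of the geo-replication group accept writes, which is why this option earns the high-availability label as well as disaster recovery.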
For more information on force-unlinking, see [Force-Unlink if there's region out
Applicable tiers: **Standard**, **Premium**, **Enterprise**, **Enterprise Flash**
-If you experience a regional outage, consider recreating your cache in a different region, and updating your application to connect to the new cache instead. It's important to understand that data will be lost during a regional outage. Your application code should be resilient to data loss.
+If you experience a regional outage, consider recreating your cache in a different region, and updating your application to connect to the new cache instead. It's important to understand that data is lost during a regional outage. Your application code should be resilient to data loss.
Once the affected region is restored, your unavailable Azure Cache for Redis is automatically restored, and available for use again. For more strategies for moving your cache to a different region, see [Move Azure Cache for Redis instances to different regions](./cache-moving-resources.md).
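Review bot: the paragraph states that `data is lost during a regional outage` and then that the cache is `automatically restored, and available for use again` once the region recovers; make explicit that the instance, not its data, comes back (for example `your cache instance is automatically restored, without its data`) so the second sentence is not read as reversing the first. It would also help to point readers at the export and geo-replication sections above as the ways to avoid that loss, since this section is the fallback for caches that use none of them.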
azure-cache-for-redis Cache How To Import Export Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-import-export-data.md
# Import and Export data in Azure Cache for Redis
-Import/Export is an Azure Cache for Redis data management operation. It allows you to import data into Azure Cache for Redis or export data from Azure Cache for Redis by importing and exporting an Azure Cache for Redis Database (RDB) snapshot from a premium cache to a blob in an Azure Storage Account.
+Import/Export is an Azure Cache for Redis data management operation. It allows you to import data into a cache instance or export data from a cache instance. You import and export an Azure Cache for Redis Database (RDB) snapshot from a cache to a blob in an Azure Storage Account. Import/Export is supported in the Premium, Enterprise, and Enterprise Flash tiers.
- **Export** - you can export your Azure Cache for Redis RDB snapshots to a Page Blob. - **Import** - you can import your Azure Cache for Redis RDB snapshots from either a Page Blob or a Block Blob.
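Review bot: the rewritten sentence expands the acronym as `an Azure Cache for Redis Database (RDB) snapshot`, which is wrong; RDB is the Redis Database dump format, not an Azure product name. Write `a Redis Database (RDB) snapshot`, which is how the high-availability article in this same update phrases it (`Redis Database (RDB) files`). The tier statement added at the end of the paragraph is correct and matches the Applicable tiers line in that article.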
This section contains frequently asked questions about the Import/Export feature
### What pricing tiers can use Import/Export?
-Import/Export is available only in the premium pricing tier.
+Import/Export is available in the Premium, Enterprise and Enterprise Flash tiers.
### Can I import data from any Redis server?
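Review bot: the FAQ answer `Premium, Enterprise and Enterprise Flash tiers` omits the serial comma that the intro paragraph of the same change uses (`Premium, Enterprise, and Enterprise Flash tiers`); pick one form for both places.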
azure-cache-for-redis Cache How To Premium Clustering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-how-to-premium-clustering.md
Previously updated : 07/13/2022 Last updated : 03/09/2023
The largest cache size you can have is 1.2 TB. This result is a clustered P5 cac
### Do all Redis clients support clustering?
-Many clients libraries support Redis clustering but not all. Check the documentation for the library you're using to verify you're using a library and version that support clustering. StackExchange.Redis is one library that does support clustering, in its newer versions. For more information on other clients, see the [Playing with the cluster](https://redis.io/topics/cluster-tutorial#playing-with-the-cluster) section of the [Redis cluster tutorial](https://redis.io/topics/cluster-tutorial).
+Many clients libraries support Redis clustering but not all. Check the documentation for the library you're using to verify you're using a library and version that support clustering. StackExchange.Redis is one library that does support clustering, in its newer versions. For more information on other clients, see [Scaling with Redis Cluster](https://redis.io/topics/cluster-tutorial).
The Redis clustering protocol requires each client to connect to each shard directly in clustering mode, and also defines new error responses such as 'MOVED' na 'CROSSSLOTS'. When you attempt to use a client library that doesn't support clustering, with a cluster mode cache, the result can be many [MOVED redirection exceptions](https://redis.io/topics/cluster-spec#moved-redirection), or just break your application, if you're doing cross-slot multi-key requests.
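Review bot: the rewritten sentence keeps `Many clients libraries support Redis clustering`; since the line is being edited anyway, make it `Many client libraries`. The unchanged context line below it has two more problems worth fixing in the same pass: `'MOVED' na 'CROSSSLOTS'` should read `'MOVED' and 'CROSSSLOT'` (the `na` is a typo, and the Redis cluster error is `CROSSSLOT`, singular). Replacing the dead `#playing-with-the-cluster` anchor with the top-level `Scaling with Redis Cluster` page is the right call.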
You can connect to your cache using the same [endpoints](cache-configure.md#prop
### Can I directly connect to the individual shards of my cache?
-The clustering protoco