+## AADDS600: Unresolved health alerts for 30 days

+### Alert Message

+*Microsoft canΓÇÖt manage the domain controllers for this managed domain due to unresolved health alerts \[IDs\]. This is blocking critical security updates as well as a planned migration to Windows Server 2019 for these domain controllers. Follow steps in the alert to resolve the issue. Failure to resolve this issue within 30 days will result in suspension of the managed domain.*

+### Resolution

+> [!WARNING]

+> If a managed domain is suspended for an extended period of time, there's a danger of it being deleted. Resolve the reason for suspension as quickly as possible. For more information, see [Understand the suspended states for Azure AD DS](suspension.md).

+[Check the Azure AD DS health](check-health.md) for alerts that indicate problems in the configuration of the managed domain. If you're able to resolve alerts that indicate a configuration issue, wait six hours and check back to see if the alert is removed. [Open an Azure support request][azure-support] if you need assistance.

+ Title: Known issues with System for Cross-Domain Identity Management (SCIM) 2.0 protocol compliance

+ Title: 'Azure AD on-premises application provisioning architecture'

+1. To run your app locally, in the terminal, run the .NET CLI command. The [dotnet run](/dotnet/core/tools/dotnet-run) runs the Microsoft.SCIM.WebHostSample project using the [development environment](/aspnet/core/fundamentals/environments#set-environment-on-the-command-line).

+1. In the Visual Studio Code terminal, run the .NET CLI command. This command generates a deployable publish folder for the app in the bin/debug/publish directory.

+1. A new workflow opens in the command palette at the top of the screen. Select the **Subscription** you would like to publish your app to.

+- [Tutorial: Configure provisioning for a gallery app](configure-automatic-user-provisioning-portal.md)

+ Title: 'What is HR driven provisioning with Azure Active Directory?'

+ Title: Application Proxy cookie settings

+ Title: Publish native client apps

+ Title: Publish apps on separate networks via connector groups

+ Title: Debug Application Proxy applications

+ Title: Debug Application Proxy connectors

+ Title: Use Application Proxy to integrate on-premises apps with Defender for Cloud Apps

+ Title: Android certificate-based authentication with federation

+ Title: Certificate-based authentication with federation

+ Title: Certificate-based authentication with federation on iOS

+ Title: Microsoft Authenticator authentication method

+ Title: Manage authentication methods

+ Title: Authentication methods and features

+ Title: OATH tokens authentication method

+ Title: Phone authentication methods

+ Title: Security questions authentication method

+ Title: Certificate user IDs for Azure AD certificate-based authentication

+ Title: Limitations with Azure AD certificate-based authentication without federation

+ Title: Azure Active Directory certificate-based authentication on Android devices

+ Title: Azure Active Directory certificate-based authentication on Apple devices

+ Title: Windows smart card sign-in using Azure Active Directory certificate-based authentication

+ Title: Azure AD certificate-based authentication technical deep dive

+ Title: Overview of Azure AD certificate-based authentication

+ Title: Azure AD Multi-Factor Auth Providers

+ Title: Azure AD Password Protection

+ Title: Combined registration for SSPR and Azure AD Multi-Factor Authentication

+ Title: Create a resilient access control management strategy

+ Title: Self-service password reset deep dive

+ Title: License self-service password reset

+ Title: Self-service password reset policies

+ Title: On-premises password writeback with self-service password reset

+ Title: System-preferred multifactor authentication (MFA)

+>[!NOTE]

+>System-preferred MFA is a key security upgrade to traditional second factor notifications. We highly recommend enabling system-preferred MFA in the near term for improved sign-in security.

+The following example excludes a sample target group and includes all users. For more information, see [Update authenticationMethodsPolicy](/graph/api/authenticationmethodspolicy-update).

+ Title: How to migrate to the Authentication methods policy (preview)

+The Authentication methods policy has other methods that aren't available in the legacy policies, such as FIDO2 security key, Temporary Access Pass, and Azure AD certificate-based authentication. These methods aren't in scope for migration and you won't need to make any changes to them if you've configured them already.

+| Microsoft 365 web apps (accessed directly on web) | [Outlook](https://outlook.live.com/owa/), [Word](https://office.live.com/start/Word.aspx), [Excel](https://office.live.com/start/Excel.aspx), [PowerPoint](https://office.live.com/start/PowerPoint.aspx)|

+ Title: Two-way SMS no longer supported

+ Title: How to configure Azure AD certificate-based authentication

+ Title: Use additional context in Microsoft Authenticator notifications

+ |Android | 4.2309.1 |

+ Title: Use number matching in multifactor authentication (MFA) notifications

+ Title: Nudge users to set up Microsoft Authenticator

+ Title: How to use the MFA Server Migration Utility to migrate to Azure AD MFA

+ Title: Migrate to Azure AD MFA and Azure AD user authentication

+ Title: Migrate to Azure AD MFA with federations

+ Title: Migrate from MFA Server to Azure AD Multi-Factor Authentication

+ Title: Authentication Methods Activity

+ Title: FAQs for hybrid FIDO2 security key deployment

+ Title: Passwordless sign-in with Microsoft Authenticator

+ Title: Passwordless security key sign-in to on-premises resources

+ Title: Passwordless security key sign-in Windows

+ Title: Passwordless security key sign-in

+ Title: Known issues and troubleshooting for hybrid FIDO2 security keys

+ Title: Secure resources with Azure AD MFA and ADFS

+ Title: Configure app passwords for Azure AD Multi-Factor Authentication

+ Title: Configure Azure AD Multi-Factor Authentication

+ Title: Configure the Azure AD MFA NPS extension

+ Title: Troubleshooting Azure AD MFA NPS extension

+ Title: Integrate RDG with Azure AD MFA NPS extension

+ Title: VPN with Azure AD MFA using the NPS extension

+ Title: Use Azure AD Multi-Factor Authentication with NPS

+* `https:\//login.microsoftonline.com`

+* `https:\//credentials.azure.com`

+* `https:\//login.microsoftonline.com`

+* `https:\//provisioningapi.microsoftonline.com`

+* `https:\//aadcdn.msauth.net`

+* `https:\//www.powershellgallery.com`

+* `https:\//go.microsoft.com`

+* `https:\//aadcdn.msftauthimages.net`

+ Title: Azure AD user data collection

+ Title: Sign-in event details for Azure AD Multi-Factor Authentication

+ Title: Configure MFA Server

+ Title: Manage authentication methods for Azure AD Multi-Factor Authentication

+ Title: Enable per-user Multi-Factor Authentication

+ Title: Use Azure MFA Server with AD FS 2.0

+ Title: Azure MFA Server with AD FS in Windows Server

+ Title: High availability for Azure MFA Server

+ Title: Azure MFA Server Mobile App Web Service

+ Title: Upgrade PhoneFactor to Azure AD Multi-Factor Authentication Server

+ Title: Upgrading Azure MFA Server

+ Title: User portal for Azure MFA Server

+ Title: Getting started Azure MFA Server

+ Title: Azure MFA Server and Active Directory

+ Title: LDAP Authentication and Azure Multi-Factor Authentication Server

+ Title: RADIUS and Azure MFA Server

+ Title: IIS Authentication and Azure Multi-Factor Authentication Server

+ Title: RDG and Azure MFA Server using RADIUS

+ Title: Azure MFA Server and third-party VPNs

+ Title: Windows authentication and Azure MFA Server

+ Title: Password protection agent release history

+ Title: Prevent attacks using smart lockout

+ Title: Troubleshoot combined registration

+ Title: Enable combined security information registration

+ Title: Pre-populate contact information for self-service password reset

+ Title: Customize self-service password reset

+ Title: Self-service password reset reports

+ Title: Self-service password reset for Windows devices

+ Title: Two-step verification Azure AD MFA and ADFS

+ Title: Troubleshoot self-service password reset writeback

+ Title: Troubleshoot self-service password reset

+ Title: Migrate from the Azure Access Control Service

+ Title: Azure AD Federation Metadata

+ Title: How to enable cross-app SSO on Android using ADAL

+ Title: How to enable cross-app SSO on iOS using ADAL

+ Title: Code samples for Azure Active Directory v1.0

+ Title: Azure AD Service to Service Auth using OAuth2.0

+ Title: Understanding the OAuth2 implicit grant flow in Azure AD

+ Title: Service-to-service authentication with OAuth2.0 on-behalf-of flow

+ Title: Permissions in Azure Active Directory

+ Title: Authorize web app access with OpenID Connect & Azure AD

+ Title: 'Azure AD Connect cloud provisioning agent: Automatic upgrade'

+ Title: 'Azure AD Connect cloud provisioning agent: Manage registry options'

+ Title: 'Azure AD Connect cloud provisioning agent: Version release history'

+ Title: 'What is Azure AD Connect cloud sync?'

+ Title: 'What is identity provisioning with Azure AD?'

+ Title: Block legacy authentication

+ Title: Filter for devices as a condition in Conditional Access policy

+ Title: Cloud apps, actions, and authentication context in Conditional Access policy

+ Title: Conditions in Conditional Access policy

+ Title: Grant controls in Conditional Access policy

+ Title: Building a Conditional Access policy

+ Title: Conditional Access templates

+ Title: What is Conditional Access report-only mode?

+ Title: Session controls in Conditional Access policy

+ Title: Users and groups in Conditional Access policy

+ Title: Filter for applications in Conditional Access policy (Preview)

+> [!IMPORTANT]

+ Title: Conditional Access APIs and PowerShell

+ Title: Conditional Access insights and reporting workbook

+ Title: Require MFA for administrators with Conditional Access

+ Title: Require MFA for all users with Conditional Access

+ Title: Conditional Access - Authentication strength for external users

+ Title: Require MFA for Azure management with Conditional Access

+ Title: Conditional Access - Block access

+ Title: Block legacy authentication with Conditional Access

+ Title: Require administrators use compliant or hybrid joined devices

+ Title: Require compliant, hybrid joined devices, or MFA

+ Title: Conditional Access - Block access by location

+ Title: Control security information registration with Conditional Access

+ Title: User risk-based password change

+ Title: Sign-in risk-based multifactor authentication

+ Title: Configure authentication session management

+ Title: Conditional Access - Use application enforced restrictions for unmanaged devices

+ Title: Conditional Access - Require approved app or app protection policy

+ Title: Require MFA for guest users with Conditional Access

+ Title: Require reauthentication with Conditional Access

+ Title: Block unsupported platforms with Conditional Access

+ Title: Migrate a classic Conditional Access policy

+ Title: Migrate Conditional Access policies

+ Title: Office 365 App in Conditional Access reference

+ Title: Conditional Access service dependencies

+ Title: Troubleshoot Conditional Access using the What If tool

+ Title: Troubleshooting sign-in problems with Conditional Access

+ Title: Troubleshoot Conditional Access policy changes

+ Title: The Conditional Access What If tool

+A [workload identity](../workload-identities/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:

+> > [!div id="apipermissionspage"]

+> > [Go to the API Permissions page]()

+You see these terms when you use our documentation, the Azure portal, our authentication libraries, and the Microsoft Graph API. Some terms are Microsoft-specific while others are related to protocols like OAuth or other technologies you use with the Microsoft identity platform.

+- Robust management of single sign-on using Azure AD Identity Management and [OpenID Connect][OpenIDConnect] protocol implementation

+A type of [client application](#client-application) that downloads code from a web server and executes within a user-agent (for instance, a web browser), such as a single-page application (SPA). Since all code is executed on a device, it's considered a "public" client due to its inability to store credentials privately/confidentially. For more information, see [OAuth 2.0 client types and profiles][OAuth2-Client-Types].

+Similar to the way a service principal object is used to represent an application instance, a user principal object is another type of security principal, which represents a user. The Microsoft Graph [User resource type][Graph-User-Resource] defines the schema for a user object, including user-related properties like first and last name, user principal name, directory role membership, etc. This provides the user identity configuration for Azure AD to establish a user principal at run-time. The user principal is used to represent an authenticated user for single sign-on, recording [consent](#consent) delegation, making access control decisions, etc.

+ <meta charset="UTF-8">

+ <meta http-equiv="X-UA-Compatible" content="IE=edge">

+ <meta name="viewport" content="width=device-width, initial-scale=1.0">

+ <script type="text/javascript" src="https://alcdn.msauth.net/lib/1.0.18/js/adal.min.js"></script>

+ <div>

+ <p id="welcomeMessage" style="visibility: hidden;"></p>

+ <button id="loginButton">Login</button>

+ <button id="logoutButton" style="visibility: hidden;">Logout</button>

+ <button id="tokenButton" style="visibility: hidden;">Get Token</button>

+ </div>

+ <script>

+ // DOM elements to work with

+ var welcomeMessage = document.getElementById("welcomeMessage");

+ var loginButton = document.getElementById("loginButton");

+ var logoutButton = document.getElementById("logoutButton");

+ var tokenButton = document.getElementById("tokenButton");

+ // if user is logged in, update the UI

+ function updateUI(user) {

+ if (!user) {

+ return;

+ }

+ welcomeMessage.innerHTML = 'Hello ' + user.profile.upn + '!';

+ welcomeMessage.style.visibility = "visible";

+ loginButton.style.visibility = "hidden";

+ };

+ // attach logger configuration to window

+ window.Logging = {

+ piiLoggingEnabled: false,

+ level: 3,

+ log: function (message) {

+ console.log(message);

+ };

+ // ADAL configuration

+ var adalConfig = {

+ instance: 'https://login.microsoftonline.com/',

+ clientId: "ENTER_CLIENT_ID_HERE",

+ tenant: "ENTER_TENANT_ID_HERE",

+ redirectUri: "ENTER_REDIRECT_URI_HERE",

+ cacheLocation: "sessionStorage",

+ popUp: true,

+ callback: function (errorDesc, token, error, tokenType) {

+ if (error) {

+ console.log(error, errorDesc);

+ } else {

+ updateUI(authContext.getCachedUser());

+ }

+ }

+ };

+ // instantiate ADAL client object

+ var authContext = new AuthenticationContext(adalConfig);

+ // handle redirect response or check for cached user

+ if (authContext.isCallback(window.location.hash)) {

+ authContext.handleWindowCallback();

+ } else {

+ updateUI(authContext.getCachedUser());

+ }

+ // attach event handlers to button clicks

+ loginButton.addEventListener('click', function () {

+ authContext.login();

+ });

+ logoutButton.addEventListener('click', function () {

+ authContext.logOut();

+ });

+ tokenButton.addEventListener('click', () => {

+ authContext.acquireToken(

+ "https://graph.microsoft.com",

+ function (errorDesc, token, error) {

+ if (error) {

+ console.log(error, errorDesc);

+ authContext.acquireTokenPopup(

+ "https://graph.microsoft.com",

+ null, // extraQueryParameters

+ null, // claims

+ function (errorDesc, token, error) {

+ if (error) {

+ console.log(error, errorDesc);

+ } else {

+ console.log(token);

+ }

+ }

+ );

+ } else {

+ console.log(token);

+ }

+ }

+ );

+ });

+ </script>

+ <meta charset="UTF-8">

+ <meta http-equiv="X-UA-Compatible" content="IE=edge">

+ <meta name="viewport" content="width=device-width, initial-scale=1.0">

+ <script type="text/javascript" src="https://alcdn.msauth.net/browser/2.34.0/js/msal-browser.min.js"></script>

+ <div>

+ <p id="welcomeMessage" style="visibility: hidden;"></p>

+ <button id="loginButton">Login</button>

+ <button id="logoutButton" style="visibility: hidden;">Logout</button>

+ <button id="tokenButton" style="visibility: hidden;">Get Token</button>

+ </div>

+ <script>

+ // DOM elements to work with

+ const welcomeMessage = document.getElementById("welcomeMessage");

+ const loginButton = document.getElementById("loginButton");

+ const logoutButton = document.getElementById("logoutButton");

+ const tokenButton = document.getElementById("tokenButton");

+ // if user is logged in, update the UI

+ const updateUI = (account) => {

+ if (!account) {

+ return;

+ welcomeMessage.innerHTML = `Hello ${account.username}!`;

+ welcomeMessage.style.visibility = "visible";

+ loginButton.style.visibility = "hidden";

+ };

+ // MSAL configuration

+ const msalConfig = {

+ auth: {

+ clientId: "ENTER_CLIENT_ID_HERE",

+ authority: "https://login.microsoftonline.com/ENTER_TENANT_ID_HERE",

+ redirectUri: "ENTER_REDIRECT_URI_HERE",

+ },

+ cache: {

+ cacheLocation: "sessionStorage"

+ },

+ system: {

+ loggerOptions: {

+ loggerCallback(loglevel, message, containsPii) {

+ console.log(message);

+ },

+ piiLoggingEnabled: false,

+ logLevel: msal.LogLevel.Verbose,

+ }

+ }

+ };

+ // instantiate MSAL client object

+ const pca = new msal.PublicClientApplication(msalConfig);

+ // handle redirect response or check for cached user

+ pca.handleRedirectPromise().then((response) => {

+ if (response) {

+ pca.setActiveAccount(response.account);

+ updateUI(response.account);

+ } else {

+ const account = pca.getAllAccounts()[0];

+ updateUI(account);

+ }

+ }).catch((error) => {

+ console.log(error);

+ });

+ // attach event handlers to button clicks

+ loginButton.addEventListener('click', () => {

+ pca.loginPopup().then((response) => {

+ pca.setActiveAccount(response.account);

+ updateUI(response.account);

+ })

+ });

+ logoutButton.addEventListener('click', () => {

+ pca.logoutPopup().then((response) => {

+ window.location.reload();

+ });

+ });

+ tokenButton.addEventListener('click', () => {

+ const account = pca.getActiveAccount();

+ pca.acquireTokenSilent({

+ account: account,

+ scopes: ["User.Read"]

+ }).then((response) => {

+ console.log(response);

+ }).catch((error) => {

+ if (error instanceof msal.InteractionRequiredAuthError) {

+ pca.acquireTokenPopup({

+ scopes: ["User.Read"]

+ }).then((response) => {

+ console.log(response);

+ });

+ }

+ console.log(error);

+ });

+ });

+ </script>

+- The following sample is an ASP.NET web app that uses the same technics: [Use OpenID Connect to sign in users to Microsoft identity platform](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect).

+[ms-identity-aspnet-webapp-openidconnect](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) | ASP.NET (net472) | Example of token cache serialization in an ASP.NET MVC application (using MSAL.NET).

+ Title: Group Policy and MDM settings for ESR

+ Title: Windows roaming settings reference

+ Title: Device identity and desktop virtualization

+If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application is in the tenant:

+ Title: How to manage stale devices in Azure AD

+ Title: Troubleshoot devices by using the dsregcmd command

+ Title: Clean up stale guest accounts

+ Title: Clean up unmanaged Azure AD accounts

+ Title: Self-service sign up for email-verified users

+ Title: Service limits and restrictions

+ Title: Admin takeover of an unmanaged directory

+ Title: Add and verify custom domain names

+ Title: Change subdomain authentication type using PowerShell and Graph

+ Title: Assign sensitivity labels to groups

+ Title: Bulk download group membership list - Azure portal

+ Title: Download a list of groups in the Azure portal

+ Title: Bulk upload to add or create members of a group

+ Title: Bulk remove group members by uploading a CSV file

+ Title: Change static group membership to dynamic

+ Title: Create or edit a dynamic group and get status

+ Title: Rules for dynamically populated groups membership

+ Title: Group membership for Azure AD dynamic groups with memberOf

+ Title: Create simpler and faster rules for dynamic groups

+ Title: Validate rules for dynamic group membership (preview)

+ Title: Add users to a dynamic group - tutorial

+ Title: Set expiration for Microsoft 365 groups

+ Title: Search and filter groups members and owners (preview)

+ Title: Enforce group naming policy in Azure Active Directory

+ Title: Group expiration policy quickstart

+description: Expiration for Microsoft 365 groups

+ Title: Group naming policy quickstart

+ Title: Restore a deleted Microsoft 365 group

+ Title: Use a group to manage access to SaaS apps

+ Title: Set up self-service group management

+ Title: Configure group settings using PowerShell

+ Title: PowerShell V2 examples for managing groups

+ Title: Fix problems with dynamic group memberships

+ Title: Characteristics of multi-tenant interaction

+ Title: Group-based licensing additional scenarios

+ Title: Assign licenses to a group

+ Title: Change license plans for users and groups

+ Title: Add users with direct licenses to group licensing

+ Title: Resolve group license assignment problems

+ Title: PowerShell and Microsoft Graph examples for group licensing

+ Title: Product names and service plan identifiers for licensing

+ Title: Admin consent for LinkedIn account connections

+ Title: LinkedIn data sharing and consent

+ Title: Does my Azure AD sign-in page accept Microsoft accounts

+ Title: Username lookup during sign-in

+ Title: Bulk create users in the Azure portal

+ Title: Bulk delete users in the Azure portal

+ Title: Download a list of users in the Azure portal

+ Title: Bulk restore deleted users in the Azure portal

+ Title: Assign, update, list, or remove custom security attributes for a user (Preview)

+ Title: Restrict guest user access permissions

+ Title: Revoke user access in an emergency in Azure Active Directory

+ Title: User management enhancements

+ Title: Sharing accounts and credentials

+ Title: Add B2B collaboration users in the Azure portal

+ Title: Add B2B collaboration users as an information worker

+description: B2B collaboration allows information workers and app owners to add guest users to Azure AD for access

+ Title: Allow or block invites to specific organizations

+ Title: About API connectors in self-service sign-up flows

+ Title: Auditing and reporting a B2B collaboration user

+ Title: Authentication and Conditional Access for B2B users

+ Title: Azure AD B2B in government and national clouds

+ Title: 'Quickstart: Add a guest user and send an invitation'

+ Title: 'Quickstart: Add a guest user with PowerShell'

+ Title: 'Tutorial - Multi-factor authentication for B2B'

+ Title: Tutorial for bulk inviting B2B collaboration users

+ Title: B2B collaboration user claims mapping

+ Title: API connector code samples for user flows

+ Title: B2B collaboration code and PowerShell samples

+ Title: Configure SaaS apps for B2B collaboration

+ Title: Configure B2B collaboration Microsoft cloud settings

+ Title: Cross-tenant access overview

+ Title: Configure B2B collaboration cross-tenant access

+ Title: Configure B2B direct connect cross-tenant access

+ Title: Limitations of B2B collaboration

+ Title: B2B collaboration API and customization

+ Title: Set up SAML/WS-Fed IdP federation with an AD FS for B2B

+ Title: Federation with a SAML/WS-Fed identity provider (IdP) for B2B

+ Title: Enable B2B external collaboration settings

+ Title: External Identities in Azure Active Directory

+ Title: Add Facebook as an identity provider

+ Title: Add Google as an identity provider for B2B

+ Title: Grant B2B users access to your on-premises apps

+ Title: Sync local partner accounts to cloud as B2B users

+ Title: B2B collaboration for hybrid organizations

+ Title: Identity providers for External Identities

+ Title: Elements of the B2B invitation email

+# The elements of the B2B collaboration invitation email

+ Title: Invite internal users to B2B collaboration

+ Title: Add Microsoft account (MSA) as an identity provider

+ Title: One-time passcode authentication for B2B guest users

+ Title: Invitation redemption in B2B collaboration

+ Title: Reset a guest user's redemption status

+ Title: Self-service sign-up portal for B2B collaboration

+ Title: Add API connectors to self-service sign-up flows

+ Title: Add custom approvals to self-service sign-up flows

+description: Add API connectors for custom approval workflows in External Identities self-service sign-up

+ Title: Self-service sign-up for External Identities

+ Title: Add a self-service sign-up user flow

+ Title: Troubleshooting B2B collaboration

+ Title: Bulk invite guest users for B2B collaboration tutorial

+ Title: Dynamic groups and B2B collaboration

+ Title: Add custom attributes to self-service sign-up flows

+ Title: Properties of a B2B guest user

+ Title: Understand user tokens in B2B collaboration

+ Title: Quickstart - Access & create new tenant

+ Title: Architecture overview

+ Title: Customer data storage for Australian and New Zealand customers

+ Title: Identity data storage for Australian and New Zealand customers

+ Title: Customer data storage for Japan customers

+ Title: Sign up for premium editions

+ Title: Quickstart - View groups & members

+ Title: Add an existing Azure subscription to your tenant

+ Title: How to find your tenant ID

+ Title: What is group-based licensing

+- [Self-service password reset troubleshooting](../authentication/troubleshoot-sspr.md)

+ Title: Add your organization's privacy info

+ Title: Manage Azure AD user roles

+ Title: Add or update user profile information

+ Title: Reset a user's password

+ Title: Restore or permanently remove recently deleted user

+ Title: Add your custom domain

+ Title: Add or delete users

+ Title: Azure AD Multi-Factor Authentication for your organization

+ Title: Learn about groups and group membership

+ Title: Add or deactivate custom security attributes in Azure AD (Preview)

+ Title: Manage access to custom security attributes in Azure AD (Preview)

+ Title: What are custom security attributes in Azure AD? (Preview)

+ Title: Troubleshoot custom security attributes in Azure AD (Preview)

+ Title: Add branding to your organization's sign-in page

+ Title: Add company branding to your organization's sign-in page (preview)

+ Title: Find help and get support for Azure Active Directory

+ Title: How to manage groups

+ Title: What is identity secure score?

+ Title: Assign or remove licenses

+ Title: Resilience through developer best practices using Azure AD B2C

+ Title: Build resilience in Customer Identity and Access Management using Azure AD B2C

+ Title: Resilience through monitoring and analytics using Azure AD B2C

+ Title: Resilient end-user experience using Azure AD B2C

+ Title: Resilient interfaces with external processes using Azure AD B2C

+An Azure Active Directory (Azure AD) service principal is the local representation of an application object in a tenant or directory. It's the identity of the application instance. Service principals define application access and resources the application accesses. A service principal is created in each tenant where the application is used and references the globally unique application object. The tenant secures the service principal sign-in and access to resources.

+ Title: Sign up your organization

+ Title: Default user permissions

+ Title: Archive for What's new in Azure Active Directory?

+- [Configure SAML app multi-instancing for an application - Microsoft Entra](../develop/reference-app-multi-instancing.md)

+- [Customize app SAML token claims - Microsoft Entra](../develop/active-directory-saml-claims-customization.md)

+For more information, see:[Customize app SAML token claims - Microsoft Entra](../develop/active-directory-saml-claims-customization.md).

+- [Tutorial - Create an Azure Active Directory Domain Services managed domain](../../active-directory-domain-services/tutorial-create-instance.md#prerequisites)

+- [Least privileged roles by task](../roles/delegate-by-task.md#domain-services)

+- [Azure built-in roles - Azure RBAC](../../role-based-access-control/built-in-roles.md#domain-services-contributor)

+For more information, see: [Customize app SAML token claims - Microsoft identity platform](../develop/active-directory-saml-claims-customization.md#attributes).

+For more information, see [Claims mapping policy - Microsoft Entra](../develop/reference-claims-mapping-policy-type.md#claim-schema-entry-elements).

+The sign-ins Microsoft Graph API now supports confirming safe and compromised on risky sign-ins. This public preview functionality is available at the beta endpoint. For more information, please check out the Microsoft Graph documentation: [signIn: confirmSafe - Microsoft Graph beta](/graph/api/signin-confirmsafe?view=graph-rest-beta&preserve-view=true)

+To learn more about Microsoft cloud settings for B2B collaboration, see: [Cross-tenant access overview - Azure AD](../external-identities/cross-tenant-access-overview.md#microsoft-cloud-settings).

+When setting up federation with a partner's IdP, new guest users from that domain can use their own IdP-managed organizational account to sign in to your Azure AD tenant and start collaborating with you. There's no need for the guest user to create a separate Azure AD account. To learn more about federating with SAML or WS-Fed identity providers in External Identities, see: [Federation with a SAML/WS-Fed identity provider (IdP) for B2B - Azure AD](../external-identities/direct-federation.md).

+Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that will protect against PRT theft detection. To learn more, see: [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md).

+For more information, see [internalDomainFederation resource type - Microsoft Graph beta](/graph/api/resources/internaldomainfederation?view=graph-rest-beta&preserve-view=true).

+[List transitiveRoleAssignment - Microsoft Graph beta](/graph/api/rbacapplication-list-transitiveroleassignments).

+[List resourceActions - Microsoft Graph beta](/graph/api/unifiedrbacresourcenamespace-list-resourceactions).

+ Title: What's new in Sovereign Clouds? Release notes

+More information: [Configure authentication session management](../conditional-access/howto-conditional-access-session-lifetime.md#require-reauthentication-every-time).

+ Title: What's new? Release notes

+ Title: Preparing for an access review of users' access to an application

+ Title: What are access reviews? - Microsoft Entra

+ Title: Create an access review of PIM for Groups (preview)

+ Title: Create an access review of groups and applications

+ Title: 'Customize workflow schedule'

+ Title: 'Delete a Lifecycle workflow'

+ Title: Change resource roles for an access package in entitlement management

+ Title: Share link to request an access package in entitlement management

+ Title: Create and manage a catalog of resources in entitlement management

+ Title: Delegate access governance to catalog creators in entitlement management

+ Title: Delegate access governance to access package managers in entitlement management

+ Title: Delegation and roles in entitlement management

+ Title: Govern access for external users in entitlement management

+ Title: Trigger custom logic apps with entitlement management

+description: Learn how to configure and use custom logic app workflows in entitlement management.

+#Customer intent: As an administrator, I want detailed information about how I can configure and add custom logic apps to my catalogs and access packages in entitlement management.

+# Trigger custom logic apps with entitlement management

+[Azure Logic Apps](../../logic-apps/logic-apps-overview.md) can be used to automate custom workflows and connect apps and services in one place. Users can integrate Azure Logic Apps with entitlement management to broaden their governance workflows beyond the core entitlement management use cases.

+These logic app workflows can then be triggered to run in accordance with entitlement management use cases such as when an access package is granted or requested. For example, an admin could create and link a custom logic app workflow to entitlement management so that when a user requests an access package, the logic app workflow is triggered to ensure that the user is also assigned certain characteristics in a 3rd party SAAS app (like Salesforce) or is sent a custom email.

+Entitlement management use cases that can be integrated with Azure Logic Apps include:

+These triggers in logic app workflows are controlled in a new tab within access package policies called **Rules**. Additionally, a **Custom Extensions** tab on the Catalog page will show all added logic app resources for a given Catalog. This article describes how to create and add logic apps to catalogs and access packages in entitlement management.

+## Create and add a logic app workflow to a catalog for use in entitlement management

+1. In the **Basics** tab, enter the name of the custom extension (linked logic app that you are adding) and description of the workflow. These fields will show up in the **Custom Extensions** tab of the Catalog going forward.

+1. In the **Create new logic app** field, select **Yes**. Otherwise, select **No** and move on to step 9 if you are going to use an existing logic app. If you selected yes, select one of the options below and move on to step 9:

+ 1. Select **create new Azure AD application** if you want to use a new application as the basis for the new logic app, or

+ 1. select **an existing Azure AD Application** if you want to use an existing application as the basis for the new logic app.

+ > [!NOTE]

+ > Later, you can edit what your logic app workflow does in workflow designer. To do so, in the **Custom Extensions** tab of **Catalogs**, select the logic app you created.

+1. Review the summary of your custom extension and make sure the details for your logic app callout are correct. Then select **Create**.

+This custom extension to the linked logic app will now appear in your Custom Extensions tab under Catalogs. You will be able to call on this in access package policies.

+## Edit a linked logic app

+1. Here, you can view all custom extensions (logic apps) that you have added to this Catalog. To edit a logic app workflow, or to create a workflow for a newly-added logic app, select the Azure Logic Apps custom extension under **Endpoint**. This will open the workflow designer and allow you to create your workflow.

+For more information on creating logic app workflows, see [Create an example Consumption workflow with Azure Logic Apps in the Azure portal](../../logic-apps/quickstart-create-example-consumption-workflow.md).

+1. Select the access package you want to add a custom extension (logic app) to from the list of access packages that have already been created.

+1. In the menu below **Stage**, select the access package event you wish to use as trigger for this custom extension (logic app). For example, if you only want to trigger the custom extension logic app workflow when a user requests the access package, select **Request is created**.

+1. In the menu below **Custom Extension**, select the custom extension (logic app) you want to add to the access package. The do action you select will execute when the event selected in the when field occurs.

+To verify that your custom extension has correctly triggered the associated logic app when called upon by the access package **Do** option, you can view the Azure Logic Apps logs.

+The overview page for a specific logic app will show timestamps of when the logic app was last executed. Also, the Resource Group overview for a resource group with a linked custom extension will show the name of that custom extension in the overview if it has been configured correctly.

+ Title: Tutorial - Onboard external users to Azure AD through an approval process

+ Title: Add a connected organization in entitlement management

+ Title: What is entitlement management?

+ Title: Reprocess assignments for an access package in entitlement management

+ Title: Reprocess requests for an access package in entitlement management

+ Title: Configure verified ID settings for an access package in entitlement management (Preview)

+ Title: Govern access for applications in your environment

+ Title: Govern access with an organizational role model

+ Title: Identity Governance - Microsoft Entra

+ Title: Workflow Extensibility

+ Title: 'What are lifecycle workflows?'

+ Title: 'What is identity lifecycle management with Azure Active Directory?'

+ Title: 'What is provisioning with Azure Active Directory?'

+ Title: 'Lifecycle workflows FAQs (preview)'

+ Title: 'Azure AD Connect: ADSync service account'

+ Title: 'Azure AD Connect: Declarative Provisioning Expressions'

+ Title: 'Azure AD Connect: Understanding Declarative Provisioning'

+ Title: 'Azure AD Connect sync: Understanding the default configuration'

+ Title: 'Azure AD Connect sync: Understanding Users, Groups, and Contacts'

+ Title: Four steps to a strong identity foundation

+ Title: 'Azure AD Connect: What is the ADConnectivityTool PowerShell Module'

+ Title: Azure AD Connect - Manage AD FS trust with Azure AD using Azure AD Connect

+ Title: 'Change the Azure AD Connector account password'

+ Title: 'Azure AD Connect: Configure AD DS Connector Account Permissions '

+ Title: How to customize a synchronization rule in Azure AD Connect'

+ Title: 'Azure AD Connect: Device options'

+ Title: 'Azure AD Connect: Enabling device writeback'

+ Title: Emergency rotation of the AD FS certificates

+ Title: Configure group claims for applications by using Azure Active Directory

+ Title: Azure AD Connect - AD FS management and customization

+ Title: Certificate renewal for Microsoft 365 and Azure AD users

+ Title: Azure AD Connect - Update the TLS/SSL certificate for an AD FS farm

+ Title: Azure AD Connect and federation

+ Title: 'How to fix modified default rules - Azure AD Connect'

+ Title: AD FS sign-ins in Azure AD with Connect Health

+ Title: Using Azure AD Connect Health with AD DS

+ Title: Azure AD Connect Health with AD FS risky IP report workbook

+ Title: Azure AD Connect Health with the AD FS Risky IP report

+ Title: Using Azure AD Connect Health with AD FS

+ Title: Azure AD Connect Health - Alert Catalog

+ Title: Azure AD Connect Health - Health service data is not up to date alert

+ Title: Azure AD Connect Health instructions data retrieval

+ Title: Azure AD Connect Health - Diagnose duplicated attribute synchronization errors

+ Title: Using Azure AD Connect Health with sync

+ Title: 'Azure AD Connect: Automatic upgrade'

+ Title: 'Install Azure AD Connect by using an existing ADSync database'

+ Title: 'Azure AD Connect: When you already have Azure AD'

+ Title: 'Azure AD Connect: Prerequisites and hardware'

+ Title: 'Azure AD Connect and Azure AD Connect Health installation roadmap.'

+ Title: 'Azure AD Connect: Select your installation type'

+ Title: 'Install Azure AD Connect using SQL delegated administrator permissions'

+ Title: 'Re-running the Azure AD Connect install wizard'

+ Title: Monitor changes to federation configuration in Azure AD

+ Title: Implement password hash synchronization with Azure AD Connect sync

+ Title: 'Azure AD Connect: Next steps and how to manage Azure AD Connect'

+ Title: 'Azure AD Connect: Features in preview'

+ Title: 'Azure AD Connect: Pass-through Authentication - Current limitations'

+ Title: 'Disable pass-through authentication by using Azure AD Connect or PowerShell'

+ Title: 'Azure AD Connect: Pass-through Authentication - How it works'

+ Title: 'Azure AD Pass-through Authentication - Quickstart'

+ Title: Azure AD Connect - Pass-through Authentication - Upgrade auth agents

+ Title: User Privacy and Azure Active Directory Pass-through Authentication

+ Title: 'Azure AD Connect: Pass-through Authentication'

+ Title: 'Azure AD Connect: Seamless Single Sign-On - How it works'

+ Title: 'User Privacy and Azure AD Seamless Single Sign-On'

+ Title: 'Azure AD Connect: Seamless single sign-on'

+ Title: 'Azure AD Connect: Cloud authentication via Staged Rollout'

+ Title: 'Azure AD Connect sync: Changing the default configuration'

+ Title: 'Azure AD Connect sync: Changing the AD DS account password'

+ Title: 'Azure AD Connect sync: Changing the ADSync service account'

+ Title: 'Azure AD Connect sync: Configure filtering'

+ Title: 'Azure AD Connect sync V2 endpoint'

+ Title: 'Azure AD Connect sync: Directory extensions'

+ Title: 'Azure AD Connect sync: Prevent accidental deletes'

+ Title: 'Azure AD Connect sync: Scheduler'

+ Title: 'Azure AD Connect sync: Enable AD recycle bin'

+ Title: Connectors in the Azure AD Synchronization Service Manager UI'

+ Title: Azure AD Connect MV Designer'

+ Title: 'Azure AD Connect Synchronization Service Manager Operations'

+ Title: 'Azure AD Connect sync: Synchronization Service Manager UI'

+ Title: 'Azure AD Connect sync: Operational tasks and considerations'

+ Title: 'Azure AD Connect sync: Technical concepts'

+ Title: 'Azure AD Connect sync: Understand and customize synchronization'

+ Title: Identity synchronization and duplicate attribute resiliency

+ Title: Azure AD Connect sync service features and configuration

+ Title: Azure AD Connect sync service shadow attributes

+ Title: 'Azure AD Connect: Upgrade from a previous version'

+ Title: 'Azure AD Connect: Design concepts'

+ Title: 'Azure AD Connect: Supported topologies'

+ Title: 'Azure AD Connect: User sign-in'

+ Title: Hybrid identity design access control requirements Azure

+ Title: Identity requirements for hybrid cloud identity design Azure

+ Title: Hybrid identity design - content management requirements Azure

+ Title: Hybrid identity design - data protection strategy Azure

+ Title: Hybrid identity design - data protection requirements Azure

+ Title: Hybrid identity design - directory sync requirements Azure

+ Title: Hybrid identity design - management tasks Azure

+ Title: Hybrid identity design - adoption strategy Azure

+ Title: Hybrid identity design - incident response requirements Azure

+ Title: Hybrid identity design - lifecycle adoption strategy Azure

+ Title: Hybrid identity design - multi-factor authentication requirements Azure

+ Title: Azure Active Directory hybrid identity design considerations - overview

+ Title: 'Hybrid Identity: Directory integration tools comparison'

+ Title: 'Azure AD Connect: ADConnectivityTools PowerShell Reference'

+ Title: 'Azure AD Connect: ADSync PowerShell Reference'

+ Title: 'Azure AD Connect: ADSyncConfig PowerShell Reference'

+ Title: 'Azure AD Connect: ADSyncTools PowerShell Reference'

+ Title: Upgrade from DirSync and Azure AD Sync

+ Title: 'Azure AD Connect: Sync service instances'

+ Title: 'Azure AD Connect: msExchUserHoldPolicies and cloudMsExchUserHoldPolicies'

+ Title: 'Hybrid Identity required ports and protocols - Azure'

+ Title: 'Azure AD Pass-through Authentication: Version release history'

+ Title: 'Attributes synchronized by Azure AD Connect'

+ Title: 'Azure AD Connect sync: Functions Reference'

+ Title: 'Azure AD Connect and user privacy'

+ Title: 'Azure AD Connect: Version release history archive'

+ Title: 'Azure AD Connect: Version release history'

+ Title: Troubleshoot an attribute not synchronizing in Azure AD Connect'

+ Title: Troubleshoot Azure AD Connect install issues'

+ Title: Azure AD Connect - LargeObject errors caused by userCertificate attribute

+ Title: Troubleshoot an object that is not syncing with Azure Active Directory'

+ Title: 'Azure AD Connect: Troubleshoot Pass-through Authentication'

+ Title: Troubleshoot password hash synchronization with Azure AD Connect sync

+ Title: 'Azure AD Connect: How to recover from LocalDB 10GB limit issue'

+ Title: 'Azure AD Connect: Troubleshoot Source Anchor Issues during Installation'

+ Title: 'Azure Active Directory Connect: Troubleshoot Seamless Single Sign-On'

+ Title: 'Azure AD Connect: Troubleshoot errors during synchronization'

+ Title: 'Azure AD Connect: Troubleshoot SQL connectivity issues'

+ Title: 'What is inter-directory provisioning with Azure Active Directory?'

+ Title: 'What is Azure AD Connect v2.0?'

+ Title: 'What is Azure AD Connect and Connect Health.'

+ Title: 'What is federation with Azure AD?'

+ Title: 'What is password hash synchronization with Azure AD?'

+ Title: Identity Protection and B2B users

+# Securing workload identities

+- One of the following roles: Global Administrator, or owner of the service principal.

+New-AzureADPolicy

+ -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true}}") -DisplayName BasicAutoAccelerationPolicy

+ -Type HomeRealmDiscoveryPolicy

+```http

+POST /policies/homeRealmDiscoveryPolicies

+New-AzureADPolicy

+ -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true, `"PreferredDomain`":`"federated.example.edu`"}}")

+ -DisplayName MultiDomainAutoAccelerationPolicy

+ -Type HomeRealmDiscoveryPolicy

+```http

+POST /policies/homeRealmDiscoveryPolicies

+```powershell

+New-AzureADPolicy

+ -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}")

+ -DisplayName EnableDirectAuthPolicy

+ -Type HomeRealmDiscoveryPolicy

+```

+```http

+POST /policies/homeRealmDiscoveryPolicies

+Add-AzureADServicePrincipalPolicy

+ -Id <ObjectID of the Service Principal>

+ -RefObjectId <ObjectId of the Policy>

+1. Sign in with one of the roles listed in the prerequisites section.

+1. Grant consent to the `Policy.ReadWrite.ApplicationConfiguration` permission.

+1. Use the [Home realm discovery policy](/graph/api/resources/homerealmdiscoverypolicy) to create a new policy.

+1. POST the new policy, or PATCH to update an existing policy.

+ ```http

+ PATCH /policies/homeRealmDiscoveryPolicies/{id}

+ {

+ "definition": [

+ "{\"HomeRealmDiscoveryPolicy\":

+ {\"AccelerateToFederatedDomain\":true,

+ \"PreferredDomain\":\"federated.example.edu\",

+ \"AlternateIdLogin\":{\"Enabled\":true}}}"

+ ],

+ "displayName": "Home Realm Discovery auto acceleration",

+ "isOrganizationDefault": true

+ }

+1. To view your new policy, run the following query:

+ GET /policies/homeRealmDiscoveryPolicies/{id}

+ DELETE /policies/homeRealmDiscoveryPolicies/{id}

+- [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md)

+ Title: Manage custom security attributes for an application (Preview)

+description: Learn how to review and revoke permissions, and invalidate refresh tokens for an application in Azure Active Directory.

+In this article, you learn how to review permissions granted to applications in your Azure Active Directory (Azure AD) tenant. You may need to review permissions when you've detected a malicious application or the application has been granted more permissions than is necessary. You learn how to revoke permissions granted to the application using Microsoft Graph API and existing versions of PowerShell.

+The steps in this article apply to all applications that were added to your Azure AD tenant via user or admin consent. For more information on consenting to applications, see [User and admin consent](user-admin-consent-overview.md).

+## Review and revoke permissions

+Use the following Azure AD PowerShell script to revoke all permissions granted to an application.

+## Review and revoke permissions

+Use the following Microsoft Graph PowerShell script to revoke all permissions granted to an application.

+## Review and revoke permissions

+You need to consent to the following permissions:

+This article describes the benefits and how to plan for migrating your application authentication to Azure AD. It's intended for technical project managers and identity professionals.

+- Header based authentication

+[Azure Active Directory (Azure AD)](../fundamentals/active-directory-whatis.md) offers a universal identity platform that provides your employees, partners, and customers a single identity to access the applications they want and collaborate from any platform and device.

+

+Moving app authentication to Azure AD helps you manage risk and cost, increase productivity, and address compliance and governance requirements.

+With Azure AD, you can reduce infrastructure costs by providing secure remote access to on-premises apps using [Azure AD Application Proxy](../app-proxy/application-proxy.md).

+ - Faster onboarding of new applications from the Azure AD app gallery.

+ - Using Azure AD Lifecycle workflows automate onboarding or offboarding, which was previously done with scripts.

+

+| **Security Owner** | A representative from the security team that can ensure that the plan meets the security requirements of your organization. |

+| **Application technical owners** | Includes technical owners of the apps and services that integrate with Azure AD. They provide the applicationsΓÇÖ identity attributes that should include in the synchronization process. They usually have a relationship with CSV representatives. |

+| **Pilot group of users** | Users who test as a part of their daily work, the pilot experience, and provide feedback to guide the rest of the deployments. |

+In the following table you find the minimum suggested communication to keep your stakeholders informed:

+| - Notification that migration is coming and explanation of resultant <br/>end-user experiences.<br />- Downtime coming and complete communications, including what<br/> they should now do, feedback, and how to get help | - End users (and all others) |

+There are two main categories of users of your apps and resources that Azure AD supports.

+This ensures app owners know what the app migration and testing schedule are when their apps are up for migration, and what the results are from other apps that have already been migrated. You might also consider providing links to your bug tracker database for owners to be able to file and view issues for apps that are being migrated.

+The first decision point in an application migration is which apps to migrate, which if any should remain, and which apps to deprecate. There is always an opportunity to deprecate the apps that you won't use in your organization. There are several ways to find apps in your organization. While discovering apps, ensure you include in-development and planned apps. Use Azure AD for authentication in all future apps.

+Using Active Directory Federation Services (AD FS) to gather a correct app inventory:

+- **Use Azure AD Connect Health.** If you have an Azure AD Premium license, we recommend deploying [Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md) to analyze the app usage in your on-premises environment. You can use the [ADFS application report](./migrate-adfs-application-activity.md) to discover ADFS applications that can be migrated and evaluate the readiness of the application to be migrated. After completing your migration, deploy [Cloud Discovery](/cloud-app-security/set-up-cloud-discovery) that allows you to continuously monitor Shadow IT in your organization once youΓÇÖre in the cloud.

+- **Use ADFS to Azure AD app migration tool**: If you donΓÇÖt have Azure AD Premium licenses, we recommend using the ADFS to Azure AD app migration tools based on [PowerShell](https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration). Refer to [solution guide](./migrate-adfs-apps-to-azure.md):

+- **AD FS log parsing**. Parse the log files from your authentication servers to identify which apps are being used in your environment, and what their typical access patterns and access volumes are.

+For other identity providers (such as Okta or Ping), you can use their tools to export the application inventory.

+ - Use [Applications](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#application-entity) and [Service Principals](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#serviceprincipal-entity) to get your information on web apps and app instance in a directory in Azure AD.

+Once you have taken the automated approaches described in this article, you have a good handle on your applications. However, you might consider doing the following to ensure you have good coverage across all user access areas:

+Once you find your apps, you identify these types of apps in your organization:

+- Apps that use modern authentication protocols such as [Security Assertion Markup Language (SAML)](../fundamentals/auth-saml.md) and [OpenID Connect (OIDC)](../fundamentals/auth-oidc.md) already

+- Apps that use legacy authentication such as [Kerberos](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889), [Header-based](application-proxy-configure-single-sign-on-with-headers.md), or NT LAN Manager (NTLM) protocols that you choose to modernize

+- Apps that use legacy authentication protocols that you choose NOT to modernize

+The already modernized apps are the most likely to be moved to Azure AD. These apps already use modern authentication protocols such as SAML or OIDC and can be reconfigured to authenticate with Azure AD.

+We recommend you search and add applications from the [Azure AD app gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps). If you donΓÇÖt find them in the gallery, you can still add custom SAML or OIDC apps to Azure AD.

+We recommend updating the authentication stack code for these applications from the legacy protocol (such as Windows-Integrated Authentication, Kerberos, HTTP Headers-based authentication) to a modern protocol (such as SAML or OpenID Connect).

+Start by extending these apps into the cloud through our [Secure Hybrid Access (SHA) partner integrations](secure-hybrid-access.md) with application delivery controllers that you might have deployed already.

+ - Whether they'll be migrated, deprecated, or connected with [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).

+> You can download the [Application Discovery Worksheet](https://download.microsoft.com/download/2/8/3/283F995C-5169-43A0-B81D-B0ED539FB3DD/Application%20Discovery%20worksheet.xlsx) to record the applications that you want to migrate to Azure AD authentication.

+Business criticality takes on different dimensions for each business, but the two measures that you should consider are **features and functionality** and **user profiles**. Assign apps with unique functionality a higher point value than those with redundant or obsolete functionality.

+

+

+

+In a scenario where you may not have experience using Azure AD and Identity services, consider moving your **lowest priority apps** to Azure AD first. This minimizes your business impact, and you can build momentum. Once you have successfully moved these apps and have gained the stakeholderΓÇÖs confidence, you can continue to migrate the other apps.

+If there is no clear priority, you should consider moving the apps that are in the [Azure AD Gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps) first and support multiple identity providers because they are easier to integrate. It is likely that these apps are the **highest-priority apps** in your organization. To help integrate your SaaS applications with Azure AD, we have developed a collection of [tutorials](../saas-apps/tutorial-list.md) that walk you through configuration.

+When you have a deadline to migrate the apps, these highest priority apps bucket takes the major workload. You can eventually select the lower priority apps as they won't change the cost even though you have moved the deadline.

+In addition to this classification and depending on the urgency of your migration, you should publish a **migration schedule** within which app owners must engage to have their apps migrated. At the end of this process, you should have a list of all applications in prioritized buckets for migration.

+First, start by gathering key details about your applications. The [Application Discovery Worksheet](https://download.microsoft.com/download/2/8/3/283F995C-5169-43A0-B81D-B0ED539FB3DD/Application%20Discovery%20worksheet.xlsx) helps you to make your migration decisions quickly and get a recommendation out to your business group in no time at all.

+- **Current identity provider** ΓÇô what is the primary IdP for this app?

+- **Security requirements** - must it be on a corporate network? Requires MFA or registered device?

+- **User audience** ΓÇô employees, partners or internal or external customers?

+Other data that helps you later, but that you do not need to make an immediate migration decision includes:

+The app(s) you select for the pilot should represent the key identity and security requirements of your organization, and you must have clear buy-in from the application owners. Pilots typically run in a separate test environment.

+This also helps you implement the [five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md). Use the guidance as a starting point for your organization and adjust the policies to meet your organization's specific requirements.

+You can define groups for these users and populate these groups in diverse ways. You may choose that an administrator must manually add members into a group, or you can enable self-service group membership. Rules can be established that automatically add members into groups based on the specified criteria using [dynamic groups](../enterprise-users/groups-dynamic-membership.md).

+

+- **SaaS applications** ΓÇô See our list of [SaaS app tutorials](../saas-apps/tutorial-list.md) and the [Azure AD SSO deployment plan](plan-sso-deployment.md) to walk through the end-to-end process.

+During the process of the migration, your app may already have a test environment used during regular deployments. You can continue to use this environment for migration testing. If a test environment is not currently available, you may be able to set one up using Azure App Service or Azure Virtual Machines, depending on the architecture of the application. You may choose to set up a separate test Azure AD tenant to use as you develop your app configurations. This tenant will start in a clean state and won't be configured to sync with any system.

+You can test each app by logging in with a test user and make sure all functionality is the same as prior to the migration. If you determine during testing that users will need to update their [MFA](../authentication/howto-mfa-userstates.md) or [SSPR](../authentication/tutorial-enable-sspr.md)settings, or you are adding this functionality during the migration, be sure to add that to your end-user communication plan. See [MFA](https://aka.ms/mfatemplates) and [SSPR](https://aka.ms/ssprtemplates) end-user communication templates.

+If you run into problems, check out our [apps troubleshooting guide](../app-provisioning/isv-automatic-provisioning-multi-tenant-apps.md) and [Secure Hybrid Access partner integration article](secure-hybrid-access-integrations.md) to get help. You can also check out our troubleshooting articles, see [Problems signing in to SAML-based single sign-on configured apps](/troubleshoot/azure/active-directory/troubleshoot-sign-in-saml-based-apps).

+- You might also consider **providing links for the application to use legacy authentication**, if there were issues with cloud authentication.

+- Before you complete your migration, **do not change your existing configuration** with the existing identity provider.

+- Consider migrating **the apps that support multiple IdPs**. If something goes wrong, you can always change to the preferred IdPΓÇÖs configuration.

+- Point your user to the [MyApps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510#download-and-install-the-my-apps-secure-sign-in-extension) portal experience. Here, they can access all cloud-based apps, apps you make available by using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md), and apps using [Application Proxy](../app-proxy/application-proxy.md) provided they have permissions to access those apps.

+- Enable [Self-Service Application Access](./manage-self-service-access.md) to an app and **let users add apps that you curate**

+This policy is needed in situations where and admins can't control or update domain hints during sign-in. For example, `outlook.com/contoso.com` sends the user to a sign-in page with the `&domain_hint=contoso.com` parameter appended, to auto-accelerate the user directly to the federated IDP for the `contoso.com` domain. Users with managed credentials sent to a federated IDP can't sign in using their managed credentials, reducing security, and frustrating users with randomized sign-in experiences. Admins rolling out managed credentials [should also set up this policy](#suggested-use-within-a-tenant) to ensure that users can always use their managed credentials.

+The DomainHintPolicy section of the HRD policy is a JSON object that allows an admin to opt out certain domains and applications from domain hint usage. Functionally, this tells the Azure AD sign-in page to behave as if a `domain_hint` parameter on the sign-in request wasn't present.

+- In the absence of any domain hint policy, or if none of the four sections reference the app or domain hint mentioned, [the rest of the HRD policy will be evaluated](home-realm-discovery-policy.md#priority-and-evaluation-of-hrd-policies).

+- If either one (or both) of `RespectDomainHintForApps` or `RespectDomainHintForDomains` section includes the app or domain hint in the request, then the user is auto-accelerated to the federated IDP as requested.

+- If either one (or both) of `IgnoreDomainHintsForApps` or `IgnoreDomainHintsForDomains` references the app or the domain hint in the request, and theyΓÇÖre not referenced by the ΓÇ£RespectΓÇ¥ sections, then the request won't be auto-accelerated, and the user remains at the Azure AD sign-in page to provide a username.

+Once a user has entered a username at the sign-in page, they can use their managed credentials. If they choose not to use a managed credential, or they have none registered, they are taken to their federated IDP for credential entry as usual.

+- One of the following roles: Global Administrator, or owner of the service principal.

+1. Pick a domain to initially roll this change out to. This is your test domain, so pick one that may be more receptive to changes in UX (For example, seeing a different sign-in page). This ignores all domain hints from all applications that use this domain name. Set this policy in your tenant-default HRD policy:

+```http

+PATCH /policies/homeRealmDiscoveryPolicies/{id}

+New-AzureADPolicy

+ -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"DomainHintPolicy`": { `"IgnoreDomainHintForDomains`": [ `"testDomain.com`" ], `"RespectDomainHintForDomains`": [], `"IgnoreDomainHintForApps`": [], `"RespectDomainHintForApps`": [] } } }")

+ -DisplayName BasicBlockAccelerationPolicy

+ -Type HomeRealmDiscoveryPolicy

+```http

+PATCH /policies/homeRealmDiscoveryPolicies/{id}

+New-AzureADPolicy

+ -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"DomainHintPolicy`": { `"IgnoreDomainHintForDomains`": [ `"testDomain.com`" ], `"RespectDomainHintForDomains`": [], `"IgnoreDomainHintForApps`": [], `"RespectDomainHintForApps`": ["app1-clientID-Guid", "app2-clientID-Guid"] } } }")

+ -DisplayName BasicBlockAccelerationPolicy

+ -Type HomeRealmDiscoveryPolicy

+```http

+PATCH /policies/homeRealmDiscoveryPolicies/{id}

+New-AzureADPolicy

+ -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"DomainHintPolicy`": { `"IgnoreDomainHintForDomains`": [ `"testDomain.com`", "otherDomain.com", "anotherDomain.com"], `"RespectDomainHintForDomains`": [], `"IgnoreDomainHintForApps`": [], `"RespectDomainHintForApps`": ["app1-clientID-Guid", "app2-clientID-Guid"] } } }")

+ -DisplayName BasicBlockAccelerationPolicy

+ -Type HomeRealmDiscoveryPolicy

+```http

+PATCH /policies/homeRealmDiscoveryPolicies/{id}

+New-AzureADPolicy

+ -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"DomainHintPolicy`": { `"IgnoreDomainHintForDomains`": [ `"*`" ], `"RespectDomainHintForDomains`": [guestHandlingDomain.com], `"IgnoreDomainHintForApps`": [], `"RespectDomainHintForApps`": ["app1-clientID-Guid", "app2-clientID-Guid"] } } }")

+ -DisplayName BasicBlockAccelerationPolicy

+ -Type HomeRealmDiscoveryPolicy

+After step 4 is complete all users, except those in `guestHandlingDomain.com`, can sign-in at the Azure AD sign-in page even when domain hints would otherwise cause an auto-acceleration to a federated IDP. The exception to this is if the app requesting sign-in is one of the exempted ones - for those apps, all domain hints are still accepted.

+Manage the [Home Realm Discovery policy](/graph/api/resources/homeRealmDiscoveryPolicy) using [Microsoft Graph](https://developer.microsoft.com/graph/graph-explorer).

+1. Sign in to Microsoft Graph explorer with one of the roles listed in the prerequisite section.

+1. Grant the `Policy.ReadWrite.ApplicationConfiguration` permission.

+1. Use the [Home realm discovery policy](/graph/api/resources/homerealmdiscoverypolicy) to create a new policy.

+1. POST the new policy, or PATCH to update an existing policy.

+ ```http

+ PATCH /policies/homeRealmDiscoveryPolicies/{id}

+ {

+ "displayName":"Home Realm Discovery Domain Hint Exclusion Policy",

+ "definition":[

+ "{\"HomeRealmDiscoveryPolicy\" : {\"DomainHintPolicy\": { \"IgnoreDomainHintForDomains\": [\"Contoso.com\"], \"RespectDomainHintForDomains\": [], \"IgnoreDomainHintForApps\": [\"sample-guid-483c-9dea-7de4b5d0a54a\"], \"RespectDomainHintForApps\": [] } } }"

+ ],

+ "isOrganizationDefault":true

+ }

+ ```

+Large organizations that emphasize security want to move to cloud services like Microsoft 365, but need to know that their users only can access approved resources. Traditionally, companies restrict domain names or IP addresses when they want to manage access. This approach fails in a world where software as a service (or SaaS) apps are hosted in a public cloud, running on shared domain names like `outlook.office.com` and `login.microsoftonline.com`. Blocking these addresses would keep users from accessing Outlook on the web entirely, instead of merely restricting them to approved identities and resources.

+This article focuses on tenant restrictions for Microsoft 365, but the feature protects all apps that send the user to Azure AD for single sign-on. If you use SaaS apps with a different Azure AD tenant from the tenant used by your Microsoft 365, make sure that all required tenants are permitted (For example, in B2B collaboration scenarios). For more information about SaaS cloud apps, see the [Active Directory Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps).

+The tenant restrictions feature also supports [blocking the use of all Microsoft consumer applications](#blocking-consumer-applications) (MSA apps) such as OneDrive, Hotmail, and Xbox.com. This uses a separate header to the `login.live.com` endpoint, and is detailed at the end of this article.

+- Azure AD Premium 1 licenses are required for use of tenant restrictions.

+For each outgoing request to `login.microsoftonline.com`, `login.microsoft.com`, and `login.windows.net`, insert two HTTP headers: *Restrict-Access-To-Tenants* and *Restrict-Access-Context*.

+> Do not include subdomains under `*.login.microsoftonline.com` in your proxy configuration. Doing so will include `device.login.microsoftonline.com` and will interfere with Client Certificate authentication, which is used in Device Registration and Device-based Conditional Access scenarios. Configure your proxy server to exclude `device.login.microsoftonline.com` and `enterpriseregistration.windows.net` from TLS break-and-inspect and header injection.

+- For *Restrict-Access-To-Tenants*, use a value of \<permitted tenant list\>, which is a comma-separated list of tenants you want to allow users to access. Any domain that is registered with a tenant can be used to identify the tenant in this list, and the directory ID itself. For an example of all three ways of describing a tenant, the name/value pair to allow Contoso, Fabrikam, and Microsoft looks like: `Restrict-Access-To-Tenants: contoso.com,fabrikam.onmicrosoft.com,72f988bf-86f1-41af-91ab-2d7cd011db47`

+To prevent users from inserting their own HTTP header with non-approved tenants, the proxy needs to replace the *Restrict-Access-To-Tenants* header if it's already present in the incoming request.

+Clients must be forced to use the proxy for all requests to `login.microsoftonline.com`, `login.microsoft.com`, and `login.windows.net`. For example, if PAC files are used to direct clients to use the proxy, end users shouldn't be able to edit or disable the PAC files.

+The report may contain limited information, such as target directory ID, when a user who is in a tenant other than the Restricted-Access-Context tenant signs in. In this case, user identifiable information, such as name and user principal name, is masked to protect user data in other tenants (For example, `"{PII Removed}@domain.com" or 00000000-0000-0000-0000-000000000000` in place of usernames and object IDs as appropriate).

+- **User** - this field can have personal data removed, where it is set to `00000000-0000-0000-0000-000000000000`.

+- **Username** - this field can have personal data removed, where it is set to `{PII Removed}@domain.com`

+For the latest information on which Office clients currently support modern authentication, see [Updated Office 365 modern authentication](https://www.microsoft.com/microsoft-365/blog/2015/03/23/office-2013-modern-authentication-public-preview-announced/). That page also includes links to instructions for enabling modern authentication on specific Exchange Online and Skype for Business Online tenants. SharePoint Online already enables Modern authentication by default. Teams only supports modern auth, and doesn't support legacy auth, so this bypass concern doesn't apply to Teams.

+Microsoft 365 browser-based applications (such as the Office Portal, Yammer, SharePoint sites, and Outlook on the Web.) currently support tenant restrictions. Thick clients (Outlook, Skype for Business, Word, Excel, PowerPoint, and more) can enforce tenant restrictions only when using modern authentication.

+Outlook and Skype for Business clients that support modern authentication may still be able to use legacy protocols against tenants where modern authentication isn't enabled, effectively bypassing tenant restrictions. Tenant restrictions may block applications that use legacy protocols if they contact `login.microsoftonline.com`, `login.microsoft.com`, or `login.windows.net` during authentication.

+The [Azure Rights Management Service](/azure/information-protection/what-is-azure-rms) (RMS) and [Office Message Encryption](/microsoft-365/compliance/ome) features aren't compatible with tenant restrictions. These features rely on signing your users into other tenants in order to get decryption keys for the encrypted documents. Because tenant restrictions blocks access to other tenants, encrypted mail and documents sent to your users from untrusted tenants won't be accessible.

+Fiddler is a free web debugging proxy that can be used to capture and modify HTTP/HTTPS traffic, it includes inserting HTTP headers. To configure Fiddler to test tenant restrictions, perform the following steps:

+Depending on the capabilities of your proxy infrastructure, you may be able to stage the rollout of settings to your users. See the following high-level options for consideration:

+1. Organizational telemetry and Windows updates that rely on the login.live.com service for device IDs [cease to work](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).

+At this time, authentication to consumer applications doesn't appear in the [admin logs](#admin-experience), as login.live.com is hosted separately from Azure AD.

+### What the header does and doesn't block

+1. "Passthrough" authentication, used by many Azure apps and Office.com, where apps use Azure AD to sign in consumer users in a consumer context.

+ 1. This access is also controlled using the `Restrict-Access-To-Tenants` header to allow or deny access to the special "passthrough" tenant (`f8cdef31-a31e-4b4a-93e4-5f571e91255a`). If this tenant doesn't appear in your `Restrict-Access-To-Tenants` list of allowed domains, consumer accounts will be blocked by Azure AD from signing into these apps.

+## Platforms that don't support TLS break and inspect

+Tenant restrictions depends on injection of a list of allowed tenants in the HTTPS header, which requires Transport Layer Security Inspection (TLSI) to break and inspect traffic. For environments where the client's side isn't able to break and inspect the traffic to add headers, tenant restrictions won't work.

+Take the example of Android 7.0 and onwards. Android changed how it handles trusted certificate authorities (CAs) to provide safer defaults for secure app traffic. For more information, see [Changes to Trusted Certificate Authorities in Android Nougat](https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html).

+Following the recommendation from Google, Microsoft client apps ignore user certificates by default thus making such apps unable to work with tenant restrictions, since the certificates used by the network proxy are installed in the user certificate store, which isn't trusted by client apps.

+For such environments that can't break and inspect traffic to add the tenant restrictions parameters onto the header, other features of Azure AD can provide protection. The following list provides more information on such Azure AD features.

+- [Conditional Access: Only allow use of managed/compliant devices](/mem/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access)

+- [Conditional Access: Manage access for guest/external users](/microsoft-365/security/office-365-security/identity-access-policies-guest-access)

+- [B2B Collaboration: Restrict outbound rules by Cross-tenant access for the same tenants listed in the parameter "Restrict-Access-To-Tenants"](../external-identities/cross-tenant-access-settings-b2b-collaboration.md)

+- [B2B Collaboration: Restrict invitations to B2B users to the same domains listed in the "Restrict-Access-To-Tenants" parameter](../external-identities/allow-deny-list.md)

+- [Application management: Restrict how users consent to applications](configure-user-consent.md)

+- [Intune: Apply App Policy through Intune to restrict usage of managed apps to only the UPN of the account that enrolled the device](/mem/intune/apps/app-configuration-policies-use-android) - Check the section under, **Allow only configured organization accounts in apps** subheading.

+However, some specific scenarios can only be covered using tenant restrictions.

+ Title: Manage user-assigned managed identities

+ Title: Assign a managed identity to an application role using Azure CLI

+ Title: Assign a managed identity to an application role using PowerShell

+ Title: Move managed identities to another region

+ Title: Use managed identities on an Azure VM with Azure SDKs

+ Title: Use managed identities on an Azure VM for sign-inV

+ Title: Use managed identities on a virtual machine to acquire access token

+ Title: View service principal of a managed identity - Azure CLI

+ Title: View service principal of a managed identity in the Azure portal

+ Title: View the service principal of a managed identity using PowerShell

+ Title: Assign a managed identity access to a resource using Azure CLI

+ Title: Assign a managed identity access to a resource using the Azure portal

+ Title: Assign a managed identity access to a resource using PowerShell

+ Title: Known issues with managed identities

+ Title: Managed identities for Azure resources frequently asked questions"

+# Managed identities for Azure resources frequently asked questions

+ Title: Azure Services with managed identities support

+ Title: Configure managed identities on Azure VM using Azure CLI

+ Title: Configure managed identities on virtual machine scale set - Azure CLI

+ Title: Configure managed identities using the Azure portal

+ Title: Configure managed identities on virtual machine scale set

+ Title: Configure managed identities on an Azure VM using PowerShell

+ Title: Configure managed identities on virtual machine scale sets using PowerShell

+ Title: Configure managed identities on Azure VM using REST

+ Title: Configure managed identities on Azure virtual machine scale set using REST

+ Title: Use a SDK to configure managed identities on a VM

+ Title: Configure managed identities on Azure VM using template

+ Title: Configure template to use managed identities on virtual machine scale sets

+ Title: Azure services that support Azure AD authentication

+ Title: "Quickstart`:` Use a managed identity to access Azure Resource Manager"

+ Title: Tutorial`:`Use a managed identity to access Azure Cosmos DB - Linux

+ Title: Tutorial`:` Use a managed identity to access Azure Data Lake Store - Linux

+ Title: Tutorial`:` Use a managed identity to access Azure Storage via access key - Linux

+ Title: 'Tutorial: Access Azure Storage using a SAS credential - Linux'

+ Title: Tutorial`:` Use a managed identity to access Azure Storage - Linux

+ Title: Access Azure Storage using a Windows VM system-assigned managed identity

+ Title: "Tutorial: Use managed identity to access Azure Resource Manager - Windows"

+ Title: 'Tutorial: Use a managed identity to access Azure Cosmos DB - Windows'

+ Title: Tutorial`:` Use a managed identity to access Azure Data Lake Store - Windows

+ Title: "Tutorial: Use a managed identity to access Azure Key Vault - Windows"

+ Title: 'Tutorial: Use a managed identity to access Azure SQL Database - Windows'

+ Title: Tutorial`:` Use managed identity to access Azure Storage using SAS credential

+ Title: "Tutorial: Use a managed identity to access Azure Resource Manager - Windows"

+ Title: Approve or deny requests for Azure AD roles in PIM

+ Title: View audit report for Azure resource roles in Privileged Identity Management (PIM)

+ Title: Privileged Identity Management (PIM) for Groups (preview)

+ Title: Activate your group membership or ownership in Privileged Identity Management

+ Title: Approve activation requests for group members and owners (preview)

+ Title: Assign eligibility for a group (preview) in Privileged Identity Management

+ Title: Audit activity history for group assignments (preview) in Privileged Identity Management

+ Title: Bring groups into Privileged Identity Management (preview)

+ Title: Extend or renew PIM for groups assignments (preview)

+ Title: Configure PIM for Groups settings (preview)

+ Title: API concepts in Privileged Identity management

+ Title: Complete an access review of Azure resource and Azure AD roles in PIM

+ Title: What is Privileged Identity Management?

+ Title: Create an access review of Azure resource and Azure AD roles in PIM

+ Title: Plan a Privileged Identity Management deployment

+ Title: Email notifications in Privileged Identity Management (PIM)

+ Title: Start using PIM

+ Title: Activate Azure AD roles in PIM

+ Title: Assign Azure AD roles in PIM

+ Title: Configure Azure AD role settings in PIM

+ Title: Security alerts for Azure AD roles in PIM

+ Title: Renew Azure AD role assignments in PIM

+ Title: MFA or 2FA and Privileged Identity Management

+ Title: View audit log report for Azure AD roles in Azure AD PIM

+ Title: Perform an access review of Azure resource and Azure AD roles in PIM

+ Title: Activate Azure resource roles in PIM

+ Title: Approve requests for Azure resource roles in PIM

+ Title: Assign Azure resource roles in Privileged Identity Management

+ Title: Configure security alerts for Azure roles in Privileged Identity Management

+ Title: Configure Azure resource role settings in PIM

+ Title: Use Azure custom roles in PIM

+ Title: Discover Azure resources to manage in PIM

+ Title: Resource dashboards for access reviews in PIM

+ Title: Renew Azure resource role assignments in PIM

+ Title: Roles you cannot manage in Privileged Identity Management

+ Title: Azure AD roles Discovery and insights (preview) in Privileged Identity Management former Security Wizard

+ Title: Troubleshoot resource access denied in Privileged Identity Management

+ Title: PowerShell for Azure AD roles in PIM

+ Title: License requirements to use Privileged Identity Management

+ Title: Azure Active Directory activity logs in Azure Monitor

+ Title: Sign-in logs (preview) in Azure Active Directory

+ Title: Audit logs in Azure Active Directory

+ Title: Provisioning logs in Azure Active Directory

+ Title: Sign-in logs in Azure Active Directory

+ Title: Usage and insights report

+ Title: Access activity logs in Azure AD

+ Title: Analyze activity logs using Azure Monitor logs

+ Title: Prerequisites for Azure Active Directory reporting API

+ Title: How to download logs in Azure Active Directory

+ Title: Integrate logs with ArcSight using Azure Monitor

+ Title: Stream Azure Active Directory logs to Azure Monitor logs

+ Title: Integrate Splunk using Azure Monitor

+ Title: Stream logs to SumoLogic using Azure Monitor

+ Title: How to manage inactive user accounts in Azure AD

+ Title: How to troubleshoot sign-in errors reports

+ Title: Azure Monitor workbooks for Azure Active Directory

+ Title: How to use Azure Active Directory recommendations

+ Title: What is Azure Active Directory monitoring?

+ Title: What are Azure Active Directory recommendations?

+ Title: What are Azure Active Directory reports?

+ Title: What are Service Health notifications in Azure Active Directory?

+ Title: Plan reports & monitoring deployment

+ Title: Access Azure AD logs with the Microsoft Graph API

+ Title: Tutorial - Archive directory logs to a storage account

+ Title: Azure Active Directory recommendation - Minimize MFA prompts from known devices in Azure AD

+ Title: Azure Active Directory recommendation - Migrate apps from ADFS to Azure AD in Azure AD

+ Title: Azure Active Directory recommendation - Migrate to Microsoft authenticator

+ Title: Azure Active Directory recommendation - Remove unused apps (preview)

+ Title: Azure Active Directory recommendation - Remove unused credentials from apps (preview)

+ Title: Azure Active Directory recommendation - Renew expiring application credentials (preview)

+ Title: Azure Active Directory recommendation - Renew expiring service principal credentials (preview)

+ Title: Azure Active Directory recommendation - Turn off per user MFA in Azure AD

+ Title: Azure Active Directory (Azure AD) audit activity reference

+ Title: Azure Active Directory SLA performance

+ Title: Sign-in log schema in Azure Monitor

+ Title: Basic info in the Azure AD sign-in logs

+ Title: Azure AD PowerShell cmdlets for reporting

+ Title: Azure Active Directory data retention

+ Title: 'Troubleshoot audit data of verified domain change '

+ Title: Tutorial - Stream logs to an Azure event hub

+ Title: Configure a log analytics workspace in Azure AD

+ Title: Authentication prompts analysis workbook in Azure AD

+ Title: Conditional access gap analyzer workbook in Azure AD

+ Title: Cross-tenant access activity workbook in Azure AD

+ Title: Sign-ins using legacy authentication workbook in Azure AD

+ Title: Multifactor Authentication Gaps workbook in Azure AD

+ Title: Identity protection risk analysis workbook in Azure AD

+ Title: Sensitive operations report workbook in Azure AD

+ Title: Assign or list Azure AD roles with administrative unit scope

+ Title: Create or delete administrative units

+ Title: Add users, groups, or devices to an administrative unit

+ Title: Manage users or devices for an administrative unit with dynamic membership rules (Preview)

+ Title: List users, groups, or devices in an administrative unit

+ Title: Remove users, groups, or devices from an administrative unit

+ Title: Administrative units in Azure Active Directory

+ Title: Assign Azure AD roles at different scopes

+ Title: Best practices for Azure AD roles

+ Title: Assign Azure AD admin roles with Microsoft Graph API

+ Title: Assign custom roles using Azure AD PowerShell

+ Title: Custom role permissions for app registration

+ Title: App consent permissions for custom roles in Azure Active Directory

+ Title: Create custom roles in Azure AD role-based access control

+ Title: Device management permissions for Azure AD custom roles

+ Title: App permissions for custom roles in Azure Active Directory

+ Title: Group management permissions for Azure AD custom roles

+ Title: User management permissions for Azure AD custom roles (preview)

+ Title: Delegate application management administrator permissions

+ Title: Least privileged roles by task

+ Title: Assign Azure AD roles to groups

+ Title: Use Azure AD groups to manage role assignments

+ Title: Create a group for assigning roles in Azure Active Directory

+ Title: Assign a role to a group using Privileged Identity Management in Azure AD

+ Title: View roles assigned to a group in Azure Active Directory

+ Title: List Azure AD role assignments for a user

+ Title: Admin role docs across Microsoft 365 services

+ Title: Assign Azure AD roles to users

+ Title: Use My Staff to delegate user management

+ Title: Azure AD built-in roles

+ Title: Prerequisites to use PowerShell or Graph Explorer for Azure AD roles

+ Title: Remove limits on creating app registrations

+ Title: List Azure AD role definitions

+ Title: Manage emergency access admin accounts

+ Title: Secure access practices for administrators in Azure AD

+ Title: 'Tutorial: Azure Active Directory integration with 123FormBuilder SSO'

+ Title: 'Tutorial: Configure 15Five for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with 15Five'

+ Title: 'Tutorial: Azure Active Directory integration with 360 Online'

+ Title: 'Tutorial: Configure 4me for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with 4me'

+ Title: 'Tutorial: Configure 8x8 for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with 8x8'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with A Cloud Guru'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ABBYY FlexiCapture Cloud'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Abintegro'

+ Title: 'Tutorial: Azure Active Directory integration with Absorb LMS'

+ Title: 'Tutorial: Azure Active Directory integration with Abstract'

+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Academy Attendance"

+ Title: 'Tutorial: Azure Active Directory integration with Acadia'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Accenture Academy'

+ Title: 'Tutorial: Azure Active Directory integration with Accredible'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AcquireIO'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Active and Thriving'

+ Title: 'Tutorial: Configure Acunetix 360 for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Acunetix 360'

+ Title: 'Tutorial: Azure Active Directory integration with Adaptive Insights'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ADP Globalview (Deprecated)'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Adobe Creative Cloud'

+ Title: 'Tutorial: Azure AD SSO integration with Adobe Sign'

+ Title: 'Tutorial: Configure Adobe Identity Management (OIDC) for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Configure Adobe Identity Management for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Adobe Captivate Prime'

+ Title: 'Tutorial: Azure Active Directory integration with Adobe Experience Manager'

+1. Go to **Basic SAML Configuration** section and enter any instance specific URL in the **Identifier (Entity ID)** textbox.

+ > [!NOTE]

+ > Please note that this can be any random value which you feel relevant for your instance.

+ 1. In the **Audience claim value** textbox, enter `https://fed.adp.com` and click **Save**.

+ Title: 'Tutorial: Azure Active Directory single sign-on integration with F5'

+ Title: 'Tutorial: Azure Active Directory integration with Agiloft Contract Management Suite'

+ Title: 'Tutorial: Azure Active Directory integration with Aha!'

+ Title: 'Tutorial: Configure Airstack for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Airstack'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Airtable'

+ Title: 'Tutorial: Configure Akamai Enterprise Application Access for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AKASHI'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AlacrityLaw'

+ Title: 'Tutorial: Azure Active Directory integration with Alcumus Info Exchange'

+ Title: 'Tutorial: Configure AlertMedia for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AlertMedia'

+ Title: 'Tutorial: Configure AlexisHR for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Alibaba Cloud Service (Role-based SSO)'

+ Title: 'Tutorial: Configure Alinto Protect for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Ally.io'

+ Title: 'Tutorial: Azure Active Directory integration with Amazon Business'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Amazon Managed Grafana'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Amplitude'

+ Title: 'Tutorial: Azure Active Directory integration with ANAQUA'

+ Title: 'Tutorial: Azure Active Directory integration with &frankly'

+ Title: "Tutorial: Azure Active Directory integration with Andromeda"

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Animaker'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Apex Portal'

+ Title: 'Tutorial: Configure Appaegis Isolation Access Cloud for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with AppBlade'

+ Title: 'Tutorial: Azure Active Directory integration with AppDynamics'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Appian'

+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Appinux"

+ Title: 'Tutorial: Configure Apple Business Manager for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Configure Apple School Manager for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Applied Mental Health'

+ Title: 'Tutorial: Azure Active Directory integration with Appraisd'

+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Apptio"

+ Title: 'Tutorial: Azure Active Directory integration with Aravo'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with ARC Facilities'

+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Arc Publishing - SSO"

+ Title: 'Tutorial: Azure Active Directory integration with ArcGIS Online'

+ Title: 'Tutorial: Configure Ardoq for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Ardoq'

+ Title: 'Tutorial: Azure Active Directory integration with ARES for Enterprise'

+ Title: 'Tutorial: Azure Active Directory integration with Ariba'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Aruba User Experience Insight'

+ Title: 'Tutorial: Configure Asana for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Ascentis'

+ Title: "Tutorial: Configure askSpoke for automatic user provisioning with Azure Active Directory"

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with askSpoke'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AskYourTeam'

+ Title: 'Tutorial: Azure Active Directory integration with Asset Bank'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AssetSonar'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Astra Schedule'

+ Title: 'Tutorial: Configure Atea for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Configure Atlassian Cloud for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Configure Atmos for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Attendance Management Services'

+ Title: 'Tutorial: Configure AuditBoard for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with AuditBoard'

+ Title: 'Tutorial: Configure Autodesk SSO for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Autodesk SSO'

+ Title: 'Tutorial: Azure Active Directory integration with Autotask Endpoint Backup'

+ Title: 'Tutorial: Azure Active Directory integration with Autotask Workplace'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AwareGo'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AWS ClientVPN'

+ Title: "Tutorial: Azure Active Directory integration with Amazon Web Services to connect multiple accounts"

+ Title: 'Tutorial: Configure AWS IAM Identity Center(successor to AWS single sign-On) for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Baldwin Safety and Compliance'

+ Title: 'Tutorial: Azure Active Directory integration with BambooHR'

+ Title: 'Tutorial: Azure Active Directory integration with SAML SSO for Bamboo by resolution GmbH'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Banyan Security Zero Trust Remote Access Platform'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Beautiful.ai'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Beekeeper Azure AD SSO'

+ Title: 'Tutorial: Azure Active Directory integration with Beeline'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Benchling'

+ Title: 'Tutorial: Configure BenQ IAM for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Configure Bentley - Automatic User Provisioning for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Bersin'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Beyond Identity Admin Console'

+ Title: 'Tutorial: Azure Active Directory integration with BGS Online'

+ Title: 'Tutorial: Configure BIC Cloud Design for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with BIS'

+ Title: 'Tutorial: Configure BitaBIZ for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with BitaBIZ'

+ Title: 'Tutorial: Azure Active Directory integration with SAML SSO for Bitbucket by resolution GmbH'

+ Title: 'Tutorial: Configure Bizagi Studio for Digital Process Automation for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Bizagi for Digital Process Automation'

+ Title: 'Tutorial: Configure BLDNG APP for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Configure Blink for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Blink'

+ Title: 'Tutorial: Configure Blinq for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Configure BlogIn for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with BlogIn'

+ Title: 'Tutorial: Configure BlueJeans for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with BlueJeans for Azure AD'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with BeyondTrust Remote Support'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Bonos'

+ Title: 'Tutorial: Azure Active Directory integration with Bonusly'

+ Title: 'Tutorial: Configure Bonusly for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Boomi'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Box'

+ Title: 'Tutorial: Configure Box for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Configure Boxcryptor for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Boxcryptor'

+ Title: 'Tutorial: Configure Bpanda for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Creatio'

+ Title: 'Tutorial: Azure Active Directory integration with Brandfolder'

+ Title: 'Tutorial: Azure Active Directory integration with Bridge'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Bright Pattern Omnichannel Contact Center'

+ Title: 'Tutorial: Azure Active Directory integration with Brightidea'

+ Title: 'Tutorial: Azure Active Directory integration with Brightspace by Desire2Learn'

+ Title: 'Tutorial: Configure Britive for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Britive'

+ Title: 'Tutorial: Configure Brivo Onair Identity Connector for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Broadcom DX SaaS'

+ Title: 'Tutorial: Configure BrowserStack Single Sign-on for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with BrowserStack Single Sign-on'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Brushup'

+ Title: 'Tutorial: Azure Active Directory integration with Bugsnag'

+ Title: 'Tutorial: Configure BullseyeTDP for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Bynder'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with C3M Cloud Control'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with CakeHR'

+ Title: 'Tutorial: Azure Active Directory integration with Carbonite Endpoint Backup'

+ Title: 'Tutorial: Configure Cato Networks for automatic user provisioning with Azure Active Directory'

+ Title: 'Tutorial: Azure Active Directory integration with Central Desktop'

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Cequence Application Security Platform'

+ Title: 'Tutorial: Configure Cerby for automatic user provisioning with Azure Active Directory'