+Create an HTML page with your own branding to serve your custom page content. This page can be a static `*.html` page, or a dynamic page like .NET, Node.js, or PHP,however, Azure B2C does not support any view engines. Any server-side rendering of the dynamic page must be performed by a dedicated web application.

+ Title: Tutorial to enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP

+# Tutorial: Enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP

+Learn to integrate Azure Active Directory B2C (Azure AD B2C) with F5 BIG-IP Access Policy Manager (APM). You can expose legacy applications securely to the internet through BIG-IP security, with Azure AD B2C preauthentication, Conditional Access (CA), and single sign-on (SSO). F5 Inc. focuses on delivery, security, performance, and availability of connected services, including computing, storage, and network resources. It provides hardware, modularized software, and cloud-ready virtual appliance solutions.

+Deploy F5 BIG-IP Application Delivery Controller (ADC) as a secure gateway between private networks and the internet. There are features for application-level inspection and customizable access controls. If deployed as a reverse proxy, use the BIG-IP to enable secure hybrid access to business applications, with a federated identity access layer managed by APM.

+Go to f5.com resources and white papers for: [Easily Configure Secure Access to All Your Applications via Azure AD](https://www.f5.com/services/resources/white-papers/easily-configure-secure-access-to-all-your-applications-via-azure-active-directory)

+To get started, you need:

+* An Azure subscription

+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)

+* An Azure AD B2C tenant linked to the Azure subscription

+ * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)

+* A BIG-IP or a deployed trial BIG-IP Virtual Environment (VE) on Azure

+ * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](../active-directory/manage-apps/f5-bigip-deployment-guide.md)

+* Any of the following F5 BIG-IP licenses:

+ * F5 BIG-IP® Best bundle

+ * F5 BIG-IP Access Policy ManagerΓäó standalone license

+ * F5 BIG-IP Access Policy Manager™ add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

+ * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php)

+* A header-based web application or an IIS app for testing

+ * See, [Set up an IIS app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90))

+* SSL certificate to publish services over HTTPS, or use default while testing

+ * See, [SSL profile](../active-directory/manage-apps/f5-bigip-deployment-guide.md#ssl-profile)

+The following scenario is header-based, but you can use these methods to achieve Kerberos SSO.

+For this scenario, access for an internal application relies on receiving HTTP authorization headers from a legacy broker system. Sales agents can be directed to respective areas of content. The service needs to be expanded to a broader consumer base. The application gets upgraded for consumer authentication options, or gets replaced.

+Ideally, an application upgrade supports direct management and governance with a modern control plane. However, time and effort to modernize introduces costs and potential downtime. Instead, deploy a BIG-IP Virtual Edition (VE) between the public internet and the internal Azure virtual network (VNet) to gate access with Azure AD B2C. BIG-IP in front of the application enables overlay of the service with Azure AD B2C preauthentication and header-based SSO, improving the app security posture.

+The secure hybrid access solution has of the following components:

+* **Application** - back-end service protected by Azure AD B2C and BIG-IP secure hybrid access

+* **Azure AD B2C** - identity provider (IdP) and Open ID Connect (OIDC) authorization server that verifies user credentials, multifactor authentication, and SSO to the BIG-IP APM

+* **BIG-IP** - reverse proxy for the application. The BIG-IP APM is the OIDC client, delegating authentication to the OIDC authorization server, before header-based SSO to the back-end service.

+The following diagram illustrates the service provider (SP) initiated flow for this scenario.

+

+1. User connects to the application endpoint. BIG-IP is service provider.

+2. BIG-IP APM OIDC client redirects user to Azure AD B2C tenant endpoint, the OIDC authorization server

+3. Azure AD B2C tenant pre-authenticates user and applies Conditional Access policies

+4. Azure AD B2C redirects user back to the SP with authorization code

+5. OIDC client asks the authorization server to exchange authorization code for an ID token

+6. BIG-IP APM grants user access and injects the HTTP headers in the client request forwarded on to the application

+## Azure AD B2C configuration

+To enable a BIG-IP with Azure AD B2C authentication, use an Azure AD B2C tenant with a user flow or custom policy.

+See, [Tutorial: Create user flows and custom policies in Azure AD B2C](tutorial-create-user-flows.md)

+Obtain custom attributes from Azure AD B2C user objects, federated IdPs, API connectors, or user sign-up. Include attributes in the token that goes to the application.

+Legacy applications expect specific attributes, so include them in your user flow. You can replace them with attributes your application requires. Or if you're setting up a test app using the instructions, then user any headers.

+1. Sign in to theΓÇ»[Azure portal](https://portal.azure.com/) as Global Administrator.

+2. In the left-hand pane, select **User attributes**.

+3. Select **Add** to create two custom attributes.

+4. For Agent ID, select String **Data Type**.

+5. For Agent Geo, select String **Data Type**.

+1. In the left-hand menu, navigate go to **Policies** > **User flows**.

+2. Select your policy, for example, **B2C_1_SignupSignin**.

+3. Select **User attributes**.

+4. Add both custom attributes.

+5. Add the **Display Name** attribute. These attributes are collected during user sign-up.

+6. Select **Application claims**.

+7. Add both custom attributes.

+8. Add the **Display Name**. These attributes go to the BIG-IP.

+9. Select **Run user flow**.

+10. In the user flow menu, on the left navigation bar, verify the prompts for defined attributes.

+Learn more: [Tutorial: Create user flows and custom policies in Azure AD B2C](tutorial-create-user-flows.md)

+Federate BIG-IP and Azure AD B2C for mutual trust. Register the BIG-IP in the Azure AD B2C tenant as an OIDC application.

+1. In the portal, select **App registrations** > **New registration**.

+2. Enter an app **Name**, for example, **HeaderApp1**.

+3. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.

+4. Under **Redirect URI**, select **Web**.

+5. Enter protected service public FQDN.

+6. Enter the path.

+7. Leave the remaining selections.

+8. Select **Register**.

+9. Navigate to **Certificates & secrets** > **+ New client secret**.

+10. Enter a descriptive name

+11. Enter a TTL for the secret used by the BIG-IP.

+12. Note the Client Secret for BIG-IP configuration.

+The redirect URI is the BIG-IP endpoint. After authentication, the authorization server (Azure AD B2C) sends users to the endpoint.

+Learn more: [Tutorial: Register a web application in Azure AD B2C](tutorial-register-applications.md) for Azure AD B2C.

+For BIG-IP configuration use Guided Configuration v.7/8. The workflow framework is tailored to access topologies and it accomplishes rapid web service publishing.

+### Guided Configuration version

+1. To confirm version, sign in to the BIG-IP web config with an administrator account.

+2. Go to **Access** > **Guided Configuration**.

+3. The version appears in the top right-hand corner.

+To upgrade the Guided Configuration, go to my.f5.com for [K85454683: Upgrade F5 BIG-IP Guided Configuration on the BIG-IP system](https://support.f5.com/csp/article/K85454683).

+Use BIG-IP configured with a client SSL profile to secure client-side traffic over TLS. Import a certificate that matches the domain name, used by the public-facing URL for your app. We recommend you use a public certificate authority, but you can use BIG-IP self-signed certificates for testing.

+To add and manage certificates in the BIG-IP VE, go to techdocs.f5.com for [BIG-IP System: SSL Administration](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-0-0.html).

+## Guided Configuration

+1. To launch the deployment wizard, in the web config, go to **Access** > **Guided Configuration**.

+2. Select **Federation** > **F5 as OAuth Client and Resource Server**.

+3. Observe the flow summary for this scenario.

+4. Select **Next**.

+5. The wizard starts.

+In the following sections, define properties to enable federation between the BIG-IP APM and the OAuth authorization server, the Azure AD B2C tenant. OAuth is referred to throughout BIG-IP configuration. The solution uses OIDC, an identity layer on the OAuth 2.0 protocol. OIDC clients verify user identity and obtain other profile information.

+A configuration display name helps distinguish between deployment configurations in the Guided Configuration. You can't change the name, and it appears only in the Guided Configuration view.

+The BIG-IP APM is an OIDC client, therefore select the Client option.

+The specified target must resolve the public IP addresses of the Azure AD B2C endpoints. Select a public DNS resolver, or create a new one.

+Configure Azure AD B2C as the OAuth2 IdP. The Guided Configuration has Azure AD B2C templates, but not certain scopes.

+Add a new provider and configure it:

+**OAuth general properties**

+ | Choose OAuth provider | Create new, or use an OAuth provider |

+ | Name | A display name for the B2C IdP. This name appears to users as a provider option at sign-in|

+**OAuth policy settings**

+ | Scope | Leave blank. The OpenID scope for user sign-in is added automatically |

+ | Enable OpenID Connect | Select the option to put the APM OAuth client in OIDC mode |

+**OAuth provider settings**

+The following OpenID URI refers to the metadata endpoint used by OIDC clients to discover IdP information such as signing certificate rollover.

+1. Locate the metadata endpoint for your Azure AD B2C tenant.Navigating to **App registrations** > **Endpoints**.

+2. Copy the Azure AD B2C OpenID Connect metadata document URI. For example, `https://wacketywackb2c .b2clogin.com/<tenantname>.onmicrosoft.com/<policyname>/v2.0/.well-known/openid-configuration`.

+3. Update the URI with your properties, `https://<tenantname>.b2clogin.com/WacketywackB2C.onmicrosoft.com/B2C_1_SignUpIn/v2.0/.well-known/openid-configuration`.

+4. Paste the URI into the browser.

+5. View the OIDC metadata for your Azure AD B2C tenant.

+| Property | Description |

+|||

+| Audience | The application client ID representing the BIG-IP in the Azure AD B2C tenant |

+| Authentication URI | The authorization endpoint in your B2C OIDC metadata |

+| Token URI | The token endpoint in your Azure AD B2C metadata |

+| Userinfo request URI | Leave empty. Azure AD B2C doesn't support this feature |

+|OpenID URI | The OpenID URI metadata endpoint you created |

+| Ignore expired certificate validation | Leave unchecked |

+| Allow self-signed JWK config certificate | Check |

+| Trusted CA bundle | Select ca-bundle.crt to use the default F5 trusted authorities |

+| Discovery interval | Provide an interval for the BIG-IP to query your Azure AD B2C tenant for updates. The minimum interval in AGC version 16.1 0.0.19, is 5 minutes.|

+**OAuth server settings**

+For the OIDC authorization server, being your Azure AD B2C tenant.

+|Property | Descriptions|

+|||

+| Client ID | The application Client ID representing the BIG-IP in the Azure AD B2C tenant|

+| Client Secret | The application Client Secret |

+|Client-server SSL profile | Set an SSL profile to ensure APM communicates with the Azure AD B2C IdP over TLS. Select the default **serverssl**. |

+**OAuth request settings**

+The BIG-IP has required Azure AD B2C requests in its preconfigured request set. However, the requests were malformed, and missing important parameters. So, we created them manually.

+**Token request: Enabled**

+| Property | Description |

+|||

+| Choose OAuth request | Create new |

+| HTTP method | POST |

+| Enable headers| Unchecked |

+| Enable parameters | Checked |

+| Parameter | Parameter name | Parameter value|

+|-|||

+| client-id | client-id |N/A |

+| nonce | nonce| N/A|

+| redirect-uri | redirect-uri | N/A|

+| scope | scope | N/A|

+| response-type | response-type | N/A|

+| client-secret | client-secret |N/A |

+| custom | grant_type | authorization_code |

+**Auth redirect request: Enabled**

+| Property | Description |

+|-|-|

+| Choose OAuth request | Create new |

+| HTTP method | GET |

+| Prompt type | None |

+| Enable headers | Unchecked |

+| Enable parameters | Checked |

+| Parameter | Parameter name | Parameter value|

+|||-|

+| client-id | client-id | N/A|

+| redirect-uri | redirect-uri |N/A |

+| response-type |response-type |N/A |

+| scope | scope | N/A|

+| nonce | nonce | N/A|

+**Token refresh request**: **Disabled** You can enable and configure as needed.

+**OpenID UserInfo request**: **Disabled** Not supported in global Azure AD B2C tenants.

+**Virtual server properties**

+Create a BIG-IP virtual server to intercept external client requests for the back-end service protected by secure hybrid access. Assign the virtual server an IP mapped to the public DNS record for the BIG-IP service endpoint representing the application. Use a virtual server if available, otherwise provide the following properties.

+| Property | Description |

+|-|-|

+| Destination address | Private or public IP that becomes the BIG-IP service endpoint for the back-end application |

+| Service port | HTTPS |

+| Enable redirect port | Select so users are auto redirected from http to https |

+| Redirect port | HTTP |

+| Client SSL profile | Swap the predefined `clientssl` profile with the one that has your SSL certificate. You can test with the default profile. but it likely causes a browser alert. |

+**Pool properties**

+Back-end services appear in the BIG-IP as a pool, with one or more application servers to which virtual servers direct inbound traffic. Select a pool, otherwise create a new one.

+| Property | Description |

+|||

+| Load-balancing method | Select Round Robin |

+|Pool server | Internal IP of the back-end application |

+| Port | Service port of the back-end application |

+

+ >[!NOTE]

+ >Ensure the BIG-IP has line of sight to the pool server address.

+**SSO settings**

+A BIG-IP supports SSO options, but in OAuth client mode the Guided Configuration is limited to Kerberos or HTTP Headers. Enable SSO and use the following information for the APM to map defined inbound attributes to outbound headers.

+| Property | Description |

+|||

+| Header Operation |Insert|

+| Header Name | name|

+| Header Value | `%{session.oauth.client.last.id_token.name}`|

+| Header Operation |Inser|

+|Header Name|agentid|

+|Header Value | `%{session.oauth.client.last.id_token.extension_AgentGeo}`|

+

+ >[!Note]

+ > APM session variables in curly brackets are case-sensitive. Entering agentid, when the Azure AD B2C attribute name is sent as AgentID, causes an attribute mapping failure. Define attributes in lowercase. In Azure AD B2C, the user flow prompts the user for more attributes, using the attribute name in the portal. Therefore, use sentence case instead of lowercase.

+ 

+**Customization properties**

+Customize the language and appearance of screens users see in the APM access policy flow. Edit screen messages and prompts, change screen layouts, colors, images, and localize captions, descriptions, and messages.

+In the **Form Header** text field, replace the `F5 Networks` string with a name that you want.

+**Session management properties**

+Use the BIG-IP session management settings to define conditions that terminate sessions or allow them to continue. Set limits for users and IP addresses, and error pages. We recommend implementing single log out (SLO), which terminates sessions securely, reducing risks of unauthorized access.

+## Deploy settings

+Select **Deploy** to commit settings and create BIG-IP and APM objects fir secure hybrid access to the application. The application appears as a target resource in Conditional Access. For increased security, block direct access to the application, thereby enforcing a path through the BIG-IP.

+Learn more: [Identity Protection and Conditional Access for Azure AD B2C](conditional-access-identity-protection-overview.md)

+### Test the sign-in sign-up flow

+1. As a user, go to the application external URL.

+2. The BIG-IPΓÇÖs OAuth client sign-in page appears.

+3. Sign in using the authorization code grant. To remove this step, see the **Supplemental configurations** section.

+4. Sign up and authenticate against your Azure AD B2C tenant.

+The following images are the user sign in dialog and the sign-in welcome page.

+ 

+ 

+For increased security, block direct access to the application, thereby enforcing a path through the BIG-IP.

+### Supplemental configurations

+**Single log-out (SLO)**

+Azure AD B2C supports identity provider (IdP) and application sign-out. See, [Single sign out](session-behavior.md?pivots=b2c-custom-policy#single-sign-out).

+To achieve SLO, enable your application sign out function to call the Azure AD B2C sign-out endpoint. Then, Azure AD B2C issues a final redirect to the BIG-IP. This action ensures the user-application APM session terminates.

+An alternative SLO process is to enable the BIG-IP to listen for the request, when selecting the applications **Sign out** button. Upon detecting the request, it calls to the Azure AD B2C sign out endpoint. This approach precludes making changes to the application.

+To learn more BIG-IP iRules, go to support.f5.com for [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145).

+> [!NOTE]

+> Regardless of approach, ensure the Azure AD B2C tenant knows the APM sign-out endpoint.

+1. In the portal, navigate to **Manage** > **Manifest**.

+2. Locate the `logoutUrl` property. It reads null.

+3. Add the APM post log-out URI: `https://<mysite.com>/my.logout.php3`

+> [!NOTE]

+> `<mysite.com>` is the BIG-IP FQDN for your header-based application.

+To improve the user sign-in experience, suppress the OAuth user sign-in prompt that appears before Azure AD preauthentication.

+1. Navigate to **Access** > **Guided Configuration**.

+2. On the far right of the row, select the **padlock** icon.

+3. The header-based application unlocks the strict configuration.

+ 

+Unlocking the strict configuration prevents changes with the wizard UI. BIG-IP objects are associated with the published instance of the application, and are open for direct management.

+4. Navigate to **Access** > **Profiles/ Policies** > **Access Profiles (Per-session Policies)**.

+5. For the application policy object, in the **Per-Session Policy** column, select **Edit**.

+ 

+6. To delete the **OAuth Logon Page** policy object, select **X**.

+7. At the prompt, connect to the previous node.

+ 

+8. In the top left corner, select **Apply Access Policy**.

+9. Close the visual editor tab.

+When you attempt to connect to the application, the Azure AD B2C sign-in page appears.

+>If you re-enable strict mode and deploy a configuration, settings performed outside the Guided Configuration UI are overwritten. Implement this scenario by manually creating configuration objects for production services.

+Use the following troubleshooting guidance if access to the protected application is prevented.

+#### Log verbosity

+BIG-IP logs have information to isolate authentication and SSO issues. Increase the log verbosity level.

+ 1. Go to **Access Policy** > **Overview** > **Event Logs** > **Settings**.

+ 3. From the SSO list, select **Debug**.

+ 4. Select **OK**.

+ 5. Before reviewing logs, reproduce your issue.

+

+When complete, revert the previous settings.

+

+#### BIG-IP error message

+If you see a BIG-IP error message after Azure AD B2C authentication, the issue might relate to SSO from Azure AD to the BIG-IP.

+ 2. Run the report for the last hour

+ 3. Review logs for clues.

+ 4. Select the **View session variables** link.

+ 5. Determine if the APM receives the expected Azure AD claims.

+#### No BIG-IP error message

+If no BIG-IP error message appears, the issue might be related to the back-end request, or SSO from the BIG-IP to the application.

+ 3. Select the **View Variables** link.

+ 4. Review to determine root cause, particularly if the BIG-IP APM obtains inaccurate session attributes.

+ 5. Use the application logs to help understand if it received the attributes as headers.

+#### Guided Configuration v8 known issue

+If using Guided Configuration v8, a known issue generates the following error after successful Azure AD B2C authentication. The issue might be the AGC not enabling the Auto JWT setting during deployment. The APM can't obtain the current token signing keys. F5 engineering is investigating root cause.

+ 

+The same access log provides detail.

+ 

+**Manually enable the setting**

+ 1. Navigate to **Access** > **Guided Configuration**.

+ 2. On the far-right of the row for your header-based application, select the **padlock**.

+ 3. Navigate to **Access** > **Federation** > **OAuth Client/Resource Server** > **Providers**.

+ 4. Select the provider for your Azure AD B2C configuration.

+ 5. Check the **Use Auto JWT** box.

+ 6. Select **Discover**.

+ 7. Select **Save**.

+ 8. The **Key** (JWT) field has the token signing certificate key ID (KID) from OpenID URI metadata.

+ 9. In the top-left corner, select **Apply Access Policy**.

+ 10. Select **Apply**.

+For more information, go to techdocs.f5.com for [OAuth client and resource server troubleshooting tips](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html#GUID-774384BC-CF63-469D-A589-1595D0DDFBA2)

+|A user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You don't want anything to be done.|Remove `isSoftDeleted` from the attribute mappings and / or set the [skip out of scope deletions](skip-out-of-scope-deletions.md) property to true.|

+|A user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You want to set a specific attribute to `true` or `false`.|Map `isSoftDeleted` to the attribute that you would like to set to false.|

+|A user is disabled in Azure AD, unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You want to send a DELETE request to the target application.|This is currently supported for a limited set of gallery applications where the functionality is required. It's not configurable by customers.|

+|A user is deleted in Azure AD. You don't want anything done in the target application.|Ensure that "Delete" isn't selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|

+|A user is deleted in Azure AD. You want to set the value of an attribute in the target application.|Not supported.|

+|A user is deleted in Azure AD. You want to delete the user in the target application|Ensure that Delete is selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|

+* When a user or group is unassigned from an app and no longer managed with the provisioning service, a disable request is sent. At that point, the service doesn't manage the user and a delete request isn't sent when the user is deleted from the directory.

+* When a user goes from soft-deleted to active, the Azure AD provisioning service activates the user in the target app, but doesn't automatically restore the group memberships. The target application should maintain the group memberships for the user in inactive state. If the target application doesn't support maintaining the inactive state, you can restart provisioning to update the group memberships.

+> In directories without appropriate licenses, existing Conditional Access policies for workload identities will continue to function, but can't be modified. For more information, see [Microsoft Entra Workload Identities](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz).  

+1. Under **Cloud apps or actions**, select **All cloud apps**. The policy applies only when a service principal requests a token.

+1. Under **Cloud apps or actions**, select **All cloud apps**. The policy applies only when a service principal requests a token.

+You can specify the lifetime of an access, ID, or SAML token issued by the Microsoft identity platform. You can set token lifetimes for all apps in your organization or for a multi-tenant (multi-organization) application. We currently don't support configuring the token lifetimes for service principals or [managed identity service principals](../managed-identities-azure-resources/overview.md).

+For an example, see [Create a policy for web sign-in](configure-token-lifetimes.md).

+You can use PowerShell to find the policies that will be affected by the retirement. Use the [PowerShell cmdlets](configure-token-lifetimes.md#get-started) to see the all policies created in your organization, or to find which apps are linked to a specific policy.

+You can create and then assign a token lifetime policy to a specific application and to your organization. Multiple policies might apply to a specific application. The token lifetime policy that takes effect follows these rules:

+* If a policy is explicitly assigned to the organization, it's enforced.

+* If no policy is explicitly assigned to the organization, the policy assigned to the application is enforced.

+* If no policy has been assigned to the organization or the application object, the default values are enforced. (See the table in [Configurable token lifetime properties](#configurable-token-lifetime-properties).)

+You can configure token lifetime policies and assign them to apps using Microsoft Graph. For more information, see the [tokenLifetimePolicy resource type](/graph/api/resources/tokenlifetimepolicy) and its associated methods.

+These are the cmdlets in the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation).

+| [New-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/new-mgpolicytokenlifetimepolicy) | Creates a new policy. |

+| [Get-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/get-mgpolicytokenlifetimepolicy) | Gets all token lifetime policies or a specified policy. |

+| [Update-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/update-mgpolicytokenlifetimepolicy) | Updates an existing policy. |

+| [Remove-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/remove-mgpolicytokenlifetimepolicy) | Deletes the specified policy. |

+| [New-MgApplicationTokenLifetimePolicyByRef](/powershell/module/microsoft.graph.applications/new-mgapplicationtokenlifetimepolicybyref) | Links the specified policy to an application. |

+| [Get-MgApplicationTokenLifetimePolicyByRef](/powershell/module/microsoft.graph.applications/get-mgapplicationtokenlifetimepolicybyref) | Gets the policies that are assigned to an application. |

+| [Remove-MgApplicationTokenLifetimePolicyByRef](/powershell/module/microsoft.graph.applications/remove-mgapplicationtokenlifetimepolicybyref) | Removes a policy from an application. |

+Service principal policies are not supported.

+1. In the [Azure portal](https://portal.azure.com/), in the **Attributes & Claims** section, select **Edit** to edit the claims.

+### Directory Schema extensions (Preview)

+You can also configure directory schema extension attribute as non-conditional/conditional attribute in Azure AD. The following steps outline how to configure the single or multi-valued directory schema extension attribute as claim:

+1. In the [Azure portal](https://portal.azure.com/), in the **Attributes & Claims** section, select **Edit** to edit the claims.ΓÇ»

+2. Click **Add new claim** or edit an existing claim.ΓÇ»

+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-1.jpg" alt-text="Screenshot of the MultiValue extension configuration section in the Azure portal.":::

+3. Select source application from application picker where extension property is defined.

+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-2.jpg" alt-text="Screenshot of the source application selection in MultiValue extension configuration section in the Azure portal.":::

+4. Click **Add** to add the selection to the claims.

+<!

+5. To select single or multi-valued directory schema extension attribute as conditional attribute select **Directory schema extension** option from the source dropdown.

+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-3.png" alt-text="Screenshot of the MultiValue extension configuration for conditional claims section in the Azure portal.":::

+>

+5. Click **Save** to commit the changes.

+1. Select the source of the attribute by clicking on the appropriate radio button. Directory schema extension source is in preview currently.

+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-4.png" alt-text="Screenshot of claims transformation.":::

+1. Select the attribute name from the dropdown.

+1. Select the **Source** where the claim is going to retrieve its value. You can either select a user attribute from the source attribute dropdown or apply a transformation to the user attribute or a directory schema extension (preview) before emitting it as a claim.

+ Title: Set lifetimes for tokens

+description: Learn how to set lifetimes for access tokens issued by Microsoft identity platform.

+# Configure token lifetime policies (preview)

+In the following steps, you'll implement a common policy scenario that imposes new rules for token lifetime. It's possible to specify the lifetime of an access, SAML, or ID token issued by the Microsoft identity platform. This can be set for all apps in your organization or for a specific service principal. They can also be set for multi-organizations (multi-tenant application).

+For more information, see [configurable token lifetimes](active-directory-configurable-token-lifetimes.md).

+## Get started

+To get started, download the latest [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation).

+## Create a policy for web sign-in

+In the following steps, you'll create a policy that requires users to authenticate less frequently in your web app. This policy sets the lifetime of the access/ID tokens for your web app.

+```powershell

+Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"

+# Create a token lifetime policy

+$params = @{

+ Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"4:00:00"}}')

+ DisplayName = "WebPolicyScenario"

+ IsOrganizationDefault = $false

+}

+$tokenLifetimePolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id

+# Display the policy

+Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId

+# Assign the token lifetime policy to an app

+$params = @{

+ "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId"

+}

+$applicationObjectId="11111111-1111-1111-1111-111111111111"

+New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params

+# List the token lifetime policy on the app

+Get-MgApplicationTokenLifetimePolicy -ApplicationId $applicationObjectId

+# Remove the policy from the app

+Remove-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -TokenLifetimePolicyId $tokenLifetimePolicyId

+# Delete the policy

+Remove-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId

+```

+## View existing policies in a tenant

+To see all policies that have been created in your organization, run the [Get-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/get-mgpolicytokenlifetimepolicy) cmdlet. Any results with defined property values that differ from the defaults listed above are in scope of the retirement.

+```powershell

+Get-MgPolicyTokenLifetimePolicy

+```

+To see which apps are linked to a specific policy that you identified, run [List appliesTo](/graph/api/tokenlifetimepolicy-list-appliesto) with any of your policy IDs.

+```powershell

+GET https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/4d2f137b-e8a9-46da-a5c3-cc85b2b840a4/appliesTo

+```

+## Next steps

+Learn about [authentication session management capabilities](../conditional-access/howto-conditional-access-session-lifetime.md) in Azure AD Conditional Access.

+ Title: Call an ASP.NET Core web API with cURL

+description: Learn how to call a protected ASP.NET Core Web API using the Microsoft identity platform with cURL

+zone_pivot_groups: web-api-howto-prereq

+#Customer intent: As a software developer, I want to call a protected ASP.NET Core Web API using the Microsoft identity platform with cURL

+# Call an ASP.NET Core web API with cURL

+This article shows you how to call a protected ASP.NET Core web API using Client URL (cURL). cURL is a command line tool that developers use to transfer data to and from a server. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using cURL.

+This article shows you how to call a protected ASP.NET Core web API using Client URL (cURL). cURL is a command line tool that developers use to transfer data to and from a server. Following on from the [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md), where you created a protected API, you'll need to register a web application with the Microsoft identity platform to generate an access token. Next, you'll use the token to make an authorized call to the API using cURL.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:

+ - Application administrator

+ - Application developer

+ - Cloud application administrator

+- [Download and install cURL](https://curl.se/download.html) on your workstation computer.

+- A minimum requirement of [.NET Core 6.0 SDK](https://dotnet.microsoft.com/download/dotnet).

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:

+ - Application administrator

+ - Application developer

+ - Cloud application administrator

+- Completion of the tutorial series:

+ - [Tutorial: Register web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md).

+ - [Tutorial: Create and configure an ASP.NET Core project for authentication](web-api-tutorial-02-prepare-api.md).

+ - [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md).

+- [Download and install cURL](https://curl.se/download.html) on your workstation computer.

+## Register an application with the Microsoft identity platform

+The Microsoft identity platform requires your application to be registered before providing identity and access management services. The application registration allows you to specify the name, and type of the application, and the sign-in audience. The sign-in audience specifies what types of user accounts are allowed to sign-in to a given application.

+### Register the web API

+Follow these steps to create the web API registration:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations > New registration**.

+1. Enter a **Name** for the application, such as *NewWebAPI1*.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option.

+1. Select **Register**.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type.":::

+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page.":::

+> [!NOTE]

+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).

+#### Expose the API

+Once the API is registered, you can configure its permission by defining the scopes that the API exposes to client applications. Client applications request permission to perform operations by passing an access token along with its requests to the protected web API. The web API then performs the requested operation only if the access token it receives is valid.

+1. Under **Manage**, select **Expose an API > Add a scope**. Accept the proposed **Application ID URI** `(api://{clientId})` by selecting **Save and continue**. The `{clientId}` is the value recorded from the **Overview** page. Then enter the following information:

+ 1. For **Scope name**, enter `Forecast.Read`.

+ 1. For **Who can consent**, ensure that the **Admins and users** option is selected.

+ 1. In the **Admin consent display name** box, enter `Read forecast data`.

+ 1. In the **Admin consent description** box, enter `Allows the application to read weather forecast data`.

+ 1. In the **User consent display name** box, enter `Read forecast data`.

+ 1. In the **User consent description** box, enter `Allows the application to read weather forecast data`.

+ 1. Ensure that the **State** is set to **Enabled**.

+1. Select **Add scope**. If the scope has been entered correctly, it'll be listed in the **Expose an API** pane.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/add-a-scope-inline.png" alt-text="Screenshot that shows the field values when adding the scope to an API." lightbox="./media/web-api-tutorial-01-register-app/add-a-scope-expanded.png":::

+### Register the web app

+Having a web API isn't enough however, as a web app is also needed to obtain an access token to access the web API you've created.

+Follow these steps to create the web app registration:

+1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations** > **New registration**.

+1. Enter a **Name** for the application, such as `web-app-calls-web-api`.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.

+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.

+1. Select **Register**.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations** > **New registration**.

+1. Enter a Name for the application, such as `web-app-calls-web-api`.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.

+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.

+1. Select **Register**.

+When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps.

+#### Add a client secret

+A client secret is a string value your app can use to identity itself, and is sometimes referred to as an *application password*. The web app uses the client secret to prove its identity when it requests tokens.

+Follow these steps to configure a client secret:

+1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.

+1. Add a description for your client secret, for example *My client secret*.

+1. Select an expiration for the secret or specify a custom lifetime.

+ - A client secret's lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.

+ - Microsoft recommends that you set an expiration value of less than 12 months.

+1. Select **Add**.

+1. Be sure to record the **Value** of the client secret. This secret value is **never displayed again** after you leave this page.

+#### Add application permissions to allow access to a web API

+By specifying a web API's scopes in the web app registration, the web app can obtain an access token containing the scopes provided by the Microsoft identity platform. Within the code, the web API can then provide permission-based access to its resources based on the scopes found in the access token.

+Follow these steps to configure the web app permissions to the web API:

+1. From the **Overview** pane of your web application in the Azure portal (*web-app-that-calls-web-api*), under **Manage**, select **API permissions** > **Add a permission** > **My APIs**.

+1. Select **NewWebAPI1** or the API that you wish to add permissions to.

+1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user.

+1. Select **Add permissions** to complete the process.

+After adding these permissions to your API, you should see the selected permissions under **Configured permissions**.

+You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal.

+## Test the web API

+1. Clone the [ms-identity-docs-code-dotnet](https://github.com/Azure-Samples/ms-identity-docs-code-dotnet) repository.

+ ```bash

+ git clone https://github.com/Azure-Samples/ms-identity-docs-code-dotnet.git

+ ```

+1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `./appsettings.json` file, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with:

+ - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal.

+ - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal.

+1. Execute the following command to start the app:

+ ### [.NET 6.0](#tab/dotnet6)

+

+ ```bash

+ dotnet run

+ ```

+

+ ### [.NET 7.0](#tab/dotnet7)

+

+ ```bash

+ dotnet run --launch-profile https

+ ```

+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.

+ ```bash

+ ...

+ info: Microsoft.Hosting.Lifetime[14]

+ Now listening on: https://localhost:{port}

+ ...

+ ```

+## Test the web API

+1. Navigate to the web API that was created in [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md), for example *NewWebAPILocal*, and open the folder.

+1. Open a new terminal window and navigate to the folder where the web API project is located.

+### [.NET 6.0](#tab/dotnet6)

+

+1. Execute the following command to start the app:

+

+ ```bash

+ dotnet run

+ ```

+

+### [.NET 7.0](#tab/dotnet7)

+

+1. Execute the following command to start the app on the `https` profile:

+

+ ```bash

+ dotnet run --launch-profile https

+ ```

+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.

+ ```bash

+ ...

+ info: Microsoft.Hosting.Lifetime[14]

+ Now listening on: https://localhost:{port}

+ ...

+ ```

+### Request an authorization code

+The authorization code flow begins with the client directing the user to the `/authorize` endpoint. In this request, the client requests the `Forecast.Read` permission from the user.

+ ```http

+ https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?client_id={web-app-calls-web-api_application_client_id}&response_type=code&redirect_uri=http://localhost&response_mode=query&scope=api://{web_API_application_client_id}/Forecast.Read

+ ```

+1. Copy the URL, replace the following parameters and paste it into your browser:

+ - `{tenant_id}` is the web app **Directory (tenant) ID**. This should be the same value across both of the applications's **Overview** pane **App registrations** in the Azure portal.

+ - `{web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web app's (*web-app-calls-web-api*) **Overview** pane in the Azure portal.

+ - `{web_API_application_client_id}` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane in the Azure portal.

+1. Sign in as a user in the Azure AD tenant in which the apps are registered. Consent to any requests for access, if necessary.

+1. Your browser will be redirected to `http://localhost/`. Refer to your browser's navigation bar and copy the `{authorization_code}` to use in the following steps. The URL takes the form of the following snippet:

+ ```http

+ http://localhost/?code={authorization_code}

+ ```

+### Use an authorization code and cURL to get an access token

+cURL can now be used to request an access token from the Microsoft identity platform.

+1. Copy the cURL command in the following snippet. Replace the values in parentheses with the following parameters to your terminal. Be sure to remove the parentheses:

+ ```bash

+ curl -X POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token \

+ -d 'client_id={web-app-calls-web-api_application_client_id}' \

+ -d 'api://{web_API_application_client_id}/Forecast.Read' \

+ -d 'code={authorization_code}&session_state={web-app-calls-web-api_application_client_id}' \

+ -d 'redirect_uri=http://localhost' \

+ -d 'grant_type=authorization_code' \

+ -d 'client_secret={client_secret}'

+ ```

+ - `{tenant_id}` is the web app **Directory (tenant) ID**. This should be the same value across both of the applications's **Overview** pane **App registrations** in the Azure portal.

+ - `client_id={web-app-calls-web-api_application_client_id}`, and `session_state={web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web application's (*web-app-calls-web-api*) **Overview** pane in the Azure portal.

+ - `api://{web_API_application_client_id}/Forecast.Read` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane in the Azure portal.

+ - `code={authorization_code}` is the authorization code that was received in [Request an authorization code](#request-an-authorization-code). This enables the cURL tool to request an access token.

+ - `client_secret={client_secret}` is the client secret **Value** recorded in [Add a client secret](#add-a-client-secret).

+

+1. Run the cURL command and if entered correctly, you should receive a JSON response similar to the following output:

+ ```json

+ {

+ "token_type": "Bearer",

+ "scope": "api://{web_API_application_client_id}/Forecast.Read",

+ "expires_in": 3600,

+ "ext_expires_in": 3600,

+ "access_token": "{access_token}"

+ }

+ ```

+### Call web API with access token

+By running the previous cURL command, the Microsoft identity platform has provided an access token. The acquired token can now be used as a bearer in an HTTP request to call the web API.

+1. To call the web API, copy the following cURL command, replace the following values in parentheses and paste it into your terminal:

+ ```bash

+ curl -X GET https://localhost:{port}/weatherforecast -ki \

+ -H 'Content-Type: application/json' \

+ -H "Authorization: Bearer {access_token}"

+ ```

+ - `{access_token}` the access token value recorded from the JSON output in the previous section.

+ - `{port}` the port number from the web API recorded when running the API in the terminal. Ensure it's the `https` port number.

+1. With a valid access token included in the request, the expected response is `HTTP/2 200` with output similar to the following output:

+ ```bash

+ HTTP/2 200

+ content-type: application/json; charset=utf-8

+ date: Day, DD Month YYYY HH:MM:SS

+ server: Kestrel

+ [{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":36,"summary":"Hot","temperatureF":96},{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":43,"summary":"Warm","temperatureF":109},{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":18,"summary":"Warm","temperatureF":64},{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":50,"summary":"Chilly","temperatureF":121},{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":3,"summary":"Bracing","temperatureF":37}]

+ ```

+## Next steps

+For more information about OAuth 2.0 authorization code flow and application types, see:

+- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)

+- [Application types for the Microsoft identity platform](v2-app-types.md#web-apps)

+ Title: Call an ASP.NET Core web API with Postman

+description: Learn how to call a protected ASP.NET Core Web API using the Microsoft identity platform and Postman

+zone_pivot_groups: web-api-howto-prereq

+#Customer intent: As a software developer, I want to call a protected ASP.NET Core Web API using the Microsoft identity platform with Postman

+# Call an ASP.NET Core web API with Postman

+This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using Postman.

+This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. Following on from the [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md), where you created a protected API, you'll need to register a web application with the Microsoft identity platform to generate an access token. Next, you'll use the token to make an authorized call to the API using Postman.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:

+ - Application administrator

+ - Application developer

+ - Cloud application administrator

+- [Download and install Postman](https://www.postman.com/downloads/).

+- A minimum requirement of [.NET Core 6.0 SDK](https://dotnet.microsoft.com/download/dotnet).

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:

+ - Application administrator

+ - Application developer

+ - Cloud application administrator

+- Completion of the tutorial series:

+ - [Tutorial: Register web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md).

+ - [Tutorial: Create and configure an ASP.NET Core project for authentication](web-api-tutorial-02-prepare-api.md).

+ - [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md).

+- [Download and install Postman](https://www.postman.com/downloads/).

+## Register an application with the Microsoft identity platform

+The Microsoft identity platform requires your application to be registered before providing identity and access management services. The application registration allows you to specify the name and type of the application and the sign-in audience. The sign-in audience specifies what types of user accounts are allowed to sign-in to a given application.

+### Register the web API

+Follow these steps to create the web API registration:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations > New registration**.

+1. Enter a **Name** for the application, such as *NewWebAPI1*.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option.

+1. Select **Register**.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type.":::

+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page.":::

+> [!NOTE]

+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).

+#### Expose the API

+Once the API is registered, you can configure its permission by defining the scopes that the API exposes to client applications. Client applications request permission to perform operations by passing an access token along with its requests to the protected web API. The web API then performs the requested operation only if the access token it receives is valid.

+1. Under **Manage**, select **Expose an API > Add a scope**. Accept the proposed **Application ID URI** `(api://{clientId})` by selecting **Save and continue**. The `{clientId}` is the value recorded from the **Overview** page. Then enter the following information:

+ 1. For **Scope name**, enter `Forecast.Read`.

+ 1. For **Who can consent**, ensure that the **Admins and users** option is selected.

+ 1. In the **Admin consent display name** box, enter `Read forecast data`.

+ 1. In the **Admin consent description** box, enter `Allows the application to read weather forecast data`.

+ 1. In the **User consent display name** box, enter `Read forecast data`.

+ 1. In the **User consent description** box, enter `Allows the application to read weather forecast data`.

+ 1. Ensure that the **State** is set to **Enabled**.

+1. Select **Add scope**. If the scope has been entered correctly, it's listed in the **Expose an API** pane.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/add-a-scope-inline.png" alt-text="Screenshot that shows the field values when adding the scope to an API." lightbox="./media/web-api-tutorial-01-register-app/add-a-scope-expanded.png":::

+

+### Register the web app

+Having a web API isn't enough however, as a web app is also needed to obtain an access token to access the web API you've created.

+Follow these steps to create the web app registration:

+1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations** > **New registration**.

+1. Enter a **Name** for the application, such as `web-app-calls-web-api`.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.

+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.

+1. Select **Register**.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations** > **New registration**.

+1. Enter a Name for the application, such as `web-app-calls-web-api`.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.

+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.

+1. Select **Register**.

+When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps.

+#### Add a client secret

+A client secret is a string value your app can use to identity itself, and is sometimes referred to as an *application password*. The web app uses the client secret to prove its identity when it requests tokens.

+Follow these steps to configure a client secret:

+1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.

+1. Add a description for your client secret, for example *My client secret*.

+1. Select an expiration for the secret or specify a custom lifetime.

+ - A client secret's lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.

+ - Microsoft recommends that you set an expiration value of less than 12 months.

+1. Select **Add**.

+1. Be sure to record the **Value** of the client secret. This secret value is **never displayed again** after you leave this page.

+#### Add permissions to access your web API

+By specifying a web API's scopes, the web app can obtain an access token containing the scopes provided by the Microsoft identity platform. Within the code, the web API can then provide permission-based access to its resources based on the scopes found in the access token.

+Follow these steps to configure client's permissions to the web API:

+1. From the **Overview** pane of your application in the Azure portal, under **Manage**, select **API permissions** > **Add a permission** > **My APIs**.

+1. Select **NewWebAPI1** or the API that you wish to add permissions to.

+1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user.

+1. Select **Add permissions** to complete the process.

+After adding these permissions to your API, you should see the selected permissions under **Configured permissions**.

+You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal.

+## Test the web API

+1. Clone the [ms-identity-docs-code-dotnet](https://github.com/Azure-Samples/ms-identity-docs-code-dotnet) repository.

+

+ ```bash

+ git clone https://github.com/Azure-Samples/ms-identity-docs-code-dotnet.git

+ ```

+1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `appsettings.json`, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with:

+ - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal.

+ - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal.

+1. Execute the following command to start the app:

+ ```bash

+ dotnet run

+ ```

+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.

+ ```bash

+ ...

+ info: Microsoft.Hosting.Lifetime[14]

+ Now listening on: https://localhost:{port}

+ ...

+ ```

+## Test the web API

+1. Navigate to the web API that was created in [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md), for example *NewWebAPILocal*, and open the folder.

+1. Open a new terminal window and navigate to the folder where the web API project is located.

+ ### [.NET 6.0](#tab/dotnet6)

+

+ 1. Execute the following command to start the app:

+

+ ```bash

+ dotnet run

+ ```

+

+ ### [.NET 7.0](#tab/dotnet7)

+

+ 1. Open a new terminal and execute the following command to start the app on the `https` profile:

+

+ ```bash

+ dotnet run -launch-profile https`

+ ```

+

+

+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.

+ ```bash

+ ...

+ info: Microsoft.Hosting.Lifetime[14]

+ Now listening on: https://localhost:{port}

+ ...

+ ```

+### Configure an authorized request to the web API in Postman

+1. Launch the **Postman** application.

+1. In the main Postman window, find **Create a new request** and select **HTTP Request**.

+1. In the top bar, ensure that **GET** is selected from the dropdown menu.

+1. For the request URL, enter the URL of the endpoint exposed by the web API, `https://localhost:{port}/weatherforecast`.

+1. Select the **Authorization** tab to configure Postman to obtain a token from the Microsoft Identity platform that will grant access to the web API.

+1. Enter the following values in the **Authorization** tab:

+ | Setting | Value |

+ |--|-|

+ | Auth URL | `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize` <br/> Replace `{tenantId}` with the **Directory (tenant) ID** |

+ | Access Token URL | `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token` <br/> Replace `{tenantId}` with the **Directory (tenant) ID** |

+ | Client ID | The **Application (client) ID** value of your web app registration |

+ | Client Secret | The client secret **Value** of your web app registration |

+ | Scope | `api://{application_client_id}/Forecast.Read` <br/> Navigate to your web app registration, under **Manage**, select **API permissions**, then select **Forecast.Read** <br/> Copy the value in the textbox, which contains the **Scope** value |

+

+#### Get an access token and send a request to the web API

+1. Once these values are entered select the **Get New Access Token** button. This launches a Postman browser window where you authenticate with your user credentials. Be sure to allow pop ups from the Postman application in the browser.

+1. After authenticating, a new Postman generated pop-up window will appear. Select the **Use Token** button in Postman to provide the access token in the request.

+1. Select **Send** to send the request to the protected web API endpoint.

+With a valid access token included in the request, the expected response is 200 OK with output similar to:

+```json

+[

+ {

+ "date": "YYYY-MM-DDTHH:MM:SS",

+ "temperatureC": -16,

+ "summary": "Scorching",

+ "temperatureF": 4

+ },

+ {

+ "date": "YYYY-MM-DDTHH:MM:SS",

+ "temperatureC": 1,

+ "summary": "Sweltering",

+ "temperatureF": 33

+ },

+ {

+ "date": "YYYY-MM-DDTHH:MM:SS",

+ "temperatureC": 26,

+ "summary": "Freezing",

+ "temperatureF": 78

+ },

+ {

+ "date": "YYYY-MM-DDTHH:MM:SS",

+ "temperatureC": 54,

+ "summary": "Mild",

+ "temperatureF": 129

+ },

+ {

+ "date": "YYYY-MM-DDTHH:MM:SS",

+ "temperatureC": 11,

+ "summary": "Bracing",

+ "temperatureF": 51

+ }

+]

+```

+## Next steps

+For more information about OAuth 2.0 authorization code flow and application types, see:

+- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)

+- [Application types for the Microsoft identity platform](v2-app-types.md#web-apps)

+In the Python sample, the code that calls the API is in [app.py#L60-71](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.5.0/app.py#L60-71).

+The code attempts to get a token from the token cache. If it can't get a token, it redirects the user to the sign-in route. Otherwise, it can proceed to call the API.

+# [ASP.NET Core](#tab/aspnetcore)

+Move on to the next article in this scenario,

+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=aspnetcore).

+# [ASP.NET](#tab/aspnet)

+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=aspnet).

+# [Java](#tab/java)

+Move on to the next article in this scenario,

+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=java).

+# [Python](#tab/python)

+Move on to the next article in this scenario,

+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=python).

+Your web app needs to acquire a token for the downstream API. You specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApp(Configuration)`. This line exposes the `ITokenAcquisition` service that you can use in your controller and page actions. However, as you'll see in the following two options, it can be done more simply. You'll also need to choose a token cache implementation, for example `.AddInMemoryTokenCaches()`, in *Startup.cs*:

+The scopes passed to `EnableTokenAcquisitionToCallDownstreamApi` are optional, and enable your web app to request the scopes and the user's consent to those scopes when they sign in. If you don't specify the scopes, *Microsoft.Identity.Web* enables an incremental consent experience.

+The following image shows the various possibilities of *Microsoft.Identity.Web* and their effect on the *Startup.cs* file:

+- When the authorization code is received, the code uses MSAL libraries to redeem it. The resulting access tokens and refresh tokens are stored in the token cache. The cache can be used in other parts of the application, such as controllers, to acquire other tokens silently.

+Code snippets in this article and the following are extracted from the [Python web application calling Microsoft graph](https://github.com/Azure-Samples/ms-identity-python-webapp) sample using the [identity package](https://pypi.org/project/identity/) (a wrapper around MSAL Python).

+The sample uses the identity package to produce the authorization-code URL and handles the navigation to the authorization endpoint for the Microsoft identity platform. You might want to refer to the sample for full implementation details.

+ASP.NET handles things similarly to ASP.NET Core, except that the configuration of OpenID Connect and the subscription to the `OnAuthorizationCodeReceived` event happen in the [App_Start\Startup.Auth.cs](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/a2da310539aa613b77da1f9e1c17585311ab22b7/WebApp/App_Start/Startup.Auth.cs) file. The concepts are also similar to those in ASP.NET Core, except that in ASP.NET you must specify the `RedirectUri` in [Web.config#L15](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Web.config#L15). This configuration is a bit less robust than the one in ASP.NET Core, because you need to change it when you deploy your application.

+See [Web app that signs in users: Code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=python#initialization-code) to understand how the Python sample gets the authorization code.

+The Microsoft sign-in screen sends the authorization code to the `/getAToken` URL that was specified in the app registration. The `auth_response` route handles that URL, calling `auth.complete_login` to process the authorization code, and then either returning an error or redirecting to the home page.

+See [app.py](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.5.0/app.py#L36-41) for the full context of that code.

+Instead of a client secret, the confidential client application can also prove its identity by using a client certificate or a client assertion.

+The ASP.NET core tutorial uses dependency injection to let you decide the token cache implementation in the Startup.cs file for your application. Microsoft.Identity.Web comes with prebuilt token-cache serializers described in [Token cache serialization](msal-net-token-cache-serialization.md). An interesting possibility is to choose ASP.NET Core [distributed memory caches](/aspnet/core/performance/caching/distributed#distributed-memory-cache):

+- add the Microsoft.Identity.Web NuGet package. These token cache serializers aren't brought in MSAL.NET directly to avoid unwanted dependencies. In addition to a higher level for ASP.NET Core, Microsoft.Identity.Web brings classes that are helpers for MSAL.NET,

+Instead of `clientapp.AddInMemoryTokenCache()`, you can also use more advanced cache serialization implementations like Redis, SQL, Cosmos DB, or distributed memory. Here's an example for Redis:

+In the Python sample, the identity package takes care of the token cache, using the global `session` object for storage.

+Flask has built-in support for sessions stored in a cookie, but due to the length of the identity cookies, the sample uses the [Flask-session](https://flask-session.readthedocs.io/) package instead. Everything is initialized in *app.py*:

+Due to the `SESSION_TYPE="filesystem"` setting in `app_config.py`, the Flask-session package stores sessions using the local file system.

+For production, you should use [a setting](https://flask-session.readthedocs.io/en/latest/#configuration) that persists across multiple instances and deploys of your app, such as "sqlachemy" or "redis".

+# [ASP.NET Core](#tab/aspnetcore)

+Move on to the next article in this scenario,

+[Remove accounts from the cache on global sign out](scenario-web-app-call-api-sign-in.md?tabs=aspnetcore).

+# [ASP.NET](#tab/aspnet)

+Move on to the next article in this scenario,

+[Remove accounts from the cache on global sign out](scenario-web-app-call-api-sign-in.md?tabs=aspnet).

+# [Java](#tab/java)

+Move on to the next article in this scenario,

+[Remove accounts from the cache on global sign out](scenario-web-app-call-api-sign-in.md?tabs=java).

+# [Python](#tab/python)

+Move on to the next article in this scenario,

+[Remove accounts from the cache on global sign out](scenario-web-app-call-api-sign-in.md?tabs=python).

+After successfully retrieving a token, the code uses the requests package to query the API endpoint and retrieve a JSON result.

+Code snippets in this article and the following are extracted from the [Python web application calling Microsoft graph](https://github.com/Azure-Samples/ms-identity-python-webapp) sample using the [identity package](https://pypi.org/project/identity/) (a wrapper around MSAL Python).

+Web applications that sign in users by using the Microsoft identity platform are configured through configuration files. Those files must specify the following values:

+- The cloud **instance** if you want your app to run in national clouds, for example. The different options include;

+- The audience in the **tenant ID**. The options vary depending on whether your app is single tenant or multitenant.

+ - The tenant GUID obtained from the Azure portal to sign in users in your organization. You can also use a domain name.

+- The **client ID** for your application, as copied from the Azure portal

+You might also see references to the **authority**, a concatenation of the **instance** and **tenant ID** values.

+The configuration parameters are set in *.env* as environment variables:

+```bash

+CLIENT_ID=<client id>

+CLIENT_SECRET=<client secret>

+TENANT_ID=<tenant id>

+Those environment variables are referenced in *app_config.py*:

+The *.env* file should never be checked into source control, since it contains secrets. The quickstart sample includes a *.gitignore* file that prevents the *.env* file from being checked in.

+> If you want to start directly with the new ASP.NET Core templates for Microsoft identity platform, that leverage Microsoft.Identity.Web, you can download a preview NuGet package containing project templates for .NET 5.0. Then, once installed, you can directly instantiate ASP.NET Core web applications (MVC or Blazor). See [Microsoft.Identity.Web web app project templates](https://aka.ms/ms-id-web/webapp-project-templates) for details. This is the simplest approach as it will do all the following steps for you.

+1. Add the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) and [Microsoft.Identity.Web.UI](https://www.nuget.org/packages/Microsoft.Identity.Web.UI) NuGet packages to your project. Remove the `Microsoft.AspNetCore.Authentication.AzureAD.UI` NuGet package if it's present.

+In that code:

+The Node sample uses the Express framework. MSAL is initialized in *auth* route handler:

+The Python sample is built with the Flask framework, though other frameworks like Django could be used as well. The Flask app is initialized with the app configuration at the top of *app.py*:

+Then the code constructs an [`auth` object](https://identity-library.readthedocs.io/en/latest/#identity.web.Auth) using the [identity package](https://pypi.org/project/identity/).

+ 1. Select **Accounts in any organizational directory and personal Microsoft Accounts**.

+1. On the app's **Overview** page, find the **Application (client) ID** value and record it for later. You'll need it to configure the *.env* file for this project.

+ 1. Enter a key description. Leave the default expiration.

+ 1. Save the **Value** of the **Client Secret** in a safe location. You'll need it to configure the code, and you can't retrieve it later.

+Write-Host "Connecting to Microsoft Graph"

+if ($tenantId -eq "") {

+ Connect-MgGraph -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All" -Environment $azureEnvironmentName

+}

+else {

+ Connect-MgGraph -TenantId $tenantId -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All" -Environment $azureEnvironmentName

+}

+

+$context = Get-MgContext

+$tenantId = $context.TenantId

+# Get the user running the script

+$currentUserPrincipalName = $context.Account

+$user = Get-MgUser -Filter "UserPrincipalName eq '$($context.Account)'"

+# get the tenant we signed in to

+$Tenant = Get-MgOrganization

+$tenantName = $Tenant.DisplayName

+

+$verifiedDomain = $Tenant.VerifiedDomains | where {$_.Isdefault -eq $true}

+$verifiedDomainName = $verifiedDomain.Name

+$tenantId = $Tenant.Id

+Write-Host ("Connected to Tenant {0} ({1}) as account '{2}'. Domain is '{3}'" -f $Tenant.DisplayName, $Tenant.Id, $currentUserPrincipalName, $verifiedDomainName)

+# Create the webApp AAD application

+Write-Host "Creating the AAD application (WebApp)"

+# create the application

+$webAppAadApplication = New-MgApplication -DisplayName "WebApp" `

+ -Web `

+ @{ `

+ RedirectUris = "https://localhost:44321/", "https://localhost:44321/signin-oidc"; `

+ HomePageUrl = "https://localhost:44321/"; `

+ LogoutUrl = "https://localhost:44321/signout-oidc"; `

+ } `

+ -SignInAudience AzureADandPersonalMicrosoftAccount `

+ #end of command

+$currentAppId = $webAppAadApplication.AppId

+$currentAppObjectId = $webAppAadApplication.Id

+$tenantName = (Get-MgApplication -ApplicationId $currentAppObjectId).PublisherDomain

+#Update-MgApplication -ApplicationId $currentAppObjectId -IdentifierUris @("https://$tenantName/WebApp")

+

+# create the service principal of the newly created application

+$webAppServicePrincipal = New-MgServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}

+# add the user running the script as an app owner if needed

+$owner = Get-MgApplicationOwner -ApplicationId $currentAppObjectId

+if ($owner -eq $null)

+{

+ New-MgApplicationOwnerByRef -ApplicationId $currentAppObjectId -BodyParameter = @{"@odata.id" = "htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}

+ Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($webAppServicePrincipal.DisplayName)'"

+}

+Write-Host "Done creating the webApp application (WebApp)"

+# [ASP.NET Core](#tab/aspnetcore)

+Move on to the next article in this scenario,

+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=aspnetcore).

+# [ASP.NET](#tab/aspnet)

+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=aspnet).

+# [Java](#tab/java)

+Move on to the next article in this scenario,

+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=java).

+# [Node.js](#tab/nodejs)

+Move on to the next article in this scenario,

+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=nodejs).

+# [Python](#tab/python)

+Move on to the next article in this scenario,

+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=python).

+In the Python quickstart, the code for the sign-in link is located in *login.html* template file.

+When an unauthenticated user visits the home page, the `index` route in *app.py* redirects the user to the `login` route.

+The `login` route figures out the appropriate `auth_uri` and renders the *login.html* template.

+When the user selects the **Sign in** link, they're brought to the Microsoft Identity Platform authorization endpoint.

+A successful sign-in redirects the user to the `auth_response` route, which completes the sign-in process using [`auth.complete_login`](https://identity-library.readthedocs.io/en/latest/#identity.web.Auth.complete_log_in), renders errors if any, and redirects the now authenticated user to the home page.

+In the Python quickstart, the sign-out button is located in the *templates/https://docsupdatetracker.net/index.html* file.

+When the user selects **Logout**, the app triggers the `logout` route, which redirects the browser to the Microsoft identity platform sign-out endpoint.

+In the Python quickstart, the post-logout redirect URI just displays the *https://docsupdatetracker.net/index.html* page.

+ Title: "Tutorial: Register a Single-page application with the Microsoft identity platform"

+description: Register an application in an Azure Active Directory tenant.

+#Customer intent: As a React developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue access tokens to client applications that request them.

+# Tutorial: Register a Single-page application with the Microsoft identity platform

+To interact with the Microsoft identity platform, Azure Active Directory (Azure AD) must be made aware of the application you create. This tutorial shows you how to register a single-page application (SPA) in a tenant on the Azure portal.

+In this tutorial:

+> [!div class="checklist"]

+> * Register the application in a tenant

+> * Add a Redirect URI to the application

+> * Record the application's unique identifiers

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+* This Azure account must have permissions to manage applications. Any of the following Azure AD roles include the required permissions:

+ * Application administrator

+ * Application developer

+ * Cloud application administrator

+## Register the application and record identifiers

+To complete registration, provide the application a name, specify the supported account types, and add a redirect URI. Once registered, the application **Overview** pane displays the identifiers needed in the application source code.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations > New registration**.

+1. Enter a **Name** for the application, such as *NewSPA1*.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.

+1. Under **Redirect URI (optional)**, use the drop-down menu to select **Single-page-application (SPA)** and enter `http://localhost:3000` into the text box.

+1. Select **Register**.

+ :::image type="content" source="./media/single-page-app-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type in the Azure portal.":::

+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.

+ :::image type="content" source="./media/single-page-app-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page on the Azure portal.":::

+ >[!NOTE]

+ > The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Prepare an application for authentication](single-page-app-tutorial-02-prepare-spa.md)

+ Title: "Tutorial: Prepare an application for authentication"

+description: Register a tenant application and configure it for a React SPA.

+#Customer intent: As a React developer, I want to know how to create a new React project in an IDE and add authentication.

+# Tutorial: Prepare a Single-page application for authentication

+After registration is complete, a React project can be created using an integrated development environment (IDE). This tutorial demonstrates how to create a single-page React application using `npm` and create files needed for authentication and authorization.

+In this tutorial:

+> [!div class="checklist"]

+> * Create a new React project

+> * Configure the settings for the application

+> * Install identity and bootstrap packages

+> * Add authentication code to the application

+## Prerequisites

+* Completion of the prerequisites and steps in [Tutorial: Register an application](single-page-app-tutorial-01-register-app.md).

+* Although any IDE that supports React applications can be used, the following Visual Studio IDEs are used for this tutorial. They can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page. For macOS users, it's recommended to use Visual Studio Code.

+ - Visual Studio 2022

+ - Visual Studio Code

+* [Node.js](https://nodejs.org/en/download/).

+## Create a new React project

+Use the following tabs to create a React project within the IDE.

+### [Visual Studio](#tab/visual-studio)

+1. Open Visual Studio, and then select **Create a new project**.

+1. Search for and choose the **Standalone JavaScript React Project** template, and then select **Next**.

+1. Enter a name for the project, such as *reactspalocal*.

+1. Choose a location for the project or accept the default option, and then select **Next**.

+1. In **Additional information**, select **Create**.

+1. From the toolbar, select **Start Without Debugging** to launch the application. A web browser will open with the address `http://localhost:3000/` by default. The browser remains open and re-renders for every saved change.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project.

+1. Open a new terminal by selecting **Terminal** > **New Terminal**.

+1. Run the following commands to create a new React project with the name *reactspalocal*, change to the new directory and start the React project. A web browser will open with the address `http://localhost:3000/` by default. The browser remains open and re-renders for every saved change.

+ ```powershell

+ npx create-react-app reactspalocal

+ cd reactspalocal

+ npm start

+ ```

+## Install identity and bootstrap packages

+Identity related **npm** packages must be installed in the project to enable user authentication. For project styling, **Bootstrap** will be used.

+### [Visual Studio](#tab/visual-studio)

+1. In the **Solution Explorer**, right-click the **npm** option and select **Install new npm packages**.

+1. Search for **@azure/msal-browser**, then select **Install Package**. Repeat for **@azure/msal-react** and **@azure/msal-common**.

+1. Search for and install **react-bootstrap**.

+1. Select **Close**.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. In the **Terminal** bar, select the **+** icon to create a new terminal. A separate terminal window will open with the previous node terminal continuing to run in the background.

+1. Ensure that the correct directory is selected (*reactspalocal*) then enter the following into the terminal to install the relevant `msal` and `bootstrap` packages.

+ ```powershell

+ npm install @azure/msal-browser @azure/msal-react

+ npm install react-bootstrap bootstrap

+ ```

+To learn more about these packages refer to the documentation in [msal-browser](/javascript/api/@azure/msal-browser), [msal-common](/javascript/api/@azure/msal-common), [msal-react](/javascript/api/@azure/msal-react).

+## Creating the authentication configuration file

+### [Visual Studio](#tab/visual-studio)

+1. In the **Solution Explorer**, right-click the *src* folder and select **Add** > **New Item**.

+1. Name the file *authConfig.js*, and select **Add**.

+1. Open *authConfig.js* and replace the code with the following code snippet.

+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/authConfig.js" :::

+1. Replace the following values with the values from the Azure portal.

+ - `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.

+ - `authority` - This is composed of two parts:

+ - The *Instance* is endpoint of the cloud provider. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints).

+ - The *Tenant ID* is the identifier of the tenant where the application is registered. Replace the `_Enter_the_Tenant_Info_Here` with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. In the *src* folder, create a new file called *authConfig.js*.

+1. Open *authConfig.js* and add the following code snippet:

+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/authConfig.js" :::

+1. Replace the following values with the values from the Azure portal.

+ - `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.

+ - `authority` - This is composed of two parts:

+ - The *Instance* is endpoint of the cloud provider. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints).

+ - The *Tenant ID* is the identifier of the tenant where the application is registered. Replace the `_Enter_the_Tenant_Info_Here` with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.

+## Modify *index.js* to include the authentication provider

+All parts of the app that require authentication must be wrapped in the [`MsalProvider`](/javascript/api/@azure/msal-react/#@azure-msal-react-msalprovider) component. You instantiate a [PublicClientApplication](/javascript/api/@azure/msal-browser/publicclientapplication) then pass it to `MsalProvider`.

+1. In the *src* folder, open the *index.js* file and replace the contents of the file with the following code snippet to use the `msal` packages and bootstrap styling:

+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/index.js" :::

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Create components for sign in and sign out in a React single-page app](single-page-app-tutorial-03-sign-in-users.md)

+ Title: "Tutorial: Create components for sign in and sign out in a React single-page app"

+description: Add sign in and sign out components to your React single-page app

+#Customer intent: As a React developer, I want to know how to use functional components to add sign in and sign out experiences in my React application.

+# Tutorial: Create components for sign in and sign out in a React single page app

+Functional components are the building blocks of React apps. This tutorial demonstrates how functional components can be used to build the sign in and sign out experience in a React single-page app (SPA). The `useMsal` hook is used to retrieve an access token to allow user sign in.

+In this tutorial:

+> [!div class="checklist"]

+>

+> - Add components to the application

+> - Create a way of displaying the user's profile information

+> - Create a layout that displays the sign in and sign out experience

+> - Add the sign in and sign out experiences

+## Prerequisites

+* Completion of the prerequisites and steps in [Tutorial: Prepare an application for authentication](single-page-app-tutorial-02-prepare-spa.md).

+## Adding components to the application

+The project needs extra files to be created for the page layout, displaying profile data, sign in and sign out options.

+### [Visual Studio](#tab/visual-studio)

+1. In the Solution Explorer, open the *src* folder.

+1. Select **Add** > **New Folder** and name it *components*.

+1. Open the *components* folder, and select **Add** > **New Item**.

+1. Search for and select **JSX file**, and create the following four files:

+ - *PageLayout.jsx*

+ - *ProfileData.jsx*

+ - *SignInButton.jsx*

+ - *SignOutButton.jsx*

+### [Visual Studio Code](#tab/visual-studio-code)

+1. Navigate to the *src* folder in the left panel.

+1. Right click on *src*, select **New Folder** and call it *components*.

+1. Right click on *components* and using the **New File** option, create the following four files;

+ - *PageLayout.jsx*

+ - *ProfileData.jsx*

+ - *SignInButton.jsx*

+ - *SignOutButton.jsx*

+Once complete, you should have the following folder structure.

+```txt

+reactspalocal/

+Γö£ΓöÇΓöÇ src/

+Γöé Γö£ΓöÇΓöÇ components/

+Γöé Γöé Γö£ΓöÇΓöÇ PageLayout.jsx

+Γöé Γöé Γö£ΓöÇΓöÇ ProfileData.jsx

+Γöé Γöé Γö£ΓöÇΓöÇ SignInButton.jsx

+Γöé Γöé ΓööΓöÇΓöÇ SignOutButton.jsx

+Γöé ΓööΓöÇΓöÇ ...

+ΓööΓöÇΓöÇ ...

+```

+### Adding the page layout

+1. Open *PageLayout.jsx* and add the following code to render the page layout. The [useIsAuthenticated](/javascript/api/@azure/msal-react) hook returns whether or not a user is currently signed-in.

+ ```javascript

+ /*

+ * Copyright (c) Microsoft Corporation. All rights reserved.

+ * Licensed under the MIT License.

+ */

+ import React from "react";

+ import Navbar from "react-bootstrap/Navbar";

+ import { useIsAuthenticated } from "@azure/msal-react";

+ import { SignInButton } from "./SignInButton";

+ import { SignOutButton } from "./SignOutButton";

+ /**

+ * Renders the navbar component with a sign in or sign out button depending on whether or not a user is authenticated

+ * @param props

+ */

+ export const PageLayout = (props) => {

+ const isAuthenticated = useIsAuthenticated();

+ return (

+ <>

+ <Navbar bg="primary" variant="dark" className="navbarStyle">

+ <a className="navbar-brand" href="/">

+ Microsoft Identity Platform

+ </a>

+ <div className="collapse navbar-collapse justify-content-end">

+ {isAuthenticated ? <SignOutButton /> : <SignInButton />}

+ </div>

+ </Navbar>

+ <br />

+ <br />

+ <h5>

+ <center>

+ Welcome to the Microsoft Authentication Library For Javascript -

+ React SPA Tutorial

+ </center>

+ </h5>

+ <br />

+ <br />

+ {props.children}

+ </>

+ );

+ };

+ ```

+1. Save the file.

+### Display profile information

+1. Open the *ProfileData.jsx* and add the following code, which creates a component that displays the user's profile information:

+ ```javascript

+ import React from "react";

+ /**

+ * Renders information about the user obtained from MS Graph

+ * @param props

+ */

+ export const ProfileData = (props) => {

+ return (

+ <div id="profile-div">

+ <p>

+ <strong>First Name: </strong> {props.graphData.givenName}

+ </p>

+ <p>

+ <strong>Last Name: </strong> {props.graphData.surname}

+ </p>

+ <p>

+ <strong>Email: </strong> {props.graphData.userPrincipalName}

+ </p>

+ <p>

+ <strong>Id: </strong> {props.graphData.id}

+ </p>

+ </div>

+ );

+ };

+ ```

+1. Save the file.

+### Adding the sign in experience

+1. Open *SignInButton.jsx* and add the following code, which creates a button that signs in the user using either a popup or redirect.

+ ```javascript

+ import React from "react";

+ import { useMsal } from "@azure/msal-react";

+ import { loginRequest } from "../authConfig";

+ import DropdownButton from "react-bootstrap/DropdownButton";

+ import Dropdown from "react-bootstrap/Dropdown";

+ /**

+ * Renders a drop down button with child buttons for logging in with a popup or redirect

+ * Note the [useMsal] package

+ */

+ export const SignInButton = () => {

+ const { instance } = useMsal();

+ const handleLogin = (loginType) => {

+ if (loginType === "popup") {

+ instance.loginPopup(loginRequest).catch((e) => {

+ console.log(e);

+ });

+ } else if (loginType === "redirect") {

+ instance.loginRedirect(loginRequest).catch((e) => {

+ console.log(e);

+ });

+ }

+ };

+ return (

+ <DropdownButton

+ variant="secondary"

+ className="ml-auto"

+ drop="start"

+ title="Sign In"

+ >

+ <Dropdown.Item as="button" onClick={() => handleLogin("popup")}>

+ Sign in using Popup

+ </Dropdown.Item>

+ <Dropdown.Item as="button" onClick={() => handleLogin("redirect")}>

+ Sign in using Redirect

+ </Dropdown.Item>

+ </DropdownButton>

+ );

+ };

+ ```

+1. Save the file.

+### Adding the sign out experience

+1. Open *SignOutButton.jsx* and add the following code, which creates a button that signs out the user using either a pop-up or redirect.

+ ```javascript

+ import React from "react";

+ import { useMsal } from "@azure/msal-react";

+ import DropdownButton from "react-bootstrap/DropdownButton";

+ import Dropdown from "react-bootstrap/Dropdown";

+ /**

+ * Renders a sign out button

+ */

+ export const SignOutButton = () => {

+ const { instance } = useMsal();

+ const handleLogout = (logoutType) => {

+ if (logoutType === "popup") {

+ instance.logoutPopup({

+ postLogoutRedirectUri: "/",

+ mainWindowRedirectUri: "/",

+ });

+ } else if (logoutType === "redirect") {

+ instance.logoutRedirect({

+ postLogoutRedirectUri: "/",

+ });

+ }

+ };

+ return (

+ <DropdownButton

+ variant="secondary"

+ className="ml-auto"

+ drop="start"

+ title="Sign Out"

+ >

+ <Dropdown.Item as="button" onClick={() => handleLogout("popup")}>

+ Sign out using Popup

+ </Dropdown.Item>

+ <Dropdown.Item as="button" onClick={() => handleLogout("redirect")}>

+ Sign out using Redirect

+ </Dropdown.Item>

+ </DropdownButton>

+ );

+ };

+ ```

+1. Save the file.

+<!-- ::: zone pivot="devlang-javascript"

+<!-- ::: zone-end -->

+> [!div class="nextstepaction"]

+> [Tutorial: Call an API from a React single-page app](single-page-app-tutorial-04-call-api.md)

+ Title: "Tutorial: Call an API from a React single-page app"

+description: Call an API from a React single-page app.

+#Customer intent: As a React developer, I want to know how to create a user interface and access the Microsoft Graph API

+# Tutorial: Call an API from a React single-page app

+Before being able to interact with the single-page app (SPA), we need to initiate an API call to Microsoft Graph and create the user interface (UI) for the application. After this is added, we can sign in to the application and get profile data information from the Microsoft Graph API.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create the API call to Microsoft Graph

+> * Create a UI for the application

+> * Import and use components in the application

+> * Create a component that renders the user's profile information

+> * Call the API from the application

+## Prerequisites

+* Completion of the prerequisites and steps in [Tutorial: Create components for sign in and sign out in a React single-page app](single-page-app-tutorial-03-sign-in-users.md).

+## Creating a helper the Microsoft Graph client

+To allow the SPA to request access to Microsoft Graph, a reference to the `graphConfig` object needs to be added. This contains the Graph REST API endpoint defined in *authConfig.js* file.

+### [Visual Studio](#tab/visual-studio)

+1. Right click on the *src* folder, select **Add** > **New Item**. Create a new file called *graph.js* and select **Add**.

+1. Replace the contents of the file with the following code snippet to request access to Microsoft Graph;

+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/graph.js" :::

+### [Visual Studio Code](#tab/visual-studio-code)

+1. In the *src* folder, create a new file called *graph.js*.

+1. Add the following code snippet to request access to Microsoft Graph;

+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/graph.js" :::

+## Change filename and add required imports

+By default, the application runs via a JavaScript file called *App.js*. It needs to be changed to *App.jsx* file, which is an extension that allows a developer to write HTML in React.

+1. Rename *App.js* to *App.jsx*.

+1. Replace the existing imports with the following snippet;

+ ```javascript

+ import React, { useState } from 'react';

+ import { PageLayout } from './components/PageLayout';

+ import { loginRequest } from './authConfig';

+ import { callMsGraph } from './graph';

+ import { ProfileData } from './components/ProfileData';

+ import { AuthenticatedTemplate, UnauthenticatedTemplate, useMsal } from '@azure/msal-react';

+ import './App.css';

+ import Button from 'react-bootstrap/Button';

+ ```

+### Adding the `ProfileContent` function

+The `ProfileContent` function is used to render the user's profile information. In the *App.jsx* file, add the following code below your imports:

+```javascript

+/**

+* Renders information about the signed-in user or a button to retrieve data about the user

+*/

+const ProfileContent = () => {

+ const { instance, accounts } = useMsal();

+ const [graphData, setGraphData] = useState(null);

+

+ function RequestProfileData() {

+ // Silently acquires an access token which is then attached to a request for MS Graph data

+ instance

+ .acquireTokenSilent({

+ ...loginRequest,

+ account: accounts[0],

+ })

+ .then((response) => {

+ callMsGraph(response.accessToken).then((response) => setGraphData(response));

+ });

+ }

+

+ return (

+ <>

+ <h5 className="card-title">Welcome {accounts[0].name}</h5>

+ <br/>

+ {graphData ? (

+ <ProfileData graphData={graphData} />

+ ) : (

+ <Button variant="secondary" onClick={RequestProfileData}>

+ Request Profile Information

+ </Button>

+ )}

+ </>

+ );

+};

+```

+### Replacing the default function to render authenticated information

+The following code will render based on whether the user is authenticated or not. Replace the default function `App()` to render authenticated information with the following code:

+```javascript

+/**

+* If a user is authenticated the ProfileContent component above is rendered. Otherwise a message indicating a user is not authenticated is rendered.

+*/

+const MainContent = () => {

+ return (

+ <div className="App">

+ <AuthenticatedTemplate>

+ <ProfileContent />

+ </AuthenticatedTemplate>

+

+ <UnauthenticatedTemplate>

+ <h5>

+ <center>

+ Please sign-in to see your profile information.

+ </center>

+ </h5>

+ </UnauthenticatedTemplate>

+ </div>

+ );

+};

+

+export default function App() {

+ return (

+ <PageLayout>

+ <center>

+ <MainContent />

+ </center>

+ </PageLayout>

+ );

+}

+```

+## Calling the API from the application

+All the required code snippets have been added, so the application can now be called and tested in a web browser.

+1. Navigate to the browser previously opened in [Tutorial: Prepare an application for authentication](./single-page-app-tutorial-02-prepare-spa.md). If your browser is closed, open a new window with the address `http://localhost:3000/`.

+1. Select the **Sign In** button. For the purposes of this tutorial, choose the **Sign in using Popup** option.

+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/sign-in-window.png" alt-text="Screenshot of React App sign-in window.":::

+1. After the popup window appears with the sign-in options, select the account with which to sign-in.

+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/pick-account.png" alt-text="Screenshot requesting user to choose Microsoft account to sign into.":::

+1. A second window may appear indicating that a code will be sent to your email address. If this happens, select **Send code**. Open the email from the sender **Microsoft account team**, and enter the 7-digit single-use code. Once entered, select **Sign in**.

+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/enter-code.png" alt-text="Screenshot prompting user to enter verification code to sign-in.":::

+1. For **Stay signed in**, you can select either **No** or **Yes**.

+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/stay-signed-in.png" alt-text="Screenshot prompting user to decide whether to stay signed in or not.":::

+1. The app will now ask for permission to sign-in and access data. Select **Accept** to continue.

+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/permissions-requested.png" alt-text="Screenshot prompting user to allow the application to access permissions.":::

+1. The SPA will now display a button saying **Request Profile Information**. Select it to display the Microsoft Graph profile data acquired from the Microsoft Graph API.

+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/display-api-call-results.png" alt-text="Screenshot of React App depicting the results of the API call.":::

+## Next steps

+Learn how to use the Microsoft identity platform by trying out the following tutorial series on how to build a web API.

+> [!div class="nextstepaction"]

+> [Tutorial: Register a web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md)

+If the application isn't needed anymore, the first option you should consider is to delete the app registration entirely. (You can [restore recently deleted applications](/azure/active-directory/fundamentals/recover-from-deletions#applications-and-service-principals), in case you discover soon afterwards that it was still needed.)

+In this tutorial, you build an Android app that integrates with the Azure Active Directory (Azure AD) to sign in users and get an access token to call the Microsoft Graph API.

+When you've completed this tutorial, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) and work or school accounts from any company or organization that uses Azure AD.

+In this tutorial:

+>

+> - Create an Android app project in _Android Studio_

+> - Register the app in the Azure portal

+> - Add code to support user sign-in and sign-out

+> - Add code to call the Microsoft Graph API

+> - Test the app

+- [Android Studio](https://developer.android.com/studio)

+- [Android documentation on generating a key](https://developer.android.com/studio/publish/app-signing#generate-key)

+This sample uses the Microsoft Authentication Library (MSAL) for Android to implement Authentication: [com.microsoft.identity.client](https://javadoc.io/doc/com.microsoft.identity.client/msal).

+Follow these steps to create a new project if you don't already have an Android application.

+3. Enter a name for the application, such as _MSALAndroidapp_.

+4. Record the package name to be used in the Azure portal in later steps.

+6. Set the **Minimum SDK API level** to **API 19** or higher, and select **Finish**.

+### Register your application with Azure AD

+1. For **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. For information on different account types, select the **Help me choose** option.

+1. In the **Signature hash** section of the **Configure your Android app** pane, select **Generating a development Signature Hash.** and copy the KeyTool command to your command line.

+ - KeyTool.exe is installed as part of the Java Development Kit (JDK). You must also install the OpenSSL tool to execute the KeyTool command. For more information, see [Android documentation on generating a key](https://developer.android.com/studio/publish/app-signing#generate-key) for more information.

+1. Select **Configure** and save the **MSAL Configuration** that appears in the **Android configuration** pane so you can enter it when you configure your app later.

+1. Right-click **res** and choose **New** > **Directory**. Enter `raw` as the new directory name and select **OK**.

+ Below the redirect URI, paste:

+ ```json

+ "account_mode" : "SINGLE",

+ ```

+ Your config file should resemble this example:

+ ```json

+ {

+ "client_id": "00001111-aaaa-bbbb-3333-cccc4444",

+ "authorization_user_agent": "DEFAULT",

+ "redirect_uri": "msauth://com.azuresamples.msalandroidapp/00001111%cccc4444%3D",

+ "broker_redirect_uri_registered": true,

+ "account_mode": "SINGLE",

+ "authorities": [

+ {

+ "type": "AAD",

+ "audience": {

+ "type": "AzureADandPersonalMicrosoftAccount",

+ "tenant_id": "common"

+ }

+ }

+ ]

+ }

+ ```

+ As this tutorial only demonstrates how to configure an app in Single Account mode, see [single vs. multiple account mode](./single-multi-account.md) and [configuring your app](./msal-configuration.md) for more information

+1. In **app** > **src** > **main** > **AndroidManifest.xml**, add the `BrowserTabActivity` activity as a child of the `<application>` element. This entry allows Azure AD to call back to your application after it completes the authentication:

+ ```xml

+ <!--Intent filter to capture System Browser or Authenticator calling back to our app after sign-in-->

+ <activity

+ android:name="com.microsoft.identity.client.BrowserTabActivity"

+ android:exported="true">

+ <intent-filter>

+ <action android:name="android.intent.action.VIEW" />

+ <category android:name="android.intent.category.DEFAULT" />

+ <category android:name="android.intent.category.BROWSABLE" />

+ <data android:scheme="msauth"

+ android:host="Enter_the_Package_Name"

+ android:path="/Enter_the_Signature_Hash" />

+ </intent-filter>

+ </activity>

+ ```

+ - Use your Azure portal **Package name** to replace `android:host=.` value. It should look like `com.azuresamples.msalandroidapp`.

+ - Use your Azure portal **Signature Hash** to replace `android:path=` value. Ensure that there's a leading `/` at the beginning of your Signature Hash. It should look like `/1wIqXSqBj7w+h11ZifsnqwgyKrY=`.

+ You can find these values in the Authentication blade of your app registration as well.

+### Add MSAL and relevant libraries to your project

+1. In the Android Studio project window, navigate to **app** > **build.gradle** and add the following libraries in the _dependencies_ section:

+ ```gradle

+ implementation 'com.microsoft.identity.client:msal:4.2.0'

+ implementation 'com.android.volley:volley:1.2.1'

+ ```

+1. In the Android Studio project window, open **settings.gradle** and declare the following maven repository in **dependencyResolutionManagement** > **repositories** section:

+ ```gradle

+ maven {

+ url 'https://pkgs.dev.azure.com/MicrosoftDeviceSDK/DuoSDK-Public/_packaging/Duo-SDK-Feed/maven/v1'

+1. Select **Sync Now** in the notification bar.

+### Create and update required fragment

+1. In **app** > **src** > **main**> **java** > **com.example(your app name)**. Create the following Android fragments:

+ - _MSGraphRequestWrapper_

+ - _OnFragmentInteractionListener_

+ - _SingleAccountModeFragment_

+1. Open _MSGraphRequestWrapper.java_ and replace the code with following code snippet to call the Microsoft Graph API using the token provided by MSAL:

+ ```java

+ package com.azuresamples.msalandroidapp;

+ import android.content.Context;

+ import android.util.Log;

+ import androidx.annotation.NonNull;

+ import com.android.volley.DefaultRetryPolicy;

+ import com.android.volley.Request;

+ import com.android.volley.RequestQueue;

+ import com.android.volley.Response;

+ import com.android.volley.toolbox.JsonObjectRequest;

+ import com.android.volley.toolbox.Volley;

+ import org.json.JSONObject;

+ import java.util.HashMap;

+ import java.util.Map;

+ public class MSGraphRequestWrapper {

+ private static final String TAG = MSGraphRequestWrapper.class.getSimpleName();

+ // See: https://docs.microsoft.com/en-us/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints

+ public static final String MS_GRAPH_ROOT_ENDPOINT = "https://graph.microsoft.com/";

+ /**

+ * Use Volley to make an HTTP request with

+ * 1) a given MSGraph resource URL

+ * 2) an access token

+ * to obtain MSGraph data.

+ **/

+ public static void callGraphAPIUsingVolley(@NonNull final Context context,

+ @NonNull final String graphResourceUrl,

+ @NonNull final String accessToken,

+ @NonNull final Response.Listener<JSONObject> responseListener,

+ @NonNull final Response.ErrorListener errorListener) {

+ Log.d(TAG, "Starting volley request to graph");

+ /* Make sure we have a token to send to graph */

+ if (accessToken == null || accessToken.length() == 0) {

+ return;

+ }

+ RequestQueue queue = Volley.newRequestQueue(context);

+ JSONObject parameters = new JSONObject();

+ try {

+ parameters.put("key", "value");

+ } catch (Exception e) {

+ Log.d(TAG, "Failed to put parameters: " + e.toString());

+ JsonObjectRequest request = new JsonObjectRequest(Request.Method.GET, graphResourceUrl,

+ parameters, responseListener, errorListener) {

+ @Override

+ public Map<String, String> getHeaders() {

+ Map<String, String> headers = new HashMap<>();

+ headers.put("Authorization", "Bearer " + accessToken);

+ return headers;

+ }

+ };

+ Log.d(TAG, "Adding HTTP GET to Queue, Request: " + request.toString());

+ request.setRetryPolicy(new DefaultRetryPolicy(

+ 3000,

+ DefaultRetryPolicy.DEFAULT_MAX_RETRIES,

+ DefaultRetryPolicy.DEFAULT_BACKOFF_MULT));

+ queue.add(request);

+ ```

+1. Open _OnFragmentInteractionListener.java_ and replace the code with following code snippet to allow communication between different fragments:

+ ```java

+ package com.azuresamples.msalandroidapp;

+ /**

+ * This interface must be implemented by activities that contain this

+ * fragment to allow an interaction in this fragment to be communicated

+ * to the activity and potentially other fragments contained in that

+ * activity.

+ * <p>

+ * See the Android Training lesson <a href=

+ * "http://developer.android.com/training/basics/fragments/communicating.html"

+ * >Communicating with Other Fragments</a> for more information.

+ */

+ public interface OnFragmentInteractionListener {

+ ```

+1. Open _SingleAccountModeFragment.java_ and replace the code with following code snippet to initialize a single-account application, loads a user account, and gets a token to call the Microsoft Graph API:

+ ```java

+ package com.azuresamples.msalandroidapp;

+ import android.os.Bundle;

+ import androidx.annotation.NonNull;

+ import androidx.annotation.Nullable;

+ import androidx.fragment.app.Fragment;

+ import android.util.Log;

+ import android.view.LayoutInflater;

+ import android.view.View;

+ import android.view.ViewGroup;

+ import android.widget.Button;

+ import android.widget.TextView;

+ import android.widget.Toast;

+ import com.android.volley.Response;

+ import com.android.volley.VolleyError;

+ import com.microsoft.identity.client.AuthenticationCallback;

+ import com.microsoft.identity.client.IAccount;

+ import com.microsoft.identity.client.IAuthenticationResult;

+ import com.microsoft.identity.client.IPublicClientApplication;

+ import com.microsoft.identity.client.ISingleAccountPublicClientApplication;

+ import com.microsoft.identity.client.PublicClientApplication;

+ import com.microsoft.identity.client.SilentAuthenticationCallback;

+ import com.microsoft.identity.client.exception.MsalClientException;

+ import com.microsoft.identity.client.exception.MsalException;

+ import com.microsoft.identity.client.exception.MsalServiceException;

+ import com.microsoft.identity.client.exception.MsalUiRequiredException;

+ import org.json.JSONObject;

+ /**

+ * Implementation sample for 'Single account' mode.

+ * <p>

+ * If your app only supports one account being signed-in at a time, this is for you.

+ * This requires "account_mode" to be set as "SINGLE" in the configuration file.

+ * (Please see res/raw/auth_config_single_account.json for more info).

+ * <p>

+ * Please note that switching mode (between 'single' and 'multiple' might cause a loss of data.

+ */

+ public class SingleAccountModeFragment extends Fragment {

+ private static final String TAG = SingleAccountModeFragment.class.getSimpleName();

+ /* UI & Debugging Variables */

+ Button signInButton;

+ Button signOutButton;

+ Button callGraphApiInteractiveButton;

+ Button callGraphApiSilentButton;

+ TextView scopeTextView;

+ TextView graphResourceTextView;

+ TextView logTextView;

+ TextView currentUserTextView;

+ TextView deviceModeTextView;

+ /* Azure AD Variables */

+ private ISingleAccountPublicClientApplication mSingleAccountApp;

+ private IAccount mAccount;

+ @Override

+ public View onCreateView(LayoutInflater inflater,

+ ViewGroup container,

+ Bundle savedInstanceState) {

+ // Inflate the layout for this fragment

+ final View view = inflater.inflate(R.layout.fragment_single_account_mode, container, false);

+ initializeUI(view);

+ // Creates a PublicClientApplication object with res/raw/auth_config_single_account.json

+ PublicClientApplication.createSingleAccountPublicClientApplication(getContext(),

+ R.raw.auth_config_single_account,

+ new IPublicClientApplication.ISingleAccountApplicationCreatedListener() {

+ @Override

+ public void onCreated(ISingleAccountPublicClientApplication application) {

+ /**

+ * This test app assumes that the app is only going to support one account.

+ * This requires "account_mode" : "SINGLE" in the config json file.

+ **/

+ mSingleAccountApp = application;

+ loadAccount();

+ }

+ @Override

+ public void onError(MsalException exception) {

+ displayError(exception);

+ }

+ });

+ return view;

+ }

+ /**

+ * Initializes UI variables and callbacks.

+ */

+ private void initializeUI(@NonNull final View view) {

+ signInButton = view.findViewById(R.id.btn_signIn);

+ signOutButton = view.findViewById(R.id.btn_removeAccount);

+ callGraphApiInteractiveButton = view.findViewById(R.id.btn_callGraphInteractively);

+ callGraphApiSilentButton = view.findViewById(R.id.btn_callGraphSilently);

+ scopeTextView = view.findViewById(R.id.scope);

+ graphResourceTextView = view.findViewById(R.id.msgraph_url);

+ logTextView = view.findViewById(R.id.txt_log);

+ currentUserTextView = view.findViewById(R.id.current_user);

+ deviceModeTextView = view.findViewById(R.id.device_mode);

+ final String defaultGraphResourceUrl = MSGraphRequestWrapper.MS_GRAPH_ROOT_ENDPOINT + "v1.0/me";

+ graphResourceTextView.setText(defaultGraphResourceUrl);

+ signInButton.setOnClickListener(new View.OnClickListener() {

+ public void onClick(View v) {

+ if (mSingleAccountApp == null) {

+ return;

+ }

+ mSingleAccountApp.signIn(getActivity(), null, getScopes(), getAuthInteractiveCallback());

+ });

+ signOutButton.setOnClickListener(new View.OnClickListener() {

+ public void onClick(View v) {

+ if (mSingleAccountApp == null) {

+ return;

+ }

+ /**

+ * Removes the signed-in account and cached tokens from this app (or device, if the device is in shared mode).

+ */

+ mSingleAccountApp.signOut(new ISingleAccountPublicClientApplication.SignOutCallback() {

+ @Override

+ public void onSignOut() {

+ mAccount = null;

+ updateUI();

+ showToastOnSignOut();

+ }

+ @Override

+ public void onError(@NonNull MsalException exception) {

+ displayError(exception);

+ }

+ });

+ callGraphApiInteractiveButton.setOnClickListener(new View.OnClickListener() {

+ public void onClick(View v) {

+ if (mSingleAccountApp == null) {

+ return;

+ }

+ /**

+ * If acquireTokenSilent() returns an error that requires an interaction (MsalUiRequiredException),

+ * invoke acquireToken() to have the user resolve the interrupt interactively.

+ *

+ * Some example scenarios are

+ * - password change

+ * - the resource you're acquiring a token for has a stricter set of requirement than your Single Sign-On refresh token.

+ * - you're introducing a new scope which the user has never consented for.

+ */

+ mSingleAccountApp.acquireToken(getActivity(), getScopes(), getAuthInteractiveCallback());

+ }

+ });

+ callGraphApiSilentButton.setOnClickListener(new View.OnClickListener() {

+ @Override

+ public void onClick(View v) {

+ if (mSingleAccountApp == null) {

+ return;

+ }

+ /**

+ * Once you've signed the user in,

+ * you can perform acquireTokenSilent to obtain resources without interrupting the user.

+ */

+ mSingleAccountApp.acquireTokenSilentAsync(getScopes(), mAccount.getAuthority(), getAuthSilentCallback());

+ }

+ });

+ public void onResume() {

+ super.onResume();

+ /**

+ * The account may have been removed from the device (if broker is in use).

+ *

+ * In shared device mode, the account might be signed in/out by other apps while this app is not in focus.

+ * Therefore, we want to update the account state by invoking loadAccount() here.

+ */

+ loadAccount();

+ /**

+ * Extracts a scope array from a text field,

+ * i.e. from "User.Read User.ReadWrite" to ["user.read", "user.readwrite"]

+ */

+ private String[] getScopes() {

+ return scopeTextView.getText().toString().toLowerCase().split(" ");

+ /**

+ * Load the currently signed-in account, if there's any.

+ */

+ private void loadAccount() {

+ if (mSingleAccountApp == null) {

+ return;

+ mSingleAccountApp.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback() {

+ @Override

+ public void onAccountLoaded(@Nullable IAccount activeAccount) {

+ // You can use the account data to update your UI or your app database.

+ mAccount = activeAccount;

+ updateUI();

+ @Override

+ public void onAccountChanged(@Nullable IAccount priorAccount, @Nullable IAccount currentAccount) {

+ if (currentAccount == null) {

+ // Perform a cleanup task as the signed-in account changed.

+ showToastOnSignOut();

+ }

+ @Override

+ public void onError(@NonNull MsalException exception) {

+ displayError(exception);

+ }

+ });

+ }

+ /**

+ * Callback used in for silent acquireToken calls.

+ */

+ private SilentAuthenticationCallback getAuthSilentCallback() {

+ return new SilentAuthenticationCallback() {

+ @Override

+ public void onSuccess(IAuthenticationResult authenticationResult) {

+ Log.d(TAG, "Successfully authenticated");

+ /* Successfully got a token, use it to call a protected resource - MSGraph */

+ callGraphAPI(authenticationResult);

+ }

+ @Override

+ public void onError(MsalException exception) {

+ /* Failed to acquireToken */

+ Log.d(TAG, "Authentication failed: " + exception.toString());

+ displayError(exception);

+ if (exception instanceof MsalClientException) {

+ /* Exception inside MSAL, more info inside MsalError.java */

+ } else if (exception instanceof MsalServiceException) {

+ /* Exception when communicating with the STS, likely config issue */

+ } else if (exception instanceof MsalUiRequiredException) {

+ /* Tokens expired or no session, retry with interactive */

+ }

+ };

+ }

+ /**

+ * Callback used for interactive request.

+ * If succeeds we use the access token to call the Microsoft Graph.

+ * Does not check cache.

+ */

+ private AuthenticationCallback getAuthInteractiveCallback() {

+ return new AuthenticationCallback() {

+ @Override

+ public void onSuccess(IAuthenticationResult authenticationResult) {

+ /* Successfully got a token, use it to call a protected resource - MSGraph */

+ Log.d(TAG, "Successfully authenticated");

+ Log.d(TAG, "ID Token: " + authenticationResult.getAccount().getClaims().get("id_token"));

+ /* Update account */

+ mAccount = authenticationResult.getAccount();

+ updateUI();

+ /* call graph */

+ callGraphAPI(authenticationResult);

+ @Override

+ public void onError(MsalException exception) {

+ /* Failed to acquireToken */

+ Log.d(TAG, "Authentication failed: " + exception.toString());

+ displayError(exception);

+ if (exception instanceof MsalClientException) {

+ /* Exception inside MSAL, more info inside MsalError.java */

+ } else if (exception instanceof MsalServiceException) {

+ /* Exception when communicating with the STS, likely config issue */

+ }

+ @Override

+ public void onCancel() {

+ /* User canceled the authentication */

+ Log.d(TAG, "User cancelled login.");

+ }

+ };

+ }

+ /**

+ * Make an HTTP request to obtain MSGraph data

+ */

+ private void callGraphAPI(final IAuthenticationResult authenticationResult) {

+ MSGraphRequestWrapper.callGraphAPIUsingVolley(

+ getContext(),

+ graphResourceTextView.getText().toString(),

+ authenticationResult.getAccessToken(),

+ new Response.Listener<JSONObject>() {

+ @Override

+ public void onResponse(JSONObject response) {

+ /* Successfully called graph, process data and send to UI */

+ Log.d(TAG, "Response: " + response.toString());

+ displayGraphResult(response);

+ }

+ },

+ new Response.ErrorListener() {

+ @Override

+ public void onErrorResponse(VolleyError error) {

+ Log.d(TAG, "Error: " + error.toString());

+ displayError(error);

+ }

+ });

+ }

+ //

+ // Helper methods manage UI updates

+ // ================================

+ // displayGraphResult() - Display the graph response

+ // displayError() - Display the graph response

+ // updateSignedInUI() - Updates UI when the user is signed in

+ // updateSignedOutUI() - Updates UI when app sign out succeeds

+ //

+ /**

+ * Display the graph response

+ */

+ private void displayGraphResult(@NonNull final JSONObject graphResponse) {

+ logTextView.setText(graphResponse.toString());

+ /**

+ * Display the error message

+ */

+ private void displayError(@NonNull final Exception exception) {

+ logTextView.setText(exception.toString());

+ /**

+ * Updates UI based on the current account.

+ */

+ private void updateUI() {

+ if (mAccount != null) {

+ signInButton.setEnabled(false);

+ signOutButton.setEnabled(true);

+ callGraphApiInteractiveButton.setEnabled(true);

+ callGraphApiSilentButton.setEnabled(true);

+ currentUserTextView.setText(mAccount.getUsername());

+ } else {

+ signInButton.setEnabled(true);

+ signOutButton.setEnabled(false);

+ callGraphApiInteractiveButton.setEnabled(false);

+ callGraphApiSilentButton.setEnabled(false);

+ currentUserTextView.setText("None");

+ }

+ deviceModeTextView.setText(mSingleAccountApp.isSharedDevice() ? "Shared" : "Non-shared");

+ /**

+ * Updates UI when app sign out succeeds

+ */

+ private void showToastOnSignOut() {

+ final String signOutText = "Signed Out.";

+ currentUserTextView.setText("");

+ Toast.makeText(getContext(), signOutText, Toast.LENGTH_SHORT)

+ .show();

+ }

+ ```

+1. Open _MainActivity.java_ and replace the code with following code snippet to manage the UI.

+ ```java

+ package com.azuresamples.msalandroidapp;

+ import android.os.Bundle;

+ import androidx.annotation.NonNull;

+ import androidx.appcompat.app.ActionBarDrawerToggle;

+ import androidx.appcompat.app.AppCompatActivity;

+ import androidx.appcompat.widget.Toolbar;

+ import androidx.constraintlayout.widget.ConstraintLayout;

+ import androidx.core.view.GravityCompat;

+ import android.view.MenuItem;

+ import android.view.View;

+ import androidx.drawerlayout.widget.DrawerLayout;

+ import androidx.fragment.app.Fragment;

+ import androidx.fragment.app.FragmentTransaction;

+ import com.google.android.material.navigation.NavigationView;

+ public class MainActivity extends AppCompatActivity

+ implements NavigationView.OnNavigationItemSelectedListener,

+ OnFragmentInteractionListener{

+ enum AppFragment {

+ SingleAccount,

+ MultipleAccount,

+ B2C

+ private AppFragment mCurrentFragment;

+ private ConstraintLayout mContentMain;

+ @Override

+ protected void onCreate(Bundle savedInstanceState) {

+ super.onCreate(savedInstanceState);

+ setContentView(R.layout.activity_main);

+ mContentMain = findViewById(R.id.content_main);

+ Toolbar toolbar = findViewById(R.id.toolbar);

+ setSupportActionBar(toolbar);

+ DrawerLayout drawer = findViewById(R.id.drawer_layout);

+ NavigationView navigationView = findViewById(R.id.nav_view);

+ ActionBarDrawerToggle toggle = new ActionBarDrawerToggle(

+ this, drawer, toolbar, R.string.navigation_drawer_open, R.string.navigation_drawer_close);

+ drawer.addDrawerListener(toggle);

+ toggle.syncState();

+ navigationView.setNavigationItemSelectedListener(this);

+ //Set default fragment

+ navigationView.setCheckedItem(R.id.nav_single_account);

+ setCurrentFragment(AppFragment.SingleAccount);

+ }

+ @Override

+ public boolean onNavigationItemSelected(final MenuItem item) {

+ final DrawerLayout drawer = findViewById(R.id.drawer_layout);

+ drawer.addDrawerListener(new DrawerLayout.DrawerListener() {

+ @Override

+ public void onDrawerSlide(@NonNull View drawerView, float slideOffset) { }

+ @Override

+ public void onDrawerOpened(@NonNull View drawerView) { }

+ public void onDrawerClosed(@NonNull View drawerView) {

+ // Handle navigation view item clicks here.

+ int id = item.getItemId();

+ if (id == R.id.nav_single_account) {

+ setCurrentFragment(AppFragment.SingleAccount);

+ }

+ if (id == R.id.nav_multiple_account) {

+ setCurrentFragment(AppFragment.MultipleAccount);

+ }

+ if (id == R.id.nav_b2c) {

+ setCurrentFragment(AppFragment.B2C);

+ }

+ drawer.removeDrawerListener(this);

+ public void onDrawerStateChanged(int newState) { }

+ drawer.closeDrawer(GravityCompat.START);

+ return true;

+ }

+ private void setCurrentFragment(final AppFragment newFragment){

+ if (newFragment == mCurrentFragment) {

+ return;

+ }

+ mCurrentFragment = newFragment;

+ setHeaderString(mCurrentFragment);

+ displayFragment(mCurrentFragment);

+ }

+ private void setHeaderString(final AppFragment fragment){

+ switch (fragment) {

+ case SingleAccount:

+ getSupportActionBar().setTitle("Single Account Mode");

+ return;

+ case MultipleAccount:

+ getSupportActionBar().setTitle("Multiple Account Mode");

+ return;

+ case B2C:

+ getSupportActionBar().setTitle("B2C Mode");

+ return;

+ }

+ }

+ private void displayFragment(final AppFragment fragment){

+ switch (fragment) {

+ case SingleAccount:

+ attachFragment(new com.azuresamples.msalandroidapp.SingleAccountModeFragment());

+ return;

+ case MultipleAccount:

+ attachFragment(new MultipleAccountModeFragment());

+ return;

+ case B2C:

+ attachFragment(new B2CModeFragment());

+ return;

+ }

+ }

+ private void attachFragment(final Fragment fragment) {

+ getSupportFragmentManager()

+ .beginTransaction()

+ .setTransitionStyle(FragmentTransaction.TRANSIT_FRAGMENT_FADE)

+ .replace(mContentMain.getId(),fragment)

+ .commit();

+ }

+ ```

+> [!NOTE]

+> Ensure that you update the package name to match your Android project package name.

+If you would like to model your UI off this tutorial, the following is a sample **activity_main.xml**.

+1. In **app** > **src** > **main**> **res** > **layout** > **activity_main.xml**. Replace the content of **activity_main.xml** with the following code snippet to display buttons and text boxes:

+ ```xml

+ <?xml version="1.0" encoding="utf-8"?>

+ <LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"

+ xmlns:tools="http://schemas.android.com/tools"

+ android:id="@+id/activity_main"

+ android:layout_width="match_parent"

+ android:layout_height="match_parent"

+ android:background="#FFFFFF"

+ android:orientation="vertical"

+ tools:context=".MainActivity">

+ <LinearLayout

+ android:layout_width="match_parent"

+ android:layout_height="wrap_content"

+ android:orientation="horizontal"

+ android:paddingTop="5dp"

+ android:paddingBottom="5dp"

+ android:weightSum="10">

+ <Button

+ android:id="@+id/signIn"

+ android:layout_width="0dp"

+ android:layout_height="wrap_content"

+ android:layout_weight="5"

+ android:gravity="center"

+ android:text="Sign In"/>

+ <Button

+ android:id="@+id/clearCache"

+ android:layout_width="0dp"

+ android:layout_height="wrap_content"

+ android:layout_weight="5"

+ android:gravity="center"

+ android:text="Sign Out"

+ android:enabled="false"/>

+ </LinearLayout>

+ <LinearLayout

+ android:layout_width="match_parent"

+ android:layout_height="wrap_content"

+ android:gravity="center"

+ android:orientation="horizontal">

+ <Button

+ android:id="@+id/callGraphInteractive"

+ android:layout_width="0dp"

+ android:layout_height="wrap_content"

+ android:layout_weight="5"

+ android:text="Get Graph Data Interactively"

+ android:enabled="false"/>

+ <Button

+ android:id="@+id/callGraphSilent"

+ android:layout_width="0dp"

+ android:layout_height="wrap_content"

+ android:layout_weight="5"

+ android:text="Get Graph Data Silently"

+ android:enabled="false"/>

+ </LinearLayout>

+ <TextView

+ android:text="Getting Graph Data..."

+ android:textColor="#3f3f3f"

+ android:layout_width="match_parent"

+ android:layout_height="wrap_content"

+ android:layout_marginLeft="5dp"

+ android:id="@+id/graphData"

+ android:visibility="invisible"/>

+ <TextView

+ android:id="@+id/current_user"

+ android:layout_width="match_parent"

+ android:layout_height="0dp"

+ android:layout_marginTop="20dp"

+ android:layout_weight="0.8"

+ android:text="Account info goes here..." />

+ <TextView

+ android:id="@+id/txt_log"

+ android:layout_width="match_parent"

+ android:layout_height="0dp"

+ android:layout_marginTop="20dp"

+ android:layout_weight="0.8"

+ android:text="Output goes here..." />

+ </LinearLayout>

+ ```

+The first time any user signs into your app, they'll be prompted by Microsoft identity to consent to the permissions requested. Some Azure AD tenants have disabled user consent, which requires admins to consent on behalf of all users. To support this scenario, you'll either need to create your own tenant or receive admin consent.

+When no longer needed, delete the app object that you created in the [Register your application](#register-your-application-with-azure-ad) step.

+To explore more complex scenarios, see a completed [working code sample](https://github.com/Azure-Samples/ms-identity-android-java/) on GitHub.

+For more information about building mobile apps that call protected web APIs in our multi-part scenario series, see:

+- [Scenario: Mobile application that calls web APIs](scenario-mobile-overview.md)

+- [Code sample for complex scenarios](https://github.com/Azure-Samples/ms-identity-android-java/)

+You may not be planning to support multiple-account mode. That could be if you're not using a shared device, and the user can sign into the app with more than one account at the same time. If so, set `"account_mode"` to `"SINGLE"`. This guarantees that your app will always get `ISingleAccountPublicClientApplication`, and significantly simplifies your MSAL integration. The default value of `"account_mode"` is `"MULTIPLE"`, so it's important to change this value in the config file if you're using `"single account"` mode.

+Shared-device mode allows you to configure Android devices to be shared by multiple employees, while providing Microsoft Identity backed management of the device. Employees can sign in to their devices and access customer information quickly. When they're finished with their shift or task, they'll be able to sign-out of all apps on the shared device with a single click and the device will be immediately ready for the next employee to use.

+If your app supports multiple accounts and shared device mode, you must perform a type check and cast to the appropriate interface as shown below.

+To receive the account change broadcast, you need to register a broadcast receiver.ΓÇ» ItΓÇÖs recommended to register your broadcast receiver via the [Context-registered receivers](https://developer.android.com/guide/components/broadcasts#context-registered-receivers).

+When an account change broadcast is received, immediately [get the signed in user and determine if a user has changed on the device](#get-the-signed-in-user-and-determine-if-a-user-has-changed-on-the-device). If a change is detected, initiate data cleanup for previously signed-in account. It's recommended to properly stop any operations and do data cleanup.

+For information on how to do this, refer to [Register your application](./tutorial-v2-android.md#register-your-application-with-azure-ad).

+You should select **Make this change for me** and then provide the values the quickstart asks for in the Azure portal. When that's done, we'll generate all the configuration files you need.

+Download the Microsoft Authenticator App from the Google Play store. If you already have the app downloaded, ensure that it's the latest version.

+The Sample Application is a simple app that will call the Graph API of your organization. On first run, you'll be prompted to consent as the application is new to your employee account.

+ Title: "Tutorial: Register a web API with the Microsoft identity platform"

+description: In this tutorial, you learn how to register a web API with the Microsoft identity platform.

+#Customer intent: As an application developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue access tokens to client applications that request them.

+# Tutorial: Register a web API with the Microsoft identity platform

+To interact with the Microsoft identity platform, Azure Active Directory (Azure AD) must be made aware of the application you create. This tutorial shows you how to register an application in a tenant on the Azure portal.

+In this tutorial:

+> [!div class="checklist"]

+> * Register a web API in a tenant

+> * Record the web API's unique identifiers

+> * Expose an API by adding a scope

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+* This Azure account must have permissions to manage applications. Use any of the following roles needed to register the application:

+ * Application administrator

+ * Application developer

+ * Cloud application administrator

+## Register the application and record identifiers

+To complete registration, provide the application a name and specify the supported account types. Once registered, the application **Overview** page will display the identifiers needed in the application source code.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations > New registration**.

+1. Enter a **Name** for the application, such as *NewWebAPI1*.

+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option.

+1. Select **Register**.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type.":::

+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page.":::

+>[!NOTE]

+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).

+## Expose an API

+Once the API is registered, you can configure its permission by defining the scopes that the API exposes to client applications. Client applications request permission to perform operations by passing an access token along with its requests to the protected web API. The web API then performs the requested operation only if the access token it receives contains the required scopes.

+1. Under **Manage**, select **Expose an API > Add a scope**. Accept the proposed **Application ID URI** `(api://{clientId})` by selecting **Save and continue**. The `{clientId}` will be the value recorded from the **Overview** page. Then enter the following information:

+ 1. For **Scope name**, enter `Forecast.Read`.

+ 1. For **Who can consent**, ensure that the **Admins and users** option is selected.

+ 1. In the **Admin consent display name** box, enter `Read forecast data`.

+ 1. In the **Admin consent description** box, enter `Allows the application to read weather forecast data`.

+ 1. In the **User consent display name** box, enter `Read forecast data`.

+ 1. In the **User consent description** box, enter `Allows the application to read weather forecast data`.

+ 1. Ensure that the **State** is set to **Enabled**.

+1. Select **Add scope**. If the scope has been entered correctly, it'll be listed in the **Expose an API** pane.

+ :::image type="content" source="./media/web-api-tutorial-01-register-app/add-a-scope-inline.png" alt-text="Screenshot that shows the field values when adding the scope to an API." lightbox="./media/web-api-tutorial-01-register-app/add-a-scope-expanded.png":::

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md)

+ Title: "Tutorial: Create and configure an ASP.NET Core project for authentication"

+description: "Create and configure the API in an IDE, add configuration for authentication and install required packages"

+#Customer intent: As an application developer, I want to create an ASP.NET Core project in an IDE, then configure it in such a way that I can add authentication with Azure AD.

+# Tutorial: Create and configure an ASP.NET Core project for authentication

+After registration is complete, a ASP.NET Core project can be created using an integrated development environment (IDE). This tutorial demonstrates how to create an ASP.NET Core project using an IDE and configure for authentication and authorization.

+In this tutorial:

+> [!div class="checklist"]

+> * Create an **ASP.NET Core Empty**

+> * Configure the settings for the application

+> * Identify and install the required NuGet packages

+## Prerequisites

+* Completion of the prerequisites and steps in [Tutorial: Register web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md).

+* You can download the IDEs used in this tutorial from the [Downloads](https://visualstudio.microsoft.com/downloads) page.

+ - Visual Studio 2022

+ - Visual Studio Code

+ - Visual Studio 2022 for Mac

+- A minimum requirement of [.NET Core 6.0 SDK](https://dotnet.microsoft.com/download/dotnet).

+## Create an ASP.NET Core project

+Use the following tabs to create an ASP.NET Core project within an IDE.

+### [Visual Studio](#tab/visual-studio)

+1. Open Visual Studio, and then select **Create a new project**.

+1. Search for and choose the **ASP.NET Core Empty** template, and then select **Next**.

+1. Enter a name for the project, such as *NewWebAPILocal*.

+1. Choose a location for the project or accept the default option, and then select **Next**.

+1. Accept the default for the **Framework** and **Configure for HTTPS**.

+1. Select **Create**.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. Open Visual Studio Code, select **File > Open Folder...**. Navigate to and select the location in which to create your project.

+1. Open up a new terminal by selecting **Terminal** in the top bar, then **New Terminal**.

+1. Create a new folder using the **New Folder...** icon in the **Explorer** pane. Provide a name similar to the one registered previously, for example, *NewWebAPILocal*.

+1. Open a new terminal by selecting **Terminal > New Terminal**.

+1. To create an **ASP.NET Core Empty** template, run the following commands in the terminal to change into the directory and create the project:

+ ```powershell

+ cd NewWebAPILocal

+ dotnet new web

+ ```

+### [Visual Studio for Mac](#tab/visual-studio-for-mac)

+1. Open Visual Studio, and then select **New**.

+1. Under **Web and Console** in the left navigation bar, select **App**.

+1. Under **ASP.NET Core**, select **API** and ensure **C#** is selected in the drop down menu, then select **Continue**.

+1. Accept the default for the **Target Framework** and **Advanced**, then select **Continue**.

+1. Enter a name for the **Project name**, this will be reflected in **Solution Name**. Provide a similar name to the one registered on the Azure portal, such as *NewAPI1*.

+1. Accept the default location for the project or choose a different location, and then select **Create**.

+## Configure the ASP.NET Core project

+The values recorded earlier will be used in *appsettings.json* to configure the application for authentication. *appsettings.json* is a configuration file that is used to store application settings used during run-time.

+1. Open *appsettings.json* and replace the file contents with the following code snippet:

+ ```json

+ {

+ "AzureAd": {

+ "Instance": "https://login.microsoftonline.com/",

+ "ClientId": "Enter the client ID here",

+ "TenantId": "Enter the tenant ID here",

+ "Scopes": "Forecast.Read"

+ },

+ "Logging": {

+ "LogLevel": {

+ "Default": "Information",

+ "Microsoft.AspNetCore": "Warning"

+ }

+ },

+ "AllowedHosts": "*"

+ }

+ ```

+ * `Instance` - The endpoint of the cloud provider. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints).

+ * `TenantId` - The identifier of the tenant where the application is registered. Replace the text in quotes with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.

+ * `ClientId` - The identifier of the application, also referred to as the client. Replace the text in quotes with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.

+ * `Scopes` - The scope that is used to request access to the application. For this tutorial, the scope is `Forecast.Read`.

+1. Save the changes to the file.

+## Install identity packages

+Identity related **NuGet packages** must be installed in the project for authentication of users to be enabled.

+### [Visual Studio](#tab/visual-studio)

+1. In the top menu, select **Tools** > **NuGet Package Manager** > **Manage NuGet Packages for Solution**.

+1. With the **Browse** tab selected, search for **Microsoft.Identity.Web**, select the `Microsoft.Identity.Web` package, select the **Project** checkbox, and then select **Install**.

+1. Select **Ok** or **I Accept** for other windows that may appear.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. In the terminal opened in the previous section, enter the following command:

+ ```powershell

+ dotnet add package Microsoft.Identity.Web

+ ```

+### [Visual Studio for Mac](#tab/visual-studio-for-mac)

+1. In the top menu, select **Tools** > **Manage NuGet Packages**.

+1. Search for **Microsoft.Identity.Web**, select the `Microsoft.Identity.Web` package, select **Project**, and then select **Add Package**.

+1. In the pop-up, ensure the correct project is selected, then select **Ok**.

+1. Select **Accept** if other **License Acceptance** windows appear.

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md)

+ Title: "Tutorial: Implement a protected endpoint to your API"

+description: Protect the endpoint of an API, then run it to ensure it's listening for HTTP requests.

+#Customer intent: As an application developer I want to protect the endpoint of my API and run it to ensure it is listening for HTTP requests

+# Tutorial: Implement a protected endpoint to your API

+Protecting an API endpoint ensures that only authorized users are permitted access. The Microsoft identity platform provides a way to protect API endpoints by using the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web/) NuGet package.

+In this tutorial:

+> [!div class="checklist"]

+> * Implement authentication

+> * Add weather information for the API to display

+> * Test the API with an unauthenticated GET request

+## Prerequisites

+* Completion of the prerequisites and steps in [Tutorial: Create and configure an ASP.NET Core project for authentication](web-api-tutorial-02-prepare-api.md).

+## Implement authorization

+1. Open the *Program.cs* file and replace the contents with the following snippet:

+ ```csharp

+ using Microsoft.AspNetCore.Authentication.JwtBearer;

+ using Microsoft.AspNetCore.Authorization;

+ using Microsoft.Identity.Web;

+ var builder = WebApplication.CreateBuilder(args);

+ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)

+ .AddMicrosoftIdentityWebApi(options =>

+ {

+ builder.Configuration.Bind("AzureAd", options);

+ options.TokenValidationParameters.NameClaimType = "name";

+ }, options => { builder.Configuration.Bind("AzureAd", options); });

+ builder.Services.AddAuthorization(config =>

+ {

+ config.AddPolicy("AuthZPolicy", policyBuilder =>

+ policyBuilder.Requirements.Add(new ScopeAuthorizationRequirement() { RequiredScopesConfigurationKey = $"AzureAd:Scopes" }));

+ });

+ // Add services to the container.

+ builder.Services.AddRazorPages();

+ var app = builder.Build();

+ app.UseAuthentication();

+ app.UseAuthorization();

+ var weatherSummaries = new[]

+ {

+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"

+ };

+ app.MapGet("/weatherforecast", [Authorize(Policy = "AuthZPolicy")] () =>

+ {

+ var forecast = Enumerable.Range(1, 5).Select(index =>

+ new WeatherForecast

+ (

+ DateTime.Now.AddDays(index),

+ Random.Shared.Next(-20, 55),

+ weatherSummaries[Random.Shared.Next(weatherSummaries.Length)]

+ ))

+ .ToArray();

+ return forecast;

+ })

+ .WithName("GetWeatherForecast");

+ // Configure the HTTP request pipeline.

+ if (!app.Environment.IsDevelopment())

+ {

+ app.UseExceptionHandler("/Error");

+ // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.

+ app.UseHsts();

+ }

+ app.UseHttpsRedirection();

+ app.UseStaticFiles();

+ app.UseRouting();

+ app.UseAuthorization();

+ app.MapRazorPages();

+ app.Run();

+ record WeatherForecast(DateTime Date, int TemperatureC, string? Summary)

+ {

+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);

+ }

+ ```

+## Test the application

+### [Visual Studio](#tab/visual-studio)

+1. In Visual Studio, select **Start without debugging**.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. Start the application by typing the following in the terminal:

+ ```powershell

+ dotnet run

+ ```

+1. A similar output to the following should be displayed in the terminal. This confirms that the application is running on `http://localhost:{port}` and listening for requests.

+ ```powershell

+ Building...

+ info: Microsoft.Hosting.Lifetime[0]

+ Now listening on: http://localhost:{port}

+ info: Microsoft.Hosting.Lifetime[0]

+ Application started. Press Ctrl+C to shut down.

+ ...

+ ```

+### [Visual Studio for Mac](#tab/visual-studio-for-mac)

+1. Start the application by selecting **Play the executing solution**.

+The web page `http://localhost:{host}` displays an output similar to the following image. This is because the API is being called without authentication. In order to make an authorized call, refer to [Next steps](#next-steps) for how-to guides on how to access a protected web API.

+## Next steps

+> [!div class="nextstepaction"]

+>

+> [How-to: Call an API using Postman](howto-call-a-web-api-with-postman.md)

+>

+> [How-to: Call an API using cURL](howto-call-a-web-api-with-curl.md)

+ Title: "Tutorial: Register an application with the Microsoft identity platform"

+description: In this tutorial, you learn how to register a web application with the Microsoft identity platform.

+#Customer intent: As an application developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue access tokens to client applications that request them.

+# Tutorial: Register an application with the Microsoft identity platform

+To interact with the Microsoft identity platform, Azure Active Directory (Azure AD) must be made aware of the application you create. This tutorial shows you how to register an application in a tenant on the Azure portal.

+In this tutorial:

+> [!div class="checklist"]

+> * Register a web application in a tenant

+> * Record the web application's unique identifiers

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+* This Azure account must have permissions to manage applications. Use any of the following roles needed to register the application:

+ * Application administrator

+ * Application developer

+ * Cloud application administrator

+## Register the application and record identifiers

+To complete registration, provide the application a name and specify the supported account types. Once registered, the application **Overview** page will display the identifiers needed in the application source code.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

+1. Search for and select **Azure Active Directory**.

+1. Under **Manage**, select **App registrations > New registration**.

+1. Enter a **Name** for the application, such as *NewWebApp1*.

+1. For Supported account types, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.

+ - The **Redirect URI (optional)** will be configured at a later stage.

+1. Select **Register**.

+ :::image type="content" source="./media/web-app-tutorial-01-register-application/register-application.png" alt-text="Screenshot of process to enter a name and select the account type.":::

+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.

+ :::image type="content" source="./media/web-app-tutorial-01-register-application/record-identifiers.png" alt-text="Screenshot of recording the identifier values on the overview page.":::

+>[!NOTE]

+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Prepare a web application for authentication](web-app-tutorial-02-prepare-application.md)

+ Title: "Tutorial: Prepare a web application for authentication"

+description: Prepare an ASP.NET Core application for authentication using Visual Studio.

+#Customer intent: As an application developer, I want to use an IDE to set up an ASP.NET Core project, set up and upload a self signed certificate to the Azure portal and configure the application for authentication.

+# Tutorial: Prepare an application for authentication

+After registration is complete, an ASP.NET web application can be created using an integrated development environment (IDE). This tutorial demonstrates how to create an **ASP.NET Core Web App** using an IDE. You'll also create and upload a self-signed certificate to the Azure portal and configure the application for authentication.

+In this tutorial:

+> [!div class="checklist"]

+> * Create an **ASP.NET Core Web App**

+> * Create a self-signed certificate

+> * Configure the settings for the application

+> * Define platform settings and URLs

+## Prerequisites

+* Completion of the prerequisites and steps in [Tutorial: Register an application with the Microsoft identity platform](web-app-tutorial-01-register-application.md).

+* You can download an IDE used in this tutorial [here](https://visualstudio.microsoft.com/downloads).

+ - Visual Studio 2022

+ - Visual Studio Code

+ - Visual Studio 2022 for Mac

+* A minimum requirement of [.NET Core 6.0 SDK](https://dotnet.microsoft.com/download/dotnet).

+## Create an ASP.NET Core project

+Use the following tabs to create an ASP.NET Core project within an IDE.

+### [Visual Studio](#tab/visual-studio)

+1. Open Visual Studio, and then select **Create a new project**.

+1. Search for and choose the **ASP.NET Core Web App** template, and then select **Next**.

+1. Enter a name for the project, such as *NewWebAppLocal*.

+1. Choose a location for the project or accept the default option, and then select **Next**.

+1. Accept the default for the **Framework**, **Authentication type**, and **Configure for HTTPS**. **Authentication type** can be set to none as this tutorial will cover this process.

+1. Select **Create**.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. Open Visual Studio Code, select **File > Open Folder...**. Navigate to and select the location in which to create your project.

+1. Create a new folder using the **New Folder...** icon in the **Explorer** pane. Provide a name similar to the one registered previously, for example, *NewWebAppLocal*.

+1. Open a new terminal by selecting **Terminal > New Terminal**.

+1. To create an **ASP.NET Core Web App** template, run the following commands in the terminal to change into the directory and create the project:

+ ```powershell

+ cd NewWebAppLocal

+ dotnet new webapp

+ ```

+### [Visual Studio for Mac](#tab/visual-studio-for-mac)

+1. Open Visual Studio, and then select **New**.

+1. Under **Web and Console** in the left navigation bar, select **App**.

+1. Under **ASP.NET Core**, select **Web Application** and ensure **C#** is selected in the drop down menu, then select **Continue**.

+1. Ensure the **Target Framework** is set to **.NET 6.0** at a minimum.

+1. Enter a name for **Project name**, this is reflected in **Solution Name**. Provide a similar name to the one registered on the Azure portal, such as *NewWebAppLocal*.

+1. Accept the default location for the project or choose a different location, and then select **Create**.

+## Create and upload a self-signed certificate

+The use of certificates is a suggested way of securing communication between client and server. For the purpose of this tutorial, a self-signed certificate will be created in the project directory. Learn more about self-signed certificates [here](howto-create-self-signed-certificate.md).

+### [Visual Studio](#tab/visual-studio)

+1. Select **Tools > Command Line > Developer Command Prompt**.

+1. Enter the following command to create a new self-signed certificate:

+ ```powershell

+ dotnet dev-certs https -ep ./certificate.crt --trust

+ ```

+### [Visual Studio Code](#tab/visual-studio-code)

+1. In the **Terminal**, enter the following command to create a new self-signed certificate:

+ ```powershell

+ dotnet dev-certs https -ep ./certificate.crt --trust

+ ```

+### [Visual Studio for Mac](#tab/visual-studio-for-mac)

+1. Locate the **Terminal** option in your project.

+1. Enter the following command to create a new self-signed certificate:

+ ```powershell

+ dotnet dev-certs https -ep ./certificate.crt --trust

+ ```

+### Upload certificate to the portal

+To make the certificate available to the application, it must be uploaded into the tenant.

+1. Starting from the **Overview** page of the app created earlier, under **Manage**, select **Certificates & secrets** and select the **Certificates (0)** tab.

+1. Select **Upload certificate**.

+ :::image type="content" source="./media/web-app-tutorial-02-prepare-application/upload-certificate-inline.png" alt-text="Screenshot of uploading a certificate into an Azure Active Directory tenant." lightbox="./media/web-app-tutorial-02-prepare-application/upload-certificate-expanded.png":::

+1. Select the **folder** icon, then browse for and select the certificate that was previously created.

+1. Enter a description for the certificate and select **Add**.

+1. Record the **Thumbprint** value, which will be used in the next step.

+ :::image type="content" source="./media/web-app-tutorial-02-prepare-application/copy-certificate-thumbprint.png" alt-text="Screenshot showing copying the certificate thumbprint.":::

+## Configure the application for authentication and API reference

+The values recorded earlier will be used in *appsettings.json* to configure the application for authentication. *appsettings.json* is a configuration file that is used to store application settings used during run-time. As the application will also call into a web API, it must also contain a reference to it.

+1. In your IDE, open *appsettings.json* and replace the file contents with the following snippet:

+

+ :::code language="json" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/appsettings.json" :::

+ * `Instance` - The authentication endpoint. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints).

+ * `TenantId` - The identifier of the tenant where the application is registered. Replace the text in quotes with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.

+ * `ClientId` - The identifier of the application, also referred to as the client. Replace the text in quotes with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.

+ * `ClientCertificates` - A self-signed certificate is used for authentication in the application. Replace the text of the `CertificateThumbprint` with the thumbprint of the certificate that was previously recorded.

+ * `CallbackPath` - Is an identifier to help the server redirect a response to the appropriate application.

+ * `DownstreamApi` - Is an identifier that defines an endpoint for accessing Microsoft Graph. The application URI is combined with the specified scope. To define the configuration for an application owned by the organization, the value of the `Scopes` attribute is slightly different.

+1. Save changes to the file.

+1. In the **Properties** folder, open the *launchSettings.json* file.

+1. Find and record the `https` value `applicationURI` within *launchSettings.json*, for example `https://localhost:{port}`. This URL will be used when defining the **Redirect URI**.

+## Define the platform and URLs

+1. In the Azure portal, under **Manage**, select **App registrations**, and then select the application that was previously created.

+1. In the left menu, under **Manage**, select **Authentication**.

+1. In **Platform configurations**, select **Add a platform**, and then select **Web**.

+ :::image type="content" source="./media/web-app-tutorial-02-prepare-application/select-platform-inline.png" alt-text="Screenshot on how to select the platform for the application." lightbox="./media/web-app-tutorial-02-prepare-application/select-platform-expanded.png":::

+1. Under **Redirect URIs**, enter the `applicationURL` and the `CallbackPath`, `/signin-oidc`, in the form of `https://localhost:{port}/signin-oidc`.

+1. Under **Front-channel logout URL**, enter the following URL for signing out, `https://localhost:{port}/signout-oidc`.

+1. Select **Configure**.

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Add sign-in to an application](web-app-tutorial-03-sign-in-users.md)

+ Title: "Tutorial: Add sign in to an application"

+description: Add sign in to an ASP.NET Core application using Visual Studio.

+#Customer intent: As an application developer, I want to install the NuGet packages necessary for authentication in my IDE, and implement authentication in my web app.

+# Tutorial: Add sign in to an application

+In the [previous tutorial](web-app-tutorial-02-prepare-application.md), an ASP.NET Core project was created and configured for authentication. This tutorial will install the required packages and add code that implements authentication to the sign in and sign out experience.

+In this tutorial:

+> [!div class="checklist"]

+> * Identify and install the NuGet packages that are needed for authentication

+> * Implement authentication in the code

+> * Add the sign in and sign out experiences

+## Prerequisites

+* Completion of the prerequisites and steps in [Tutorial: Prepare an application for authentication](web-app-tutorial-02-prepare-application.md).

+## Install identity packages

+Identity related **NuGet packages** must be installed in the project for authentication of users to be enabled.

+### [Visual Studio](#tab/visual-studio)

+1. In the top menu of Visual Studio, select **Tools > NuGet Package Manager > Manage NuGet Packages for Solution**.

+1. With the **Browse** tab selected, search for and select **Microsoft.Identity.Web.UI**. Select the **Project** checkbox, and then select **Install**.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. In the Visual Studio Code terminal, navigate to *NewWebAppLocal*.

+1. Enter the following commands to install the relevant NuGet packages:

+ ```powershell

+ dotnet add package Microsoft.Identity.Web.UI

+ dotnet add package Microsoft.Identity.Web.Diagnostics

+ ```

+### [Visual Studio for Mac](#tab/visual-studio-for-mac)

+1. In the top menu, select **Tools** > **Manage NuGet Packages**.

+1. Search for **Microsoft.Identity.Web**, select the `Microsoft.Identity.Web` package, select **Project**, and then select **Add Package**.

+1. Modify your search to read **Microsoft.Identity.Web.UI** and select **Add Packages**.

+1. In the pop-up, ensure the correct project is selected, then select **Ok**.

+1. Select **Accept** if additional **License Acceptance** windows appear.

+## Implement authentication and acquire tokens

+1. Open *Program.cs* and replace the entire file contents with the following snippet:

+

+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Program.cs" :::

+## Add the sign in and sign out experience

+After installing the NuGet packages and adding necessary code for authentication, add the sign in and sign out experiences.

+### Create the *_LoginPartial.cshtml* file

+### [Visual Studio](#tab/visual-studio)

+1. Expand **Pages**, right-click **Shared**, and then select **Add > Razor page**.

+1. Select **Razor Page - Empty**, and then select **Add**.

+1. Enter *_LoginPartial.cshtml* for the name, and then select **Add**.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. In the Explorer bar, select **Pages**, right-click **Shared**, and select **New File**. Give it the name *_LoginPartial.cshtml*.

+### [Visual Studio for Mac](#tab/visual-studio-for-mac)

+1. Expand **Pages**, right-click **Shared**, and then select **Add > Razor page**.

+1. Select **Razor Page - Empty**, and then select **Add**.

+1. Enter *_LoginPartial.cshtml* for the name, and then select **Add**.

+### Edit the *_LoginPartial.cshtml* file

+1. Open *_LoginPartial.cshtml* and add the following code for adding the sign in and sign out experience:

+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Pages/Shared/_LoginPartial.cshtml" :::

+1. Open *_Layout.cshtml* and add a reference to `_LoginPartial` created in the previous step. This single line should be placed between `</ul>` and `</div>`:

+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Pages/Shared/_Layout.cshtml" range="29-31" :::

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Call an API and display results](web-app-tutorial-04-call-web-api.md)

+ Title: "Tutorial: Call an API and display the results"

+description: Call an API and display the results.

+#Customer intent: As an application developer, I want to use my app to call a web API, in this case Microsoft Graph. I need to know how to modify my code so the API can be called successfully.

+# Tutorial: Call an API and display the results

+The application can now be configured to call an API. For the purposes of this tutorial, the Microsoft Graph API will be called to display the profile information of the logged-in user.

+In this tutorial:

+> [!div class="checklist"]

+> * Call the API and display the results

+> * Test the application

+## Prerequisites

+* Completion of the prerequisites and steps in [Tutorial: Add sign in to an application](web-app-tutorial-03-sign-in-users.md).

+## Call the API and display the results

+1. Under **Pages**, open the *Index.cshtml.cs* file and replace the entire contents of the file with the following snippet. Check that the project `namespace` matches your project name.

+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Pages/Index.cshtml.cs" :::

+1. Open *Index.cshtml* and add the following code to the bottom of the file. This will handle how the information received from the API is displayed:

+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Pages/Index.cshtml" range="13-17" :::

+## Test the application

+### [Visual Studio](#tab/visual-studio)

+1. Start the application by selecting **Start without debugging**.

+### [Visual Studio Code](#tab/visual-studio-code)

+1. Start the application by typing the following in the terminal:

+ #### [.NET 6.0](#tab/dotnet6)

+ ```powershell

+ dotnet run

+ ```

+ #### [.NET 7.0](#tab/dotnet7)

+ ```powershell

+ dotnet run --launch-profile https

+ ```

+### [Visual Studio for Mac](#tab/visual-studio-for-mac)

+1. Start the application by selecting the **Play** icon.

+2. Depending on your IDE, you may need to enter the application URI into the browser, for example `https://localhost:7100`. After the sign in window appears, select the account in which to sign in with. Ensure the account matches the criteria of the app registration.

+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/pick-account.png" alt-text="Screenshot depicting account options to sign in.":::

+

+1. Upon selecting the account, a second window appears indicating that a code will be sent to your email address. Select **Send code**, and check your email inbox.

+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/sign-in-send-code.png" alt-text="Screenshot depicting a screen to send a code to the user's email.":::

+

+1. Open the email from the sender **Microsoft account team**, and enter the 7-digit *single-use code*. Once entered, select **Sign in**.

+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/enter-code.png" alt-text="Screenshot depicting the single-use code sign in procedure.":::

+1. For **Stay signed in**, you can select either **No** or **Yes**.

+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/stay-signed-in.png" alt-text="Screenshot depicting the option on whether to stay signed in.":::

+1. The app will ask for permission to sign in and access data. Select **Accept** to continue.

+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/permissions-requested.png" alt-text="Screenshot depicting the permission requests.":::

+1. The web app now displays profile data acquired from the Microsoft Graph API.

+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/display-api-call-results.png" alt-text="Screenshot depicting the results of the API call.":::

+## Next steps

+Learn how to use the Microsoft identity platform by trying out the following tutorial series on how to build a web API.

+> [!div class="nextstepaction"]

+> [Tutorial: Register a web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md)

+ Title: Join a new Windows 11 device with Azure AD during the out of box experience

+Windows 11 users can join new Windows devices to Azure AD during the first-run out-of-box experience (OOBE). This functionality enables you to distribute shrink-wrapped devices to your employees or students.

+ Title: Clean up unmanaged Azure Active Directory accounts

+description: Clean up unmanaged accounts using email one-time password and PowerShell modules in Azure AD

+Prior to August 2022, Azure Active Directory B2B (Azure AD B2B) supported self-service sign-up for email-verified users. With this feature, users create Azure AD accounts, when they verify email ownership. These accounts were created in unmanaged (or viral) tenants: users created accounts with an organization domain, not under IT team management. Access persists after users leave the organization.

+To learn more, see, [What is self-service sign-up for Azure AD?](./directory-self-service-signup.md)

+ > [!NOTE]

+ > Unmanaged Azure AD accounts via Azure AD B2B were deprecated. As of August 2022, new B2B invitations can't be redeemed. However, invitations prior to August 2022 were redeemable with unmanaged Azure AD accounts.

+Use the following guidance to remove unmanaged Azure AD accounts from Azure AD tenants. Tool features help identify viral users in the Azure AD tenant. You can reset the user redemption status.

+* Use the sample application in [Azure-samples/Remove-unmanaged-guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests)

+* Use PowerShell cmdlets in [AzureAD/MSIdentityTools](https://github.com/AzureAD/MSIdentityTools/wiki/)

+After you run a tool, users with unmanaged Azure AD accounts access the tenant, and re-redeem their invitations. However, Azure AD prevents users from redeeming with an unmanaged Azure AD account. They can redeem with another account type. Google Federation and SAML/WS-Federation aren't enabled by default. Therefore, users redeem with a Microsoft account (MSA) or email one-time password (OTP). MSA is recommended.

+Learn more: [Invitation redemption flow](../external-identities/redemption-experience.md#invitation-redemption-flow)

+It's possible to convert some unmanaged tenants to managed tenants.

+Learn more: [Take over an unmanaged directory as administrator in Azure AD](./domains-admin-takeover.md)

+Some overtaken domains might not be updated. For example, a missing DNS TXT record indicates an unmanaged state. Implications are:

+* For guest users from unmanaged tenants, redemption status is reset. A consent prompt appears.

+ * Redemption occurs with same account

+* The tool might identify unmanaged users as false positives after you reset unmanaged user redemption status

+## Reset redemption with a sample application

+Use the sample application on [Azure-Samples/Remove-Unmanaged-Guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests).

+MSIdentityTools PowerShell Module is a collection of cmdlets and scripts, which you use in the Microsoft identity platform and Azure AD. Use the cmdlets and scripts to augment PowerShell SDK capabilities. See, [microsoftgraph/msgraph-sdk-powershell](https://github.com/microsoftgraph/msgraph-sdk-powershell).

+* `Install-Module Microsoft.Graph -Scope CurrentUser`

+* `Install-Module MSIdentityTools`

+* `Import-Module msidentitytools,microsoft.graph`

+* `Connect-MgGraph -Scope User.ReadAll`

+* `Get-MsIdUnmanagedExternalUser`

+* `Connect-MgGraph -Scopes User.ReadWriteAll`

+* `Get-MsIdUnmanagedExternalUser | Reset-MsIdExternalUser`

+* `Connect-MgGraph -Scopes User.ReadWriteAll`

+* `Get-MsIdUnmanagedExternalUser | Remove-MgUser`

+## Resources

+See, [Get-MSIdUnmanagedExternalUser](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MsIdUnmanagedExternalUser). The tool returns a list of external unmanaged users, or viral users, in the tenant.

+ Title: University multilateral federation baseline design

+description: Baseline design for a multilateral federation solution for universities.

+# Baseline architecture overview

+Microsoft frequently speaks with research universities that operate in hybrid environments in which applications are either cloud-based or hosted on-premises. In both cases, applications can use different authentication protocols. In some cases, these protocols are reaching end-of-life or are not providing the required level of security.

+[](media/multilateral-federation-baseline/typical-baseline-environment.png#lightbox)

+Applications drive much of the need for different authentication protocols and different identity management mechanisms (IdM).

+In research university environments, research apps often drive IdM requirements. A federation provider, such as Shibboleth, might be used as a primary identity provider (IdP). If this is the case, Azure AD is often configured to federate with Shibboleth. If Microsoft 365 apps are also in use, Azure AD enables you to configure integration.

+Applications used in research universities operate in various portions of the overall IT footprint:

+* Research and multilateral federation applications are made available through InCommon and EduGAIN.

+* Library applications provide access to electronic journals and other e-content providers.

+* Some applications use legacy authentication protocols such as Central Authentication Service (CAS) to enable single sign-on.

+* Student and faculty applications often use multiple authentication mechanisms. For example, some are integrated with Shibboleth or other federation providers, while others are integrated with Azure AD.

+* Microsoft 365 applications are integrated with Azure AD.

+* Windows Server Active Directory (AD) might be in use and synchronized to Azure AD.

+* Lightweight Directory Access Protocol (LDAP) is in use at many universities that might have an external LDAP directory or Identity Registry. These registries are often used to house confidential attributes, role hierarchy information, and even certain types of users, such as applicants.

+* On-premises AD, or an external LDAP directory, is often used to enable single-credential sign-in for non-web applications and various non-Microsoft operating system sign-ins.

+## Baseline architecture challenges

+Often, baseline architectures evolve over time, introducing complexity and rigidness to the design and ability to update. Some of the challenges with using the baseline architecture include:

+* **Hard to react to new requirements** - Having a complex environment makes it hard to quickly adapt and keep up with the most recent regulations and requirements. For example, if you have apps in lots of different locations and these apps are all connected in different ways with different IdMs, you run into the problem of where to locate multi-factor authentication (MFA) services and how to enforce MFA. Higher education also experiences fragmented service ownership. The people responsible for key services such as enterprise resource planning (ERP), learning management system (LMS), division, and department solutions might resist efforts to change or modify the systems they operate.

+* **Can't take advantage of all Microsoft 365 capabilities for all apps** (Intune, Conditional Access, passwordless, etc.) - Many universities want to move towards the cloud and leverage their existing investments in Azure AD. However, with a different federation provider as their primary IdP, universities can't take advantage of all the Microsoft 365 capabilities for the rest of their apps.

+* **Complexity of solution** - There are many different components to manage, with some components in the cloud and some on-premises or in IaaS instances. Apps are operated in many different places. From a user perspective, this can be a disjointed experience. For example, sometimes users see a Shibboleth login page and other times an Azure AD login page.

+We present three different solutions, designed to solve these challenges, while also addressing the following requirements:

+* Ability to participate in multilateral federations such as InCommon and eduGAIN

+* Ability to support all types of apps (even those that require legacy protocols)

+* Ability to support external directories and attribute stores

+These three solutions are presented in order from most preferred to least preferred. Each satisfies requirements but introduces tradeoff decisions expected in a complex architecture. Based on your requirements and starting point, select the one that best suits your environment. A decision tree is provided to help aid in this decision.

+## Next steps

+See these related multilateral federation articles:

+[Multilateral federation introduction](multilateral-federation-introduction.md)

+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)

+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)

+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)

+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)

+ Title: University multilateral federation decision tree

+description: Use this decision tree to help design a multilateral federation solution for universities.

+# Decision tree

+Use this decision tree to help you determine the solution best suited for your environment.

+[](media/multilateral-federation-decision-tree/tradeoff-decision-matrix.png#lightbox)

+## Migration resources

+The following are resources to help with your migration to the solutions covered in this content.

+| Migration Resource | Description | Relevant for migrating to... |

+| - | - | - |

+| [Resources for migrating applications to Azure Active Directory (Azure AD)](../manage-apps/migration-resources.md) | List of resources to help you migrate application access and authentication to Azure AD | Solution 1, Solution 2, and Solution 3 |

+| [Azure AD custom claims provider](../develop/custom-claims-provider-overview.md)|This article provides an overview to the Azure AD custom claims provider | Solution 1 |

+| [Custom security attributes documentation](../fundamentals/custom-security-attributes-manage.md) | This article describes how to manage access to custom security attributes | Solution 1 |

+| [Azure AD SSO integration with Cirrus Identity Bridge](../saas-apps/cirrus-identity-bridge-for-azure-ad-tutorial.md) | Tutorial to integrate Cirrus Identity Bridge for Azure AD with Azure AD | Solution 1 |

+| [Cirrus Identity Bridge Overview](https://blog.cirrusidentity.com/documentation/azure-bridge-setup-rev-6.0) | Link to the documentation for the Cirrus Identity Bridge | Solution 1 |

+| [Configuring Shibboleth as SAML Proxy](https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1467056889/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD) | Link to a Shibboleth article that describes how to use the SAML proxying feature to connect Shibboleth IdP to Azure AD | Solution 2 |

+| [Azure MFA deployment considerations](../authentication/howto-mfa-getstarted.md) | Link to guidance for configuring multi-factor authentication (MFA) using Azure AD | Solution 1 and Solution 2 |

+## Next steps

+See these additional multilateral federation articles:

+[Multilateral federation introduction](multilateral-federation-introduction.md)

+[Multilateral federation baseline design](multilateral-federation-baseline.md)

+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)

+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)

+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)

+ Title: University multilateral federation solution design

+description: Learn how to design a multilateral federation solution for universities.

+# Introduction to multilateral federation solutions

+Research universities need to collaborate with one another. To accomplish collaboration, they require multilateral federation to enable authentication and access between universities globally.

+## Challenges with multilateral federation solutions

+Universities face many challenges. For example, one university might use one identity management system and a set of protocols while other universities use a different set of technologies, depending on their requirements. In general, universities can:

+* Use different identity management systems

+* Use different protocols

+* Use customized solutions

+* Require support for a long history of legacy functionality

+* Need to support solutions that are built in different IT generations

+Many universities are also adopting the Microsoft 365 suite of productivity and collaboration tools. These tools rely on Azure Active Directory (Azure AD) for identity management, which enables universities to configure:

+* Single sign-on (SSO) across multiple applications

+* Modern security controls, including passwordless authentication, MFA, adaptive conditional access, and Identity Protection

+* Enhanced reporting and monitoring

+Because Azure AD doesn't natively support multilateral federation, this content describes three solutions for federating authentication and access between universities with typical research university architecture. In these scenarios, non-Microsoft products are mentioned for illustrative purposes only and represent the broader class of product. For example, Shibboleth is used as an example of a federation provider.

+## Next steps

+See these other multilateral federation articles:

+[Multilateral federation baseline design](multilateral-federation-baseline.md)

+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)

+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)

+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)

+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)

+ Title: University multilateral federation design scenario one

+description: First scenario design considerations for a multilateral federation solution for universities.

+# Solution 1: Azure AD with Cirrus Bridge

+In Solution 1, Azure AD is used as the primary IdP for all applications while a managed service provides multilateral federation. In this example, Cirrus Bridge is the managed service used for integration of CAS and multilateral federation apps.

+[](media/multilateral-federation-solution-one/azure-ad-cirrus-bridge.png#lightbox)

+If on-premises Active Directory is also being used, then [AD is configured](../hybrid/whatis-hybrid-identity.md) with hybrid identities. Implementing this Azure AD with Cirrus Bridge solution provides:

+* **A Security Assertion Markup Language (SAML) bridge** - Enables you to configure multilateral federation and participation in InCommon and EduGAIN. The SAML bridge also enables you to configure Azure AD conditional access policies, app assignment, governance, and other features for each multilateral federation app.

+* **CAS bridge** - Enables you to provide protocol translation to support on-premises CAS apps to authenticate with Azure AD. The CAS bridge enables you to configure Azure AD conditional access policies, app assignment, and governance for all CAS apps, as a whole.

+Implementing Azure AD with Cirrus bridge enables you to take advantage of more capabilities available in Azure AD:

+* **External attribute store support** - [Azure AD custom claims provider](../develop/custom-claims-provider-overview.md) enables you to use an external attribute store (like an external LDAP Directory) to add additional claims into tokens on a per app basis. It uses a custom extension that calls an external REST API to fetch claims from external systems.

+* **Custom security attributes** - Provides you with the ability to add custom attributes to objects in the directory and control who can read them. [Custom security attributes](../fundamentals/custom-security-attributes-overview.md) enable you to store more of your attributes directly in Azure AD.

+## Advantages

+The following are some of the advantages of implementing Azure AD with Cirrus bridge:

+* **Seamless cloud authentication for all apps**

+ * Elimination of all on-premises identity components can lower your operational effort and potentially reduce security risks.

+ * You may realize cost savings resulting from not having to host on-premises infrastructure.

+ * This managed solution may help you save on operational administration costs and improve security posture and free up resources for other efforts.

+* **Streamlined configuration, deployment, and support model**

+ * [Cirrus Bridge](../saas-apps/cirrus-identity-bridge-for-azure-ad-tutorial.md) is registered in the Azure AD app gallery.

+ * You benefit from an established process for configuring and setting up the bridge solution.

+ * Cirrus Identity provides 24/7 support.

+* **Conditional Access (CA) support for multilateral federation apps**

+ * You receive support for [National Institutes of Health (NIH)](https://auth.nih.gov/CertAuthV3/forms/help/compliancecheckhelp.html) and Research and Education FEDerations group (REFEDS).

+ * This solution is the only architecture that enables you to configure granular Azure AD CA for multilateral federation apps.

+ * Granular CA is supported for both multilateral federation apps and CAS apps. Implementation of CA controls enables you to comply with the [NIH](https://auth.nih.gov/CertAuthV3/forms/help/compliancecheckhelp.html) and [REFEDS](https://refeds.org/category/research-and-scholarship) requirements.

+* **Enables you to use other Azure AD-related solutions for all apps** (Intune, AADJ devices, etc.)

+ * Enables you to use Azure AD Join for device management.

+ * Azure AD Join provides you with the ability to use Autopilot, Azure AD Multi-Factor Authentication, passwordless features, and supports achieving a Zero Trust posture.

+> [!NOTE]

+> Switching to Azure AD Multi-Factor Authentication may allow you to realize significant cost savings over other solutions you have in place.

+## Considerations and trade-offs

+The following are some of the trade-offs of using this solution:

+* **Limited ability to customize your authentication experience** - This scenario provides a managed solution. Therefore, this solution might not offer you the flexibility or granularity to build a custom solution using federation provider products.

+* **Limited third-party MFA integration** - You might be limited by the number of integrations available to third-party MFA solutions.

+* **One time integration effort required** - To streamline integration, you need to perform a one-time migration of all student and faculty apps to Azure AD, as well as set up the Cirrus Bridge.

+* **Subscription required for Cirrus Bridge** - An annual subscription is required for the Cirrus Bridge. The subscription fee is based on anticipated annual authentication usage of the bridge.

+## Next steps

+See these other multilateral federation articles:

+[Multilateral federation introduction](multilateral-federation-introduction.md)

+[Multilateral federation baseline design](multilateral-federation-baseline.md)

+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)

+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)

+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)

+ Title: University multilateral federation design scenario three

+description: Third scenario design considerations for a multilateral federation solution for universities.

+# Solution 3: Azure AD with ADFS and Shibboleth

+In Solution 3, the federation provider is the primary IdP. As shown in this example, Shibboleth is the federation provider for integration of multilateral federation apps, on-premises CAS apps, and any LDAP directories.

+[](media/multilateral-federation-solution-three/shibboleth-adfs-azure-ad.png#lightbox)

+In this scenario, Shibboleth is the primary IdP. Participation in multilateral federations (for example, with InCommon) is done through Shibboleth, which natively supports this integration. On-premises CAS apps and the LDAP directory are also integrated with Shibboleth.

+Student apps, faculty apps, and Microsoft 365 apps are integrated with Azure AD. Any on-premises instance of AD is synced to Azure AD. Active Directory Federated Services (ADFS) is used for third-party multi-factor authentication (MFA) integration. ADFS is also used to perform protocol translation and to enable certain Azure AD features such as Azure AD Join for device management, Autopilot, and passwordless features.

+## Advantages

+The following are some of the advantages of using this solution:

+* **Customized authentication** - Enables you to customize the experience for multilateral federation apps through Shibboleth.

+* **Ease of execution** - Simple to implement in the short-term for institutions already using Shibboleth as their primary IdP. You need to migrate student and faculty apps to Azure AD and add an ADFS instance.

+* **Minimal disruption** - Allows third-party MFA so you can keep existing MFA solutions such as Duo in place until you're ready for an update.

+## Considerations and trade-offs

+The following are some of the trade-offs of using this solution:

+* **Higher complexity and security risk** - With an on-premises footprint, there may be higher complexity to the environment and extra security risks. There may also be increased overhead and fees associated with managing these on-premises components.

+* **Suboptimal authentication experiences** - For multilateral federation and CAS apps, there's no cloud-based authentication mechanism and there might be multiple redirects.

+* **No granular CA support** - This solution doesn't provide granular Conditional Access (CA) support.

+* **No Azure AD Multi-Factor Authentication support** - This solution doesn't enable Azure AD Multi-Factor Authentication support for multilateral federation or CAS apps and might cause you to miss out on potential cost savings.

+* **Significant ongoing staff allocation** - IT staff must maintain infrastructure and software for the authentication solution. Any staff attrition might introduce risk.

+## Next steps

+See these related multilateral federation articles:

+[Multilateral federation introduction](multilateral-federation-introduction.md)

+[Multilateral federation baseline design](multilateral-federation-baseline.md)

+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)

+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)

+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)

+ Title: University multilateral federation design scenario two

+description: Second scenario design considerations for a multilateral federation solution for universities.

+# Solution 2: Azure AD to Shibboleth as SP Proxy

+In Solution 2, Azure AD acts as the primary IdP and the federation provider acts as a SAML proxy to the CAS apps and the multilateral federation apps. In this example, we show [Shibboleth acting as the SAML proxy](https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1467056889/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD) to provide a reference link.

+[](media/multilateral-federation-solution-two/azure-ad-shibboleth-as-sp-proxy.png#lightbox)

+Azure AD is the primary IdP so all student and faculty apps are integrated with Azure AD. All Microsoft 365 apps are also integrated with Azure AD. If Active Directory Domain Services (AD) is in use, then it also is synchronized with Azure AD.

+The SAML proxy feature of Shibboleth integrates with Azure AD. In Azure AD, Shibboleth appears as a non-gallery enterprise application. Universities can get single sign-on (SSO) for their CAS apps and can participate in the InCommon environment. Additionally, Shibboleth provides integration for Lightweight Directory Access Protocol (LDAP) directory services.

+## Advantages

+The following are some of the advantages of using this solution:

+* **Provides cloud authentication for all apps** - All apps

+ authenticate through Azure AD.

+* **Ease of execution** - This solution provides short-term

+ ease-of-execution for universities that are already using

+ Shibboleth.

+## Considerations and trade-offs

+The following are some of the trade-offs of using this solution:

+* **Limited authentication experience customization** - There are

+ limited options for customizing the authentication experience for

+ end users.

+* **Limited third-party MFA integration** - The number of integrations

+ available to third-party MFA solutions might be limited.

+* **Higher complexity and security risk** - With an on-premises

+ footprint, there might be higher complexity to the environment and

+ extra security risks. There might also be increased overhead

+ and fees associated with managing these on-premises components.

+* **Suboptimal authentication experiences** - For multilateral

+ federation and CAS apps, the authentication experience for end users

+ might be suboptimal due to redirects through Shibboleth.

+* **No granular CA support** - This solution doesn't provide

+ granular Conditional Access (CA) support, meaning that you would

+ have to decide on either the least common denominator (optimize for

+ less friction, but limited security controls) or the highest common

+ denominator (optimize for security controls, but at the expense of

+ user friction) with limited ability to make granular decisions.

+## Next steps

+See these other multilateral federation articles:

+[Multilateral federation introduction](multilateral-federation-introduction.md)

+[Multilateral federation baseline design](multilateral-federation-baseline.md)

+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)

+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)

+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)

+When you link your Azure Logic App with the custom task extension task, there are certain prerequisites that must be completed before the link can be established.

+To create a Logic App, you must have:

+- A valid Azure subscription

+- A compatible resource group where the Logic App is located

+> [!NOTE]

+> The resource group needs permissions to create, update, and read the Logic App while the custom extension is being created.

+The roles on the Azure Logic App required with the custom task extension, are as follows:

+> The **Logic App Operator** role alone will not work with the custom task extension. For more information on the required **Logic App contributor** role, see: [Logic App Contributor](../../role-based-access-control/built-in-roles.md#logic-app-contributor).

+- **Launch and continue** - The Azure Logic App is started, and the following task execution immediately continues with no response expected from the Azure Logic App. This scenario is best suited if the Lifecycle workflow doesn't require any feedback (including status) from the Azure Logic App. If the Logic App is started successfully, the Lifecycle Workflow task is considered a success.

+> [!NOTE]

+> You can also deploy a custom task that calls to a third party system. To learn more about this call, see: [taskProcessingResult: resume](/graph/api/identitygovernance-taskprocessingresult-resume).

+When you create a custom task extension that waits for a response from the Logic App, you're able to define which applications can send a response

+- **System-assigned managed identity (Default)** - With this choice you Enable and utilize the Logic Apps system-assigned managed identity. For more information, see: [Authenticate access to Azure resources with managed identities in Azure Logic Apps](/azure/logic-apps/create-managed-service-identity)

+- **No authorization** - With this choice you assign a Logic App or third party application an application permission (LifecycleWorkflows.ReadWrite.All), or role assignment (Lifecycle Workflows Administrator). This choice doesn't follow least privilege access as outlined in Azure Active Directory best practices. For more information on best practices for roles, see: [Best Practices for Azure AD roles](/azure/active-directory/roles/best-practices).

+- **Existing application** - With this choice you're able to choose an existing application to respond. You are able to choose applications that are user-assigned or regular applications. For more information on managed identity types, see: [Managed identity types](../managed-identities-azure-resources/overview.md#managed-identity-types).

+Verify any settings that might have been customized for your federation design and deployment documentation. Specifically, look for customizations in **PreferredAuthenticationProtocol**, **federatedIdpMfaBehavior**, **SupportsMfa** (if **federatedIdpMfaBehavior** isn't set), and **PromptLoginBehavior**.

+Proactively communicate with your users how their experience changes, when it changes, and how to gain support if they experience issues.

+Modern authentication clients (Office 2016 and Office 2013, iOS, and Android apps) use a valid refresh token to obtain new access tokens for continued access to resources instead of returning to AD FS. These clients are immune to any password prompts resulting from the domain conversion process. The clients continue to function without extra configuration.

+The onload.js file can't be duplicated in Azure AD. If your AD FS instance is heavily customized and relies on specific customization settings in the onload.js file, verify if Azure AD can meet your current customization requirements and plan accordingly. Communicate these upcoming changes to your users.

+You can't customize Azure AD sign-in experience. No matter how your users signed-in earlier, you need a fully qualified domain name such as User Principal Name (UPN) or email to sign into Azure AD.

+>Organization branding isn't available in free Azure AD licenses unless you've a Microsoft 365 license.

+For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. You can enable protection to prevent bypassing of Azure AD Multi-Factor Authentication by configuring the security setting **federatedIdpMfaBehavior**. Enable the protection for a federated domain in your Azure AD tenant. Make sure that Azure AD Multi-Factor Authentication is always performed when a federated user accesses an application that is governed by a Conditional Access policy that requires MFA. This includes performing Azure AD Multi-Factor Authentication even when federated identity provider has issued federated token claims that on-premises MFA has been performed. Enforcing Azure AD Multi-Factor Authentication every time assures that a bad actor can't bypass Azure AD Multi-Factor Authentication by imitating that identity provider already performed MFA and is highly recommended unless you perform MFA for your federated users using a third party MFA provider.

+| acceptIfMfaDoneByFederatedIdp | Azure AD accepts MFA that federated identity provider performs. If the federated identity provider didn't perform MFA, Azure AD performs the MFA. |

+| enforceMfaByFederatedIdp | Azure AD accepts MFA that federated identity provider performs. If the federated identity provider didn't perform MFA, it redirects the request to federated identity provider to perform MFA. |

+| rejectMfaByFederatedIdp | Azure AD always performs MFA and rejects MFA that federated identity provider performs. |

+- Switching between **federatedIdpMfaBehavior** and **SupportsMfa** isn't supported.

+- If the **federatedIdpMfaBehavior** property is never set, Azure AD continues to honor the **SupportsMfa** setting.

+- If neither **federatedIdpMfaBehavior** nor **SupportsMfa** is set, Azure AD defaults to `acceptIfMfaDoneByFederatedIdp` behavior.

+This section includes prework before you switch your sign-in method and convert the domains.

+Create groups for staged rollout and also for conditional access policies if you decide to add them.

+The members in a group are automatically enabled for staged rollout. Nested and dynamic groups aren't supported for staged rollout.

+### Prework for SSO

+- **For Windows 7 and 8.1 devices**, we recommend using [seamless SSO](how-to-connect-sso.md) with domain-joined to register the computer in Azure AD. You don't have to sync these accounts like you do for Windows 10 devices. However, you must complete this [prework for seamless SSO using PowerShell](how-to-connect-staged-rollout.md#pre-work-for-seamless-sso).

+### Prework for PHS and PTA

+Depending on the choice of sign-in method, complete the [prework for PHS](how-to-connect-staged-rollout.md#pre-work-for-password-hash-sync) or [for PTA](how-to-connect-staged-rollout.md#pre-work-for-pass-through-authentication).

+2. Once testing is complete, [convert domains from federated to be managed](#convert-domains-from-federated-to-managed).

+You've two options for enabling this change:

+ The domain administrator credentials aren't stored in Azure AD Connect or Azure AD and get discarded when the process successfully finishes. They are used to turn ON this feature.

+ > [!IMPORTANT]

+ > At this point, all your federated domains changes to managed authentication. Your selected User sign-in method is the new method of authentication.

+7. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.

+8. Verify these settings:

+ 

+9. In case you're switching to PTA, follow the next steps.

+3. On the **Download agent** page, select **Accept terms and download**.f

+On your Azure AD Connect server, follow the steps 1- 5 in [Option A](#option-a). Notice that on the User sign-in page, the **Do not configure** option is preselected.

+If you used staged rollout, you should remember to turn off the staged rollout features once you've finished cutting over.

+ - The user is in a managed (nonfederated) identity domain.

+If you've Azure AD Connect Health, you can [monitor usage](how-to-connect-health-adfs.md) from the Azure portal. In case the usage shows no new auth req and you validate that all users and clients are successfully authenticating via Azure AD, it's safe to remove the Microsoft 365 relying party trust.

+For a full list of steps to take to completely remove AD FS from the environment follow the [Active Directory Federation Services (AD FS) decommission guide](/windows-server/identity/ad-fs/decommission/adfs-decommission-guide).

+To approve requests, a reviewer must have the [permissions required](grant-admin-consent.md#prerequisites) to grant admin consent for the application requested. Simply designating them as a reviewer doesn't elevate their privileges.

+> You can add or remove reviewers for this workflow by modifying the **Who can review admin consent requests** list. A current limitation of this feature is that a reviewer retains the ability to review requests that were made while they were designated as a reviewer. Additionally, new reviewers will not be assigned to requests that were created before they were set as a reviewer.

+> [!IMPORTANT]

+> Starting April 2023, organizations who use auto-acceleration or smartlinks may begin to see a new screen added to the sign-in UI. This screen, termed the Domain Confirmation Dialog, is part of Microsoft's general commitment to security hardening and requires the user to confirm the domain of the tenant in which they are signing in to. If you see the Domain Confirmation Dialog and do not recognize the tenant domain listed, you should cancel the authentication flow and contact your IT Admin.

+>

+> While the Domain Confirmation Dialog does not need to be shown for every instance of auto-acceleration or smartlinks, the presence of the Domain Confirmation Dialog means auto-acceleration and smartlinks can no longer proceed seamlessly when shown. Finally, given Microsoft identity platform manages the auto-acceleration sign-in flow end-to-end, the introduction of the Domain Confirmation Dialog should not result in any application breakages.

+ Title: Configure F5 BIG-IP Access Policy Manager for form-based SSO

+Learn to configure F5 BIG-IP Access Policy Manager (APM) and Azure Active Directory (Azure AD) for secure hybrid access (SHA) to form-based applications. BIG-IP published services for Azure AD single sign-on (SSO) has benefits:

+* Improved Zero Trust governance through Azure AD preauthentication and Conditional Access

+ * See [What is Conditional Access?](../conditional-access/overview.md)

+ * See [Zero Trust security](../../security/fundamentals/zero-trust.md)

+* Full SSO between Azure AD and BIG-IP published services

+* Managed identities and access from one control plane

+ * See the [Azure portal](https://azure.microsoft.com/features/azure-portal)

+Learn more:

+* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

+* [Enable SSO for an enterprise application](add-application-portal-setup-sso.md)

+For the scenario, there's an internal legacy application configured for form-based authentication (FBA). Ideally, Azure AD manages application access, because legacy lacks modern authentication protocols. Modernization takes time and effort, introducing the risk of downtime. Instead, deploy a BIG-IP between the public internet and the internal application. This configuration gates inbound access to the application.

+With a BIG-IP in front of the application, you can overlay the service with Azure AD preauthentication and header-based SSO. The overlay improves application security posture.

+## Scenario architecture

+The SHA solution has the following components:

+* **Application** - BIG-IP published service protected by SHA.

+ * The application validates user credentials against Active Directory

+ * Use any directory, including Active Directory Lightweight Directory Services, open source, and so on

+* **Azure AD** - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SSO to the BIG-IP.

+ * With SSO, Azure AD provides attributes to the BIG-IP, including user identifiers

+* **BIG-IP** - reverse-proxy and SAML service provider (SP) to the application.

+ * BIG-IP delegating authentication to the SAML IdP then performs header-based SSO to the back-end application.

+ * SSO uses the cached user credentials against other forms-based authentication applications

+SHA supports SP- and IdP-initiated flows. The following diagram illustrates the SP-initiated flow.

+ 

+1. User connects to application endpoint (BIG-IP).

+2. BIG-IP APM access policy redirects user to Azure AD (SAML IdP).

+3. Azure AD preauthenticates user and applies enforced Conditional Access policies.

+4. User is redirected to BIG-IP (SAML SP) and SSO occurs using issued SAML token.

+5. BIG-IP prompts the user for an application password and stores it in the cache.

+6. BIG-IP sends a request to the application and receives a sign on form.

+7. The APM scripting fills in the username and password, then submits the form.

+8. The web server serves application payload and sends it to the client.

+You need the following components:

+* An Azure subscription

+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)

+* For the account, have Azure AD Application Administrator permissions

+* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure

+ * See [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md)

+* Any of the following F5 BIG-IP license SKUs:

+ * F5 BIG-IP® Best bundle

+ * F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license

+ * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

+ * 90-day BIG-IP full feature trial. See [Free Trials](https://www.f5.com/trial/big-ip-trial.php)

+* User identities synchronized from an on-premises directory to Azure AD

+ * See [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)

+* An SSL certificate to publish services over HTTPS, or use default certificates while testing

+ * See [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile)

+* A form-based authentication application, or set up an IIS FBA app for testing

+ * See [Forms-based authentication](/troubleshoot/aspnet/forms-based-authentication)

+## BIG-IP configuration

+The configuration in this article is a flexible SHA implementation: manual creation of BIG-IP configuration objects. Use this approach for scenarios the Guided Configuration templates don't cover.

+ >[!NOTE]

+ >Replace example strings or values with those from your environment.

+BIG-IP registration is the first step for SSO between entities. The app you create from the F5 BIG-IP gallery template is the relying party, representing the SAML SP for the BIG-IP published application.

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrator permissions.

+2. In the left pane, select the **Azure Active Directory** service.

+3. In the left menu, select **Enterprise applications**.

+4. The **All applications** pane opens.

+5. The list of applications in your Azure AD tenant appears.

+6. On the **Enterprise applications** pane, select **New application**.

+7. The **Browse Azure AD Gallery** pane opens.

+8. Tiles appear for cloud platforms, on-premises applications, and featured applications. **Featured applications** icons indicate support of federated SSO and provisioning.

+10. In the Azure gallery, search for **F5**.

+11. Select **F5 BIG-IP APM Azure AD integration**.

+12. Enter a **Name** the new application uses to recognize the application instance.

+13. Select **Add**.

+14. Select **Create**.

+Configure the BIG-IP registration to fulfill SAML tokens that BIG-IP APM requests.

+1. In left menu, in the **Manage** section, select **Single sign-on**.

+2. The **Single sign-on** pane appears.

+3. On the **Select a single sign-on method** page, select **SAML**.

+4. Select **No, I'll save later**.

+5. On the **Set up single sign-on with SAML** pane, select the **pen** icon.

+6. For **Identifier**, replace the value with the BIG-IP published application URL.

+7. For **Reply URL**, replace the value, but retain the path for the application SAML SP endpoint. With this configuration, SAML flow operates in IdP-initiated mode. Azure AD issues a SAML assertion, then the user is redirected to the BIG-IP endpoint.

+9. For SP-initiated mode, for **Sign on URL**, enter the application URL.

+10. For **Logout Url**, enter the BIG-IP APM single logout (SLO) endpoint prepended by the service host header. Then, BIG-IP APM user sessions end when they sign out of Azure AD.

+ 

+ > [!NOTE]

+ > From Traffic Management Operating System (TMOS) v16 onward, the SAML SLO endpoint is `/saml/sp/profile/redirect/slo`.

+11. Select **Save**.

+12. Close the SAML configuration pane.

+13. Skip the SSO test prompt.

+14. Make a note of the **User Attributes & Claims** section properties. Azure AD issues the properties for BIG-IP APM authentication, and SSO to the back-end application.

+15. On the **SAML Signing Certificate** pane, select **Download**.

+16. The **Federation Metadata XML** file is saved to your computer.

+ 

+ > [!NOTE]

+ > Azure AD SAML signing certificates have a lifespan of three years.

+Learn more: [Tutorial: Manage certificates for federated single sign-on](tutorial-manage-certificates-for-federated-single-sign-on.md)

+Azure AD issues tokens for users granted access to an application. To grant specific users and groups application access:

+3. Select the users and groups you want.

+4. Select **Assign**.

+## BIG-IP advanced configuration

+Use the following instructions to configure BIG-IP.

+SAML SP settings define the SAML SP properties that the APM uses to overlay the legacy application with SAML preauthentication. To configure them:

+1. Select **Access** > **Federation** > **SAML Service Provider**.

+2. Select **Local SP Services**.

+3. Select **Create**.

+ 

+4. On the **Create New SAML SP Service** pane, for **Name** and **Entity ID**, enter the defined name and entity ID.

+ 

+ > [!NOTE]

+ > **SP Name Settings** values are required if the entity ID doesn't match the hostname portion of the published URL. Or, values are required if the entity ID isn't in regular hostname-based URL format.

+5. If the entity ID is `urn:myvacation:contosoonline`, enter the application external scheme and hostname.

+### Configure an external IdP connector

+A SAML IdP connector defines settings for the BIG-IP APM to trust Azure AD as its SAML IdP. The settings connect the SAML service provider to a SAML IdP, which establishes the federation trust between the APM and Azure AD.

+To configure the connector:

+1. Select the new SAML service provider object.

+2. Select **Bind/UnbBind IdP Connectors**.

+ 

+3. In the **Create New IdP Connector** list, select **From Metadata**.

+ 

+4. On the **Create New SAML IdP Connector** pane, browse for the Federation Metadata XML file you downloaded.

+5. Enter an **Identity Provider Name** for the APM object that represents the external SAML IdP. For example, MyVacation\_AzureAD.

+ 

+6. Select **Add New Row**.

+7. Select the new **SAML IdP Connector**.

+8. Select **Update**.

+

+ 

+9. Select **OK**.

+ 

+### Configure forms-based SSO

+Create an APM SSO object for FBA SSO to back-end applications.

+Perform FBA SSO in client-initiated mode or BIG-IP-initiated mode. Both methods emulate a user sign-on by injecting credentials into the username and password tags. The form is then autosubmitted. Users provide password to access an FBA application. The password is cached and reused for other FBA applications.

+1. Select **Access** > **Single Sign-on**.

+2. Select **Forms Based**.

+3. Select **Create**.

+4. For **Name**, enter a descriptive name. For example, Contoso\FBA\sso.

+5. For **Use SSO Template**, select **None**.

+6. For **Username Source**, enter the username source to prefill the password collection form. The default `session.sso.token.last.username` works well, because it has the signed-in user Azure AD UPN.

+7. For **Password Source**, keep the default `session.sso.token.last.password`, the APM variable BIG-IP uses to cache user passwords.

+ 

+8. For **Start URI**, enter the FBA application logon URI. If the request URI matches this URI value, the APM form-based authentication executes SSO.

+9. For **Form Action**, leave it blank. Then, the original request URL is used for SSO.

+10. For **Form Parameter for Username**, enter the sign in form username field element. Use the browser dev tools to determine the element.

+11. For **Form Parameter for Password**, enter the sign in form password field element. Use the browser dev tools to determine the element.

+ 

+ 

+To learn more, go to techdocs.f5.com for [Manual Chapter: Single sign-on methods](https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration-14-1-0/single-sign-on-methods.html#GUID-F8588DF4-F395-4E44-881B-8D16EED91449).

+### Configure an access profile

+An access profile binds the APM elements that manage access to BIG-IP virtual servers, including access policies, SSO configuration, and UI settings.

+1. Select **Access** > **Profiles / Policies**.

+2. Select **Access Profiles (Per-Session Policies)**.

+3. Select **Create**.

+4. Enter a **Name**.

+5. For **Profile Type**, select **All**.

+6. For **SSO Configuration**, select the FBA SSO configuration object you created.

+7. For **Accepted Language**, select at least one language.

+ 

+8. In the **Per-Session Policy** column, for the profile, select **Edit**.

+9. The APM Visual Policy Editor starts.

+ 

+10. Under **fallback**, select the **+** sign.

+ 

+11. In the pop-up, select **Authentication**.

+12. Select **SAML Auth**.

+13. Select **Add Item**.

+ 

+14. On **SAML authentication SP**, change the **Name** to **Azure AD Auth**.

+15. In the **AAA Server** dropdown, enter the SAML service provider object you created.

+16. On the **Successful** branch, select the **+** sign.

+17. In the pop-up, select **Authentication**.

+18. Select **Logon Page**.

+19. Select **Add Item**.

+ 

+20. For **usesrname**, in the **Read Only** column, select **Yes**.

+ 

+21. For the sign in page fallback, select the **+** sign. This action adds an SSO credential mapping object.

+22. In the pop-up, select the **Assignment** tab.

+23. Select **SSO Credential Mapping**.

+24. Select **Add Item**.

+ 

+25. On **Variable Assign: SSO Credential Mapping**, keep the default settings.

+26. Select **Save**.

+ 

+27. In the upper **Deny** box, select the link.

+28. The **Successful** branch changes to **Allow**.

+29. Select **Save**.

+#### (Optional) Configure attribute mappings

+You can add a LogonID_Mapping configuration. Then, the BIG-IP active sessions list has the signed-in user UPN, not a session number. Use this information for analyzing logs or troubleshooting.

+1. For the **SAML Auth Successful** branch, select the **+** sign.

+2. In the pop-up, select **Assignment**.

+3. Select **Variable Assign**.

+4. Select **Add Item**.

+ 

+5. On the **Properties** tab, enter a **Name**. For example, LogonID_Mapping.

+6. Under **Variable Assign**, select **Add new entry**.

+7. Select **change**.

+ 

+8. For **Custom Variable**, use `session.logon.last.username`.

+9. For Session Variable, user `session.saml.last.identity`.

+10. Select **Finished**.

+11. Select **Save**.

+12. Select **Apply Access Policy**.

+13. Close the Visual Policy Editor.

+ 

+To enable BIG-IP to forward client traffic correctly, create a BIG-IP node object that represents the back-end server that hosts your application. Then, place that node in a BIG-IP server pool.

+1. Select **Local Traffic** > **Pools**.

+2. Select **Pool List**.

+3. Select **Create**.

+4. Enter a **Name** for a server pool object. For example, MyApps_VMs.

+ 

+5. For **Node Name**, enter a server display name. This server hosts the back-end web application.

+6. For **Address**, enter the application server host IP address.

+7. For **Service Port** enter the HTTP/S port the application is listening on.

+ 

+ >[!NOTE]

+ >Health monitors require configuration this article doesn't cover. Go to support.f5.com for [K13397: Overview of HTTP health monitor request formatting for the BIG-IP DNS system](https://support.f5.com/csp/article/K13397).

+A virtual server is a BIG-IP data-plane object represented by a virtual IP address. The server listens for client requests to the application. Any received traffic is processed and evaluated against the APM access profile associated with the virtual server. The traffic is directed according to policy.

+1. Select **Local Traffic** > **Virtual Servers**.

+2. Select **Virtual Server List**.

+3. Select **Create**.

+4. Enter a **Name**.

+5. For **Destination Address/Mask**, select **Host** and enter an IPv4 or IPv6 address. The address receives client traffic for the published back-end application.

+6. For **Service Port**, select **Port**, enter **443**, and select **HTTPS**.

+ 

+7. For **HTTP Profile (Client)**, select **http**.

+8. For **SSL Profile (Client)**, select the profile you created, or leave the default for testing. This option enables a virtual server for Transport Layer Security (TLS) to publish services over HTTPS.

+ 

+9. For **Source Address Translation**, select **Auto Map**.

+ 

+10. Under **Access Policy**, in the **Access Profile** box, enter the name you created. This action binds the Azure AD SAML preauthentication profile and FBA SSO policy to the virtual server.

+ 

+11. Under **Resources**, for **Default Pool**, select the back-end pool objects you created.

+12. Select **Finished**.

+ 

+### Configure session management settings

+BIG-IP session management settings define conditions for sessions termination and continuation. Create policy in this area.

+1. Go to **Access Policy**.

+2. Select **Access Profiles**.

+3. Select **Access Profile**.

+4. From the list, select your application.

+If you defined a single logout URI value in Azure AD, IdP-initiated sign out from MyApps ends the client and the BIG-IP APM session. The imported application federation metadata XML file provides the APM with the Azure AD SAML endpoint for SP-initiated sign out. Ensure the APM responds correctly to a user sign out.

+If there's no BIG-IP web portal, users can't instruct the APM to sign out. If the user signs out of the application, BIG-IP is oblivious. The application session can be reinstated through SSO. For SP-initiated sign out, ensure sessions terminate securely.

+You can add an SLO function to your application **sign out** button. This function redirects the client to the Azure AD SAML sign out endpoint. To locate SAML sign out endpoint, go to **App Registrations > Endpoints**.

+If you can't change the app, have the BIG-IP listen for the app sign out call and trigger SLO.

+Learn more:

+## Published application

+Your application is published and accessible with SHA with the app URL or Microsoft portals.

+The application appears as a target resource in Conditional Access. Learn more: [Building a Conditional Access policy](../conditional-access/concept-conditional-access-policies.md).

+For increased security, block direct access to the application, enforcing a path through the BIG-IP.

+## Test

+1. With a browser, connect to the application external URL, or in My Apps, select the application icon.

+2. Authenticate to Azure AD.

+3. YouΓÇÖre redirected to the BIG-IP endpoint for the application.

+4. The password prompt appears.

+5. The APM fills the username with the UPN from Azure AD. The username is read-only for session consistency. Hide this field, if needed.

+ 

+6. The information is submitted.

+7. You're signed in to the application.

+ 

+When troubleshooting, consider the following information

+* BIG-IP performs FBA SSO as it parses the sign in form at the URI

+ * BIG-IP seeks the username and password element tags from your configuration

+* Ensure element tags are consistent, or SSO fails

+* Complex forms generated dynamically might require dev tool analysis to understand the sign in form

+* Client-initiated is better for sign in pages with multiple forms

+ * You can specify form name and customize the JavaScript form handler logic

+* Both FBA SSO methods optimize user experience and security by hiding form interactions:

+ * You can validate if the credentials are injected

+ * In client-initiated mode, disable form autosubmission in your SSO profile

+ * Use dev tools to disable the two style properties that prevent the sign in page from appearing

+ 

+### Increase log verbosity

+BIG-IP logs contain information to isolating authentication and SSO issues. Increase the log verbosity level:

+1. Go to **Access Policy** > **Overview**.

+2. Select **Event Logs**.

+3. Select **Settings**.

+4. Select the row of your published application.

+5. Select **Edit**.

+6. Select **Access System Logs**.

+7. In the SSO list, select **Debug**.

+8. Select **OK**.

+9. Reproduce the issue.

+10. Review the logs.

+Revert the settings otherwise there's excessive data.

+### BIG-IP error message

+If a BIG-IP error appears after Azure AD preauthentication, the issue might relate to Azure AD and BIG-IP SSO.

+1. Go to **Access** > **Overview**.

+2. Select **Access reports**.

+3. Run the report for the last hour.

+4. Review the logs for clues.

+Use the **View session variables** link for your session to determine if the APM receives expected Azure AD claims.

+### No BIG-IP error message

+If no BIG-IP error message appears, the issue might relate to the back-end request, or BIG-IP-to-application SSO.

+1. Select **Access Policy** > **Overview**.

+2. Select **Active Sessions**.

+3. Select the active session link.

+Use the **View Variables** link in this location to help determine root cause, particularly if the APM fails to obtain correct user identifier and password.

+To learn more, go to techdocs.f5.com for [Manual Chapter: Session Variables](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html).

+## Resources

+* Go to techdocs.f5.com for [Manual Chapter: Active Directory Authentication](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/2.html)

+* [Passwordless authentication](https://www.microsoft.com/security/business/identity/passwordless)

+ Title: Configure F5 BIG-IP Access Policy Manager for header-based single sign-on

+description: Learn to configure F5 BIG-IP Access Policy Manager (APM) and Azure Active Directory SSO for header-based authentication

+# Tutorial: Configure F5 BIG-IP Access Policy Manager for header-based single sign-on

+Learn to implement secure hybrid access (SHA) with single sign-on (SSO) to header-based applications, using F5 BIG-IP advanced configuration. BIG-IP published applications and Azure AD configuration benefits:

+* Improved Zero Trust governance through Azure AD preauthentication and Conditional Access

+ * See, [What is Conditional Access?](../conditional-access/overview.md)

+ * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)

+* Full SSO between Azure AD and BIG-IP published services

+* Managed identities and access from one control plane

+ * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal)

+Learn more:

+* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

+* [Enable SSO for an enterprise application](add-application-portal-setup-sso.md)

+For this scenario, there's a legacy application using HTTP authorization headers to control access to protected content. Ideally, Azure AD manages application access, however legacy lacks a modern authentication protocol. Modernization takes effort and time, while introducing downtime costs and risks. Instead, deploy a BIG-IP between the public internet and the internal application to gate inbound access to the application.

+A BIG-IP in front of the application enables overlay of the service with Azure AD preauthentication and header-based SSO. The configuration improves the application security posture.

+* **Application** - BIG-IP published service to be protected by Azure AD SHA

+* **Azure AD** - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SSO to the BIG-IP

+ * With SSO, Azure AD provides the BIG-IP required session attributes, including user identifiers

+* **BIG-IP** - reverse-proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP, before header-based SSO to the back-end application

+The following diagram illustrates the user flow with Azure AD, BIG-IP, APM and an application.

+ 

+1. User connects to application SAML SP endpoint (BIG-IP).

+2. BIG-IP APM access policy redirects user to Azure AD (SAML IdP).

+3. Azure AD preauthenticates user and applies ConditionalAccess policies.

+4. User is redirected to BIG-IP (SAML SP) and SSO occurs using issued SAML token.

+5. BIG-IP injects Azure AD attributes as headers in request to the application.

+6. Application authorizes request and returns payload.

+For the scenario you need:

+* An Azure subscription

+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)

+* For the account, have Azure AD Application Admin permissions

+* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure

+ * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md)

+* Any of the following F5 BIG-IP license SKUs:

+ * F5 BIG-IP® Best bundle

+ * F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license

+ * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

+ * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php).

+* User identities synchronized from an on-premises directory to Azure AD

+ * [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)

+* An SSL certificate to publish services over HTTPS, or use default certificates while testing

+ * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile)

+* A header-based application or an IIS header app for testing

+ * See, [Set up a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90))

+## BIG-IP configuration method

+The following instructions are an advanced configuration method, a flexible way to implement SHA. Manually create BIG-IP configuration objects. Use this method for scenarios not included in the Guided Configuration templates.

+ >[!NOTE]

+ > Replace example strings or values with those from your environment.

+## Add F5 BIG-IP from the Azure AD gallery

+To implement SHA, the first step is to set up a SAML federation trust between BIG-IP APM and Azure AD. The trust establishes the integration for BIG-IP to hand off preauthentication and Conditional Access to Azure AD, before granting access to the published service.

+Learn more: [What is Conditional Access?](../conditional-access/overview.md)

+1. With an account that has Application Administrator permissions, sign in to the [Azure portal](https://azure.microsoft.com/features/azure-portal).

+2. In the left navigation pane, select the **Azure Active Directory** service.

+3. Go to **Enterprise Applications**.

+4. On the top ribbon, select **+ New application**.

+5. In the gallery, search for **F5**.

+6. Select **F5 BIG-IP APM Azure AD integration**.

+7. Enter an application **Name**.

+8. Select **Add/Create**.

+9. The name reflects the service.

+1. The new **F5** application properties appear

+2. Select **Manage** > **Single sign-on**

+3. On the **Select a single sign-on method** page, select **SAML**.

+4. Skip the prompt to save the single sign-on settings.

+5. Select **No, I'll save later**.

+6. On **Set up single sign-on with SAML**, for **Basic SAML Configuration**, select the **pen** icon.

+7. Replace the **Identifier** URL with the BIG-IP published service URL. For example, `https://mytravel.contoso.com`

+8. Repeat for **Reply URL** and include the APM SAML endpoint path. For example, `https://mytravel.contoso.com/saml/sp/profile/post/acs`

+ >In this configuration, the SAML flow operates in IdP mode: Azure AD issues the user a SAML assertion before being redirected to the BIG-IP service endpoint for the application. The BIG-IP APM supports IdP and SP modes.

+9. For **Logout URI** enter the BIG-IP APM Single Logout (SLO) endpoint, prepended by the service host header. The SLO URI ensures user BIG-IP APM sessions end after Azure AD sign out. For example, `https://mytravel.contoso.com/saml/sp/profile/redirect/slr`

+ 

+ >[!Note]

+ >From Traffic Management operating system (TMOS) v16 onward, the SAML SLO endpoint changed to `/saml/sp/profile/redirect/slo`.

+10. Select **Save**.

+11. Exit SAML configuration.

+12. Skip the SSO test prompt.

+13. To edit the **User Attributes & Claims > + Add new claim**, select the **pen** icon.

+14. For **Name** select **Employeeid**.

+15. For **Source attribute** select **user.employeeid**.

+16. Select **Save**

+ 

+17. Select **+ Add a group claim**

+18. Select **Groups assigned to the application** > **Source Attribute** > **sAMAccountName**.

+ 

+19. Select **Save** the configuration.

+20. Close the view.

+21. Observe the **User Attributes & Claims** section properties. Azure AD issues users properties for BIG-IP APM authentication and SSO to the back-end application.

+ 

+ > [!NOTE]

+ > Add other claims the BIG-IP published application expects as headers. More defined claims are issued if they're in Azure AD. Define directory memberships and user objects in Azure AD before claims can be issued. See, [Configure group claims for applications by using Azure AD](../hybrid/how-to-connect-fed-group-claims.md).

+22. In the **SAML Signing Certificate** section, select **Download**.

+23. The **Federation Metadata XML** file is saved on your computer.

+ 

+SAML signing certificates created by Azure AD have a lifespan of three years.

+By default, Azure AD issues tokens to users granted access to an application.

+2. Select **+ Add user** and in **Add Assignment**, select **Users and groups**.

+3. In the **Users and groups** dialog, add the user groups authorized to access the header-based application.

+4. Select **Select**.

+5. Select **Assign**.

+Azure AD SAML federation trust is complete. Next, set up BIG-IP APM to publish the web application, configured with properties to complete SAML preauthentication trust.

+Use the following sections to configure SAML, header SSO, access profile, and more.

+### SAML configuration

+Create the BIG-IP SAML service provider and corresponding SAML IdP objects to federate the published application, with Azure AD.

+1. Select **Access** > **Federation** > **SAML Service Provider** > **Local SP Services** > **Create**.

+ 

+2. Enter a **Name**.

+3. Enter the **Entity ID** defined in Azure AD.

+ 

+4. For **SP Name Settings**, make selections if the Entity ID doesn't match the hostname of the published URL, or make selections if it isn't in regular hostname-based URL format. Provide the external scheme and application hostname if entity ID is `urn:mytravel:contosoonline`.

+5. Scroll down to select the new SAML SP object.

+6. Select **Bind/UnBind IdP Connectors**.

+ 

+7. Select **Create New IdP Connector**.

+8. From the drop-down, select **From Metadata**.

+ 

+9. Browse to the federation metadata XML file you downloaded.

+10. Enter an **Identity Provider Name** for the APM object for the external SAML IdP. For example, `MyTravel_AzureAD`

+ 

+11. Select **Add New Row**.

+12. Select the new **SAML IdP Connector**.

+13. Select **Update**.

+ 

+14. Select **OK**.

+ 

+Create an APM SSO object.

+1. Select **Access** > **Profiles/Policies** > **Per-Request Policies** > **Create**.

+2. Enter a **Name**.

+3. Add at least one **Accepted Language**.

+4. Select **Finished.**

+ 

+5. For the new per-request policy, select **Edit**.

+ 

+6. The visual policy editor starts.

+7. Under **fallback**, select the **+** symbol.

+ 

+8. On the **General Purpose** tab, select **HTTP Headers** > **Add Item**.

+ 

+9. Select **Add new entry**.

+10. Create three HTTP and Header modify entries.

+11. For **Header Name**, enter **upn**.

+12. For **Header Value**, enter **%{session.saml.last.identity}**.

+13. For **Header Name**, enter **employeeid**.

+14. For **Header Value**, enter **%{session.saml.last.attr.name.employeeid}**.

+15. For **Header Name**, enter **group\_authz**.

+16. For **Header Value**, enter **%{session.saml.last.attr.name.`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`}**.

+ >APM session variables in curly brackets are case sensitive. We recommend you define attributes in lowercase.

+ 

+17. Select **Save**.

+18. Close the visual policy editor.

+ 

+1. Select **Access** > **Profiles / Policies** > **Access Profiles (Per-Session Policies)** > **Create**.

+2. For **Name**, enter **MyTravel**.

+3. For **Profile Type**, select **All**.

+4. For **Accepted Language**, select at least one language.

+5. select **Finished**.

+ 

+6. For the per-session profile you created, select **Edit**.

+ 

+7. The visual policy editor starts.

+8. Under fallback, select the **+** symbol.

+ 

+9. Select **Authentication** > **SAML Auth** > **Add Item**.

+ 

+10. For the **SAML authentication SP** configuration, from the **AAA Server** dropdown, select the SAML SP object you created.

+11. Select **Save**.

+ 

+The following instructions are optional. With a LogonID_Mapping configuration, the BIG-IP active sessions list has the signed-in user UPN, not a session number. Use this data when analyzing logs or troubleshooting.

+1. For the SAML Auth **Successful** branch, select the **+** symbol.

+ 

+2. In the pop-up, select **Assignment** > **Variable Assign** > **Add Item**.

+ 

+3. Enter a **Name**

+4. In the **Variable Assign** section, select **Add new entry** > **change**. For example, LogonID_Mapping.

+ 

+5. For **Custom Variable**, set **session.saml.last.identity**.

+6. For **Session Variable**, set **session.logon.last.username**.

+7. Select **Finished**.

+8. Select**Save**.

+9. On the Access Policy **Successful** branch, select the **Deny** terminal.

+10. Select **Allow**.

+11. Select **Save**.

+12. Select **Apply Access Policy**.

+13. Close the visual policy editor.

+### Back-end pool configuration

+To enable BIG-IP to forward client traffic correctly, create an APM node object representing the back-end server hosting your application. Place the node in an APM pool.

+1. Select **Local Traffic > Pools > Pool List > Create**.

+2. For a server pool object, enter a **Name**. For example, MyApps_VMs.

+ 

+3. Add a pool member object.

+4. For **Node Name**, enter a name for the server hosting the back-end web application.

+5. For **Address**, enter the IP address of the server hosting the application.

+6. For **Service Port** enter the HTTP/S port the application is listening on.

+7. Select **Add**.

+ 

+ >[!NOTE]

+ >To learn more go to my.f5.com for [K13397: Overview of HTTP health monitor request formatting for the BIG-IP DNS system](https://support.f5.com/csp/article/K13397).

+A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for clients requests to the application. Received traffic is processed and evaluated with the APM access profile associated with the virtual server. Traffic is directed according to policy.

+1. Select **Local Traffic** > **Virtual Servers** > **Virtual Server List** > **Create**.

+2. Enter a virtual server **Name**.

+3. For **Destination Address/Mask**, select **Host**

+4. Enter an unused IP IPv4 or IPv6 to be assigned to the BIG-IP to receive client traffic.

+5. For **Service Port**, select **Port**, **443**, and **HTTPS**.

+ 

+6. For **HTTP Profile (Client)**, select **http**.

+7. For **SSL Profile (Client)**, select the client SSL profile you created, or leave the default for testing.

+ 

+8. For **Source Address Translation**, select **Auto Map**.

+ 

+9. For **Access Policy**, select the **Access Profile** created earlier. This action binds the Azure AD SAML preauthentication profile and headers SSO policy to the virtual server.

+10. For **Per-Request Policy**, select **SSO_Headers**.

+ 

+11. For **Default Pool**, select the back-end pool objects you created.

+12. Select **Finished**.

+ 

+## Session management

+Use the BIG-IPs session management setting to define the conditions for user session termination or continuation. Create policy with **Access Policy** > **Access Profiles**. Select an application from the list.

+Regarding SLO functionality, a SLO URI in Azure AD ensures an IdP initiated sign out from the MyApps portal terminates the session between the client and the BIG-IP APM. The imported application federation metadata.xml provides the APM with the Azure AD SAML sign-out endpoint, for SP initiated sign out. Therefore, enable the APM to know when a user signs out.

+If there's no BIG-IP web portal, the user can't instruct the APM to sign out. If the user signs out of the application, the BIG-IP is oblivious to the action. The application session can be reinstated through SSO. Therefore, SP-initiated sign out needs careful consideration.

+To ensure sessions terminate securely, add an SLO function to your application **Sign out** button. Enable it to redirect the client to the Azure AD SAML sign-out endpoint. For the SAML sign out endpoint for your tenant, go to **App Registrations** > **Endpoints**.

+If you can't change the app, enable the BIG-IP to listen for the app sign-out call and trigger SLO. To learn more:

+* Go to support.f5.com for [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145)

+* Go to my.f5.com for [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056)

+## Deploy

+1. Select **Deploy** to commit settings.

+2. Verify the application appears in your tenant.

+3. The application is published and accessible via SHA, with its URL or Microsoft portals.

+## Test

+1. As a user, select the application external URL, or in the MyApps portal select the application icon.

+2. Authenticate to Azure AD.

+3. You're redirected to the BIG-IP virtual server for the app and signed in with SSO.

+4. The injected header output appears by the header-based application.

+ 

+For increased security, block direct access to the application, enforcing a path through the BIG-IP.

+## Troubleshooting

+Use the following guidance for troubleshooting.

+### Log verbosity

+BIG-IP logs have information to help isolate authentication and SSO issues. Increase the log verbosity level:

+1. Go to **Access Policy** > **Overview** > **Event Logs**.

+2. Select **Settings**.

+3. Select the row of your published application.

+4. Select **Edit** > **Access System Logs**.

+5. From the SSO list, select **Debug**.

+6. Select **OK**.

+7. Reproduce the issue.

+8. Review the logs.

+9. When finished, revert the settings.

+### BIG-IP error message

+If a BIG-IP error appears after redirection, the issue likely relates to SSO from Azure AD to the BIG-IP.

+1. Navigate to **Access Policy** > **Overview**.

+2. Select **Access reports**.

+3. Run the report for the last hour.

+4. Review the logs for clues.

+5. For your session, select the **View session variables** link.

+6. Verify the APM receives the expected claims from Azure AD.

+### No BIG-IP error message

+If no BIG-IP error message appears, then the issue is probably more related to SSO from the BIG-IP to the backend application.

+1. Navigate to **Access Policy** > **Overview**.

+2. Select **Active Sessions**.

+3. Select the link for your active session.

+4. Select the **View Variables** link to determine any SSO issues.

+5. Confirm the BIG-IP APM fails or succeeds to obtain the correct user and domain identifiers.

+Learn more:

+* Go to devcentral.f5.com for [APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107)

+* Go to techdocs.f5.com for [BIG-IP Access Policy

+## Resources

+* [Passwordless authentication](https://www.microsoft.com/security/business/identity/passwordless)

+* [What is Conditional Access?](../conditional-access/overview.md)

+* [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)

+ Title: Configure F5 BIG-IP Easy Button for Header-based SSO

+description: Learn to implement secure hybrid access (SHA) with single sign-on (SSO) to header-based applications using F5 BIG-IP Easy Button Guided Configuration.

+# Tutorial: Configure F5 BIG-IP Easy Button for header-based SSO

+Learn to secure header-based applications with Azure Active Directory (Azure AD), with F5 BIG-IP Easy Button Guided Configuration v16.1.

+* Improved Zero Trust governance through Azure AD preauthentication and Conditional Access

+ * See, [What is Conditional Access?](../conditional-access/overview.md)

+ * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)

+* Full SSO between Azure AD and BIG-IP published services

+* Managed identities and access from one control plane

+ * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal)

+Learn more:

+* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

+* [Enable SSO for an enterprise application](add-application-portal-setup-sso.md)

+This scenario covers the legacy application using HTTP authorization headers to manage access to protected content. Legacy lacks modern protocols to support direct integration with Azure AD. Modernization is costly, time consuming, and introduces downtime risk. Instead, use an F5 BIG-IP Application Delivery Controller (ADC) to bridge the gap between the legacy application and the modern ID control plane, with protocol transitioning.

+A BIG-IP in front of the application enables overlay of the service with Azure AD preauthentication and headers-based SSO. This configuration improves overall application security posture.

+ > [!NOTE]

+ > Organizations can have remote access to this application type with Azure AD Application Proxy. Learn more: [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy.md)

+The SHA solution contains:

+* **Application** - BIG-IP published service protected by Azure AD SHA

+* **Azure AD** - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SAML-based SSO to the BIG-IP. With SSO, Azure AD provides the BIG-IP with session attributes.

+* **BIG-IP** - reverse-proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the backend application.

+For this scenario, SHA supports SP- and IdP-initiated flows. The following diagram illustrates the SP-initiated flow.

+ 

+1. User connects to application endpoint (BIG-IP).

+2. BIG-IP APM access policy redirects user to Azure AD (SAML IdP).

+3. Azure AD preauthenticates user and applies Conditional Access policies.

+4. User is redirected to BIG-IP (SAML SP) and SSO occurs using issued SAML token.

+5. BIG-IP injects Azure AD attributes as headers in application request.

+6. Application authorizes request and returns payload.

+For the scenario you need:

+* An Azure subscription

+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)

+* For the account, have Azure AD Application Administrator permissions

+* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure

+ * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md)

+* Any of the following F5 BIG-IP license SKUs:

+ * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

+ * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php)

+* User identities synchronized from an on-premises directory to Azure AD

+ * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)

+* An SSL web certificate to publish services over HTTPS, or use default BIG-IP certs for testing

+ * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile)

+* A header-based application or set up an IIS header app for testing

+ * See, [Set up an IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90))

+## BIG-IP configuration

+This tutorial uses Guided Configuration v16.1 with an Easy button template. With the Easy Button, admins no longer go back and forth to enable SHA services. The Guided Configuration wizard and Microsoft Graph handle deployment and policy management. The BIG-IP APM and Azure AD integration ensures applications support identity federation, SSO, and Conditional Access.

+ > [!NOTE]

+ > Replace example strings or values with those in your environment.

+Before a client or service accesses Microsoft Graph, the Microsoft identity platform must trust it.

+Learn more: [Quickstart: Register an application with the Microsoft identity platform](../develop/quickstart-register-app.md)

+Create a tenant app registration to authorize the Easy Button access to Graph. With these permissions, the BIG-IP pushes the configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.

+1. Sign-in to the [Azure portal](https://portal.azure.com/) with Application Administrative permissions.

+2. In the left navigation, select **Azure Active Directory**.

+3. Under **Manage**, select **App registrations > New registration**.

+4. Enter an application **Name**.

+5. Specify who uses the application.

+6. Select **Accounts in this organizational directory only**.

+7. Select **Register**.

+8. Navigate to **API permissions**.

+9. Authorize the following Microsoft Graph **Application permissions**:

+8. Grant admin consent for your organization.

+9. On **Certificates & Secrets**, generate a new **Client Secret**. Make a note of the Client Secret.

+10. On **Overview**, note the Client ID and Tenant ID.

+1. Start the APM Guided Configuration.

+2. Start the **Easy Button** template.

+3. Navigate to **Access > Guided Configuration**.

+4. Select **Microsoft Integration**

+5. Select **Azure AD Application**.

+ 

+6. Review the configuration steps.

+7. Select **Next**.

+ 

+8. Use the illustrated steps sequence to publish your application.

+ 

+Use the **Configuration Properties** tab to create a BIG-IP application config and SSO object. Azure Service Account Details represent the client you registered in the Azure AD tenant. Use the settings for BIG-IP OAuth client to register a SAML SP in your tenant, with SSO properties. Easy Button performs this action for BIG-IP services published and enabled for SHA.

+You can reuse settings to publish more applications.

+1. Enter a **Configuration Name**.

+2. For **Single Sign-On (SSO) & HTTP Headers**, select **On**.

+3. For **Tenant ID**, **Client ID**, and **Client Secret**, enter what you noted.

+4. Confirm the BIG-IP connects to your tenant.

+5. Select **Next**

+ 

+In Service Provider settings, define SAML SP instance settings for the SHA-protected application.

+1. Enter a **Host**, the application public FQDN.

+2. Enter an **Entity ID**, the identifier Azure AD uses to identify the SAML SP requesting a token.

+ 

+3. (Optional) In Security Settings, select **Enable Encryption Assertion** to enable Azure AD to encrypt issued SAML assertions. Azure AD and BIG-IP APM encryption assertions help assure content tokens aren't intercepted, nor personal or corporate data compromised.

+4. In **Security Settings**, from the **Assertion Decryption Private Key** list, select **Create New**.

+ 

+5. Select **OK**.

+6. The **Import SSL Certificate and Keys** dialog appears.

+7. For **Import Type**, select **PKCS 12 (IIS)**. This action imports the certificate and private key.

+8. For **Certificate and Key Name**, select **New** and enter the input.

+9. Enter the **Password**.

+10. Select **Import**.

+11. Close the browser tab to return to the main tab.

+ 

+12. Check the box for **Enable Encrypted Assertion**.

+13. If you enabled encryption, from the **Assertion Decryption Private Key** list, select the certificate. BIG-IP APM uses this certificate private key to decrypt Azure AD assertions.

+14. If you enabled encryption, from the **Assertion Decryption Certificate** list, select the certificate. BIG-IP uploads this certificate to Azure AD to encrypt the issued SAML assertions.

+ 

+Use the following instructions to configure a new BIG-IP SAML application in your Azure AD tenant. Easy Button has application templates for Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, SAP ERP, and a generic SHA template.

+1. In **Azure Configuration**, under **Configuration Properties**, select **F5 BIG-IP APM Azure AD Integration**.

+2. Select **Add**.

+ 

+#### Azure Configuration

+1. Enter an app **Display Name** BIG-IP creates in the Azure AD tenant. Users see the name, with an icon, on Microsoft [My Apps](https://myapplications.microsoft.com/).

+2. Skip **Sign On URL (optional)**.

+ 

+3. Next to **Signing Key** and **Signing Certificate**, select **refresh** to locate the certificate you imported.

+4. In **Signing Key Passphrase**, enter the certificate password.

+6. (Optional) Enable **Signing Option** to ensure BIG-IP accepts tokens and claims signed by Azure AD.

+7. Input for **User And User Groups** is dynamically queried.

+ > [!IMPORTANT]

+ > Add a user or group for testing, otherwise all access is denied. On **User And User Groups**, select **+ Add**.

+ 

+When a user authenticates, Azure AD issues a SAML token with claims and attributes that identify the user. The **User Attributes & Claims** tab has default claims for the application. Use the tab to configure more claims.

+Include one more attribute:

+1. For **Header Name**, enter **employeeid**.

+2. For **Source Attribute**, enter **user.employeeid**.

+ 

+In the **Additional User Attributes** tab, enable session augmentation. Use this feature for distributed systems such as Oracle, SAP, and other JAVA implementations that require attributes to be stored in other directories. Attributes fetched from an LDAP source are injected as more SSO headers. This action helps control access based on roles, Partner IDs, etc.

+ 

+ >[!NOTE]

+ >This feature has no correlation to Azure Active Directory. It's an attribute source. 

+Conditional Access policies control access based on device, application, location, and risk signals.

+* In **Available Policies**, find Conditional Access policies with no user actions

+* In **Selected Policies**, find cloud app policy

+ * You can't deselect these policies or move them to Available Policies because they're enforced at a tenant level

+1. On the **Conditional Access Policy** tab, in the **Available Policies** list, select a policy.

+2. Select the **right arrow** and move it to the **Selected Policies** list.

+ > [!NOTE]

+ > You can select the **Include** or **Exclude** option for a policy. If both options are selected, the policy is unenforced.

+ 

+ > [!NOTE]

+ > The policy list appears when you select the **Conditional Access Policy** tab. Select **refresh**, and the wizard queries the tenant. Refresh appears after an application is deployed.

+A virtual server is a BIG-IP data plane object, represented by a virtual IP address. The server listens for clients requests to the application. Received traffic is processed and evaluated against the APM profile associated with the virtual server. Traffic is directed according to policy.

+1. For **Destination Address**, enter an IPv4 or IPv6 address BIG-IP uses to receive client traffic. Ensure a corresponding record in DNS that enables clients to resolve the external URL, of the BIG-IP published application, to this IP. You can use computer's localhost DNS for testing.

+2. For **Service Port**, enter **443**, and select **HTTPS**.

+3. Check the box for **Enable Redirect Port**.

+4. Enter a value for **Redirect Port**. This option redirects incoming HTTP client traffic to HTTPS.

+5. Select the **Client SSL Profile** you created, or leave the default for testing. The Client SSL Profile enables the virtual server for HTTPS, so client connections are encrypted over TLS.

+ 

+The **Application Pool** tab has services behind a BIG-IP, represented as a pool, with one or more application servers.

+1. For **Select a Pool**, select **Create New**, or select another.

+2. For **Load Balancing Method**, select **Round Robin**.

+3. For **Pool Servers**, select a node, or select an IP address and port for the server hosting the header-based application.

+ 

+ > [!NOTE]

+ > The Microsoft back-end application is on HTTP Port 80. If you select HTTPS, use **443**.

+#### Single Sign-On & HTTP Headers

+With SSO, users access BIG-IP published services without entering credentials. The Easy Button wizard supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO.

+1. On **Single Sign-On & HTTP Headers**, in **SSO Headers**, for **Header Operation**, select **insert**

+2. For **Header Name**, use **upn**.

+3. For **Header Value**, use **%{session.saml.last.identity}**.

+4. For **Header Operation**, select **insert**.

+5. For **Header Name**, use **employeeid**.

+6. For **Header Value**,use **%{session.saml.last.attr.name.employeeid}**.

+ 

+ >[!NOTE]

+ >APM session variables in curly brackets are case-sensitive. Inconsistencies cause attribute mapping failures.

+### Session Management

+Use BIG-IP session management settings to define conditions for user sessions termination or continuation.

+To learn more, go to support.f5.com for [K18390492: Security | BIG-IP APM operations guide](https://support.f5.com/csp/article/K18390492)

+Single log-out (SLO) ensures IdP, BIG-IP, and user agent sessions terminate when users sign out. When the Easy Button instantiates a SAML application in your Azure AD tenant, it populates the sign out URL, with the APM SLO endpoint. IdP-initiated sign out from My Apps terminates BIG-IP and client sessions.

+Learn more: see, [My Apps](https://myapplications.microsoft.com/)

+The SAML federation metadata for the published application is imported from your tenant. The import provides the APM with the SAML sign out endpoint for Azure AD. This action ensures SP-initiated sign out terminates client and Azure AD sessions. Ensure the APM knows when user sign out occurs.

+If the BIG-IP webtop portal accesses published applications, then th eAPM processes the sign out to call the Azure AD sign out endpoint. If the BIG-IP webtop portal isnΓÇÖt used, users can't instruct the APM to sign out. If users sign out of the application, the BIG-IP is oblivious. Thus, ensure SP-initiated sign out securely terminates sessions. You can add an SLO function to an application **Sign out** button, Then, clients are redirected to the Azure AD SAML or BIG-IP sign out endpoint. To locate the SAML sign out endpoint URL for your tenant, go to **App Registrations > Endpoints**.

+If you can't change the app, enable the BIG-IP to listen for the application sign out call and trigger SLO.

+Learn more:

+* [PeopleSoft Single Logout](./f5-big-ip-oracle-peoplesoft-easy-button.md#peoplesoft-single-logout)

+* Go to support.f5.com for:

+ * [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145)

+ * [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056).

+## Deploy

+Deployment provides a breakdown of your configurations.

+1. To commit settings, select **Deploy**.

+2. Verify the application in your tenant list of Enterprise applications.

+3. The application is published and accessible via SHA, with its URL, or on Microsoft application portals.

+## Test

+1. From a browser, connect to the application external URL or select the application icon on [My Apps](https://myapplications.microsoft.com/).

+2. Authenticate to Azure AD.

+3. YouΓÇÖre redirected to the BIG-IP virtual server for the application and signed in with SSO.

+The following screenshot is injected headers output from the header-based application.

+ 

+ > [!NOTE]

+ > You can block direct access to the application, thereby enforcing a path through the BIG-IP.

+For some scenarios, Guided Configuration templates lack flexibility.

+Learn more: [Tutorial: Configure F5 BIG-IP Access Policy Manager for header-based SSO](./f5-big-ip-header-advanced.md).

+In BIG-IP, you can disable the Guided Configuration strict management mode. Then, manually change configurations, however most configurations are automated with wizard templates.

+1. To disable strict mode, navigate to **Access > Guided Configuration**.

+2. On the row for the application configuration, select the **padlock** icon.

+3. BIG-IP objects associated with the published instance of the application are unlocked for management. Changes with the wizard are no longer possible.

+ 

+ > [!NOTE]

+ > If you re-enable strict mode and deploy a configuration, the action overwrites settings not in the Guided Configuration. We recommend the advanced configuration for production services.

+Use the following guidance when troubleshooting.

+### Log verbosity

+BIG-IP logs help isolate issues with connectivity, SSO, policy, or misconfigured variable mappings. To troubleshoot, increase the log verbosity.

+1. Navigate to **Access Policy > Overview**.

+2. Select **Event Logs**.

+3. Select **Settings**.

+4. Select the row of your published application

+5. Select **Edit**.

+6. Select **Access System Logs**.

+7. From the SSO list, select **Debug**.

+8. Select **OK**.

+9. Reproduce the issue.

+10. Inspect the logs.

+ > [!NOTE]

+ > Revert this feature when finished. Verbose mode generates excessive data.

+### BIG-IP error message

+If a BIG-IP error message appears after Azure AD preauthentication, the issue might relate to Azure AD-to-BIG-IP SSO.

+1. Navigate to **Access Policy > Overview**.

+2. Select **Access reports**.

+3. Run the report for the last hour.

+4. Review the logs for clues.

+Use the **View session** variables link, for the session, to help understand if the APM receives expected Azure AD claims.

+### No BIG-IP error message

+If no BIG-IP error message appears, the issue might be related to the back-end request, or BIG-IP-to-application SSO.

+1. Navigate to **Access Policy > Overview**.

+2. Select **Active Sessions**.

+3. Select the active session link.

+Use the **View Variables** link to help determine SSO issues, particularly if the BIG-IP APM doesn't obtain correct attributes.

+Learn more:

+* [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072)

+* Go to techdocs.f5.com for [Manual Chapter: LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html)

+description: Learn to implement SHA with header-based SSO to Oracle EBS using F5 BIG-IP Easy Button Guided Configuration

+# Tutorial: Configure F5 BIG-IP Easy Button for SSO to Oracle EBS

+Learn to secure Oracle E-Business Suite (EBS) using Azure Active Directory (Azure AD), with F5 BIG-IP Easy Button Guided Configuration. Integrating a BIG-IP with Azure AD has many benefits:

+* Improved Zero Trust governance through Azure AD preauthentication and Conditional Access

+ * See, [What is Conditional Access?](../conditional-access/overview.md)

+ * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)

+* Managed identities and access from one control plane

+ * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal)

+Learn more:

+* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

+* [Enable SSO for an enterprise application](add-application-portal-setup-sso.md)

+This scenario covers the classic Oracle EBS application that uses HTTP authorization headers to manage access to protected content.

+Legacy applications lack modern protocols to support Azure AD integration. Modernization is costly, time consuming, and introduces downtime risk. Instead, use an F5 BIG-IP Application Delivery Controller (ADC) to bridge the gap between legacy applications and the modern ID control plane, with protocol transitioning.

+A BIG-IP in front of the app enables overlay of the service with Azure AD preauthentication and header-based SSO. This configuration improves application security posture.

+The secure hybrid access (SHA) solution has the following components:

+* **Oracle EBS application** - BIG-IP published service to be protected by Azure AD SHA

+* **Azure AD** - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SAML-based SSO to the BIG-IP

+ * With SSO, Azure AD provides BIG-IP session attributes

+* **Oracle Internet Directory (OID)** - hosts the user database

+ * BIG-IP verifies authorization attributes with LDAP

+* **Oracle E-Business Suite AccessGate** - validates authorization attributes with the OID service, then issues EBS access cookies

+* **BIG-IP** - reverse-proxy and SAML service provider (SP) to the application

+ * Authentication is delegated to the SAML IdP, then header-based SSO to the Oracle application occurs

+SHA supports SP- and IdP-initiated flows. The following diagram illustrates the SP-initiated flow.

+ 

+1. User connects to application endpoint (BIG-IP).

+2. BIG-IP APM access policy redirects user to Azure AD (SAML IdP).

+3. Azure AD preauthenticates user and applies Conditional Access policies.

+4. User is redirected to BIG-IP (SAML SP) and SSO occurs using the issued SAML token.

+5. BIG-IP performs an LDAP query for the user Unique ID (UID) attribute.

+6. BIG-IP injects returned UID attribute as user_orclguid header in Oracle EBS session cookie request to Oracle AccessGate.

+7. Oracle AccessGate validates UID against OID service and issues Oracle EBS access cookie.

+8. Oracle EBS user headers and cookie sent to application and returns the payload to the user.

+You need the following components:

+* An Azure subscription

+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)

+* For the account, have Azure AD Application Administrator permissions

+* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure

+ * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md)

+* Any of the following F5 BIG-IP license SKUs:

+ * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

+ * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php).

+* User identities synchronized from an on-premises directory to Azure AD

+ * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)

+* An SSL certificate to publish services over HTTPS, or use default certificates while testing

+ * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile)

+* An Oracle EBS, Oracle AccessGate, and an LDAP-enabled Oracle Internet Database (OID)

+## BIG-IP configuration method

+This tutorial uses the Guided Configuration v16.1 Easy Button template. With the Easy Button, admins no longer go back and forth to enable services for SHA. The APM Guided Configuration wizard and Microsoft Graph handle deployment and policy management. This integration ensures applications support identity federation, SSO, and Conditional Access, thus reducing administrative overhead.

+ >[!NOTE]

+ > Replace example strings or values with those in your environment.

+## Register the Easy Button

+Before a client or service accesses Microsoft Graph, the Microsoft identity platform must trust it.

+Learn more: [Quickstart: Register an application with the Microsoft identity platform](../develop/quickstart-register-app.md)

+Create a tenant app registration to authorize the Easy Button access to Graph. The BIG-IP pushes configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.

+1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative permissions.

+2. In the left navigation pane, select the **Azure Active Directory** service.

+3. Under **Manage**, select **App registrations > New registration**.

+4. Enter an application **Name**. For example, F5 BIG-IP Easy Button.

+5. Specify who can use the application > **Accounts in this organizational directory only**.

+6. Select **Register**.

+7. Navigate to **API permissions**.

+8. Authorize the following Microsoft Graph **Application permissions**:

+9. Grant admin consent for your organization.

+10. Go to **Certificates & Secrets**.

+11. Generate a new **Client Secret**. Make a note of the Client Secret.

+12. Go to **Overview**. Make a note of the Client ID and Tenant ID.

+## Configure the Easy Button

+1. Initiate the APM **Guided Configuration**.

+2. Start the **Easy Button** template.

+3. Navigate to **Access > Guided Configuration > Microsoft Integration**.

+4. Select **Azure AD Application**.

+ 

+5. Review the configuration options.

+6. Select **Next**.

+ 

+7. Use the graphic to help publish your application.

+ 

+The **Configuration Properties** tab creates a BIG-IP application config and SSO object. The **Azure Service Account Details** section represents the client you registered in your Azure AD tenant, as an application. With these settings, a BIG-IP OAuth client registers a SAML SP in your tenant, with SSO properties. Easy Button does this action for BIG-IP services published and enabled for SHA.

+To reduce time and effort, reuse global settings to publish other applications.

+1. Enter a **Configuration Name**.

+2. For **Single sign-on (SSO) & HTTP Headers**, select **On**.

+3. For **Tenant ID, Client ID**, and **Client Secret** enter what you noted during Easy Button client registration.

+4. Confirm the BIG-IP connects to your tenant.

+5. Select **Next**.

+ 

+Use Service Provider settings for the properties of the SAML SP instance of the protected application.

+1. For **Host**, enter the public FQDN of the application.

+2. For **Entity ID**, enter the identifier Azure AD uses for the SAML SP requesting a token.

+ 

+3. (Optional) In **Security Settings**, select or clear the **Enable Encrypted Assertion** option. Encrypting assertions between Azure AD and the BIG-IP APM means the content tokens canΓÇÖt be intercepted, nor personal or corporate data compromised.

+4. From the **Assertion Decryption Private Key** list, select **Create New**

+ 

+5. Select **OK**.

+6. The **Import SSL Certificate and Keys** dialog appears in a new tab.

+7. Select **PKCS 12 (IIS)**.

+8. The certificate and private key are imported.

+9. Close the browser tab to return to the main tab.

+ 

+6. Select **Enable Encrypted Assertion**.

+7. For enabled encryption, from the **Assertion Decryption Private Key** list, select the certificate private key BIG-IP APM uses to decrypt Azure AD assertions.

+8. For enabled encryption,from the **Assertion Decryption Certificate** list, select the certificate BIG-IP uploads to Azure AD to encrypt the issued SAML assertions.

+ 

+### Azure AD

+Easy Button has application templates for Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, SAP ERP and a generic SHA template. The following screenshot is the Oracle E-Business Suite option under Azure Configuration.

+1. Select **Oracle E-Business Suite**.

+2. Select **Add**.

+ 

+1. Enter a **Display Name** for the app BIG-IP creates in your Azure AD tenant, and the icon on MyApps.

+2. In **Sign On URL (optional)**, enter the EBS application public FQDN.

+3. Enter the default path for the Oracle EBS homepage.

+3. Next to the **Signing Key** and **Signing Certificate**, select the **refresh** icon.

+4. Locate the certificate you imported.

+5. In **Signing Key Passphrase**, enter the certificate password.

+6. (Optional) Enable **Signing Option**. This option ensures BIG-IP accepts tokens and claims signed by Azure AD.

+ 

+7. For **User And User Groups**, add a user or group for testing, otherwise all access is denied. Users and user groups are dynamically queried from the Azure AD tenant and authorize access to the application.

+ 

+When a user authenticates, Azure AD issues a SAML token with default claims and attributes identifying the user. The **User Attributes & Claims** tab has default claims to issue for the new application. Use this area to configure more claims. If needed, add Azure AD attributes, however the Oracle EBS scenario requires the default attributes.

+ 

+The **Additional User Attributes** tab supports distributed systems that require attributes stored in directories for session augmentation. Attributes fetched from an LDAP source are injected as more SSO headers to control access based on roles, partner ID, etc.

+1. Enable the **Advanced Settings** option.

+2. Check the **LDAP Attributes** check box.

+3. In **Choose Authentication Server**, select **Create New**.

+4. Depending on your setup, select **Use pool** or **Direct** server connection mode for the target LDAP service server address. For a single LDAP server, select **Direct**.

+5. For **Service Port**, enter **3060** (Default), **3161** (Secure), or another port for the Oracle LDAP service.

+6. Enter a **Base Search DN**. Use the distinguished name (DN) to search for groups in a directory.

+7. For **Admin DN**, enter the account distinguished name APM uses to authenticate LDAP queries.

+8. For **Admin Password**, enter the password.

+ 

+9. Leave the default **LDAP Schema Attributes**.

+10. Under **LDAP Query Properties**, for **Search Dn** enter the LDAP server base node for user object search.

+11. For **Required Attributes**, enter the user object attribute name to be returned from the LDAP directory. For EBS, the default is **orclguid**.

+ 

+Conditional Access policies control access based on device, application, location, and risk signals. Policies are enforced after Azure AD preauthentication. The Available Policies view has Conditional Access policies with no user actions. The Selected Policies view has policies for cloud apps. You can't deselect these policies or move them to Available Policies because they're enforced at the tenant level.

+To select a policy for the application to be published:

+1. In **Available Policies**, select a policy.

+2. Select the **right arrow**.

+3. Move the policy to **Selected Policies**.

+ > [!NOTE]

+ > The **Include** or **Exclude** option is selected for some policies. If both options are checked, the policy is unenforced.

+ 

+ > [!NOTE]

+ > Select the **Conditional Access Policy** tab and the policy list appears. Select **Refresh** and the wizard queries your tenant. Refresh appears for deployed applications.

+### Virtual Server Properties

+A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for application client requests. Received traffic is processed and evaluated against the APM profile associated with the virtual server. Then, traffic is directed according to policy.

+1. Enter a **Destination Address**, an IPv4 or IPv6 address BIG-IP uses to receive client traffic. Ensure a corresponding record in DNS that enables clients to resolve the external URL, of the BIG-IP published application, to the IP. Use a test computer localhost DNS for testing.

+3. For **Service Port**, enter **443**, and select **HTTPS**.

+4. Select **Enable Redirect Port**.

+5. For **Redirect Port**, enter **80**, and select **HTTP**. This action redirects incoming HTTP client traffic to HTTPS.

+6. Select the **Client SSL Profile** you created, or leave the default for testing. Client SSL Profile enables the virtual server for HTTPS. Client connections are encrypted over TLS.

+ 

+### Pool Properties

+The **Application Pool** tab has services behind a BIG-IP, a pool with one or more application servers.

+1. From **Select a Pool**, select **Create New**, or select another option.

+2. For **Load Balancing Method**, select **Round Robin**.

+3. Under **Pool Servers**, select and enter an **IP Address/Node Name** and **Port** for the servers hosting Oracle EBS.

+4. Select **HTTPS**.

+ 

+5. Under **Access Gate Pool** confirm the **Access Gate Subpath**.

+6. For **Pool Servers** select and enter an **IP Address/Node Name** and **Port** for the servers hosting Oracle EBS.

+7. Select **HTTPS**.

+ 

+#### Single Sign-On & HTTP Headers

+The Easy Button wizard supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO to published applications. The Oracle EBS application expects headers, therefore enable HTTP headers.

+1. On **Single Sign-On & HTTP Headers**, select **HTTP Headers**.

+2. For **Header Operation**, select **replace**.

+3. For **Header Name**, enter **USER_NAME**.

+4. For **Header Value**, enter **%{session.sso.token.last.username}**.

+5. For **Header Operation**, select **replace**.

+6. For **Header Name**, enter **USER_ORCLGUID**.

+7. For **Header Value**, enter **%{session.ldap.last.attr.orclguid}**.

+ 

+ >[!NOTE]

+ >APM session variables in curly brackets are case-sensitive.

+### Session Management

+Use BIG-IP Session Management to define conditions for user session termination or continuation.

+To learn more, go to support.f5.com for [K18390492: Security | BIG-IP APM operations guide](https://support.f5.com/csp/article/K18390492)

+Single Log-Out (SLO) functionality ensures sessions between the IdP, BIG-IP, and the user agent, terminate when users sign out. When the Easy Button instantiates a SAML application in your Azure AD tenant, it populates the Logout URL with the APM SLO endpoint. Thus, IdP-initiated sign out, from the My Apps portal, terminates the session between the BIG-IP and a client.

+See, Microsoft [My Apps](https://myapplications.microsoft.com/)

+The SAML federation metadata for the published application is imported from the tenant. This action provides the APM with the SAML sign out endpoint for Azure AD. Then, SP-initiated sign out terminates the client and Azure AD session. Ensure the APM knows when a user signs out.

+If you use the BIG-IP webtop portal to access published applications, APM processes a sign out to call the Azure AD sign out endpoint. If you don't use the BIG-IP webtop portal, the user can't instruct the APM to sign out. If the user signs out of the application, the BIG-IP is oblivious to the action. Ensure SP-initiated sign out triggers secure sessions termination. Add an SLO function to the applications **Sign out** button to redirect the client to the Azure AD SAML or BIG-IP sign out endpoint. Find the SAML sign out endpoint URL for your tenant in **App Registrations > Endpoints**.

+If you can't change the app, have the BIG-IP listen for the application sign out call and then trigger SLO.

+Learn more:

+* [PeopleSoft SLO Logout](./f5-big-ip-oracle-peoplesoft-easy-button.md#peoplesoft-single-logout)

+* Go to support.f5.com for:

+ * [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145

+ * [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056)

+## Deploy

+1. Select **Deploy** to commit settings.

+2. Verify the application appears in the tenant Enterprise applications list.

+## Test

+1. From a browser, connect to the Oracle EBS application external URL, or select the application icon in the [My Apps](https://myapps.microsoft.com/).

+2. Authenticate to Azure AD.

+3. YouΓÇÖre redirected to the BIG-IP virtual server for the application and signed in by SSO.

+For increased security, block direct application access, thereby enforcing a path through the BIG-IP.

+## Advanced deployment

+Sometimes, the Guided Configuration templates lack flexibility for requirements.

+Learn more: [Tutorial: Configure F5 BIG-IPΓÇÖs Access Policy Manager for header-based SSO](./f5-big-ip-header-advanced.md).

+### Manually change configurations

+Alternatively, in BIG-IP disable the Guided Configuration strict management mode to manually change configurations. Wizard templates automate most configurations.

+1. Navigate to **Access > Guided Configuration**.

+2. On the right end of the row for your application configuration, select the **padlock** icon.

+ 

+After you disable strict mode, you can't make changes with the wizard. However, BIG-IP objects associated with the published app instance are unlocked for management.

+ > [!NOTE]

+ > If you re-enable strict mode, new configurations overwrite settings performed without the Guided Configuration. We recommend the advanced configuration method for production services.

+## Troubleshooting

+Use the following instructions to help troubleshoot issues.

+### Increase log verbosity

+Use BIG-IP logging to isolate issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Increase the log verbosity level.

+1. Navigate to **Access Policy > Overview > Event Logs**.

+2. Select **Settings**.

+3. Select the row for your published application.

+4. Select **Edit > Access System Logs**.

+5. From the SSO list, select **Debug**.

+6. Select **OK**.

+7. Reproduce the issue.

+8. Inspect the logs.

+Revert the settings changes because verbose mode generates excessive data.

+### BIG-IP error message

+If a BIG-IP error appears after Azure AD preauthentication, the issue might relate to Azure AD and BIG-IP SSO.

+1. Navigate to **Access > Overview.

+2. Select **Access reports**.

+3. Run the report for the last hour.

+4. Review the logs for clues.

+Use the **View session** link for your session to confirm the APM receives expected Azure AD claims.

+### No BIG-IP error message

+If no BIG-IP error page appears, the issue might relate to the back-end request, or BIG-IP and application SSO.

+1. Navigate to **Access Policy > Overview**.

+2. Select **Active Sessions**.

+3. Select the link for your active session.

+Use the **View Variables** link to investigate SSO issues, particularly if the BIG-IP APM doesn't obtain correct attributes from Azure AD, or another source.

+Learn more:

+* Go to devcentral.f5.com for [APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107)

+* Go to techdocs.f5.com for [Manual Chapter: Session Variables](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html)

+### Validate the APM service account

+Use the following bash shell command to validate the APM service account for LDAP queries. The command authenticates and queries user objects.

+Learn more:

+* Go to support.f5.com for [K11072: Configuring LDAP remote authentication for AD](https://support.f5.com/csp/article/K11072)

+* Go to techdocs.f5.com for [Manual Chapter: LDAP Query](https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ldap-query.html)

+# SAML Request Signature Verification

+During admin consent, a Privileged Administrator may grant an application access on behalf of other users (usually, on behalf of the entire organization). Also during admin consent, applications or services provide direct access to an API, which can be used by the application if there's no signed-in user. The specific role needed to grant admin consent differs based on the permissions requested, which are outlined [here.](grant-admin-consent.md#prerequisites)

+Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of the organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation.

+- [Configure the admin consent workflow](configure-admin-consent-workflow.md)

+// Open a connection to the server using Active Directory Managed Identity authentication.

+- **Users by name**: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDateTime: `https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity`

+- **Users by date**: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: `https://graph.microsoft.com/v1.0/users?$filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z`

+> [!NOTE]

+> When you request the signInActivity property while listing users, the maximum page size is 120 users. Requests with $top set higher than 120 will fail. SignInActivity supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`) *but* not with any other filterable properties.

+> **Last Sign In Date and Time for All Users**: In this scenario, you request a list of all users, and the last lastSignInDateTime for each respective user: `https://graph.microsoft.com/v1.0/users?$select=displayName,signInActivity`

+The **lastSignInDateTime** property is exposed by the [signInActivity resource type](/graph/api/resources/signinactivity) of the [Microsoft Graph API](/graph/overview#whats-in-microsoft-graph).

+To read this property, you need to grant the app the following Microsoft Graph permissions:

+- User.Read.All

+For a guided walkthrough of many of the recommendations in this article, see the migration guide [Migrate from AD FS to Microsoft Azure Active Directory for identity management](https://go.microsoft.com/fwlink/?linkid=2225005) when signed in to the Microsoft 365 Admin Center. To review best practices without signing in and activating automated setup features, go to the [M365 Setup portal](https://go.microsoft.com/fwlink/?linkid=2229256).