Updates from: 04/06/2023 01:19:15
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Customize Ui With Html https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/customize-ui-with-html.md
Azure AD B2C runs code in your customer's browser by using [Cross-Origin Resourc
### Custom HTML page content
-Create an HTML page with your own branding to serve your custom page content. This page can be a static `*.html` page, or a dynamic page like .NET, Node.js, or PHP.
+Create an HTML page with your own branding to serve your custom page content. This page can be a static `*.html` page, or a dynamic page like .NET, Node.js, or PHP,however, Azure B2C does not support any view engines. Any server-side rendering of the dynamic page must be performed by a dedicated web application.
Your custom page content can contain any HTML elements, including CSS and JavaScript, but can't include insecure elements like iframes. The only required element is a div element with `id` set to `api`, such as this one `<div id="api"></div>` within your HTML page.
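Review bot: the added sentence on the `+` line is missing a space and splices two clauses: "PHP,however, Azure B2C does not support any view engines". Suggest splitting it and using the product's full name as the rest of the article does: "PHP. However, Azure AD B2C doesn't support view engines; any server-side rendering of a dynamic page must be done by a dedicated web application."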
active-directory-b2c Partner F5 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-f5.md
Title: Tutorial to enable Secure Hybrid Access to applications with Azure AD B2C and F5 BIG-IP
+ Title: Tutorial to enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP
description: Learn how to integrate Azure AD B2C authentication with F5 BIG-IP for secure hybrid access -+ Previously updated : 10/15/2021 Last updated : 04/05/2023
-# Tutorial: Secure Hybrid Access to applications with Azure AD B2C and F5 BIG-IP
+# Tutorial: Enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP
-In this sample tutorial, learn how to integrate Azure Active Directory (Azure AD) B2C with [F5 BIG-IP Access Policy Manager (APM)](https://www.f5.com/services/resources/white-papers/easily-configure-secure-access-to-all-your-applications-via-azure-active-directory). This tutorial demonstrates how legacy applications can be securely exposed to the internet through BIG-IP security combined with Azure AD B2C pre-authentication, Conditional Access (CA), and Single sign-on (SSO).
+Learn to integrate Azure Active Directory B2C (Azure AD B2C) with F5 BIG-IP Access Policy Manager (APM). You can expose legacy applications securely to the internet through BIG-IP security, with Azure AD B2C preauthentication, Conditional Access (CA), and single sign-on (SSO). F5 Inc. focuses on delivery, security, performance, and availability of connected services, including computing, storage, and network resources. It provides hardware, modularized software, and cloud-ready virtual appliance solutions.
-F5 Inc. focus on the delivery, security, performance, and availability of connected services, including the availability of computing, storage, and network resources. It provides hardware, modularized software, and cloud-ready virtual appliance solutions.
+Deploy F5 BIG-IP Application Delivery Controller (ADC) as a secure gateway between private networks and the internet. There are features for application-level inspection and customizable access controls. If deployed as a reverse proxy, use the BIG-IP to enable secure hybrid access to business applications, with a federated identity access layer managed by APM.
-F5's BIG-IP Application Delivery Controller (ADC) is often deployed as a secure gateway between private networks and the internet.
-It provides an abundance of features including application-level inspection and fully customizable access controls. When deployed as a reverse proxy, the BIG-IP can also be used to enable secure hybrid access to critical business applications, by front-ending services with a federated Identity access layer managed by F5ΓÇÖs APM.
+Go to f5.com resources and white papers for: [Easily Configure Secure Access to All Your Applications via Azure AD](https://www.f5.com/services/resources/white-papers/easily-configure-secure-access-to-all-your-applications-via-azure-active-directory)
## Prerequisites
-To get started, you'll need:
--- An [Azure AD B2C tenant](tutorial-create-tenant.md) linked to your Azure subscription--- An existing BIG-IP or deploy a trial [BIG-IP Virtual Environment (VE) on Azure](../active-directory/manage-apps/f5-bigip-deployment-guide.md)--- Any of the following F5 BIG-IP license SKUs-
- - F5 BIG-IP® Best bundle
-
- - F5 BIG-IP Access Policy ManagerΓäó standalone license
-
- - F5 BIG-IP Access Policy Manager™ add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
-
- - 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php)
--- An existing header-based web application or [setup an IIS app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing--- [SSL certificate](../active-directory/manage-apps/f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS or use default while testing.
+To get started, you need:
+
+* An Azure subscription
+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* An Azure AD B2C tenant linked to the Azure subscription
+ * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)
+* A BIG-IP or a deployed trial BIG-IP Virtual Environment (VE) on Azure
+ * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](../active-directory/manage-apps/f5-bigip-deployment-guide.md)
+* Any of the following F5 BIG-IP licenses:
+ * F5 BIG-IP® Best bundle
+ * F5 BIG-IP Access Policy ManagerΓäó standalone license
+ * F5 BIG-IP Access Policy Manager™ add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
+ * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php)
+* A header-based web application or an IIS app for testing
+ * See, [Set up an IIS app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90))
+* SSL certificate to publish services over HTTPS, or use default while testing
+ * See, [SSL profile](../active-directory/manage-apps/f5-bigip-deployment-guide.md#ssl-profile)
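Review bot: the `+` line for the standalone license still carries the mis-encoded trademark symbol ("Access Policy ManagerΓäó") copied from the removed line, while the add-on license line directly below it uses "™"; fix the encoding so both lines render the same.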
## Scenario description
-**The following scenario is header-based but you can also use these methods to achieve Kerberos SSO.**
-For this scenario, we have an internal application whose access relies on receiving HTTP authorization headers from a legacy broker system, enabling sales agents to be directed to their respective areas of content. The service needs expanding to a broader consumer base, so the application either needs upgrading to offer a choice of consumer authentication options or replacing altogether with more suitable solution.
+The following scenario is header-based, but you can use these methods to achieve Kerberos SSO.
-In an ideal world, the application would be upgraded to support being directly managed and governed through a modern control plane. But as it lacks any form of modern interop, it would take considerable effort and time to modernize, introducing inevitable costs and risks of potential downtime. Instead, a BIG-IP Virtual Edition (VE) deployed between the public internet and the internal Azure VNet our application is connected to will be used to gate access with Azure AD B2C for its extensive choice of sign-in and sign-up capabilities.
+For this scenario, access for an internal application relies on receiving HTTP authorization headers from a legacy broker system. Sales agents can be directed to respective areas of content. The service needs to be expanded to a broader consumer base. The application gets upgraded for consumer authentication options, or gets replaced.
-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD B2C pre-authentication and header-based SSO, significantly improving the overall security posture of the application, allowing the business to continue growing at pace, without interruption.
+Ideally, an application upgrade supports direct management and governance with a modern control plane. However, time and effort to modernize introduces costs and potential downtime. Instead, deploy a BIG-IP Virtual Edition (VE) between the public internet and the internal Azure virtual network (VNet) to gate access with Azure AD B2C. BIG-IP in front of the application enables overlay of the service with Azure AD B2C preauthentication and header-based SSO, improving the app security posture.
-The secure hybrid access solution for this scenario is made up of the following components:
+The secure hybrid access solution has of the following components:
-- **Application** - Backend service being protected by Azure AD B2C and BIG-IP secure hybrid access
+* **Application** - back-end service protected by Azure AD B2C and BIG-IP secure hybrid access
+* **Azure AD B2C** - identity provider (IdP) and Open ID Connect (OIDC) authorization server that verifies user credentials, multifactor authentication, and SSO to the BIG-IP APM
+* **BIG-IP** - reverse proxy for the application. The BIG-IP APM is the OIDC client, delegating authentication to the OIDC authorization server, before header-based SSO to the back-end service.
-- **Azure AD B2C** - The IdP and Open ID Connect (OIDC) authorization server, responsible for verification of user credentials, multifactor authentication (MFA), and SSO to the BIG-IP APM.
+The following diagram illustrates the service provider (SP) initiated flow for this scenario.
-- **BIG-IP** - As the reverse proxy for the application, the BIG-IP APM also becomes the OIDC client, delegating authentication to the OIDC authorization server, before performing header-based SSO to the backend service.
+![Screenshot of the service-provider initiated flow.](./media/partner-f5/flow-diagram.png)
-The following diagram illustrates the Service Provider (SP) initiated flow for this scenario.
+1. User connects to the application endpoint. BIG-IP is service provider.
+2. BIG-IP APM OIDC client redirects user to Azure AD B2C tenant endpoint, the OIDC authorization server
+3. Azure AD B2C tenant pre-authenticates user and applies Conditional Access policies
+4. Azure AD B2C redirects user back to the SP with authorization code
+5. OIDC client asks the authorization server to exchange authorization code for an ID token
+6. BIG-IP APM grants user access and injects the HTTP headers in the client request forwarded on to the application
-![Screenshot showing the SP initiated flow for this scenario](./media/partner-f5/flow-diagram.png)
+## Azure AD B2C configuration
-|Step| Description|
-|:-|:-|
-| 1. | User connects to the application endpoint, where BIG-IP is service provider |
-| 2. | BIG-IP APM that is the OIDC client redirects user to Azure AD B2C tenant endpoint, the OIDC authorization server |
-| 3. | Azure AD B2C tenant pre-authenticates user and applies any enforced Conditional Access policies |
-|4. | Azure AD B2C redirects user back to the SP with authorization code |
-| 5. | OIDC client asks the authorization server to exchange authorization code for an ID token |
-| 6. | BIG-IP APM grants user access and injects the HTTP headers in the client request forwarded on to the application |
+To enable a BIG-IP with Azure AD B2C authentication, use an Azure AD B2C tenant with a user flow or custom policy.
-## Azure AD B2C Configuration
-
-Enabling a BIG-IP with Azure AD B2C authentication requires an Azure AD B2C tenant with a suitable user flow or custom policy. [Set up an Azure AD B2C user flow](tutorial-create-user-flows.md).
+See, [Tutorial: Create user flows and custom policies in Azure AD B2C](tutorial-create-user-flows.md)
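Review bot: typo in the components lead-in on the `+` line: "The secure hybrid access solution has of the following components" should read "has the following components". In the same hunk, "Open ID Connect" should be "OpenID Connect" (the specification's name and the form used elsewhere in the article), and the "See," lead-in to the user-flow tutorial link does not need the comma.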
### Create custom attributes
-Custom attributes can be obtained from various sources, including directly from existing Azure AD B2C user objects, requested from federated IdPs, API connectors, or collected during the sign-up journey of a user. When required, they can be included in the token sent to the application.
-
-As your legacy application expects specific attributes, include these attributes in your user flow. But feel free to replace these with whatever attributes your application requires. Or if setting up a test app using the instructions in the pre-requisites then any headers will do as it
-displays them all.
-
-1. Sign into your Azure AD B2C tenant's portal
-
-2. From the left-hand pane select **User attributes**, and then select **Add** to create two custom attributes
+Obtain custom attributes from Azure AD B2C user objects, federated IdPs, API connectors, or user sign-up. Include attributes in the token that goes to the application.
- - Agent ID: String **Data Type**
+Legacy applications expect specific attributes, so include them in your user flow. You can replace them with attributes your application requires. Or if you're setting up a test app using the instructions, then user any headers.
- - Agent Geo: String **Data Type**
+1. Sign in to theΓÇ»[Azure portal](https://portal.azure.com/) as Global Administrator.
+2. In the left-hand pane, select **User attributes**.
+3. Select **Add** to create two custom attributes.
+4. For Agent ID, select String **Data Type**.
+5. For Agent Geo, select String **Data Type**.
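Review bot: typo on the `+` line describing the test app: "then user any headers" should be "then use any headers". The removed line also explained why any header name works (the test app displays every header it receives); that reasoning is worth keeping so the reader knows the attribute names only matter for the real application. The sign-in step also contains a mis-encoded non-breaking space ("theΓÇ»[Azure portal]").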
### Add attributes to user flow
-1. From the left-hand pane go to **Policies** > **User flows**.
+1. In the left-hand menu, navigate go to **Policies** > **User flows**.
+2. Select your policy, for example, **B2C_1_SignupSignin**.
+3. Select **User attributes**.
+4. Add both custom attributes.
+5. Add the **Display Name** attribute. These attributes are collected during user sign-up.
+6. Select **Application claims**.
+7. Add both custom attributes.
+8. Add the **Display Name**. These attributes go to the BIG-IP.
+9. Select **Run user flow**.
+10. In the user flow menu, on the left navigation bar, verify the prompts for defined attributes.
-2. Select your policy, for example, **B2C_1_SignupSignin**
-
-3. Select **User attributes** and add both custom attributes, plus also the **Display Name** attribute. These are the attributes that will be collected during user sign-up.
-
-4. Select **Application claims** and add both custom attributes plus also the **Display Name**. These are the attributes that will be sent to the BIG-IP.
-
-You can use the [Run user flow](tutorial-create-user-flows.md) feature
-in the user flow menu on the left navigation bar to verify it prompts for all defined attributes.
+Learn more: [Tutorial: Create user flows and custom policies in Azure AD B2C](tutorial-create-user-flows.md)
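Review bot: step 1 on the `+` line reads "navigate go to **Policies** > **User flows**"; drop one of the two verbs. Step 10 could also tell the reader what a missing prompt means (the attribute was not added under **User attributes** in steps 4 and 5), since that is the check the step exists for.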
### Azure AD B2C federation
-For the BIG-IP and Azure AD B2C to trust one another they need
-federating, so the BIG-IP must be registered in the Azure AD B2C tenant as an OIDC application.
-
-1. Still in the Azure AD B2C portal, select **App registrations** > **New registration**.
+Federate BIG-IP and Azure AD B2C for mutual trust. Register the BIG-IP in the Azure AD B2C tenant as an OIDC application.
-2. Provide a name for the application. For example, **HeaderApp1**
+1. In the portal, select **App registrations** > **New registration**.
+2. Enter an app **Name**, for example, **HeaderApp1**.
+3. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
+4. Under **Redirect URI**, select **Web**.
+5. Enter protected service public FQDN.
+6. Enter the path.
+7. Leave the remaining selections.
+8. Select **Register**.
+9. Navigate to **Certificates & secrets** > **+ New client secret**.
+10. Enter a descriptive name
+11. Enter a TTL for the secret used by the BIG-IP.
+12. Note the Client Secret for BIG-IP configuration.
-3. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**
+The redirect URI is the BIG-IP endpoint. After authentication, the authorization server (Azure AD B2C) sends users to the endpoint.
-4. Under **Redirect URI**, select **Web**, and enter the public FQDN of the service being protected, along with the path.
-
-5. Leave the rest and select **Register**.
-
-6. Head to **Certificates & secrets** > **+ New client secret**.
-
-7. Provide a descriptive name and TTL for the secret that will be used by the BIG-IP.
-
-8. Note down the client secret, you'll need this later for configuring the BIG-IP.
-
-The redirect URI is the BIG-IP endpoint to which a user is sent back to by the authorization server - Azure AD B2C, after authenticating. [Register an application](tutorial-register-applications.md) for Azure AD B2C.
+Learn more: [Tutorial: Register a web application in Azure AD B2C](tutorial-register-applications.md) for Azure AD B2C.
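Review bot: steps 5 and 6 on the `+` lines ("Enter protected service public FQDN", "Enter the path") read as two separate fields, but the removed line made clear they are one value: the public FQDN of the protected service together with its path, entered as the single Redirect URI. Suggest merging them ("Enter the public FQDN and path of the protected service as the redirect URI"); the authorization server only redirects back to a URI that exactly matches this registration, so readers need to see it as one URL. Step 10 is missing its period, and the trailing "for Azure AD B2C" after the tutorial link in the "Learn more" line is redundant.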
## BIG-IP configuration
-A BIG-IP offers several methods for configuring Azure AD secure hybrid access, including a wizard based Guided Configuration, minimizing time, and effort to implement several common scenarios. Its workflow-driven framework provides an intuitive experience tailored to specific access topologies and is used for rapid publishing of web services
-requiring minimal configuration to publish.
+For BIG-IP configuration use Guided Configuration v.7/8. The workflow framework is tailored to access topologies and it accomplishes rapid web service publishing.
-### Version check
+### Guided Configuration version
-This tutorial is based on Guided Configuration v.7/8 but may also apply to previous versions. To check your version, login to the BIG-IP web config with an admin account and go to **Access** > **Guided Configuration**. The version should be displayed in the top right-hand corner. To upgrade your BIG-IP's Guided Configuration, follow [these instructions](https://support.f5.com/csp/article/K85454683).
+1. To confirm version, sign in to the BIG-IP web config with an administrator account.
+2. Go to **Access** > **Guided Configuration**.
+3. The version appears in the top right-hand corner.
+
+To upgrade the Guided Configuration, go to my.f5.com for [K85454683: Upgrade F5 BIG-IP Guided Configuration on the BIG-IP system](https://support.f5.com/csp/article/K85454683).
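Review bot: step 1 on the `+` line should read "To confirm the version"; step 3 ("The version appears in the top right-hand corner.") is an observation rather than an action and reads better folded into step 2.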
### SSL profiles
-Configuring your BIG-IP with a client SSL profile will allow you to secure the client-side traffic over TLS. To do this you'll need to import a certificate matching the domain name used by the public facing URL for your application. Where possible we recommend using a public certificate authority, but the built-in BIG-IP self-signed certificates can also be used while testing.
-[Add and manage certificates](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-0-0.html) in the BIG-IP VE.
+Use BIG-IP configured with a client SSL profile to secure client-side traffic over TLS. Import a certificate that matches the domain name, used by the public-facing URL for your app. We recommend you use a public certificate authority, but you can use BIG-IP self-signed certificates for testing.
-## Guided configuration
+To add and manage certificates in the BIG-IP VE, go to techdocs.f5.com for [BIG-IP System: SSL Administration](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-0-0.html).
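Review bot: stray comma on the `+` line: "a certificate that matches the domain name, used by the public-facing URL" should be "a certificate that matches the domain name used by the public-facing URL". Since the line allows the BIG-IP self-signed certificate only for testing, it would help to say plainly that it must be replaced before the service is exposed, as browsers will warn on it (the virtual server section later in this change says as much).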
-1. In the web config, go to **Access** > **Guided Configuration** to launch the deployment wizard.
-2. Select the **Federation** > **F5 as OAuth Client and Resource
-Server**.
+## Guided Configuration
-3. Observe the summary of the flow for this scenario, then select **Next** to start the wizard.
+1. To launch the deployment wizard, in the web config, go to **Access** > **Guided Configuration**.
+2. Select **Federation** > **F5 as OAuth Client and Resource Server**.
+3. Observe the flow summary for this scenario.
+4. Select **Next**.
+5. The wizard starts.
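Review bot: step 5 on the `+` lines ("The wizard starts.") is not an action; fold it into step 4: "Select **Next** to start the wizard."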
### OAuth properties
-This section defines the properties enabling federation between the BIG-IP APM and the OAuth authorization server, your Azure AD B2C tenant. OAuth will be referenced throughout the BIG-IP configuration, but the solution will actually use OIDC, a simple identity layer on top of the OAuth 2.0 protocol allowing OIDC clients to verify the identity of users and obtaining other profile information.
-
-Pay close attention to detail, as any mistakes will impact authentication and access.
+In the following sections, define properties to enable federation between the BIG-IP APM and the OAuth authorization server, the Azure AD B2C tenant. OAuth is referred to throughout BIG-IP configuration. The solution uses OIDC, an identity layer on the OAuth 2.0 protocol. OIDC clients verify user identity and obtain other profile information.
#### Configuration name
-Providing a display name for the configuration will help you distinguish between the many deployment configs that could eventually exist in the guided configuration. Once set, the name cannot be changed, and is only visible in the Guided Configuration view.
+A configuration display name helps distinguish between deployment configurations in the Guided Configuration. You can't change the name, and it appears only in the Guided Configuration view.
#### Mode
-The BIG-IP APM will act as an OIDC client, so select the Client option only.
+The BIG-IP APM is an OIDC client, therefore select the Client option.
#### DNS resolver
-The specified target must be able to resolve the public IP addresses of your Azure AD B2C endpoints. Choose an existing public DNS resolver or create a new one.
+The specified target must resolve the public IP addresses of the Azure AD B2C endpoints. Select a public DNS resolver, or create a new one.
#### Provider settings
-Here, we'll configure Azure AD B2C as the OAuth2 IdP. YouΓÇÖll notice that the Guided Configuration v8 offers Azure AD B2C templates, but as itΓÇÖs missing several scopes, weΓÇÖll use a custom type for now. F5 is looking to include the missing scopes in a future Guided Configuration update. Add a new provider and configure it as follows:
+Configure Azure AD B2C as the OAuth2 IdP. The Guided Configuration has Azure AD B2C templates, but not certain scopes.
-- **OAuth general properties**
+Add a new provider and configure it:
+
+**OAuth general properties**
| Properties | Description | |:-|:| |OAuth provider type | Custom |
- | Choose OAuth provider | Create new (or use an existing OAuth provider if it exists) |
- | Name | A unique display name for the B2C IdP. This name will be displayed to users as a provider option to sign-in against.|
+ | Choose OAuth provider | Create new, or use an OAuth provider |
+ | Name | A display name for the B2C IdP. This name appears to users as a provider option at sign-in|
| Token type | JSON web token | -- **OAuth policy settings**
+**OAuth policy settings**
| Properties | Description | |:--|:-|
- | Scope | Leave blank, the OpenID scope to sign users in will be added automatically |
+ | Scope | Leave blank. The OpenID scope for user sign-in is added automatically |
| Grant type | Authorization code |
- | Enable OpenID Connect | Check to put the APM OAuth client in OIDC mode |
+ | Enable OpenID Connect | Select the option to put the APM OAuth client in OIDC mode |
| Flow type | Authorization code | -- **OAuth provider settings**-
- The below OpenID URI refers to the metadata endpoint used by OIDC clients to autodiscover critical IdP information such as the rollover of signing certificates. Locate the metadata endpoint for your Azure AD B2C tenant by navigating to **App registrations** > **Endpoints** and copying the Azure AD B2C OpenID Connect metadata document URI. For example, `https://wacketywackb2c .b2clogin.com/<tenantname>.onmicrosoft.com/<policyname>/v2.0/.well-known/openid-configuration`.
-
- Then update the URI with your own properties, `https://<tenantname>.b2clogin.com/WacketywackB2C.onmicrosoft.com/B2C_1_SignUpIn/v2.0/.well-known/openid-configuration`.
-
- Paste this URI into the browser to view the OIDC metadata for your Azure AD B2C tenant.
-
- | Properties | Description |
- |:-|:-|
- | Audience | The client ID of the application representing the BIG-IP in your Azure AD B2C tenant |
- | Authentication URI | The authorization endpoint in your B2C OIDC metadata |
- | Token URI | The token endpoint in your Azure AD B2C metadata |
- | Userinfo request URI | Leave empty. Azure AD B2C does not currently support this feature |
- |OpenID URI | The OpenID URI metadata endpoint you crafted above |
- | Ignore expired certificate validation | Leave unchecked |
- | Allow self-signed JWK config certificate | Check |
- | Trusted CA bundle | Select ca-bundle.crt to use the default F5 trusted authorities |
- | Discovery interval | Provide a suitable interval for the BIG-IP to query your Azure AD B2C tenant for updates. The minimum interval time offered by AGC version 16.1 0.0.19 final, is 5 minutes.|
--- **OAuth server settings**-
- This section refers to the OIDC authorization server, being your Azure AD B2C tenant.
-
- |Properties | Descriptions|
- |:|:|
- | Client ID | The client ID of the application representing the BIG-IP in your Azure AD B2C tenant. |
- | Client secret | The applicationΓÇÖs corresponding client secret. |
- |Client-server SSL profile | Setting an SSL profile will ensure the APM communicates with the Azure AD B2C IdP over TLS. Select the default `serverssl` option. |
--- **OAuth request settings**-
- The BIG-IP interestingly has all the required Azure AD B2C requests in its pre-configured request set. However, it was observed that for the build we were implementing on, these requests were malformed, and missing important parameters. So, we opted to create them manually.
--- **Token request - Enabled**-
- | Properties | Description |
- |:--|:|
- | Choose OAuth request | Create new |
- | HTTP method | POST |
- | Enable headers| Unchecked |
- | Enable parameters | Checked |
-
- | Parameter type | Parameter name | Parameter value|
- |:|:|:-|
- | client-id | client-id | |
- | nonce | nonce| |
- | redirect-uri | redirect-uri | |
- | scope | scope | |
- | response-type | response-type | |
- | client-secret | client-secret | |
- | custom | grant_type | authorization_code |
--- **Auth redirect request - Enabled**-
- | Properties | Description |
- |:--|:|
- | Choose OAuth request | Create new |
- | HTTP method | GET |
- | Prompt type | None |
- | Enable headers | Unchecked |
- | Enable parameters | Checked |
-
- | Parameter type | Parameter name | Parameter value|
- |:|:|:-|
- | client-id | client-id | |
- | redirect-uri | redirect-uri | |
- | response-type |response-type | |
- | scope | scope | |
- | nonce | nonce | |
--- **Token refresh request** - **Disabled** - Can be enabled and configured if necessary.
+**OAuth provider settings**
+
+The following OpenID URI refers to the metadata endpoint used by OIDC clients to discover IdP information such as signing certificate rollover.
+
+1. Locate the metadata endpoint for your Azure AD B2C tenant.Navigating to **App registrations** > **Endpoints**.
+2. Copy the Azure AD B2C OpenID Connect metadata document URI. For example, `https://wacketywackb2c .b2clogin.com/<tenantname>.onmicrosoft.com/<policyname>/v2.0/.well-known/openid-configuration`.
+3. Update the URI with your properties, `https://<tenantname>.b2clogin.com/WacketywackB2C.onmicrosoft.com/B2C_1_SignUpIn/v2.0/.well-known/openid-configuration`.
+4. Paste the URI into the browser.
+5. View the OIDC metadata for your Azure AD B2C tenant.
+
+| Property | Description |
+|||
+| Audience | The application client ID representing the BIG-IP in the Azure AD B2C tenant |
+| Authentication URI | The authorization endpoint in your B2C OIDC metadata |
+| Token URI | The token endpoint in your Azure AD B2C metadata |
+| Userinfo request URI | Leave empty. Azure AD B2C doesn't support this feature |
+|OpenID URI | The OpenID URI metadata endpoint you created |
+| Ignore expired certificate validation | Leave unchecked |
+| Allow self-signed JWK config certificate | Check |
+| Trusted CA bundle | Select ca-bundle.crt to use the default F5 trusted authorities |
+| Discovery interval | Provide an interval for the BIG-IP to query your Azure AD B2C tenant for updates. The minimum interval in AGC version 16.1 0.0.19, is 5 minutes.|
+
+**OAuth server settings**
+
+For the OIDC authorization server, being your Azure AD B2C tenant.
+
+|Property | Descriptions|
+|||
+| Client ID | The application Client ID representing the BIG-IP in the Azure AD B2C tenant|
+| Client Secret | The application Client Secret |
+|Client-server SSL profile | Set an SSL profile to ensure APM communicates with the Azure AD B2C IdP over TLS. Select the default **serverssl**. |
+
+**OAuth request settings**
+
+The BIG-IP has required Azure AD B2C requests in its preconfigured request set. However, the requests were malformed, and missing important parameters. So, we created them manually.
+
+**Token request: Enabled**
+
+| Property | Description |
+|||
+| Choose OAuth request | Create new |
+| HTTP method | POST |
+| Enable headers| Unchecked |
+| Enable parameters | Checked |
+
+| Parameter | Parameter name | Parameter value|
+|-|||
+| client-id | client-id |N/A |
+| nonce | nonce| N/A|
+| redirect-uri | redirect-uri | N/A|
+| scope | scope | N/A|
+| response-type | response-type | N/A|
+| client-secret | client-secret |N/A |
+| custom | grant_type | authorization_code |
+
+**Auth redirect request: Enabled**
+
+| Property | Description |
+|-|-|
+| Choose OAuth request | Create new |
+| HTTP method | GET |
+| Prompt type | None |
+| Enable headers | Unchecked |
+| Enable parameters | Checked |
+
+| Parameter | Parameter name | Parameter value|
+|||-|
+| client-id | client-id | N/A|
+| redirect-uri | redirect-uri |N/A |
+| response-type |response-type |N/A |
+| scope | scope | N/A|
+| nonce | nonce | N/A|
+
+**Token refresh request**: **Disabled** You can enable and configure as needed.
+
+**OpenID UserInfo request**: **Disabled** Not supported in global Azure AD B2C tenants.
+
+**Virtual server properties**
+
+Create a BIG-IP virtual server to intercept external client requests for the back-end service protected by secure hybrid access. Assign the virtual server an IP mapped to the public DNS record for the BIG-IP service endpoint representing the application. Use a virtual server if available, otherwise provide the following properties.
+
+| Property | Description |
+|-|-|
+| Destination address | Private or public IP that becomes the BIG-IP service endpoint for the back-end application |
+| Service port | HTTPS |
+| Enable redirect port | Select so users are auto redirected from http to https |
+| Redirect port | HTTP |
+| Client SSL profile | Swap the predefined `clientssl` profile with the one that has your SSL certificate. You can test with the default profile. but it likely causes a browser alert. |
+
+**Pool properties**
+
+Back-end services appear in the BIG-IP as a pool, with one or more application servers to which virtual servers direct inbound traffic. Select a pool, otherwise create a new one.
+
+| Property | Description |
+|||
+| Load-balancing method | Select Round Robin |
+|Pool server | Internal IP of the back-end application |
+| Port | Service port of the back-end application |
+
+ >[!NOTE]
+ >Ensure the BIG-IP has line of sight to the pool server address.
-- **OpenID UserInfo request** - **Disabled** - Not currently supported in global Azure AD B2C tenants.
+**SSO settings**
-- **Virtual server properties**
+A BIG-IP supports SSO options, but in OAuth client mode the Guided Configuration is limited to Kerberos or HTTP Headers. Enable SSO and use the following information for the APM to map defined inbound attributes to outbound headers.
- A BIG-IP virtual server must be created to intercept external client requests for the backend service being protected via secure hybrid access. The virtual server must be assigned an IP that is mapped to the public DNS record for the BIG-IP service endpoint representing the application. Go ahead and use an existing Virtual Server if available, otherwise provide the following:
+| Property | Description |
+|||
+| Header Operation |Insert|
+| Header Name | name|
+| Header Value | `%{session.oauth.client.last.id_token.name}`|
+| Header Operation |Inser|
+|Header Name|agentid|
+|Header Value | `%{session.oauth.client.last.id_token.extension_AgentGeo}`|
+
+ >[!Note]
+ > APM session variables in curly brackets are case-sensitive. Entering agentid, when the Azure AD B2C attribute name is sent as AgentID, causes an attribute mapping failure. Define attributes in lowercase. In Azure AD B2C, the user flow prompts the user for more attributes, using the attribute name in the portal. Therefore, use sentence case instead of lowercase.
- | Properties | Description |
- |:--|:|
- | Destination address | Private or Public IP that will become the BIG-IP service endpoint for the backend application |
- | Service port | HTTPS |
- | Enable redirect port | Check to have users auto redirected from http to https |
- | Redirect port | HTTP |
- | Client SSL profile | Swap the predefined `clientssl` profile with the one containing your SSL certificate. Testing with the default profile is also ok but will likely cause a browser alert. |
+ ![Screenshot of single sign-on settings, including type and headers.](./media/partner-f5/single-sign-on.png)
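Review bot: the second "Header Operation" row in the SSO table reads "Inser"; it should be "Insert" like the first row. The note under the table now contradicts itself: "Define attributes in lowercase" is followed by "Therefore, use sentence case instead of lowercase", because the rewrite dropped the original's "Unless necessary" and "might be preferable". Suggest keeping the one rule that matters and its reason: the session variable in `%{session.oauth.client.last.id_token.extension_AgentGeo}` is case-sensitive and must match the claim name exactly as Azure AD B2C sends it, and because the B2C user flow shows that attribute name to the user, pick the casing once in B2C and copy it verbatim into the header value. It is also worth saying next to this table, not only under Deploy settings, that the inserted `name` and `agentid` headers are only trustworthy when clients cannot reach the back-end application except through the BIG-IP, which is why the Deploy settings paragraph recommends blocking direct access.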
-- **Pool properties**
+**Customization properties**
- Backend services are represented in the BIG-IP as a pool, containing one or more application servers that virtual serverΓÇÖs direct inbound traffic to. Select an existing pool, otherwise create a new one.
+Customize the language and appearance of screens users see in the APM access policy flow. Edit screen messages and prompts, change screen layouts, colors, images, and localize captions, descriptions, and messages.
- | Properties | Description |
- |:--|:|
- | Load-balancing method | Leave as Round Robin |
- |Pool server | Internal IP of backend application |
- | Port | Service port of backend application |
-
->[!NOTE]
->The BIG-IP must have line of sight to the pool server address specified.
+In the **Form Header** text field, replace the `F5 Networks` string with a name that you want.
-- **Single sign-on settings**
+**Session management properties**
- A BIG-IP supports many SSO options, but in OAuth client mode the Guided Config is limited to Kerberos or HTTP Headers. Enable SSO and use the following information to have the APM map inbound attributes you defined earlier, to outbound headers.
+Use the BIG-IP session management settings to define conditions that terminate sessions or allow them to continue. Set limits for users and IP addresses, and error pages. We recommend implementing single log out (SLO), which terminates sessions securely, reducing risks of unauthorized access.
- | Properties | Description |
- |:--|:|
- | Header Operation |`Insert`|
- | Header Name | 'name' |
- | Header Value | `%{session.oauth.client.last.id_token.name}`|
- | Header Operation | `Insert`|
- |Header Name| `agentid`|
- |Header Value | `%{session.oauth.client.last.id_token.extension_AgentGeo}`|
-
- >[!Note]
- > APM session variables defined within curly brackets are CASE sensitive. So, entering agentid when the Azure AD B2C attribute name is being sent as AgentID will cause an attribute mapping failure. Unless necessary, we recommend defining all attributes in lowercase. In an Azure AD B2C case, the user flow prompts the user for the additional attributes using the name of the attribute as displayed in the portal, so using normal sentence case instead of lowercase might be preferable.
+## Deploy settings
- ![Screenshot shows user single sign-on settings](./media/partner-f5/single-sign-on.png)
+Select **Deploy** to commit settings and create BIG-IP and APM objects fir secure hybrid access to the application. The application appears as a target resource in Conditional Access. For increased security, block direct access to the application, thereby enforcing a path through the BIG-IP.
-- **Customization properties**
+Learn more: [Identity Protection and Conditional Access for Azure AD B2C](conditional-access-identity-protection-overview.md)
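Review bot: "fir secure hybrid access" in the Deploy settings paragraph should be "for secure hybrid access". In the Session management paragraph, "We recommend implementing single log out (SLO), which terminates sessions securely, reducing risks of unauthorized access" no longer says why or where; the replaced text explained that SLO ends the APM session when the user signs out instead of leaving it to the session limits. Suggest "We recommend implementing single log-out (SLO), described under Supplemental configurations, so that the APM session ends when the user signs out rather than persisting until the session limits configured here expire." The Customization sentence "replace the `F5 Networks` string with a name that you want" lost the original's point that the name should identify your organization; "with your organization's name" is enough.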
- These settings allow you to customize the language and the look and feel of the screens that your users encounter when they interact with the APM access policy flow. You can personalize the screen messages and prompts, change screen layouts, colors, images, and localize captions, descriptions, and messages that are normally customizable in the access policy items.
+### Test the sign-in sign-up flow
- Replace the ΓÇ£F5 NetworksΓÇ¥ string in the Form Header text field with the name of your own organization. For example, ΓÇ£Wacketywack Inc. Secure hybrid accessΓÇ¥.
+1. As a user, go to the application external URL.
+2. The BIG-IPΓÇÖs OAuth client sign-in page appears.
+3. Sign in using the authorization code grant. To remove this step, see the **Supplemental configurations** section.
+4. Sign up and authenticate against your Azure AD B2C tenant.
-- **Session management properties**
+The following images are the user sign in dialog and the sign-in welcome page.
- A BIG-IPs session management setting is used to define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and error pages. These are optional, but we highly recommend implementing single log out (SLO) functionality, which ensures sessions are securely terminated when no longer required, reducing the risk of someone inadvertently gaining unauthorized access to published applications.
+ ![Screenshot of the user sign-in dialog box.](./media/partner-f5/sign-in-message.png)
-## Related information
+ ![Screenshot of the sign-in welcome page.](./media/partner-f5/welcome-page.png)
-The last step provides an overview of configurations. Hitting Deploy will commit your settings and create all necessary BIG-IP and APM objects to enable secure hybrid access to the application.
-The application should also be visible as a target resource in CA. See the [guidance for building CA policies for Azure AD B2C](conditional-access-identity-protection-overview.md).
-For increased security, organizations using this pattern could also consider blocking all direct access to the application, thereby forcing a strict path through the BIG-IP.
+For increased security, block direct access to the application, thereby enforcing a path through the BIG-IP.
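Review bot: the sentence "For increased security, block direct access to the application, thereby enforcing a path through the BIG-IP." now appears twice in the new text, under Deploy settings and again after the welcome-page screenshot; keep the Deploy settings copy and delete this one. Step 3, "Sign in using the authorization code grant. To remove this step, see the **Supplemental configurations** section", should point at the subsection that actually removes the BIG-IP OAuth logon page, "Optimized login flow", since Supplemental configurations is the parent heading and its first topic is SLO. Minor: "the user sign in dialog" should be "sign-in dialog" to match the surrounding text.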
-## Next steps
-
-As a user, launch a browser and connect to the applicationΓÇÖs external URL. The BIG-IPΓÇÖs OAuth client logon page will prompt you to log on using Authorization code grant. Instructions for removing this step are provided in the supplemental configuration section.
-
-You will then be redirected to sign up and authenticate against your Azure AD B2C tenant.
+### Supplemental configurations
-![Screenshot shows user sign in](./media/partner-f5/sign-in-message.png)
+**Single log-out (SLO)**
-![Screenshot shows post sign in welcome message](./media/partner-f5/welcome-page.png)
+Azure AD B2C supports identity provider (IdP) and application sign-out. See, [Single sign out](session-behavior.md?pivots=b2c-custom-policy#single-sign-out).
-For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way forcing a strict path through the BIG-IP.
+To achieve SLO, enable your application sign out function to call the Azure AD B2C sign-out endpoint. Then, Azure AD B2C issues a final redirect to the BIG-IP. This action ensures the user-application APM session terminates.
-### Supplemental configurations
+An alternative SLO process is to enable the BIG-IP to listen for the request, when selecting the applications **Sign out** button. Upon detecting the request, it calls to the Azure AD B2C sign out endpoint. This approach precludes making changes to the application.
-**Single Log-Out (SLO)**
+To learn more BIG-IP iRules, go to support.f5.com for [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145).
-Azure AD B2C fully supports IdP and application sign out through various [mechanisms](session-behavior.md?pivots=b2c-custom-policy#single-sign-out).
-Having your applicationΓÇÖs sign-out function call the Azure AD B2C log-out endpoint would be one way of achieving SLO. That way we can be sure Azure AD B2C issues a final redirect to the BIG-IP to ensure the APM session between the user and the application has also been terminated.
-Another alternative is to have the BIG-IP listen for the request when selecting the applications sign out button, and upon detecting the request it makes a simultaneous call to the Azure AD B2C logoff endpoint. This approach would avoid having to make any changes to the application itself yet achieves SLO. More details on using BIG-IP iRules to implement this are [available](https://support.f5.com/csp/article/K42052145).
-In either case your Azure AD B2C tenant would need to know the APMΓÇÖs logout endpoint.
+> [!NOTE]
+> Regardless of approach, ensure the Azure AD B2C tenant knows the APM sign-out endpoint.
-1. Navigate to **Manage** > **Manifest** in your Azure AD B2C portal and locate the logoutUrl property. It should read null.
+1. In the portal, navigate to **Manage** > **Manifest**.
+2. Locate the `logoutUrl` property. It reads null.
+3. Add the APM post log-out URI: `https://<mysite.com>/my.logout.php3`
-2. Add the APMΓÇÖs post logout URI: `https://<mysite.com>/my.logout.php3`, where `<mysite.com>` is the BIG-IP FQDN for your own header-based application.
+> [!NOTE]
+> `<mysite.com>` is the BIG-IP FQDN for your header-based application.
**Optimized login flow**
-One optional step for improving the user login experience would be to suppress the OAuth logon prompt displayed to users before Azure AD pre-authentication.
+To improve the user sign-in experience, suppress the OAuth user sign-in prompt that appears before Azure AD preauthentication.
-1. Navigate to **Access** > **Guided Configuration** and select the small padlock icon on the far right of the row for the header-based application to unlock the strict configuration
+1. Navigate to **Access** > **Guided Configuration**.
+2. On the far right of the row, select the **padlock** icon.
+3. The header-based application unlocks the strict configuration.
- ![Screenshot shows optimized login flow](./media/partner-f5/optimized-login-flow.png)
+ ![Screenshot of input for Status, Name, and Type; also the padlock icon.](./media/partner-f5/optimized-login-flow.png)
-Unlocking the strict configuration prevents any further changes via the wizard UI, leaving all BIG-IP objects associated with the published instance of the application open for direct management.
+Unlocking the strict configuration prevents changes with the wizard UI. BIG-IP objects are associated with the published instance of the application, and are open for direct management.
-2. Navigate to **Access** > **Profiles/ Policies** > **Access Profiles (Per-session Policies)** and select the **Per-Session Policy** Edit link for the applicationΓÇÖs policy object.
+4. Navigate to **Access** > **Profiles/ Policies** > **Access Profiles (Per-session Policies)**.
+5. For the application policy object, in the **Per-Session Policy** column, select **Edit**.
- ![Screenshot shows access profiles](./media/partner-f5/access-profile.png)
+ ![Screenshot of the Edit option under Access Policies, on the Access dialog.](./media/partner-f5/access-profile.png)
-3. Select the small cross to delete the OAuth Logon Page policy object and when prompted choose to connect to the previous node.
+6. To delete the **OAuth Logon Page** policy object, select **X**.
+7. At the prompt, connect to the previous node.
- ![Screenshot shows OAuth logon page](./media/partner-f5/oauth-logon.png)
+ ![Screenshot of the X option on the OAuth Logon Page policy object.](./media/partner-f5/oauth-logon.png)
-4. Select **Apply Access Policy** in the top left-hand corner and close the visual editor tab.
-The next attempt at connecting to the application should take you straight to the Azure AD B2C sign-in page.
+8. In the top left corner, select **Apply Access Policy**.
+9. Close the visual editor tab.
+
+When you attempt to connect to the application, the Azure AD B2C sign-in page appears.
>[!Note]
->Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, so implementing this scenario by manually creating all configuration objects is recommended for production services.
+>If you re-enable strict mode and deploy a configuration, settings performed outside the Guided Configuration UI are overwritten. Implement this scenario by manually creating configuration objects for production services.
### Troubleshooting
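Review bot: in the Optimized login flow steps just above, step 3 "The header-based application unlocks the strict configuration" states a result as an action and gets the subject wrong: selecting the padlock unlocks the strict configuration for the header-based application, not the other way round. Suggest merging it into step 2: "On the far right of the row for the header-based application, select the padlock icon to unlock the strict configuration." The closing note also turned a recommendation into an instruction; the replaced text said that because re-enabling strict mode and redeploying overwrites changes made outside the Guided Configuration, creating the objects manually is recommended for production, and that reasoning should stay. In the SLO steps, "Locate the `logoutUrl` property. It reads null." should be "It should be null" (the original wording), and the three steps no longer say what the value is for; the earlier paragraph promises that Azure AD B2C issues a final redirect to the BIG-IP to end the APM session, so step 3 should read "Set `logoutUrl` to the APM post log-out URI, `https://<mysite.com>/my.logout.php3`, so that the B2C sign-out redirect reaches the BIG-IP and terminates the APM session." Minor: "the applications **Sign out** button" needs an apostrophe ("application's"), and "To learn more BIG-IP iRules" is missing "about".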
-Failure to access the protected application could be down to any number of potential factors, including a misconfiguration.
+Use the following troubleshooting guidance if access to the protected application is prevented.
-BIG-IP logs are a great source of information for isolating all authentication and SSO issues. If troubleshooting you should increase the log verbosity level.
+#### Log verbosity
- 1. Go to **Access Policy** > **Overview** > **Event Logs** > **Settings**.
+BIG-IP logs have information to isolate authentication and SSO issues. Increase the log verbosity level.
+ 1. Go to **Access Policy** > **Overview** > **Event Logs** > **Settings**.
2. Select the row for your published application then **Edit** > **Access System Logs**.
+ 3. From the SSO list, select **Debug**.
+ 4. Select **OK**.
+ 5. Before reviewing logs, reproduce your issue.
+
+When complete, revert the previous settings.
+
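Review bot: step 5, "Before reviewing logs, reproduce your issue", is not an action in the Event Logs settings dialog and reads as if it belonged to the preceding steps; move it, together with "When complete, revert the previous settings", into a sentence after the list and say what to revert: "With SSO logging at Debug, reproduce the failure, review the logs, then set the SSO log level back to its previous value." Debug-level SSO logging left on after troubleshooting is the kind of setting that gets forgotten, so the instruction to revert should name the setting rather than "the previous settings".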
+#### BIG-IP error message
- 3. Select **Debug** from the SSO list then, select **OK**. You can now reproduce your issue before looking at the logs but remember to switch this back when finished.
--- If you see a BIG-IP branded error immediately after successful Azure AD B2C authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.
+If you see a BIG-IP error message after Azure AD B2C authentication, the issue might relate to SSO from Azure AD to the BIG-IP.
1. Navigate to **Access** > **Overview** > **Access reports**.
+ 2. Run the report for the last hour
+ 3. Review logs for clues.
+ 4. Select the **View session variables** link.
+ 5. Determine if the APM receives the expected Azure AD claims.
- 2. Run the report for the last hour to see logs provide any clues. The View session variables link for your session will also help understand if the APM is receiving the expected claims from Azure AD.
+#### No BIG-IP error message
-- If you donΓÇÖt see a BIG-IP error page, then the issue is probably more related to the backend request or SSO from the BIG-IP to the application.
+If no BIG-IP error message appears, the issue might be related to the back-end request, or SSO from the BIG-IP to the application.
1. Go to **Access Policy** > **Overview** > **Active Sessions**.- 2. Select the link for your active session.
+ 3. Select the **View Variables** link.
+ 4. Review to determine root cause, particularly if the BIG-IP APM obtains inaccurate session attributes.
+ 5. Use the application logs to help understand if it received the attributes as headers.
-- The View Variables link in this location may also help determine root cause, particularly if the BIG-IP APM fails to obtain the right session attributes.
-Your applicationΓÇÖs logs would then help understand if it received those attributes as headers, or not.
--- If using Guided Configuration v8, be aware of a known issue that generates the following BIG-IP error, after successful Azure AD B2C authentication.
+#### Guided Configuration v8 known issue
- ![Screenshot shows the error message](./media/partner-f5/error-message.png)
+If using Guided Configuration v8, a known issue generates the following error after successful Azure AD B2C authentication. The issue might be the AGC not enabling the Auto JWT setting during deployment. The APM can't obtain the current token signing keys. F5 engineering is investigating root cause.
-This is a policy violation due to the BIG-IPΓÇÖs inability to validate the signature of the token issued by Azure AD B2C. The same access log should be able to provide more detail on the issue.
+ ![Screenshot of the access-denied error message.](./media/partner-f5/error-message.png)
- ![Screenshot shows the access logs](./media/partner-f5/access-log.png)
+The same access log provides detail.
-Exact root cause is still being investigated by F5 engineering, but issue appears related to the AGC not enabling the Auto JWT setting during deployment, thereby preventing the APM from obtaining the current token signing keys.
+ ![Screenshot of Log Message details.](./media/partner-f5/access-log.png)
- Until resolved, one way to work around the issue is to manually enable this setting.
+**Manually enable the setting**
- 1. Navigate to **Access** > **Guided Configuration** and select the small padlock icon on the far right of the row for your header-based application.
+ 1. Navigate to **Access** > **Guided Configuration**.
+ 2. On the far-right of the row for your header-based application, select the **padlock**.
+ 3. Navigate to **Access** > **Federation** > **OAuth Client/Resource Server** > **Providers**.
+ 4. Select the provider for your Azure AD B2C configuration.
+ 5. Check the **Use Auto JWT** box.
+ 6. Select **Discover**.
+ 7. Select **Save**.
+ 8. The **Key** (JWT) field has the token signing certificate key ID (KID) from OpenID URI metadata.
+ 9. In the top-left corner, select **Apply Access Policy**.
+ 10. Select **Apply**.
- 2. With the managed configuration unlocked, navigate to **Access** > **Federation** > **OAuth Client/Resource Server** > **Providers**.
-
- 3. Select the provider for your Azure AD B2C configuration.
-
- 4. Check the **Use Auto JWT** box then select **Discover**, followed by **Save**.
-
-You should now see the Key (JWT) field populated with the key ID (KID) of the token signing certificate provided through the OpenID URI metadata.
-
- 5. Finally, select the yellow **Apply Access Policy** option in the top left-hand corner, located next to the F5 logo. Then select **Apply** again to refresh the access profile list.
+For more information, go to techdocs.f5.com for [OAuth client and resource server troubleshooting tips](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html#GUID-774384BC-CF63-469D-A589-1595D0DDFBA2)
-See F5ΓÇÖs guidance for more [OAuth client and resource server troubleshooting tips](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html#GUID-774384BC-CF63-469D-A589-1595D0DDFBA2)
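Review bot: the sentence explaining the Guided Configuration v8 error was deleted without replacement ("This is a policy violation due to the BIG-IP's inability to validate the signature of the token issued by Azure AD B2C"), and the new paragraph also dropped "Until resolved, one way to work around the issue is to manually enable this setting", so the "Manually enable the setting" heading no longer says it is a workaround for an open issue. Suggest restoring both: the APM denies access because it cannot obtain the token signing keys and therefore cannot validate the signature of the Azure AD B2C token, and the workaround restores key discovery (Use Auto JWT, then Discover) rather than relaxing validation. Step 8, "The **Key** (JWT) field has the token signing certificate key ID (KID) from OpenID URI metadata", is the check that the workaround worked, not an action; write it as "Verify that the Key (JWT) field is populated with the key ID (KID) of the token signing certificate from the OpenID metadata" before the Apply Access Policy steps. Minor: "Run the report for the last hour" lacks its period, and under "No BIG-IP error message" step 2 has been run onto the end of step 1, so the list appears to start at "3. Select the **View Variables** link".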
active-directory How Provisioning Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/how-provisioning-works.md
Previously updated : 04/03/2023 Last updated : 04/04/2023
The table describes how you can configure deprovisioning actions with the Azure
|Scenario|How to configure in Azure AD| |--|--|
-|If a user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, do nothing.|Remove isSoftDeleted from the attribute mappings and / or set the [skip out of scope deletions](skip-out-of-scope-deletions.md) property to true.|
-|If a user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, set a specific attribute to true / false.|Map isSoftDeleted to the attribute that you would like to set to false.|
-|When a user is disabled in Azure AD, unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, send a DELETE request to the target application.|This is currently supported for a limited set of gallery applications where the functionality is required. It's not configurable by customers.|
-|When a user is deleted in Azure AD, do nothing in the target application.|Ensure that "Delete" isn't selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
-|When a user is deleted in Azure AD, set the value of an attribute in the target application.|Not supported.|
-|When a user is deleted in Azure AD, delete the user in the target application|This is supported. Ensure that Delete is selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
+|A user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You don't want anything to be done.|Remove `isSoftDeleted` from the attribute mappings and / or set the [skip out of scope deletions](skip-out-of-scope-deletions.md) property to true.|
+|A user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You want to set a specific attribute to `true` or `false`.|Map `isSoftDeleted` to the attribute that you would like to set to false.|
+|A user is disabled in Azure AD, unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You want to send a DELETE request to the target application.|This is currently supported for a limited set of gallery applications where the functionality is required. It's not configurable by customers.|
+|A user is deleted in Azure AD. You don't want anything done in the target application.|Ensure that "Delete" isn't selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
+|A user is deleted in Azure AD. You want to set the value of an attribute in the target application.|Not supported.|
+|A user is deleted in Azure AD. You want to delete the user in the target application|Ensure that Delete is selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
**Known limitations**
-* If a user that was previously managed by the provisioning service is unassigned from an app, or from a group assigned to an app then a disable request is sent. At that point, the user isn't managed by the service and a delete request isn't sent when the user is deleted from the directory.
+* When a user or group is unassigned from an app and no longer managed with the provisioning service, a disable request is sent. At that point, the service doesn't manage the user and a delete request isn't sent when the user is deleted from the directory.
* Provisioning a user that is disabled in Azure AD isn't supported. They must be active in Azure AD before they're provisioned.
-* When a user goes from soft-deleted to active, the Azure AD provisioning service will activate the user in the target app, but won't automatically restore the group memberships. The target application should maintain the group memberships for the user in inactive state. If the target application doesn't support this, you can restart provisioning to update the group memberships.
+* When a user goes from soft-deleted to active, the Azure AD provisioning service activates the user in the target app, but doesn't automatically restore the group memberships. The target application should maintain the group memberships for the user in inactive state. If the target application doesn't support maintaining the inactive state, you can restart provisioning to update the group memberships.
**Recommendation**
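Review bot: the rewritten first known limitation changes its meaning. "When a user or group is unassigned from an app and no longer managed with the provisioning service, a disable request is sent" makes "no longer managed" a precondition and drops the "group assigned to an app" case; the replaced text said the user stops being managed as a consequence of the unassignment. Suggest "If a user that the provisioning service previously managed is unassigned from an app, or from a group assigned to the app, a disable request is sent. From that point the service no longer manages the user, so no delete request is sent when the user is later deleted from the directory." That last consequence is worth keeping explicit: an account disabled this way stays in the target application until someone removes it there.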
active-directory Workload Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/workload-identity.md
Previously updated : 01/05/2023 Last updated : 04/04/2023
These differences make workload identities harder to manage and put them at high
> [!IMPORTANT] > Workload Identities Premium licenses are required to create or modify Conditional Access policies scoped to service principals.
-> In directories without appropriate licenses, existing Conditional Access policies for workload identities will continue to function, but can't be modified. For more information see [Microsoft Entra Workload Identities](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz).  
+> In directories without appropriate licenses, existing Conditional Access policies for workload identities will continue to function, but can't be modified. For more information, see [Microsoft Entra Workload Identities](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz).  
> [!NOTE] > Policy can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities are not covered by policy.
Create a location based Conditional Access policy that applies to service princi
1. Under **Assignments**, select **Users or workload identities**. 1. Under **What does this policy apply to?**, select **Workload identities**. 1. Under **Include**, choose **Select service principals**, and select the appropriate service principals from the list.
-1. Under **Cloud apps or actions**, select **All cloud apps**. The policy will apply only when a service principal requests a token.
+1. Under **Cloud apps or actions**, select **All cloud apps**. The policy applies only when a service principal requests a token.
1. Under **Conditions** > **Locations**, include **Any location** and exclude **Selected locations** where you want to allow access. 1. Under **Grant**, **Block access** is the only available option. Access is blocked when a token request is made from outside the allowed range. 1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**.
Create a risk-based Conditional Access policy that applies to service principals
1. Under **Assignments**, select **Users or workload identities**. 1. Under **What does this policy apply to?**, select **Workload identities**. 1. Under **Include**, choose **Select service principals**, and select the appropriate service principals from the list.
-1. Under **Cloud apps or actions**, select **All cloud apps**. The policy will apply only when a service principal requests a token.
+1. Under **Cloud apps or actions**, select **All cloud apps**. The policy applies only when a service principal requests a token.
1. Under **Conditions** > **Service principal risk** 1. Set the **Configure** toggle to **Yes**. 1. Select the levels of risk where you want this policy to trigger.
active-directory Active Directory Configurable Token Lifetimes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/active-directory-configurable-token-lifetimes.md
Previously updated : 03/07/2023 Last updated : 04/04/2023 -+ # Configurable token lifetimes in the Microsoft identity platform (preview)
-You can specify the lifetime of an access, ID, or SAML token issued by the Microsoft identity platform. You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization. However, we currently don't support configuring the token lifetimes for [managed identity service principals](../managed-identities-azure-resources/overview.md).
+You can specify the lifetime of an access, ID, or SAML token issued by the Microsoft identity platform. You can set token lifetimes for all apps in your organization or for a multi-tenant (multi-organization) application. We currently don't support configuring the token lifetimes for service principals or [managed identity service principals](../managed-identities-azure-resources/overview.md).
In Azure AD, a policy object represents a set of rules that are enforced on individual applications or on all applications in an organization. Each policy type has a unique structure, with a set of properties that are applied to objects to which they're assigned.
A token lifetime policy is a type of policy object that contains token lifetime
Reducing the Access Token Lifetime property mitigates the risk of an access token or ID token being used by a malicious actor for an extended period of time. (These tokens cannot be revoked.) The trade-off is that performance is adversely affected, because the tokens have to be replaced more often.
-For an example, see [Create a policy for web sign-in](registration-config-change-token-lifetime-how-to.md).
+For an example, see [Create a policy for web sign-in](configure-token-lifetimes.md).
Access, ID, and SAML2 token configuration are affected by the following properties and their respectively set values:
Refresh and session token configuration are affected by the following properties
Non-persistent session tokens have a Max Inactive Time of 24 hours whereas persistent session tokens have a Max Inactive Time of 90 days. Anytime the SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days. If the SSO session token isn't used within its Max Inactive Time period, it's considered expired and will no longer be accepted. Any changes to this default period should be changed using [Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).
-You can use PowerShell to find the policies that will be affected by the retirement. Use the [PowerShell cmdlets](configure-token-lifetimes.md#get-started) to see the all policies created in your organization, or to find which apps and service principals are linked to a specific policy.
+You can use PowerShell to find the policies that will be affected by the retirement. Use the [PowerShell cmdlets](configure-token-lifetimes.md#get-started) to see the all policies created in your organization, or to find which apps are linked to a specific policy.
## Policy evaluation and prioritization
-You can create and then assign a token lifetime policy to a specific application, to your organization, and to service principals. Multiple policies might apply to a specific application. The token lifetime policy that takes effect follows these rules:
+You can create and then assign a token lifetime policy to a specific application and to your organization. Multiple policies might apply to a specific application. The token lifetime policy that takes effect follows these rules:
-* If a policy is explicitly assigned to the service principal, it's enforced.
-* If no policy is explicitly assigned to the service principal, a policy explicitly assigned to the parent organization of the service principal is enforced.
-* If no policy is explicitly assigned to the service principal or to the organization, the policy assigned to the application is enforced.
-* If no policy has been assigned to the service principal, the organization, or the application object, the default values are enforced. (See the table in [Configurable token lifetime properties](#configurable-token-lifetime-properties).)
-
-For more information about the relationship between application objects and service principal objects, see [Application and service principal objects in Azure Active Directory](app-objects-and-service-principals.md).
+* If a policy is explicitly assigned to the organization, it's enforced.
+* If no policy is explicitly assigned to the organization, the policy assigned to the application is enforced.
+* If no policy has been assigned to the organization or the application object, the default values are enforced. (See the table in [Configurable token lifetime properties](#configurable-token-lifetime-properties).)
A token's validity is evaluated at the time the token is used. The policy with the highest priority on the application that is being accessed takes effect.
All timespans used here are formatted according to the C# [TimeSpan](/dotnet/api
## REST API reference
-You can configure token lifetime policies and assign them to apps and service principals using Microsoft Graph. For more information, see the [tokenLifetimePolicy resource type](/graph/api/resources/tokenlifetimepolicy) and its associated methods.
+You can configure token lifetime policies and assign them to apps using Microsoft Graph. For more information, see the [tokenLifetimePolicy resource type](/graph/api/resources/tokenlifetimepolicy) and its associated methods.
## Cmdlet reference
-These are the cmdlets in the [Azure Active Directory PowerShell for Graph Preview module](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#service-principals).
+These are the cmdlets in the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation).
### Manage policies
You can use the following cmdlets to manage policies.
| Cmdlet | Description | | | |
-| [New-AzureADPolicy](/powershell/module/azuread/new-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) | Creates a new policy. |
-| [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) | Gets all Azure AD policies or a specified policy. |
-| [Get-AzureADPolicyAppliedObject](/powershell/module/azuread/get-azureadpolicyappliedobject?view=azureadps-2.0-preview&preserve-view=true) | Gets all apps and service principals that are linked to a policy. |
-| [Set-AzureADPolicy](/powershell/module/azuread/set-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) | Updates an existing policy. |
-| [Remove-AzureADPolicy](/powershell/module/azuread/remove-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) | Deletes the specified policy. |
+| [New-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/new-mgpolicytokenlifetimepolicy) | Creates a new policy. |
+| [Get-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/get-mgpolicytokenlifetimepolicy) | Gets all token lifetime policies or a specified policy. |
+| [Update-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/update-mgpolicytokenlifetimepolicy) | Updates an existing policy. |
+| [Remove-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/remove-mgpolicytokenlifetimepolicy) | Deletes the specified policy. |
### Application policies You can use the following cmdlets for application policies.</br></br> | Cmdlet | Description | | | |
-| [Add-AzureADApplicationPolicy](/powershell/module/azuread/add-azureadapplicationpolicy?view=azureadps-2.0-preview&preserve-view=true) | Links the specified policy to an application. |
-| [Get-AzureADApplicationPolicy](/powershell/module/azuread/get-azureadapplicationpolicy?view=azureadps-2.0-preview&preserve-view=true) | Gets the policy that is assigned to an application. |
-| [Remove-AzureADApplicationPolicy](/powershell/module/azuread/remove-azureadapplicationpolicy?view=azureadps-2.0-preview&preserve-view=true) | Removes a policy from an application. |
+| [New-MgApplicationTokenLifetimePolicyByRef](/powershell/module/microsoft.graph.applications/new-mgapplicationtokenlifetimepolicybyref) | Links the specified policy to an application. |
+| [Get-MgApplicationTokenLifetimePolicyByRef](/powershell/module/microsoft.graph.applications/get-mgapplicationtokenlifetimepolicybyref) | Gets the policies that are assigned to an application. |
+| [Remove-MgApplicationTokenLifetimePolicyByRef](/powershell/module/microsoft.graph.applications/remove-mgapplicationtokenlifetimepolicybyref) | Removes a policy from an application. |
### Service principal policies
-You can use the following cmdlets for service principal policies.
-
-| Cmdlet | Description |
-| | |
-| [Add-AzureADServicePrincipalPolicy](/powershell/module/azuread/add-azureadserviceprincipalpolicy?view=azureadps-2.0-preview&preserve-view=true) | Links the specified policy to a service principal. |
-| [Get-AzureADServicePrincipalPolicy](/powershell/module/azuread/get-azureadserviceprincipalpolicy?view=azureadps-2.0-preview&preserve-view=true) | Gets any policy linked to the specified service principal.|
-| [Remove-AzureADServicePrincipalPolicy](/powershell/module/azuread/remove-azureadserviceprincipalpolicy?view=azureadps-2.0-preview&preserve-view=true) | Removes the policy from the specified service principal.|
+Service principal policies are not supported.
## Next steps
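Review bot: the rewritten precedence list at L651-L653 now puts an organization-default policy above a policy assigned to a specific application, which inverts the removed ordering at L645-L647 (where the most specific assignment won), yet the unchanged sentence at L654 still says "the policy with the highest priority on the application that is being accessed takes effect"; if an organization-level policy really overrides an application-level one, L654 should say so, and if not, the bullets at L651-L652 should be swapped. The cmdlet tables at L670-L673 and L678-L680 also drop Get-AzureADPolicyAppliedObject (L667) without naming a replacement; pointing readers at the Graph `appliesTo` request that the companion Configure Token Lifetimes article uses would keep a way to find which apps a policy is linked to. Finally, "Service principal policies are not supported." (L689) leaves the "### Service principal policies" heading with a single sentence; it reads better folded into the REST API paragraph at L658.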
active-directory Active Directory Saml Claims Customization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/active-directory-saml-claims-customization.md
For more information about identifier values, see [Table 3: Valid ID values per
Any constant (static) value can be assigned to any claim that is defined in Azure AD. The following steps outline how to assign a constant value:
-1. In the [Azure portal](https://portal.azure.com/), in the **User Attributes & Claims** section, select **Edit** to edit the claims.
+1. In the [Azure portal](https://portal.azure.com/), in the **Attributes & Claims** section, select **Edit** to edit the claims.
1. Select the required claim that you want to modify. 1. Enter the constant value without quotes in the **Source attribute** as per your organization and click **Save**.
Any constant (static) value can be assigned to any claim that is defined in Azur
:::image type="content" source="./media/active-directory-saml-claims-customization/edit-attributes-claims.png" alt-text="Screenshot of editing in the Attributes & Claims section in the Azure portal.":::
+### Directory Schema extensions (Preview)
+
+You can also configure directory schema extension attribute as non-conditional/conditional attribute in Azure AD. The following steps outline how to configure the single or multi-valued directory schema extension attribute as claim:
+
+1. In the [Azure portal](https://portal.azure.com/), in the **Attributes & Claims** section, select **Edit** to edit the claims.ΓÇ»
+2. Click **Add new claim** or edit an existing claim.ΓÇ»
+
+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-1.jpg" alt-text="Screenshot of the MultiValue extension configuration section in the Azure portal.":::
+
+3. Select source application from application picker where extension property is defined.
+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-2.jpg" alt-text="Screenshot of the source application selection in MultiValue extension configuration section in the Azure portal.":::
+
+4. Click **Add** to add the selection to the claims.
+
+<!
+5. To select single or multi-valued directory schema extension attribute as conditional attribute select **Directory schema extension** option from the source dropdown.
+
+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-3.png" alt-text="Screenshot of the MultiValue extension configuration for conditional claims section in the Azure portal.":::
+>
+
+5. Click **Save** to commit the changes.
++ ## Special claims transformations You can use the following special claims transformations functions.
To apply a transformation to a user attribute:
1. In **Manage claim**, select *Transformation* as the claim source to open the **Manage transformation** page. 1. Select the function from the transformation dropdown. Depending on the function selected, you'll have to provide parameters and a constant value to evaluate in the transformation. Refer to the following table for more information about the available functions.
+1. Select the source of the attribute by clicking on the appropriate radio button. Directory schema extension source is in preview currently.
+
+ :::image type="content" source="./media/active-directory-saml-claims-customization/mv-extension-4.png" alt-text="Screenshot of claims transformation.":::
+
+1. Select the attribute name from the dropdown.
+ 1. **Treat source as multivalued** is a checkbox indicating whether the transform should be applied to all values or just the first. By default, transformations are only applied to the first element in a multi-value claim, by checking this box it ensures it's applied to all. This checkbox is only be enabled for multi-valued attributes, for example `user.proxyaddresses`.+ 1. To apply multiple transformations, select **Add transformation**. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the `user.mail`. Then, make the string upper case.
- :::image type="content" source="./media/active-directory-saml-claims-customization/sso-saml-multiple-claims-transformation.png" alt-text="Screenshot of claims transformation.":::
You can use the following functions to transform claims.
To add a claim condition:
1. In **Manage claim**, expand the Claim conditions. 1. Select the user type. 1. Select the group(s) to which the user should belong. You can select up to 50 unique groups across all claims for a given application.
-1. Select the **Source** where the claim is going to retrieve its value. You can select a user attribute from the source attribute dropdown or apply a transformation to the user attribute before emitting it as a claim.
+1. Select the **Source** where the claim is going to retrieve its value. You can either select a user attribute from the source attribute dropdown or apply a transformation to the user attribute or a directory schema extension (preview) before emitting it as a claim.
The order in which you add the conditions are important. Azure AD first evaluates all conditions with source `Attribute` and then evaluates all conditions with source `Transformation` to decide which value to emit in the claim. Conditions with the same source are evaluated from top to bottom. The last value, which matches the expression is emitted in the claim. Transformations such as `IsNotEmpty` and `Contains` act like restrictions.
For example, Britta Simon is a guest user in the Contoso tenant. Britta belongs
First, the Microsoft identity platform verifies whether Britta's user type is **All guests**. Because this is true, the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**, because this is also true, the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with a value of `user.mail` for Britta. As another example, consider when Britta Simon tries to sign in and the following configuration is used. Azure AD first evaluates all conditions with source `Attribute`. Because Britta's user type is **AAD guests**, `user.mail` is assigned as the source for the claim. Next, Azure AD evaluates the transformations. Because Britta is a guest, `user.extensionattribute1` is now the new source for the claim. Because Britta is in **AAD guests**, `user.othermail` is now the source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta.
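Review bot: the block at L713-L717 is meant to be commented out but uses `<!` and `>` instead of `<!--` and `-->`, so it is not a valid HTML comment; depending on the renderer the hidden step 5 and its image either show up (giving two step 5s, L714 and L719) or the stray `<!` leaks into the output. Either restore the proper comment delimiters or drop the block. Minor wording in the added text: L701 and L708 are missing articles ("configure directory schema extension attribute as non-conditional/conditional attribute", "Select source application from application picker"), L703-L704 end with a non-breaking-space encoding artifact ("ΓÇ»"), and L728 has "is only be enabled" (should be "is only enabled"). L729 removes the multi-claim transformation screenshot while L725 adds one with the identical alt text "Screenshot of claims transformation."; the alt text should say what the new image shows (the attribute-source radio buttons).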
active-directory Configure Token Lifetimes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/configure-token-lifetimes.md
+
+ Title: Set lifetimes for tokens
+description: Learn how to set lifetimes for access tokens issued by Microsoft identity platform.
++++++++ Last updated : 04/04/2023++++
+# Configure token lifetime policies (preview)
+
+In the following steps, you'll implement a common policy scenario that imposes new rules for token lifetime. It's possible to specify the lifetime of an access, SAML, or ID token issued by the Microsoft identity platform. This can be set for all apps in your organization or for a specific service principal. They can also be set for multi-organizations (multi-tenant application).
+
+For more information, see [configurable token lifetimes](active-directory-configurable-token-lifetimes.md).
+
+## Get started
+
+To get started, download the latest [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation).
+
+## Create a policy for web sign-in
+
+In the following steps, you'll create a policy that requires users to authenticate less frequently in your web app. This policy sets the lifetime of the access/ID tokens for your web app.
+
+```powershell
+Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"
+
+# Create a token lifetime policy
+$params = @{
+ Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"4:00:00"}}')
+ DisplayName = "WebPolicyScenario"
+ IsOrganizationDefault = $false
+}
+$tokenLifetimePolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id
+
+# Display the policy
+Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId
+
+# Assign the token lifetime policy to an app
+$params = @{
+ "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId"
+}
+
+$applicationObjectId="11111111-1111-1111-1111-111111111111"
+
+New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params
+
+# List the token lifetime policy on the app
+Get-MgApplicationTokenLifetimePolicy -ApplicationId $applicationObjectId
+
+# Remove the policy from the app
+Remove-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -TokenLifetimePolicyId $tokenLifetimePolicyId
+
+# Delete the policy
+Remove-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId
+```
+
+## View existing policies in a tenant
+
+To see all policies that have been created in your organization, run the [Get-MgPolicyTokenLifetimePolicy](/powershell/module/microsoft.graph.identity.signins/get-mgpolicytokenlifetimepolicy) cmdlet. Any results with defined property values that differ from the defaults listed above are in scope of the retirement.
+
+```powershell
+Get-MgPolicyTokenLifetimePolicy
+```
+
+To see which apps are linked to a specific policy that you identified, run [List appliesTo](/graph/api/tokenlifetimepolicy-list-appliesto) with any of your policy IDs.
+
+```powershell
+GET https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/4d2f137b-e8a9-46da-a5c3-cc85b2b840a4/appliesTo
+```
+
+## Next steps
+Learn about [authentication session management capabilities](../conditional-access/howto-conditional-access-session-lifetime.md) in Azure AD Conditional Access.
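Review bot: L745 says token lifetimes "can be set ... for a specific service principal", but the companion change to the configurable-token-lifetimes article in this same update states "Service principal policies are not supported." (L689), and the script below only ever assigns the policy to an application object (L778); align L745 with that. L792 refers to "the defaults listed above" and "the retirement", neither of which appears in this article (there is no defaults table here and no retirement is described), so that sentence should be rewritten or dropped. L801 is a raw HTTP request line inside a ```powershell fence; fence it as `http`, or make it runnable in the same session with `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId/appliesTo"`, which ships in the Microsoft Graph PowerShell SDK already required at L751. Two smaller points: `$applicationObjectId` (L776) must be the application's object ID, not the Application (client) ID that the cURL and Postman articles tell readers to record, and a comment saying so would prevent a common mistake; and L758 requests only Policy.ReadWrite.ApplicationConfiguration while the script also modifies an application (L778), so check the permissions listed for the assign-tokenLifetimePolicy Graph call and add Application.ReadWrite.All if it is required.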
active-directory Howto Call A Web Api With Curl https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-call-a-web-api-with-curl.md
+
+ Title: Call an ASP.NET Core web API with cURL
+description: Learn how to call a protected ASP.NET Core Web API using the Microsoft identity platform with cURL
+++++ Last updated : 03/14/2023
+zone_pivot_groups: web-api-howto-prereq
+
+#Customer intent: As a software developer, I want to call a protected ASP.NET Core Web API using the Microsoft identity platform with cURL
++
+# Call an ASP.NET Core web API with cURL
++
+This article shows you how to call a protected ASP.NET Core web API using Client URL (cURL). cURL is a command line tool that developers use to transfer data to and from a server. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using cURL.
+++
+This article shows you how to call a protected ASP.NET Core web API using Client URL (cURL). cURL is a command line tool that developers use to transfer data to and from a server. Following on from the [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md), where you created a protected API, you'll need to register a web application with the Microsoft identity platform to generate an access token. Next, you'll use the token to make an authorized call to the API using cURL.
++
+## Prerequisites
++
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:
+ - Application administrator
+ - Application developer
+ - Cloud application administrator
+- [Download and install cURL](https://curl.se/download.html) on your workstation computer.
+- A minimum requirement of [.NET Core 6.0 SDK](https://dotnet.microsoft.com/download/dotnet).
+++
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:
+ - Application administrator
+ - Application developer
+ - Cloud application administrator
+- Completion of the tutorial series:
+ - [Tutorial: Register web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md).
+ - [Tutorial: Create and configure an ASP.NET Core project for authentication](web-api-tutorial-02-prepare-api.md).
+ - [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md).
+- [Download and install cURL](https://curl.se/download.html) on your workstation computer.
++
+## Register an application with the Microsoft identity platform
+
+The Microsoft identity platform requires your application to be registered before providing identity and access management services. The application registration allows you to specify the name, and type of the application, and the sign-in audience. The sign-in audience specifies what types of user accounts are allowed to sign-in to a given application.
++
+### Register the web API
+
+Follow these steps to create the web API registration:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations > New registration**.
+1. Enter a **Name** for the application, such as *NewWebAPI1*.
+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option.
+1. Select **Register**.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type.":::
+
+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page.":::
+
+> [!NOTE]
+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).
+
+#### Expose the API
+
+Once the API is registered, you can configure its permission by defining the scopes that the API exposes to client applications. Client applications request permission to perform operations by passing an access token along with its requests to the protected web API. The web API then performs the requested operation only if the access token it receives is valid.
+
+1. Under **Manage**, select **Expose an API > Add a scope**. Accept the proposed **Application ID URI** `(api://{clientId})` by selecting **Save and continue**. The `{clientId}` is the value recorded from the **Overview** page. Then enter the following information:
+ 1. For **Scope name**, enter `Forecast.Read`.
+ 1. For **Who can consent**, ensure that the **Admins and users** option is selected.
+ 1. In the **Admin consent display name** box, enter `Read forecast data`.
+ 1. In the **Admin consent description** box, enter `Allows the application to read weather forecast data`.
+ 1. In the **User consent display name** box, enter `Read forecast data`.
+ 1. In the **User consent description** box, enter `Allows the application to read weather forecast data`.
+ 1. Ensure that the **State** is set to **Enabled**.
+1. Select **Add scope**. If the scope has been entered correctly, it'll be listed in the **Expose an API** pane.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/add-a-scope-inline.png" alt-text="Screenshot that shows the field values when adding the scope to an API." lightbox="./media/web-api-tutorial-01-register-app/add-a-scope-expanded.png":::
+++++
+### Register the web app
+
+Having a web API isn't enough however, as a web app is also needed to obtain an access token to access the web API you've created.
+
+Follow these steps to create the web app registration:
++
+1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations** > **New registration**.
+1. Enter a **Name** for the application, such as `web-app-calls-web-api`.
+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.
+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.
+1. Select **Register**.
+++
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations** > **New registration**.
+1. Enter a Name for the application, such as `web-app-calls-web-api`.
+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.
+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.
+1. Select **Register**.
++
+When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps.
+
+#### Add a client secret
+
+A client secret is a string value your app can use to identity itself, and is sometimes referred to as an *application password*. The web app uses the client secret to prove its identity when it requests tokens.
+
+Follow these steps to configure a client secret:
+
+1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.
+1. Add a description for your client secret, for example *My client secret*.
+1. Select an expiration for the secret or specify a custom lifetime.
+
+ - A client secret's lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
+ - Microsoft recommends that you set an expiration value of less than 12 months.
+
+1. Select **Add**.
+1. Be sure to record the **Value** of the client secret. This secret value is **never displayed again** after you leave this page.
+
+#### Add application permissions to allow access to a web API
+
+By specifying a web API's scopes in the web app registration, the web app can obtain an access token containing the scopes provided by the Microsoft identity platform. Within the code, the web API can then provide permission-based access to its resources based on the scopes found in the access token.
+
+Follow these steps to configure the web app permissions to the web API:
+
+1. From the **Overview** pane of your web application in the Azure portal (*web-app-that-calls-web-api*), under **Manage**, select **API permissions** > **Add a permission** > **My APIs**.
+1. Select **NewWebAPI1** or the API that you wish to add permissions to.
+1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user.
+1. Select **Add permissions** to complete the process.
+
+After adding these permissions to your API, you should see the selected permissions under **Configured permissions**.
+
+You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal.
++
+## Test the web API
+
+1. Clone the [ms-identity-docs-code-dotnet](https://github.com/Azure-Samples/ms-identity-docs-code-dotnet) repository.
+
+ ```bash
+ git clone https://github.com/Azure-Samples/ms-identity-docs-code-dotnet.git
+ ```
+
+1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `./appsettings.json` file, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with:
+
+ - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal.
+ - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal.
+
+1. Execute the following command to start the app:
+
+ ### [.NET 6.0](#tab/dotnet6)
+
+ ```bash
+ dotnet run
+ ```
+
+ ### [.NET 7.0](#tab/dotnet7)
+
+ ```bash
+ dotnet run --launch-profile https
+ ```
+
+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.
+
+ ```bash
+ ...
+ info: Microsoft.Hosting.Lifetime[14]
+ Now listening on: https://localhost:{port}
+ ...
+ ```
+++
+## Test the web API
+
+1. Navigate to the web API that was created in [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md), for example *NewWebAPILocal*, and open the folder.
+
+1. Open a new terminal window and navigate to the folder where the web API project is located.
+
+### [.NET 6.0](#tab/dotnet6)
+
+1. Execute the following command to start the app:
+
+ ```bash
+ dotnet run
+ ```
+
+### [.NET 7.0](#tab/dotnet7)
+
+1. Execute the following command to start the app on the `https` profile:
+
+ ```bash
+ dotnet run --launch-profile https
+ ```
++
+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.
+
+ ```bash
+ ...
+ info: Microsoft.Hosting.Lifetime[14]
+ Now listening on: https://localhost:{port}
+ ...
+ ```
++
+### Request an authorization code
+
+The authorization code flow begins with the client directing the user to the `/authorize` endpoint. In this request, the client requests the `Forecast.Read` permission from the user.
+
+ ```http
+ https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?client_id={web-app-calls-web-api_application_client_id}&response_type=code&redirect_uri=http://localhost&response_mode=query&scope=api://{web_API_application_client_id}/Forecast.Read
+ ```
+
+1. Copy the URL, replace the following parameters and paste it into your browser:
+ - `{tenant_id}` is the web app **Directory (tenant) ID**. This should be the same value across both of the applications's **Overview** pane **App registrations** in the Azure portal.
+ - `{web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web app's (*web-app-calls-web-api*) **Overview** pane in the Azure portal.
+ - `{web_API_application_client_id}` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane in the Azure portal.
+1. Sign in as a user in the Azure AD tenant in which the apps are registered. Consent to any requests for access, if necessary.
+1. Your browser will be redirected to `http://localhost/`. Refer to your browser's navigation bar and copy the `{authorization_code}` to use in the following steps. The URL takes the form of the following snippet:
+
+ ```http
+ http://localhost/?code={authorization_code}
+ ```
+
+### Use an authorization code and cURL to get an access token
+
+cURL can now be used to request an access token from the Microsoft identity platform.
+
+1. Copy the cURL command in the following snippet. Replace the values in parentheses with the following parameters to your terminal. Be sure to remove the parentheses:
+
+ ```bash
+ curl -X POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token \
+ -d 'client_id={web-app-calls-web-api_application_client_id}' \
+ -d 'api://{web_API_application_client_id}/Forecast.Read' \
+ -d 'code={authorization_code}&session_state={web-app-calls-web-api_application_client_id}' \
+ -d 'redirect_uri=http://localhost' \
+ -d 'grant_type=authorization_code' \
+ -d 'client_secret={client_secret}'
+ ```
+ - `{tenant_id}` is the web app **Directory (tenant) ID**. This should be the same value across both of the applications's **Overview** pane **App registrations** in the Azure portal.
+ - `client_id={web-app-calls-web-api_application_client_id}`, and `session_state={web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web application's (*web-app-calls-web-api*) **Overview** pane in the Azure portal.
+ - `api://{web_API_application_client_id}/Forecast.Read` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane in the Azure portal.
+ - `code={authorization_code}` is the authorization code that was received in [Request an authorization code](#request-an-authorization-code). This enables the cURL tool to request an access token.
+ - `client_secret={client_secret}` is the client secret **Value** recorded in [Add a client secret](#add-a-client-secret).
+
+1. Run the cURL command and if entered correctly, you should receive a JSON response similar to the following output:
+
+ ```json
+ {
+ "token_type": "Bearer",
+ "scope": "api://{web_API_application_client_id}/Forecast.Read",
+ "expires_in": 3600,
+ "ext_expires_in": 3600,
+ "access_token": "{access_token}"
+ }
+ ```
+
+### Call web API with access token
+
+By running the previous cURL command, the Microsoft identity platform has provided an access token. The acquired token can now be used as a bearer in an HTTP request to call the web API.
+
+1. To call the web API, copy the following cURL command, replace the following values in parentheses and paste it into your terminal:
+
+ ```bash
+ curl -X GET https://localhost:{port}/weatherforecast -ki \
+ -H 'Content-Type: application/json' \
+ -H "Authorization: Bearer {access_token}"
+ ```
+
+ - `{access_token}` the access token value recorded from the JSON output in the previous section.
+ - `{port}` the port number from the web API recorded when running the API in the terminal. Ensure it's the `https` port number.
+
+1. With a valid access token included in the request, the expected response is `HTTP/2 200` with output similar to the following output:
+
+ ```bash
+ HTTP/2 200
+ content-type: application/json; charset=utf-8
+ date: Day, DD Month YYYY HH:MM:SS
+ server: Kestrel
+ [{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":36,"summary":"Hot","temperatureF":96},{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":43,"summary":"Warm","temperatureF":109},{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":18,"summary":"Warm","temperatureF":64},{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":50,"summary":"Chilly","temperatureF":121},{"date":"YYYY-MM-DDTHH:MM:SS","temperatureC":3,"summary":"Bracing","temperatureF":37}]
+ ```
+
+## Next steps
+
+For more information about OAuth 2.0 authorization code flow and application types, see:
+
+- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)
+- [Application types for the Microsoft identity platform](v2-app-types.md#web-apps)
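Review bot: the `-k` in `curl -X GET https://localhost:{port}/weatherforecast -ki` disables TLS certificate verification, and nothing in the step says why it is there or that it is only acceptable against the local development certificate; add a sentence that `-k` exists solely to accept the untrusted ASP.NET Core dev certificate on localhost, and point to `dotnet dev-certs https --trust` as the way to run the command without it. Two smaller points on the same command: `-H 'Content-Type: application/json'` does nothing on a GET with no body (an `Accept: application/json` header is what the reader actually wants), and the step says "replace the following values in parentheses" while `{access_token}` and `{port}` are in braces.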
active-directory Howto Call A Web Api With Postman https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-call-a-web-api-with-postman.md
+
+ Title: Call an ASP.NET Core web API with Postman
+description: Learn how to call a protected ASP.NET Core Web API using the Microsoft identity platform and Postman
+++++ Last updated : 03/14/2023
+zone_pivot_groups: web-api-howto-prereq
+
+#Customer intent: As a software developer, I want to call a protected ASP.NET Core Web API using the Microsoft identity platform with Postman
++
+# Call an ASP.NET Core web API with Postman
++
+This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using Postman.
+++
+This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. Following on from the [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md), where you created a protected API, you'll need to register a web application with the Microsoft identity platform to generate an access token. Next, you'll use the token to make an authorized call to the API using Postman.
++
+## Prerequisites
++
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:
+ - Application administrator
+ - Application developer
+ - Cloud application administrator
+- [Download and install Postman](https://www.postman.com/downloads/).
+- A minimum requirement of [.NET Core 6.0 SDK](https://dotnet.microsoft.com/download/dotnet).
+++
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+- This Azure account must have permissions to manage applications. Any of the following Azure Active Directory (Azure AD) roles include the required permissions:
+ - Application administrator
+ - Application developer
+ - Cloud application administrator
+- Completion of the tutorial series:
+ - [Tutorial: Register web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md).
+ - [Tutorial: Create and configure an ASP.NET Core project for authentication](web-api-tutorial-02-prepare-api.md).
+ - [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md).
+- [Download and install Postman](https://www.postman.com/downloads/).
++
+## Register an application with the Microsoft identity platform
+
+The Microsoft identity platform requires your application to be registered before providing identity and access management services. The application registration allows you to specify the name and type of the application and the sign-in audience. The sign-in audience specifies what types of user accounts are allowed to sign-in to a given application.
++
+### Register the web API
+
+Follow these steps to create the web API registration:
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations > New registration**.
+1. Enter a **Name** for the application, such as *NewWebAPI1*.
+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option.
+1. Select **Register**.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type.":::
+
+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page.":::
+
+> [!NOTE]
+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).
+
+#### Expose the API
+
+Once the API is registered, you can configure its permission by defining the scopes that the API exposes to client applications. Client applications request permission to perform operations by passing an access token along with its requests to the protected web API. The web API then performs the requested operation only if the access token it receives is valid.
+
+1. Under **Manage**, select **Expose an API > Add a scope**. Accept the proposed **Application ID URI** `(api://{clientId})` by selecting **Save and continue**. The `{clientId}` is the value recorded from the **Overview** page. Then enter the following information:
+ 1. For **Scope name**, enter `Forecast.Read`.
+ 1. For **Who can consent**, ensure that the **Admins and users** option is selected.
+ 1. In the **Admin consent display name** box, enter `Read forecast data`.
+ 1. In the **Admin consent description** box, enter `Allows the application to read weather forecast data`.
+ 1. In the **User consent display name** box, enter `Read forecast data`.
+ 1. In the **User consent description** box, enter `Allows the application to read weather forecast data`.
+ 1. Ensure that the **State** is set to **Enabled**.
+1. Select **Add scope**. If the scope has been entered correctly, it's listed in the **Expose an API** pane.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/add-a-scope-inline.png" alt-text="Screenshot that shows the field values when adding the scope to an API." lightbox="./media/web-api-tutorial-01-register-app/add-a-scope-expanded.png":::
+
++++
+### Register the web app
+
+Having a web API isn't enough however, as a web app is also needed to obtain an access token to access the web API you've created.
+
+Follow these steps to create the web app registration:
++
+1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations** > **New registration**.
+1. Enter a **Name** for the application, such as `web-app-calls-web-api`.
+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.
+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.
+1. Select **Register**.
+++
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations** > **New registration**.
+1. Enter a Name for the application, such as `web-app-calls-web-api`.
+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.
+1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box.
+1. Select **Register**.
++
+When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps.
+
+#### Add a client secret
+
+A client secret is a string value your app can use to identity itself, and is sometimes referred to as an *application password*. The web app uses the client secret to prove its identity when it requests tokens.
+
+Follow these steps to configure a client secret:
+
+1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.
+1. Add a description for your client secret, for example *My client secret*.
+1. Select an expiration for the secret or specify a custom lifetime.
+
+ - A client secret's lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
+ - Microsoft recommends that you set an expiration value of less than 12 months.
+
+1. Select **Add**.
+1. Be sure to record the **Value** of the client secret. This secret value is **never displayed again** after you leave this page.
+
+#### Add permissions to access your web API
+
+By specifying a web API's scopes, the web app can obtain an access token containing the scopes provided by the Microsoft identity platform. Within the code, the web API can then provide permission-based access to its resources based on the scopes found in the access token.
+
+Follow these steps to configure client's permissions to the web API:
+
+1. From the **Overview** pane of your application in the Azure portal, under **Manage**, select **API permissions** > **Add a permission** > **My APIs**.
+1. Select **NewWebAPI1** or the API that you wish to add permissions to.
+1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user.
+1. Select **Add permissions** to complete the process.
+
+After adding these permissions to your API, you should see the selected permissions under **Configured permissions**.
+
+You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal.
++
+## Test the web API
+
+1. Clone the [ms-identity-docs-code-dotnet](https://github.com/Azure-Samples/ms-identity-docs-code-dotnet) repository.
+
+ ```bash
+ git clone https://github.com/Azure-Samples/ms-identity-docs-code-dotnet.git
+ ```
+
+1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `appsettings.json`, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with:
+
+ - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal.
+ - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal.
+
+1. Execute the following command to start the app:
+
+ ```bash
+ dotnet run
+ ```
+
+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.
+
+ ```bash
+ ...
+ info: Microsoft.Hosting.Lifetime[14]
+ Now listening on: https://localhost:{port}
+ ...
+ ```
+++
+## Test the web API
+
+1. Navigate to the web API that was created in [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md), for example *NewWebAPILocal*, and open the folder.
+
+1. Open a new terminal window and navigate to the folder where the web API project is located.
+
+ ### [.NET 6.0](#tab/dotnet6)
+
+ 1. Execute the following command to start the app:
+
+ ```bash
+ dotnet run
+ ```
+
+ ### [.NET 7.0](#tab/dotnet7)
+
+ 1. Open a new terminal and execute the following command to start the app on the `https` profile:
+
+ ```bash
+ dotnet run -launch-profile https`
+ ```
+
+
+1. An output similar to the following will appear. Record the port number in the `https://localhost:{port}` URL.
+
+ ```bash
+ ...
+ info: Microsoft.Hosting.Lifetime[14]
+ Now listening on: https://localhost:{port}
+ ...
+ ```
++
+### Configure an authorized request to the web API in Postman
+
+1. Launch the **Postman** application.
+1. In the main Postman window, find **Create a new request** and select **HTTP Request**.
+1. In the top bar, ensure that **GET** is selected from the dropdown menu.
+1. For the request URL, enter the URL of the endpoint exposed by the web API, `https://localhost:{port}/weatherforecast`.
+1. Select the **Authorization** tab to configure Postman to obtain a token from the Microsoft Identity platform that will grant access to the web API.
+1. Enter the following values in the **Authorization** tab:
+
+ | Setting | Value |
+ |--|-|
+ | Auth URL | `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize` <br/> Replace `{tenantId}` with the **Directory (tenant) ID** |
+ | Access Token URL | `https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token` <br/> Replace `{tenantId}` with the **Directory (tenant) ID** |
+ | Client ID | The **Application (client) ID** value of your web app registration |
+ | Client Secret | The client secret **Value** of your web app registration |
+ | Scope | `api://{application_client_id}/Forecast.Read` <br/> Navigate to your web app registration, under **Manage**, select **API permissions**, then select **Forecast.Read** <br/> Copy the value in the textbox, which contains the **Scope** value |
+
+#### Get an access token and send a request to the web API
+
+1. Once these values are entered select the **Get New Access Token** button. This launches a Postman browser window where you authenticate with your user credentials. Be sure to allow pop ups from the Postman application in the browser.
+1. After authenticating, a new Postman generated pop-up window will appear. Select the **Use Token** button in Postman to provide the access token in the request.
+1. Select **Send** to send the request to the protected web API endpoint.
+
+With a valid access token included in the request, the expected response is 200 OK with output similar to:
+
+```json
+[
+ {
+ "date": "YYYY-MM-DDTHH:MM:SS",
+ "temperatureC": -16,
+ "summary": "Scorching",
+ "temperatureF": 4
+ },
+ {
+ "date": "YYYY-MM-DDTHH:MM:SS",
+ "temperatureC": 1,
+ "summary": "Sweltering",
+ "temperatureF": 33
+ },
+ {
+ "date": "YYYY-MM-DDTHH:MM:SS",
+ "temperatureC": 26,
+ "summary": "Freezing",
+ "temperatureF": 78
+ },
+ {
+ "date": "YYYY-MM-DDTHH:MM:SS",
+ "temperatureC": 54,
+ "summary": "Mild",
+ "temperatureF": 129
+ },
+ {
+ "date": "YYYY-MM-DDTHH:MM:SS",
+ "temperatureC": 11,
+ "summary": "Bracing",
+ "temperatureF": 51
+ }
+]
+```
+
+## Next steps
+
+For more information about OAuth 2.0 authorization code flow and application types, see:
+
+- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)
+- [Application types for the Microsoft identity platform](v2-app-types.md#web-apps)
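Review bot: the .NET 7.0 command in the second "Test the web API" pivot, `dotnet run -launch-profile https\``, has a stray trailing backtick and a single-dash option; the CLI option is `--launch-profile` (short form `-lp`), so the command fails as written. Second, the Authorization-tab table lists only Auth URL, Access Token URL, Client ID, Client Secret and Scope; it omits Type (OAuth 2.0), Grant Type (Authorization Code) and, most importantly, Callback URL, which must match the `http://localhost` redirect URI registered for the web app or the authorization request is rejected for a redirect URI mismatch. Third, "A client secret is a string value your app can use to identity itself" should read "identify itself". Finally, `web-api-tutorial-02-prepare-api.md` is linked as "Tutorial: Create and configure an ASP.NET Core project for authentication" in the prerequisites and as "Tutorial: Create an ASP.NET Core project and configure the API" in the second pivot; use one title.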
active-directory Registration Config Change Token Lifetime How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-change-token-lifetime-how-to.md
- Title: Change token lifetime defaults for custom Azure AD apps
-description: How to update Token Lifetime policies for your application that you are developing on Azure AD
-------- Previously updated : 10/23/2020-----
-# How to change the token lifetime defaults for a custom-developed application
-
-This article shows how to use Azure AD PowerShell to set an access token lifetime policy. Azure AD Premium allows app developers and tenant admins to configure the lifetime of tokens issued for non-confidential clients. Token lifetime policies are set on a tenant-wide basis or the resources being accessed.
-
-> [!IMPORTANT]
-> After May 2020, tenants will no longer be able to configure refresh and session token lifetimes. Azure Active Directory will stop honoring existing refresh and session token configuration in policies after January 30, 2021. You can still configure access token lifetimes after the deprecation. For more information, read [Configurable token lifetimes in Azure AD](./active-directory-configurable-token-lifetimes.md).
-> We’ve implemented [authentication session management capabilities](../conditional-access/howto-conditional-access-session-lifetime.md) in Azure AD Conditional Access. You can use this new feature to configure refresh token lifetimes by setting sign in frequency.
-
-To set an access token lifetime policy, download the [Azure AD PowerShell Module](https://www.powershellgallery.com/packages/AzureADPreview).
-Run the **Connect-AzureAD -Confirm** command.
-
-HereΓÇÖs an example policy that requires users to authenticate less frequently in your web app. This policy sets the lifetime of the access to the service principal of your web app. Create the policy and assign it to your service principal. You also need to get the ObjectId of your service principal.
-
-```powershell
-$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
-
-$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
-
-Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
-```
-
-## Next steps
-
-* See [Configurable token lifetimes in Azure AD](./active-directory-configurable-token-lifetimes.md) to learn how to configure token lifetimes issued by Azure AD, including how to set token lifetimes for all apps in your organization, for a multi-tenant app, or for a specific service principal in your organization.
-* [Azure AD Token Reference](./id-tokens.md)
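Review bot: deleting this article removes the only worked example in this set of how a TokenLifetimePolicy is created and attached to a service principal (`New-AzureADPolicy ... -Type "TokenLifetimePolicy"` followed by `Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id`); before merging, confirm that the linked `active-directory-configurable-token-lifetimes.md` carries an equivalent service-principal example and that a redirect entry for this URL is added so existing inbound links do not 404. The deletion itself is justified: the IMPORTANT block still presents the May 2020 and January 30, 2021 deprecation of refresh and session token configuration as upcoming, and the steps depend on the AzureADPreview module.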
active-directory Scenario Web App Call Api Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-call-api-acquire-token.md
public ModelAndView getUserFromGraph(HttpServletRequest httpRequest, HttpServlet
# [Python](#tab/python)
-In the Python sample, the code that calls Microsoft Graph is in [app.py#L53-L62](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/48637475ed7d7733795ebeac55c5d58663714c60/app.py#L53-L62).
-
-The code attempts to get a token from the token cache. Then, after setting the authorization header, it calls the web API. If it can't get a token, it signs the user in again.
-
-```python
-@app.route("/graphcall")
-def graphcall():
- token = _get_token_from_cache(app_config.SCOPE)
- if not token:
- return redirect(url_for("login"))
- graph_data = requests.get( # Use token to call downstream service.
- app_config.ENDPOINT,
- headers={'Authorization': 'Bearer ' + token['access_token']},
- ).json()
- return render_template('display.html', result=graph_data)
-```
+In the Python sample, the code that calls the API is in [app.py#L60-71](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.5.0/app.py#L60-71).
+
+The code attempts to get a token from the token cache. If it can't get a token, it redirects the user to the sign-in route. Otherwise, it can proceed to call the API.
+ ## Next steps
+# [ASP.NET Core](#tab/aspnetcore)
+
+Move on to the next article in this scenario,
+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=aspnetcore).
+
+# [ASP.NET](#tab/aspnet)
+ Move on to the next article in this scenario,
-[Call a web API](scenario-web-app-call-api-call-api.md).
+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=aspnet).
+
+# [Java](#tab/java)
+
+Move on to the next article in this scenario,
+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=java).
+
+# [Python](#tab/python)
+
+Move on to the next article in this scenario,
+[Call a web API](scenario-web-app-call-api-call-api.md?tabs=python).
++
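Review bot: the new link `app.py#L60-71` uses a line-range anchor GitHub does not recognise; a range fragment needs both numbers prefixed, `#L60-L71`, otherwise only line 60 is highlighted. Also, the previous Python tab showed the `/graphcall` route inline (token from cache, `Authorization: Bearer` header, redirect to login when no token), and the replacement describes the same flow in prose only while the Java tab above it still carries code; consider keeping a short excerpt from the pinned sample so the Python tab is not the only one without a snippet. Minor: pinning to the `0.5.0` tag rather than a commit SHA, as the old link did, means the referenced lines can drift if the tag is moved.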
active-directory Scenario Web App Call Api App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-call-api-app-configuration.md
Instead of a client secret, you can provide a client certificate. The following
## Startup.cs
-Your web app will need to acquire a token for the downstream API. You specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApp(Configuration)`. This line exposes the `ITokenAcquisition` service that you can use in your controller and page actions. However, as you'll see in the following two options, it can be done more simply. You'll also need to choose a token cache implementation, for example `.AddInMemoryTokenCaches()`, in *Startup.cs*:
+Your web app needs to acquire a token for the downstream API. You specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApp(Configuration)`. This line exposes the `ITokenAcquisition` service that you can use in your controller and page actions. However, as you'll see in the following two options, it can be done more simply. You'll also need to choose a token cache implementation, for example `.AddInMemoryTokenCaches()`, in *Startup.cs*:
```csharp using Microsoft.Identity.Web;
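Review bot: the edit changes "will need to acquire" to "needs to acquire" but leaves "You'll also need to choose a token cache implementation" at the end of the same line; for consistency with the future-tense cleanup applied elsewhere in this commit, make it "You also need to choose".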
Your web app will need to acquire a token for the downstream API. You specify it
} ```
-The scopes passed to `EnableTokenAcquisitionToCallDownstreamApi` are optional, and enable your web app to request the scopes and the user's consent to those scopes when they log in. If you don't specify the scopes, *Microsoft.Identity.Web* will enable an incremental consent experience.
+The scopes passed to `EnableTokenAcquisitionToCallDownstreamApi` are optional, and enable your web app to request the scopes and the user's consent to those scopes when they sign in. If you don't specify the scopes, *Microsoft.Identity.Web* enables an incremental consent experience.
If you don't want to acquire the token yourself, *Microsoft.Identity.Web* provides two mechanisms for calling a web API from a web app. The option you choose depends on whether you want to call Microsoft Graph or another API.
To call a web API other than Microsoft Graph, *Microsoft.Identity.Web* provides
As with web APIs, you can choose various token cache implementations. For details, see [Microsoft.Identity.Web - Token cache serialization](https://aka.ms/ms-id-web/token-cache-serialization) on GitHub.
-The following image shows the various possibilities of *Microsoft.Identity.Web* and their impact on the *Startup.cs* file:
+The following image shows the various possibilities of *Microsoft.Identity.Web* and their effect on the *Startup.cs* file:
:::image type="content" source="media/scenarios/microsoft-identity-web-startup-cs.svg" alt-text="Block diagram showing service configuration options in startup dot C S for calling a web API and specifying a token cache implementation":::
For ASP.NET, you'll subscribe to middleware OIDC events:
- You'll let ASP.NET Core request an authorization code by means of the Open ID Connect middleware. ASP.NET or ASP.NET Core will let the user sign in and consent. - You'll subscribe the web app to receive the authorization code. This subscription is done by using a C# delegate.-- When the authorization code is received, you'll use MSAL libraries to redeem it. The resulting access tokens and refresh tokens are stored in the token cache. The cache can be used in other parts of the application, such as controllers, to acquire other tokens silently.
+- When the authorization code is received, the code uses MSAL libraries to redeem it. The resulting access tokens and refresh tokens are stored in the token cache. The cache can be used in other parts of the application, such as controllers, to acquire other tokens silently.
Code examples in this article and the following one are extracted from the [ASP.NET Web app sample](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect). You might want to refer to that sample for full implementation details.
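Review bot: the rewritten third bullet, "When the authorization code is received, the code uses MSAL libraries to redeem it", switches voice mid-list; the two preceding bullets in the unchanged context still read "You'll let ASP.NET Core request an authorization code…" and "You'll subscribe the web app to receive the authorization code…". Either keep the second person here ("you use MSAL libraries to redeem it") or rewrite all three bullets in the same voice.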
The sample currently lets MSAL for Java produce the authorization-code URL and h
# [Python](#tab/python)
-Code examples in this article and the following one are extracted from the [Python web application calling Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-webapp), a web-app sample that uses MSAL.Python.
-The sample currently lets MSAL.Python produce the authorization-code URL and handles the navigation to the authorization endpoint for the Microsoft identity platform. You might want to refer to the sample for full implementation details.
+Code snippets in this article and the following are extracted from the [Python web application calling Microsoft graph](https://github.com/Azure-Samples/ms-identity-python-webapp) sample using the [identity package](https://pypi.org/project/identity/) (a wrapper around MSAL Python).
+
+The sample uses the identity package to produce the authorization-code URL and handles the navigation to the authorization endpoint for the Microsoft identity platform. You might want to refer to the sample for full implementation details.
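Review bot: "Microsoft graph" in the new link text drops the capital G the removed line had; it should be "Microsoft Graph". In the same sentence, "Code snippets in this article and the following are extracted" is missing "one" ("and the following one"). Also, this tab links the sample repository root while the other new Python links in this commit pin to the `0.5.0` tag; link the same ref here so the prose and the sample stay in step.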
Microsoft.Identity.Web simplifies your code by setting the correct OpenID Connec
# [ASP.NET](#tab/aspnet)
-ASP.NET handles things similarly to ASP.NET Core, except that the configuration of OpenID Connect and the subscription to the `OnAuthorizationCodeReceived` event happen in the [App_Start\Startup.Auth.cs](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/a2da310539aa613b77da1f9e1c17585311ab22b7/WebApp/App_Start/Startup.Auth.cs) file. The concepts are also similar to those in ASP.NET Core, except that in ASP.NET you must specify the `RedirectUri` in [Web.config#L15](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Web.config#L15). This configuration is a bit less robust than the one in ASP.NET Core, because you'll need to change it when you deploy your application.
+ASP.NET handles things similarly to ASP.NET Core, except that the configuration of OpenID Connect and the subscription to the `OnAuthorizationCodeReceived` event happen in the [App_Start\Startup.Auth.cs](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/a2da310539aa613b77da1f9e1c17585311ab22b7/WebApp/App_Start/Startup.Auth.cs) file. The concepts are also similar to those in ASP.NET Core, except that in ASP.NET you must specify the `RedirectUri` in [Web.config#L15](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Web.config#L15). This configuration is a bit less robust than the one in ASP.NET Core, because you need to change it when you deploy your application.
Here's the code for Startup.Auth.cs:
The `getAuthResultByAuthCode` method is defined in [AuthHelper.java#L176](https:
# [Python](#tab/python)
-The authorization code flow is requested as shown in [Web app that signs in users: Code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=python#initialization-code). The code is then received on the `authorized` function, which Flask routes from the `/getAToken` URL. See [app.py#L30-L44](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/e03be352914bfbd58be0d4170eba1fb7a4951d84/app.py#L30-L44) for the full context of this code:
-
-```python
- @app.route("/getAToken") # Its absolute URL must match your app's redirect_uri set in AAD.
-def authorized():
- if request.args['state'] != session.get("state"):
- return redirect(url_for("login"))
- cache = _load_cache()
- result = _build_msal_app(cache).acquire_token_by_authorization_code(
- request.args['code'],
- scopes=app_config.SCOPE, # Misspelled scope would cause an HTTP 400 error here.
- redirect_uri=url_for("authorized", _external=True))
- if "error" in result:
- return "Login failure: %s, %s" % (
- result["error"], result.get("error_description"))
- session["user"] = result.get("id_token_claims")
- _save_cache(cache)
- return redirect(url_for("index"))
-```
+See [Web app that signs in users: Code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=python#initialization-code) to understand how the Python sample gets the authorization code.
+
+The Microsoft sign-in screen sends the authorization code to the `/getAToken` URL that was specified in the app registration. The `auth_response` route handles that URL, calling `auth.complete_login` to process the authorization code, and then either returning an error or redirecting to the home page.
++
+See [app.py](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.5.0/app.py#L36-41) for the full context of that code.
-Instead of a client secret, the confidential client application can also prove its identity by using a client certificate, or a client assertion.
+Instead of a client secret, the confidential client application can also prove its identity by using a client certificate or a client assertion.
The use of client assertions is an advanced scenario, detailed in [Client assertions](msal-net-client-assertions.md). ## Token cache
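Review bot: the removed `authorized()` snippet made two things visible that the replacement prose drops: the `state` comparison (`if request.args['state'] != session.get("state"): return redirect(url_for("login"))`), which is the CSRF protection on the redirect endpoint, and the comment that a misspelled scope surfaces as an HTTP 400 at `acquire_token_by_authorization_code`. Add a sentence stating where that state validation now happens (presumably inside `auth.complete_login`) so the security property is not silently lost, and keep the scope-typo troubleshooting hint if it still applies. Two link points: `app.py#L36-41` should be `#L36-L41` for GitHub to highlight the range, and since `auth_response` and `auth.complete_login` are now named only in prose, check both identifiers against the pinned `0.5.0` file.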
The use of client assertions is an advanced scenario, detailed in [Client assert
# [ASP.NET Core](#tab/aspnetcore)
-The ASP.NET core tutorial uses dependency injection to let you decide the token cache implementation in the Startup.cs file for your application. Microsoft.Identity.Web comes with pre-built token-cache serializers described in [Token cache serialization](msal-net-token-cache-serialization.md). An interesting possibility is to choose ASP.NET Core [distributed memory caches](/aspnet/core/performance/caching/distributed#distributed-memory-cache):
+The ASP.NET core tutorial uses dependency injection to let you decide the token cache implementation in the Startup.cs file for your application. Microsoft.Identity.Web comes with prebuilt token-cache serializers described in [Token cache serialization](msal-net-token-cache-serialization.md). An interesting possibility is to choose ASP.NET Core [distributed memory caches](/aspnet/core/performance/caching/distributed#distributed-memory-cache):
```csharp // Use a distributed token cache by adding:
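Review bot: "pre-built" to "prebuilt" is fine, but the same line still says "The ASP.NET core tutorial"; the product name is "ASP.NET Core", as in the tab label and everywhere else on the page.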
The web-app implementation can use the ASP.NET session or the server memory. For
First, to use these implementations:-- add the Microsoft.Identity.Web NuGet package. These token cache serializers are not brought in MSAL.NET directly to avoid unwanted dependencies. In addition to a higher level for ASP.NET Core, Microsoft.Identity.Web brings classes that are helpers for MSAL.NET,
+- add the Microsoft.Identity.Web NuGet package. These token cache serializers aren't brought in MSAL.NET directly to avoid unwanted dependencies. In addition to a higher level for ASP.NET Core, Microsoft.Identity.Web brings classes that are helpers for MSAL.NET,
- In your code, use the Microsoft.Identity.Web namespace: ```csharp
public static class MsalAppBuilder
} ```
-Instead of `clientapp.AddInMemoryTokenCache()`, you can also use more advanced cache serialization implementations like Redis, SQL, CosmosDB, or distributed memory. Here's an example for Redis:
+Instead of `clientapp.AddInMemoryTokenCache()`, you can also use more advanced cache serialization implementations like Redis, SQL, Cosmos DB, or distributed memory. Here's an example for Redis:
```csharp clientapp.AddDistributedTokenCache(services =>
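Review bot: the rewritten bullet "add the Microsoft.Identity.Web NuGet package. These token cache serializers aren't brought in MSAL.NET directly…" still starts in lower case while the next bullet, "In your code, use the Microsoft.Identity.Web namespace", is capitalised, and "aren't brought in MSAL.NET directly" is awkward; suggest "Add the Microsoft.Identity.Web NuGet package. These token cache serializers aren't included in MSAL.NET itself, to avoid unwanted dependencies." The "CosmosDB" to "Cosmos DB" fix further down is correct.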
The detail of the `SessionManagementHelper` class is provided in the [MSAL sampl
# [Python](#tab/python)
-In the Python sample, one cache per account is ensured by recreating a confidential client application for each request and then serializing it in the Flask session cache:
-
-```python
-from flask import Flask, render_template, session, request, redirect, url_for
-from flask_session import Session # https://pythonhosted.org/Flask-Session
-import msal
-import app_config
+In the Python sample, the identity package takes care of the token cache, using the global `session` object for storage.
+Flask has built-in support for sessions stored in a cookie, but due to the length of the identity cookies, the sample uses the [Flask-session](https://flask-session.readthedocs.io/) package instead. Everything is initialized in *app.py*:
-app = Flask(__name__)
-app.config.from_object(app_config)
-Session(app)
-# Code omitted here for simplicity
+Due to the `SESSION_TYPE="filesystem"` setting in `app_config.py`, the Flask-session package stores sessions using the local file system.
-def _load_cache():
- cache = msal.SerializableTokenCache()
- if session.get("token_cache"):
- cache.deserialize(session["token_cache"])
- return cache
-
-def _save_cache(cache):
- if cache.has_state_changed:
- session["token_cache"] = cache.serialize()
-
-def _build_msal_app(cache=None):
- return msal.ConfidentialClientApplication(
- app_config.CLIENT_ID, authority=app_config.AUTHORITY,
- client_credential=app_config.CLIENT_SECRET, token_cache=cache)
-```
+For production, you should use [a setting](https://flask-session.readthedocs.io/en/latest/#configuration) that persists across multiple instances and deploys of your app, such as "sqlachemy" or "redis".
def _build_msal_app(cache=None):
At this point, when the user signs in, a token is stored in the token cache. Let's see how it's then used in other parts of the web app.
-[Remove accounts from the cache on global sign-out](scenario-web-app-call-api-sign-in.md)
+# [ASP.NET Core](#tab/aspnetcore)
+
+Move on to the next article in this scenario,
+[Remove accounts from the cache on global sign out](scenario-web-app-call-api-sign-in.md?tabs=aspnetcore).
+
+# [ASP.NET](#tab/aspnet)
+
+Move on to the next article in this scenario,
+[Remove accounts from the cache on global sign out](scenario-web-app-call-api-sign-in.md?tabs=aspnet).
+
+# [Java](#tab/java)
+
+Move on to the next article in this scenario,
+[Remove accounts from the cache on global sign out](scenario-web-app-call-api-sign-in.md?tabs=java).
+
+# [Python](#tab/python)
+
+Move on to the next article in this scenario,
+[Remove accounts from the cache on global sign out](scenario-web-app-call-api-sign-in.md?tabs=python).
++
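Review bot: `"sqlachemy"` in the production-settings sentence of the Python tab (`such as "sqlachemy" or "redis"`) is misspelled; the Flask-Session `SESSION_TYPE` value is `sqlalchemy`. Because the same tab says the identity package now keeps the token cache in the global `session`, it is also worth one sentence saying that whichever session backend is chosen must be access-controlled and not shared with untrusted processes, since the serialized cache holds the signed-in user's access and refresh tokens (the removed `_save_cache` code shows exactly that being written to `session["token_cache"]`).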
active-directory Scenario Web App Call Api Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-call-api-call-api.md
private String getUserInfoFromGraph(String accessToken) throws Exception {
# [Python](#tab/python)
-```python
-@app.route("/graphcall")
-def graphcall():
- token = _get_token_from_cache(app_config.SCOPE)
- if not token:
- return redirect(url_for("login"))
- graph_data = requests.get( # Use token to call downstream service.
- app_config.ENDPOINT,
- headers={'Authorization': 'Bearer ' + token['access_token']},
- ).json()
- return render_template('display.html', result=graph_data)
-```
+After successfully retrieving a token, the code uses the requests package to query the API endpoint and retrieve a JSON result.
++
active-directory Scenario Web App Sign User App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md
You might want to refer to this sample for full implementation details.
# [Python](#tab/python)
-Code snippets in this article and the following are extracted from the [Python web application calling Microsoft graph](https://github.com/Azure-Samples/ms-identity-python-webapp) sample in MSAL Python.
+Code snippets in this article and the following are extracted from the [Python web application calling Microsoft graph](https://github.com/Azure-Samples/ms-identity-python-webapp) sample using the [identity package](https://pypi.org/project/identity/) (a wrapper around MSAL Python).
You might want to refer to this sample for full implementation details.
You might want to refer to this sample for full implementation details.
## Configuration files
-Web applications that sign in users by using the Microsoft identity platform are configured through configuration files. These are the values you're required to specify in the configuration:
+Web applications that sign in users by using the Microsoft identity platform are configured through configuration files. Those files must specify the following values:
-- The cloud instance (`Instance`) if you want your app to run in national clouds, for example. The different options include;
+- The cloud **instance** if you want your app to run in national clouds, for example. The different options include;
- `https://login.microsoftonline.com/` for Azure public cloud - `https://login.microsoftonline.us/` for Azure US government - `https://login.microsoftonline.de/` for Azure AD Germany - `https://login.partner.microsoftonline.cn/common` for Azure AD China operated by 21Vianet-- The audience in the tenant ID (`TenantId`). The options vary depending on whether your app is single tenant or multitenant.
- - `TenantId` for a GUID obtained from the Azure portal to sign in users in your organization. You can also use a domain name.
+- The audience in the **tenant ID**. The options vary depending on whether your app is single tenant or multitenant.
+ - The tenant GUID obtained from the Azure portal to sign in users in your organization. You can also use a domain name.
- `organizations` to sign in users in any work or school account - `common` to sign in users with any work or school account or Microsoft personal account - `consumers` to sign in users with a Microsoft personal account only-- The client ID (`ClientId`) for your application, as copied from the Azure portal
+- The **client ID** for your application, as copied from the Azure portal
-You might also see references to the `Authority`. The `Authority` value is the concatenation of the `Instance` and `TenantId` values.
+You might also see references to the **authority**, a concatenation of the **instance** and **tenant ID** values.
# [ASP.NET Core](#tab/aspnetcore)
For simplicity in this article, the client secret is stored in the configuration
# [Python](#tab/python)
-Here's the Python configuration file in [app_config.py](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.1.0/app_config.py):
+The configuration parameters are set in *.env* as environment variables:
-```Python
-CLIENT_SECRET = "Enter_the_Client_Secret_Here"
-AUTHORITY = "https://login.microsoftonline.com/common"
-CLIENT_ID = "Enter_the_Application_Id_here"
-ENDPOINT = 'https://graph.microsoft.com/v1.0/users'
-SCOPE = ["User.ReadBasic.All"]
-SESSION_TYPE = "filesystem" # So the token cache will be stored in a server-side session
+```bash
+CLIENT_ID=<client id>
+CLIENT_SECRET=<client secret>
+TENANT_ID=<tenant id>
```
-For simplicity in this article, the client secret is stored in the configuration file. In the production app, consider using a key vault or an environment variable as described in [Flask's documentation](https://flask.palletsprojects.com/en/1.1.x/config/#configuring-from-environment-variables) to store your secret.
+Those environment variables are referenced in *app_config.py*:
++
+The *.env* file should never be checked into source control, since it contains secrets. The quickstart sample includes a *.gitignore* file that prevents the *.env* file from being checked in.
+
-```python
-CLIENT_SECRET = os.getenv("CLIENT_SECRET")
-if not CLIENT_SECRET:
- raise ValueError("Need to define CLIENT_SECRET environment variable")
-```
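Review bot: the removed block `CLIENT_SECRET = os.getenv("CLIENT_SECRET")` / `if not CLIENT_SECRET:` / `raise ValueError("Need to define CLIENT_SECRET environment variable")` was the only fail-fast check that the secret is actually present, and the replacement text ("Those environment variables are referenced in *app_config.py*") no longer shows or mentions it. Keep a sentence stating that *app_config.py* refuses to start when `CLIENT_ID`, `CLIENT_SECRET` or `TENANT_ID` is unset, so a missing or mis-loaded *.env* fails loudly instead of the app running with `None`. Also, the new *.env* template carries no instance or authority entry while the list earlier in this article says the configuration must specify the cloud instance; if the sample derives the authority from `TENANT_ID` and the public-cloud instance, say so here.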
The initialization code differences are platform dependant. For ASP.NET Core and
In ASP.NET Core web apps (and web APIs), the application is protected because you have a `Authorize` attribute on the controllers or the controller actions. This attribute checks that the user is authenticated. Prior to the release of .NET 6, the code initialization was in the *Startup.cs* file. New ASP.NET Core projects with .NET 6 no longer contain a *Startup.cs* file. Taking its place is the *Program.cs* file. The rest of this tutorial pertains to .NET 5 or lower. > [!NOTE]
-> If you want to start directly with the new ASP.NET Core templates for Microsoft identity platform, that leverage Microsoft.Identity.Web, you can download a preview NuGet package containing project templates for .NET 5.0. Then, once installed, you can directly instantiate ASP.NET Core web applications (MVC or Blazor). See [Microsoft.Identity.Web web app project templates](https://aka.ms/ms-id-web/webapp-project-templates) for details. This is the simplest approach as it will do all the steps below for you.
+> If you want to start directly with the new ASP.NET Core templates for Microsoft identity platform, that leverage Microsoft.Identity.Web, you can download a preview NuGet package containing project templates for .NET 5.0. Then, once installed, you can directly instantiate ASP.NET Core web applications (MVC or Blazor). See [Microsoft.Identity.Web web app project templates](https://aka.ms/ms-id-web/webapp-project-templates) for details. This is the simplest approach as it will do all the following steps for you.
> > If you prefer to start your project with the current default ASP.NET Core web project within Visual Studio or by using `dotnet new mvc --auth SingleOrg` or `dotnet new webapp --auth SingleOrg`, you'll see code like the following: >
In ASP.NET Core web apps (and web APIs), the application is protected because yo
> > This code uses the legacy **Microsoft.AspNetCore.Authentication.AzureAD.UI** NuGet package which is used to create an Azure AD v1.0 application. This article explains how to create a Microsoft identity platform (Azure AD v2.0) application which replaces that code.
-1. Add the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) and [Microsoft.Identity.Web.UI](https://www.nuget.org/packages/Microsoft.Identity.Web.UI) NuGet packages to your project. Remove the `Microsoft.AspNetCore.Authentication.AzureAD.UI` NuGet package if it is present.
+1. Add the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) and [Microsoft.Identity.Web.UI](https://www.nuget.org/packages/Microsoft.Identity.Web.UI) NuGet packages to your project. Remove the `Microsoft.AspNetCore.Authentication.AzureAD.UI` NuGet package if it's present.
2. Update the code in `ConfigureServices` so that it uses the `AddMicrosoftIdentityWebAppAuthentication` and `AddMicrosoftIdentityUI` methods.
In ASP.NET Core web apps (and web APIs), the application is protected because yo
} ```
-In the code above:
+In that code:
- The `AddMicrosoftIdentityWebAppAuthentication` extension method is defined in **Microsoft.Identity.Web**, which; - Adds the authentication service. - Configures options to read the configuration file (here from the "AzureAD" section)
For details about the authorization code flow that this method triggers, see the
# [Node.js](#tab/nodejs)
-Node sample the Express framework. MSAL is initialized in *auth* route handler:
+The Node sample uses the Express framework. MSAL is initialized in *auth* route handler:
:::code language="js" source="~/ms-identity-node/App/routes/auth.js" range="6-16"::: # [Python](#tab/python)
-The Python sample uses Flask. The initialization of Flask and MSAL Python is done in [app.py#L1-L28](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/e03be352914bfbd58be0d4170eba1fb7a4951d84/app.py#L1-L28).
+The Python sample is built with the Flask framework, though other frameworks like Django could be used as well. The Flask app is initialized with the app configuration at the top of *app.py*:
-```Python
-import uuid
-import requests
-from flask import Flask, render_template, session, request, redirect, url_for
-from flask_session import Session # https://pythonhosted.org/Flask-Session
-import msal
-import app_config
-app = Flask(__name__)
-app.config.from_object(app_config)
-Session(app)
-```
+Then the code constructs an [`auth` object](https://identity-library.readthedocs.io/en/latest/#identity.web.Auth) using the [identity package](https://pypi.org/project/identity/).
+
active-directory Scenario Web App Sign User App Registration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md
You can use these links to bootstrap the creation of your web application:
1. When the **Register an application page** appears, enter your application's registration information: 1. Enter a **Name** for your application, for example `java-webapp`. Users of your app might see this name, and you can change it later.
- 1. Select **Accounts in any organizational directory and personal Microsoft Accounts (e.g. Skype, Xbox, Outlook.com)**.
+ 1. Select **Accounts in any organizational directory and personal Microsoft Accounts**.
1. Select **Register** to register the application. 1. Under **Manage**, select **Authentication** > **Add a platform**. 1. Select **Web**.
By default, the sample uses:
1. Change **Supported account types** to **Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)**. 1. In the **Redirect URI (optional)** section, select **Web** in the combo box and enter the following redirect URI: `http://localhost:5000/getAToken`. 1. Select **Register** to create the application.
-1. On the app's **Overview** page, find the **Application (client) ID** value and record it for later. You'll need it to configure the Visual Studio configuration file for this project.
+1. On the app's **Overview** page, find the **Application (client) ID** value and record it for later. You'll need it to configure the *.env* file for this project.
1. Under **Manage**, select **Certificates & secrets**. 1. In the **Client Secrets** section, select **New client secret**, and then:
- 1. Enter a key description.
- 1. Select a key duration of **In 1 year**.
+ 1. Enter a key description. Leave the default expiration.
1. Select **Add**.
- 1. When the key value appears, copy it. You'll need it later.
+ 1. Save the **Value** of the **Client Secret** in a safe location. You'll need it to configure the code, and you can't retrieve it later.
## Register an app by using PowerShell
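Review bot: the Java registration step drops `(e.g. Skype, Xbox, Outlook.com)` from the account-type label (`+ 1. Select **Accounts in any organizational directory and personal Microsoft Accounts**.`), but the Python step a few lines below still reads `**Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)**`; make the two consistent. The new step `Save the **Value** of the **Client Secret** in a safe location` is the right guidance; since the Python step now points at the *.env* file, add that the value belongs in that file only and never in a committed source file.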
Here's an idea of the code. For a fully functioning code, see [this sample](http
```PowerShell # Connect to the Microsoft Graph API, non-interactive is not supported for the moment (Oct 2021)
- Write-Host "Connecting to Microsoft Graph"
- if ($tenantId -eq "") {
- Connect-MgGraph -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All" -Environment $azureEnvironmentName
- }
- else {
- Connect-MgGraph -TenantId $tenantId -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All" -Environment $azureEnvironmentName
- }
-
- $context = Get-MgContext
- $tenantId = $context.TenantId
-
- # Get the user running the script
- $currentUserPrincipalName = $context.Account
- $user = Get-MgUser -Filter "UserPrincipalName eq '$($context.Account)'"
-
- # get the tenant we signed in to
- $Tenant = Get-MgOrganization
- $tenantName = $Tenant.DisplayName
-
- $verifiedDomain = $Tenant.VerifiedDomains | where {$_.Isdefault -eq $true}
- $verifiedDomainName = $verifiedDomain.Name
- $tenantId = $Tenant.Id
-
- Write-Host ("Connected to Tenant {0} ({1}) as account '{2}'. Domain is '{3}'" -f $Tenant.DisplayName, $Tenant.Id, $currentUserPrincipalName, $verifiedDomainName)
-
- # Create the webApp AAD application
- Write-Host "Creating the AAD application (WebApp)"
- # create the application
- $webAppAadApplication = New-MgApplication -DisplayName "WebApp" `
- -Web `
- @{ `
- RedirectUris = "https://localhost:44321/", "https://localhost:44321/signin-oidc"; `
- HomePageUrl = "https://localhost:44321/"; `
- LogoutUrl = "https://localhost:44321/signout-oidc"; `
- } `
- -SignInAudience AzureADandPersonalMicrosoftAccount `
- #end of command
-
- $currentAppId = $webAppAadApplication.AppId
- $currentAppObjectId = $webAppAadApplication.Id
-
- $tenantName = (Get-MgApplication -ApplicationId $currentAppObjectId).PublisherDomain
- #Update-MgApplication -ApplicationId $currentAppObjectId -IdentifierUris @("https://$tenantName/WebApp")
-
- # create the service principal of the newly created application
- $webAppServicePrincipal = New-MgServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
-
- # add the user running the script as an app owner if needed
- $owner = Get-MgApplicationOwner -ApplicationId $currentAppObjectId
- if ($owner -eq $null)
- {
- New-MgApplicationOwnerByRef -ApplicationId $currentAppObjectId -BodyParameter = @{"@odata.id" = "htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
- Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($webAppServicePrincipal.DisplayName)'"
- }
- Write-Host "Done creating the webApp application (WebApp)"
+Write-Host "Connecting to Microsoft Graph"
+if ($tenantId -eq "") {
+ Connect-MgGraph -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All" -Environment $azureEnvironmentName
+}
+else {
+ Connect-MgGraph -TenantId $tenantId -Scopes "User.Read.All Organization.Read.All Application.ReadWrite.All" -Environment $azureEnvironmentName
+}
+
+$context = Get-MgContext
+$tenantId = $context.TenantId
+
+# Get the user running the script
+$currentUserPrincipalName = $context.Account
+$user = Get-MgUser -Filter "UserPrincipalName eq '$($context.Account)'"
+
+# get the tenant we signed in to
+$Tenant = Get-MgOrganization
+$tenantName = $Tenant.DisplayName
+
+$verifiedDomain = $Tenant.VerifiedDomains | where {$_.Isdefault -eq $true}
+$verifiedDomainName = $verifiedDomain.Name
+$tenantId = $Tenant.Id
+
+Write-Host ("Connected to Tenant {0} ({1}) as account '{2}'. Domain is '{3}'" -f $Tenant.DisplayName, $Tenant.Id, $currentUserPrincipalName, $verifiedDomainName)
+
+# Create the webApp AAD application
+Write-Host "Creating the AAD application (WebApp)"
+# create the application
+$webAppAadApplication = New-MgApplication -DisplayName "WebApp" `
+ -Web `
+ @{ `
+ RedirectUris = "https://localhost:44321/", "https://localhost:44321/signin-oidc"; `
+ HomePageUrl = "https://localhost:44321/"; `
+ LogoutUrl = "https://localhost:44321/signout-oidc"; `
+ } `
+ -SignInAudience AzureADandPersonalMicrosoftAccount `
+ #end of command
+
+$currentAppId = $webAppAadApplication.AppId
+$currentAppObjectId = $webAppAadApplication.Id
+
+$tenantName = (Get-MgApplication -ApplicationId $currentAppObjectId).PublisherDomain
+#Update-MgApplication -ApplicationId $currentAppObjectId -IdentifierUris @("https://$tenantName/WebApp")
+
+# create the service principal of the newly created application
+$webAppServicePrincipal = New-MgServicePrincipal -AppId $currentAppId -Tags {WindowsAzureActiveDirectoryIntegratedApp}
+
+# add the user running the script as an app owner if needed
+$owner = Get-MgApplicationOwner -ApplicationId $currentAppObjectId
+if ($owner -eq $null)
+{
+ New-MgApplicationOwnerByRef -ApplicationId $currentAppObjectId -BodyParameter = @{"@odata.id" = "htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
+ Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($webAppServicePrincipal.DisplayName)'"
+}
+Write-Host "Done creating the webApp application (WebApp)"
``` ## Next steps
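Review bot: this hunk only re-indents the PowerShell, so three defects in the owner-assignment block survive it. `"htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"` has a typo in the scheme (`htps`), and inside a double-quoted string `$user.ObjectId` expands only `$user` and appends the literal text `.ObjectId`; the Graph PowerShell user object exposes `Id`, so this should be `"https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"`. In the same line, `-BodyParameter = @{...}` is not valid parameter syntax; drop the `=` (`-BodyParameter @{"@odata.id" = ...}`). Minor: `-Tags {WindowsAzureActiveDirectoryIntegratedApp}` passes a script block where a string array (`@("WindowsAzureActiveDirectoryIntegratedApp")`) is meant, and `$tenantName` is assigned the display name and later overwritten with `PublisherDomain`, which is confusing for a reader copying the script.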
+# [ASP.NET Core](#tab/aspnetcore)
+
+Move on to the next article in this scenario,
+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=aspnetcore).
+
+# [ASP.NET](#tab/aspnet)
+ Move on to the next article in this scenario,
-[App's code configuration](scenario-web-app-sign-user-app-configuration.md).
+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=aspnet).
+
+# [Java](#tab/java)
+
+Move on to the next article in this scenario,
+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=java).
+
+# [Node.js](#tab/nodejs)
+
+Move on to the next article in this scenario,
+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=nodejs).
+
+# [Python](#tab/python)
+
+Move on to the next article in this scenario,
+[App's code configuration](scenario-web-app-sign-user-app-configuration.md?tabs=python).
++
active-directory Scenario Web App Sign User Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md
This template is served via the main (index) route of the app:
# [Python](#tab/python)
-In the Python quickstart, there's no sign-in button. The code-behind automatically prompts the user for sign-in when it's reaching the root of the web app. See [app.py#L14-L18](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.1.0/app.py#L14-L18).
-
-```Python
-@app.route("/")
-def index():
- if not session.get("user"):
- return redirect(url_for("login"))
- return render_template('https://docsupdatetracker.net/index.html', user=session["user"])
-```
+In the Python quickstart, the code for the sign-in link is located in *login.html* template file.
++
+When an unauthenticated user visits the home page, the `index` route in *app.py* redirects the user to the `login` route.
++
+The `login` route figures out the appropriate `auth_uri` and renders the *login.html* template.
+
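Review bot: `the code for the sign-in link is located in *login.html* template file` is missing an article (`in the *login.html* template file`). The three new sentences replace the `@app.route("/")` snippet with prose that refers to the `index` and `login` routes without showing them; if `:::code` includes are meant to follow each sentence, confirm they render, otherwise a reader no longer sees where the redirect happens.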
When the user selects the **Sign in** link, which triggers the `/auth/signin` ro
# [Python](#tab/python)
-Unlike other platforms, MSAL Python takes care of letting the user sign in from the login page. See [app.py#L20-L28](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/e03be352914bfbd58be0d4170eba1fb7a4951d84/app.py#L20-L28).
-
-```Python
-@app.route("/login")
-def login():
- session["state"] = str(uuid.uuid4())
- auth_url = _build_msal_app().get_authorization_request_url(
- app_config.SCOPE, # Technically we can use an empty list [] to just sign in
- # Here we choose to also collect user consent up front
- state=session["state"],
- redirect_uri=url_for("authorized", _external=True))
- return "<a href='%s'>Login with Microsoft Identity</a>" % auth_url
-```
+When the user selects the **Sign in** link, they're brought to the Microsoft Identity Platform authorization endpoint.
-The `_build_msal_app()` method is defined in [app.py#L81-L88](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/e03be352914bfbd58be0d4170eba1fb7a4951d84/app.py#L81-L88) as follows:
-
-```Python
-def _load_cache():
- cache = msal.SerializableTokenCache()
- if session.get("token_cache"):
- cache.deserialize(session["token_cache"])
- return cache
-
-def _save_cache(cache):
- if cache.has_state_changed:
- session["token_cache"] = cache.serialize()
-
-def _build_msal_app(cache=None):
- return msal.ConfidentialClientApplication(
- app_config.CLIENT_ID, authority=app_config.AUTHORITY,
- client_credential=app_config.CLIENT_SECRET, token_cache=cache)
-
-def _get_token_from_cache(scope=None):
- cache = _load_cache() # This web app maintains one cache per session
- cca = _build_msal_app(cache)
- accounts = cca.get_accounts()
- if accounts: # So all accounts belong to the current signed-in user
- result = cca.acquire_token_silent(scope, account=accounts[0])
- _save_cache(cache)
- return result
+A successful sign-in redirects the user to the `auth_response` route, which completes the sign-in process using [`auth.complete_login`](https://identity-library.readthedocs.io/en/latest/#identity.web.Auth.complete_log_in), renders errors if any, and redirects the now authenticated user to the home page.
-```
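Review bot: in the last added sentence, the inline name `auth.complete_login` does not match its own link anchor `identity.web.Auth.complete_log_in`; the identity package method is `complete_log_in`, so the inline code should be renamed to match. Also `Microsoft Identity Platform` in `they're brought to the Microsoft Identity Platform authorization endpoint` should be `Microsoft identity platform`, the casing used elsewhere in the article.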
In our Java quickstart, the sign-out button is located in the main/resources/tem
# [Python](#tab/python)
-In the Python quickstart, the sign-out button is located in the [templates/https://docsupdatetracker.net/index.html#L10](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/e03be352914bfbd58be0d4170eba1fb7a4951d84/templates/https://docsupdatetracker.net/index.html#L10) file.
+In the Python quickstart, the sign-out button is located in the *templates/https://docsupdatetracker.net/index.html* file.
+
-```html
-<!DOCTYPE html>
-<html lang="en">
-<head>
- <meta charset="UTF-8">
-</head>
-<body>
- <h1>Microsoft Identity Python web app</h1>
- Welcome {{ user.get("name") }}!
- <li><a href='/graphcall'>Call Microsoft Graph API</a></li>
- <li><a href="/logout">Logout</a></li>
-</body>
-</html>
-```
When the user selects the **Sign out** button, the app triggers the `/signout` r
# [Python](#tab/python)
-The code that signs out the user is in [app.py#L46-L52](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/48637475ed7d7733795ebeac55c5d58663714c60/app.py#L47-L48).
+When the user selects **Logout**, the app triggers the `logout` route, which redirects the browser to the Microsoft identity platform sign-out endpoint.
+
-```Python
-@app.route("/logout")
-def logout():
- session.clear() # Wipe out the user and the token cache from the session
- return redirect( # Also need to log out from the Microsoft Identity platform
- "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
- "?post_logout_redirect_uri=" + url_for("index", _external=True))
-```
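Review bot: the new sentence describes the `logout` route only as a redirect to the sign-out endpoint, while the removed code made a point of `session.clear()  # Wipe out the user and the token cache from the session` before redirecting. State that the route also clears the server-side session, token cache included, so cached tokens do not outlive the sign-out; if the identity package's logout helper does this on the app's behalf, say so explicitly rather than leaving it implied.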
In the Node quickstart, the post-logout redirect URI is used to redirect the bro
# [Python](#tab/python)
-In the Python quickstart, the post-logout redirect URI just displays the https://docsupdatetracker.net/index.html page.
+In the Python quickstart, the post-logout redirect URI just displays the *https://docsupdatetracker.net/index.html* page.
active-directory Single Page App Tutorial 01 Register App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-page-app-tutorial-01-register-app.md
+
+ Title: "Tutorial: Register a Single-page application with the Microsoft identity platform"
+description: Register an application in an Azure Active Directory tenant.
+++++ Last updated : 02/27/2023
+#Customer intent: As a React developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue access tokens to client applications that request them.
++
+# Tutorial: Register a Single-page application with the Microsoft identity platform
+
+To interact with the Microsoft identity platform, Azure Active Directory (Azure AD) must be made aware of the application you create. This tutorial shows you how to register a single-page application (SPA) in a tenant on the Azure portal.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Register the application in a tenant
+> * Add a Redirect URI to the application
+> * Record the application's unique identifiers
+
+## Prerequisites
+
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+* This Azure account must have permissions to manage applications. Any of the following Azure AD roles include the required permissions:
+ * Application administrator
+ * Application developer
+ * Cloud application administrator
+
+## Register the application and record identifiers
+
+To complete registration, provide the application a name, specify the supported account types, and add a redirect URI. Once registered, the application **Overview** pane displays the identifiers needed in the application source code.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations > New registration**.
+1. Enter a **Name** for the application, such as *NewSPA1*.
+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.
+1. Under **Redirect URI (optional)**, use the drop-down menu to select **Single-page-application (SPA)** and enter `http://localhost:3000` into the text box.
+1. Select **Register**.
+
+ :::image type="content" source="./media/single-page-app-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type in the Azure portal.":::
+
+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.
+
+ :::image type="content" source="./media/single-page-app-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page on the Azure portal.":::
+
+ >[!NOTE]
+ > The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Prepare an application for authentication](single-page-app-tutorial-02-prepare-spa.md)
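Review bot: in the redirect URI step, `**Single-page-application (SPA)**` has a stray hyphen; the portal drop-down reads **Single-page application (SPA)**. The title says `Register a Single-page application` while the body says `single-page application (SPA)`; pick one casing. Consider also noting under the redirect URI step that `http://localhost:3000` is acceptable only for local development and that production redirect URIs must be `https`, since the tutorial otherwise leaves the reader with a plain-HTTP value.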
active-directory Single Page App Tutorial 02 Prepare Spa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-page-app-tutorial-02-prepare-spa.md
+
+ Title: "Tutorial: Prepare an application for authentication"
+description: Register a tenant application and configure it for a React SPA.
+++++ Last updated : 02/27/2023
+#Customer intent: As a React developer, I want to know how to create a new React project in an IDE and add authentication.
++
+# Tutorial: Prepare a Single-page application for authentication
+
+After registration is complete, a React project can be created using an integrated development environment (IDE). This tutorial demonstrates how to create a single-page React application using `npm` and create files needed for authentication and authorization.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Create a new React project
+> * Configure the settings for the application
+> * Install identity and bootstrap packages
+> * Add authentication code to the application
+
+## Prerequisites
+
+* Completion of the prerequisites and steps in [Tutorial: Register an application](single-page-app-tutorial-01-register-app.md).
+* Although any IDE that supports React applications can be used, the following Visual Studio IDEs are used for this tutorial. They can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page. For macOS users, it's recommended to use Visual Studio Code.
+ - Visual Studio 2022
+ - Visual Studio Code
+* [Node.js](https://nodejs.org/en/download/).
+
+## Create a new React project
+
+Use the following tabs to create a React project within the IDE.
+
+### [Visual Studio](#tab/visual-studio)
+
+1. Open Visual Studio, and then select **Create a new project**.
+1. Search for and choose the **Standalone JavaScript React Project** template, and then select **Next**.
+1. Enter a name for the project, such as *reactspalocal*.
+1. Choose a location for the project or accept the default option, and then select **Next**.
+1. In **Additional information**, select **Create**.
+1. From the toolbar, select **Start Without Debugging** to launch the application. A web browser will open with the address `http://localhost:3000/` by default. The browser remains open and re-renders for every saved change.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project.
+1. Open a new terminal by selecting **Terminal** > **New Terminal**.
+1. Run the following commands to create a new React project with the name *reactspalocal*, change to the new directory and start the React project. A web browser will open with the address `http://localhost:3000/` by default. The browser remains open and re-renders for every saved change.
+
+ ```powershell
+ npx create-react-app reactspalocal
+ cd reactspalocal
+ npm start
+ ```
++
+## Install identity and bootstrap packages
+
+Identity related **npm** packages must be installed in the project to enable user authentication. For project styling, **Bootstrap** will be used.
+
+### [Visual Studio](#tab/visual-studio)
+
+1. In the **Solution Explorer**, right-click the **npm** option and select **Install new npm packages**.
+1. Search for **@azure/msal-browser**, then select **Install Package**. Repeat for **@azure/msal-react** and **@azure/msal-common**.
+1. Search for and install **react-bootstrap**.
+1. Select **Close**.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. In the **Terminal** bar, select the **+** icon to create a new terminal. A separate terminal window will open with the previous node terminal continuing to run in the background.
+1. Ensure that the correct directory is selected (*reactspalocal*) then enter the following into the terminal to install the relevant `msal` and `bootstrap` packages.
+
+ ```powershell
+ npm install @azure/msal-browser @azure/msal-react
+ npm install react-bootstrap bootstrap
+ ```
++
+To learn more about these packages refer to the documentation in [msal-browser](/javascript/api/@azure/msal-browser), [msal-common](/javascript/api/@azure/msal-common), [msal-react](/javascript/api/@azure/msal-react).
+
+## Creating the authentication configuration file
+
+### [Visual Studio](#tab/visual-studio)
+
+1. In the **Solution Explorer**, right-click the *src* folder and select **Add** > **New Item**.
+1. Name the file *authConfig.js*, and select **Add**.
+1. Open *authConfig.js* and replace the code with the following code snippet.
+
+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/authConfig.js" :::
+
+1. Replace the following values with the values from the Azure portal.
+ - `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.
+ - `authority` - This is composed of two parts:
+ - The *Instance* is endpoint of the cloud provider. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints).
+ - The *Tenant ID* is the identifier of the tenant where the application is registered. Replace the `_Enter_the_Tenant_Info_Here` with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. In the *src* folder, create a new file called *authConfig.js*.
+1. Open *authConfig.js* and add the following code snippet:
+
+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/authConfig.js" :::
+
+1. Replace the following values with the values from the Azure portal.
+ - `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.
+ - `authority` - This is composed of two parts:
+ - The *Instance* is endpoint of the cloud provider. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints).
+ - The *Tenant ID* is the identifier of the tenant where the application is registered. Replace the `_Enter_the_Tenant_Info_Here` with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.
+++
+## Modify *index.js* to include the authentication provider
+
+All parts of the app that require authentication must be wrapped in the [`MsalProvider`](/javascript/api/@azure/msal-react/#@azure-msal-react-msalprovider) component. You instantiate a [PublicClientApplication](/javascript/api/@azure/msal-browser/publicclientapplication) then pass it to `MsalProvider`.
+
+1. In the *src* folder, open the *index.js* file and replace the contents of the file with the following code snippet to use the `msal` packages and bootstrap styling:
+
+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/index.js" :::
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Create components for sign in and sign out in a React single-page app](single-page-app-tutorial-03-sign-in-users.md)
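Review bot: the two IDE tabs install different package sets: the Visual Studio step tells the reader to install `@azure/msal-browser`, `@azure/msal-react` and `@azure/msal-common`, while the Visual Studio Code command is `npm install @azure/msal-browser @azure/msal-react` with no `@azure/msal-common`. Since `@azure/msal-common` is pulled in as a dependency of the other two, the simplest fix is to drop it from the Visual Studio step so both tabs match (the "To learn more" sentence can keep linking to its docs). Smaller points in the same region: "The *Instance* is endpoint of the cloud provider" is missing "the" in both tabs, and the tenant placeholder is written `_Enter_the_Tenant_Info_Here` with a leading underscore that the client-ID placeholder `Enter_the_Application_Id_Here` does not have, so a reader searching the snippet for that exact token will not find it; the two "Replace the following values" bullet lists are identical across the tabs and could sit once below the tab block.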
active-directory Single Page App Tutorial 03 Sign In Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-page-app-tutorial-03-sign-in-users.md
+
+ Title: "Tutorial: Create components for sign in and sign out in a React single-page app"
+description: Add sign in and sign out components to your React single-page app
++++ Last updated : 02/28/2023
+#Customer intent: As a React developer, I want to know how to use functional components to add sign in and sign out experiences in my React application.
++
+# Tutorial: Create components for sign in and sign out in a React single page app
+
+Functional components are the building blocks of React apps. This tutorial demonstrates how functional components can be used to build the sign in and sign out experience in a React single-page app (SPA). The `useMsal` hook is used to retrieve an access token to allow user sign in.
+
+In this tutorial:
+
+> [!div class="checklist"]
+>
+> - Add components to the application
+> - Create a way of displaying the user's profile information
+> - Create a layout that displays the sign in and sign out experience
+> - Add the sign in and sign out experiences
+
+## Prerequisites
+
+* Completion of the prerequisites and steps in [Tutorial: Prepare an application for authentication](single-page-app-tutorial-02-prepare-spa.md).
+
+## Adding components to the application
+
+The project needs extra files to be created for the page layout, displaying profile data, sign in and sign out options.
+
+### [Visual Studio](#tab/visual-studio)
+
+1. In the Solution Explorer, open the *src* folder.
+1. Select **Add** > **New Folder** and name it *components*.
+1. Open the *components* folder, and select **Add** > **New Item**.
+1. Search for and select **JSX file**, and create the following four files:
+ - *PageLayout.jsx*
+ - *ProfileData.jsx*
+ - *SignInButton.jsx*
+ - *SignOutButton.jsx*
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. Navigate to the *src* folder in the left panel.
+1. Right click on *src*, select **New Folder** and call it *components*.
+1. Right click on *components* and using the **New File** option, create the following four files;
+ - *PageLayout.jsx*
+ - *ProfileData.jsx*
+ - *SignInButton.jsx*
+ - *SignOutButton.jsx*
+++
+Once complete, you should have the following folder structure.
+
+```txt
+reactspalocal/
+Γö£ΓöÇΓöÇ src/
+Γöé Γö£ΓöÇΓöÇ components/
+Γöé Γöé Γö£ΓöÇΓöÇ PageLayout.jsx
+Γöé Γöé Γö£ΓöÇΓöÇ ProfileData.jsx
+Γöé Γöé Γö£ΓöÇΓöÇ SignInButton.jsx
+Γöé Γöé ΓööΓöÇΓöÇ SignOutButton.jsx
+Γöé ΓööΓöÇΓöÇ ...
+ΓööΓöÇΓöÇ ...
+```
+
+### Adding the page layout
+
+1. Open *PageLayout.jsx* and add the following code to render the page layout. The [useIsAuthenticated](/javascript/api/@azure/msal-react) hook returns whether or not a user is currently signed-in.
+
+ ```javascript
+ /*
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License.
+ */
+
+ import React from "react";
+ import Navbar from "react-bootstrap/Navbar";
+
+ import { useIsAuthenticated } from "@azure/msal-react";
+ import { SignInButton } from "./SignInButton";
+ import { SignOutButton } from "./SignOutButton";
+
+ /**
+ * Renders the navbar component with a sign in or sign out button depending on whether or not a user is authenticated
+ * @param props
+ */
+ export const PageLayout = (props) => {
+ const isAuthenticated = useIsAuthenticated();
+
+ return (
+ <>
+ <Navbar bg="primary" variant="dark" className="navbarStyle">
+ <a className="navbar-brand" href="/">
+ Microsoft Identity Platform
+ </a>
+ <div className="collapse navbar-collapse justify-content-end">
+ {isAuthenticated ? <SignOutButton /> : <SignInButton />}
+ </div>
+ </Navbar>
+ <br />
+ <br />
+ <h5>
+ <center>
+ Welcome to the Microsoft Authentication Library For Javascript -
+ React SPA Tutorial
+ </center>
+ </h5>
+ <br />
+ <br />
+ {props.children}
+ </>
+ );
+ };
+ ```
+
+1. Save the file.
+
+### Display profile information
+
+1. Open the *ProfileData.jsx* and add the following code, which creates a component that displays the user's profile information:
+
+ ```javascript
+ import React from "react";
+ /**
+ * Renders information about the user obtained from MS Graph
+ * @param props
+ */
+ export const ProfileData = (props) => {
+ return (
+ <div id="profile-div">
+ <p>
+ <strong>First Name: </strong> {props.graphData.givenName}
+ </p>
+ <p>
+ <strong>Last Name: </strong> {props.graphData.surname}
+ </p>
+ <p>
+ <strong>Email: </strong> {props.graphData.userPrincipalName}
+ </p>
+ <p>
+ <strong>Id: </strong> {props.graphData.id}
+ </p>
+ </div>
+ );
+ };
+ ```
+
+1. Save the file.
+
+### Adding the sign in experience
+
+1. Open *SignInButton.jsx* and add the following code, which creates a button that signs in the user using either a popup or redirect.
+
+ ```javascript
+ import React from "react";
+ import { useMsal } from "@azure/msal-react";
+ import { loginRequest } from "../authConfig";
+ import DropdownButton from "react-bootstrap/DropdownButton";
+ import Dropdown from "react-bootstrap/Dropdown";
+
+ /**
+ * Renders a drop down button with child buttons for logging in with a popup or redirect
+ * Note the [useMsal] package
+ */
+
+ export const SignInButton = () => {
+ const { instance } = useMsal();
+
+ const handleLogin = (loginType) => {
+ if (loginType === "popup") {
+ instance.loginPopup(loginRequest).catch((e) => {
+ console.log(e);
+ });
+ } else if (loginType === "redirect") {
+ instance.loginRedirect(loginRequest).catch((e) => {
+ console.log(e);
+ });
+ }
+ };
+ return (
+ <DropdownButton
+ variant="secondary"
+ className="ml-auto"
+ drop="start"
+ title="Sign In"
+ >
+ <Dropdown.Item as="button" onClick={() => handleLogin("popup")}>
+ Sign in using Popup
+ </Dropdown.Item>
+ <Dropdown.Item as="button" onClick={() => handleLogin("redirect")}>
+ Sign in using Redirect
+ </Dropdown.Item>
+ </DropdownButton>
+ );
+ };
+ ```
+
+1. Save the file.
+
+### Adding the sign out experience
+
+1. Open *SignOutButton.jsx* and add the following code, which creates a button that signs out the user using either a pop-up or redirect.
+
+ ```javascript
+ import React from "react";
+ import { useMsal } from "@azure/msal-react";
+ import DropdownButton from "react-bootstrap/DropdownButton";
+ import Dropdown from "react-bootstrap/Dropdown";
+
+ /**
+ * Renders a sign out button
+ */
+ export const SignOutButton = () => {
+ const { instance } = useMsal();
+
+ const handleLogout = (logoutType) => {
+ if (logoutType === "popup") {
+ instance.logoutPopup({
+ postLogoutRedirectUri: "/",
+ mainWindowRedirectUri: "/",
+ });
+ } else if (logoutType === "redirect") {
+ instance.logoutRedirect({
+ postLogoutRedirectUri: "/",
+ });
+ }
+ };
+
+ return (
+ <DropdownButton
+ variant="secondary"
+ className="ml-auto"
+ drop="start"
+ title="Sign Out"
+ >
+ <Dropdown.Item as="button" onClick={() => handleLogout("popup")}>
+ Sign out using Popup
+ </Dropdown.Item>
+ <Dropdown.Item as="button" onClick={() => handleLogout("redirect")}>
+ Sign out using Redirect
+ </Dropdown.Item>
+ </DropdownButton>
+ );
+ };
+ ```
+
+1. Save the file.
+
+<!-- ::: zone pivot="devlang-javascript"
+<!-- ::: zone-end -->
+
+> [!div class="nextstepaction"]
+> [Tutorial: Call an API from a React single-page app](single-page-app-tutorial-04-call-api.md)
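Review bot: the two lines `<!-- ::: zone pivot="devlang-javascript"` and `<!-- ::: zone-end -->` just above the next-step link are leftover commented-out zone markers (the `<!--` on the first line is only closed by the `-->` on the second, so they render as one empty comment) and should be removed; the other tutorials in this series also put a `## Next steps` heading before the `nextstepaction` div, which this file lacks. In the intro, "The `useMsal` hook is used to retrieve an access token to allow user sign in" overstates what this file's code does: `useMsal` only exposes the `PublicClientApplication` instance, which `SignInButton` uses for `loginPopup`/`loginRedirect`, and token acquisition is the subject of the next tutorial. Likewise the doc comment in *SignInButton.jsx*, "Note the [useMsal] package", should say hook rather than package. Heading style is also mixed ("Adding the page layout", "Display profile information", "Adding the sign in experience"); consider making them consistent.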
active-directory Single Page App Tutorial 04 Call Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-page-app-tutorial-04-call-api.md
+
+ Title: "Tutorial: Call an API from a React single-page app"
+description: Call an API from a React single-page app.
++++ Last updated : 11/28/2022
+#Customer intent: As a React developer, I want to know how to create a user interface and access the Microsoft Graph API
++
+# Tutorial: Call an API from a React single-page app
+
+Before being able to interact with the single-page app (SPA), we need to initiate an API call to Microsoft Graph and create the user interface (UI) for the application. After this is added, we can sign in to the application and get profile data information from the Microsoft Graph API.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> * Create the API call to Microsoft Graph
+> * Create a UI for the application
+> * Import and use components in the application
+> * Create a component that renders the user's profile information
+> * Call the API from the application
+
+## Prerequisites
+
+* Completion of the prerequisites and steps in [Tutorial: Create components for sign in and sign out in a React single-page app](single-page-app-tutorial-03-sign-in-users.md).
+
+## Creating a helper the Microsoft Graph client
+
+To allow the SPA to request access to Microsoft Graph, a reference to the `graphConfig` object needs to be added. This contains the Graph REST API endpoint defined in *authConfig.js* file.
+
+### [Visual Studio](#tab/visual-studio)
+
+1. Right click on the *src* folder, select **Add** > **New Item**. Create a new file called *graph.js* and select **Add**.
+1. Replace the contents of the file with the following code snippet to request access to Microsoft Graph;
+
+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/graph.js" :::
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. In the *src* folder, create a new file called *graph.js*.
+1. Add the following code snippet to request access to Microsoft Graph;
+
+ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/graph.js" :::
+++
+## Change filename and add required imports
+
+By default, the application runs via a JavaScript file called *App.js*. It needs to be changed to *App.jsx* file, which is an extension that allows a developer to write HTML in React.
+
+1. Rename *App.js* to *App.jsx*.
+1. Replace the existing imports with the following snippet;
+
+ ```javascript
+ import React, { useState } from 'react';
+
+ import { PageLayout } from './components/PageLayout';
+ import { loginRequest } from './authConfig';
+ import { callMsGraph } from './graph';
+ import { ProfileData } from './components/ProfileData';
+
+ import { AuthenticatedTemplate, UnauthenticatedTemplate, useMsal } from '@azure/msal-react';
+
+ import './App.css';
+
+ import Button from 'react-bootstrap/Button';
+ ```
+
+### Adding the `ProfileContent` function
+
+The `ProfileContent` function is used to render the user's profile information. In the *App.jsx* file, add the following code below your imports:
+
+```javascript
+
+/**
+* Renders information about the signed-in user or a button to retrieve data about the user
+*/
+const ProfileContent = () => {
+ const { instance, accounts } = useMsal();
+ const [graphData, setGraphData] = useState(null);
+
+ function RequestProfileData() {
+ // Silently acquires an access token which is then attached to a request for MS Graph data
+ instance
+ .acquireTokenSilent({
+ ...loginRequest,
+ account: accounts[0],
+ })
+ .then((response) => {
+ callMsGraph(response.accessToken).then((response) => setGraphData(response));
+ });
+ }
+
+ return (
+ <>
+ <h5 className="card-title">Welcome {accounts[0].name}</h5>
+ <br/>
+ {graphData ? (
+ <ProfileData graphData={graphData} />
+ ) : (
+ <Button variant="secondary" onClick={RequestProfileData}>
+ Request Profile Information
+ </Button>
+ )}
+ </>
+ );
+};
+```
+
+### Replacing the default function to render authenticated information
+
+The following code will render based on whether the user is authenticated or not. Replace the default function `App()` to render authenticated information with the following code:
+
+```javascript
+/**
+* If a user is authenticated the ProfileContent component above is rendered. Otherwise a message indicating a user is not authenticated is rendered.
+*/
+const MainContent = () => {
+ return (
+ <div className="App">
+ <AuthenticatedTemplate>
+ <ProfileContent />
+ </AuthenticatedTemplate>
+
+ <UnauthenticatedTemplate>
+ <h5>
+ <center>
+ Please sign-in to see your profile information.
+ </center>
+ </h5>
+ </UnauthenticatedTemplate>
+ </div>
+ );
+};
+
+export default function App() {
+ return (
+ <PageLayout>
+ <center>
+ <MainContent />
+ </center>
+ </PageLayout>
+ );
+}
+```
+
+## Calling the API from the application
+
+All the required code snippets have been added, so the application can now be called and tested in a web browser.
+
+1. Navigate to the browser previously opened in [Tutorial: Prepare an application for authentication](./single-page-app-tutorial-02-prepare-spa.md). If your browser is closed, open a new window with the address `http://localhost:3000/`.
+
+1. Select the **Sign In** button. For the purposes of this tutorial, choose the **Sign in using Popup** option.
+
+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/sign-in-window.png" alt-text="Screenshot of React App sign-in window.":::
+
+1. After the popup window appears with the sign-in options, select the account with which to sign-in.
+
+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/pick-account.png" alt-text="Screenshot requesting user to choose Microsoft account to sign into.":::
+
+1. A second window may appear indicating that a code will be sent to your email address. If this happens, select **Send code**. Open the email from the sender **Microsoft account team**, and enter the 7-digit single-use code. Once entered, select **Sign in**.
+
+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/enter-code.png" alt-text="Screenshot prompting user to enter verification code to sign-in.":::
+
+1. For **Stay signed in**, you can select either **No** or **Yes**.
+
+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/stay-signed-in.png" alt-text="Screenshot prompting user to decide whether to stay signed in or not.":::
+
+1. The app will now ask for permission to sign-in and access data. Select **Accept** to continue.
+
+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/permissions-requested.png" alt-text="Screenshot prompting user to allow the application to access permissions.":::
+
+1. The SPA will now display a button saying **Request Profile Information**. Select it to display the Microsoft Graph profile data acquired from the Microsoft Graph API.
+
+ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/display-api-call-results.png" alt-text="Screenshot of React App depicting the results of the API call.":::
+
+## Next steps
+
+Learn how to use the Microsoft identity platform by trying out the following tutorial series on how to build a web API.
+
+> [!div class="nextstepaction"]
+> [Tutorial: Register a web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md)
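Review bot: in the `ProfileContent` snippet, `instance.acquireTokenSilent({ ...loginRequest, account: accounts[0] })` has a `.then` but no `.catch`, so when silent acquisition fails (no usable refresh token, or the user must consent or satisfy a Conditional Access policy, which MSAL surfaces as `InteractionRequiredAuthError`) the rejection is unhandled and the button appears to do nothing. Suggest a fallback such as `.catch((e) => { if (e instanceof InteractionRequiredAuthError) { instance.acquireTokenPopup({ ...loginRequest, account: accounts[0] }).then(...); } })` with `InteractionRequiredAuthError` imported from `@azure/msal-browser`, or at minimum logging the error as `SignInButton` does. Also, the heading "Creating a helper the Microsoft Graph client" is missing a word ("a helper for the Microsoft Graph client"), the two "request access to Microsoft Graph;" steps end with a semicolon where a colon is meant, and "It needs to be changed to *App.jsx* file" reads better as "It needs to be renamed to *App.jsx*".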
active-directory Troubleshoot Required Resource Access Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/troubleshoot-required-resource-access-limits.md
In general, all applications with more than 400 permissions have exceeded the co
## Resolution steps
-If the application isn't needed anymore, the first option you should consider is to delete the app registration entirely. (You can restore recently deleted applications, in case you discover soon afterwards that it was still needed.)
+If the application isn't needed anymore, the first option you should consider is to delete the app registration entirely. (You can [restore recently deleted applications](/azure/active-directory/fundamentals/recover-from-deletions#applications-and-service-principals), in case you discover soon afterwards that it was still needed.)
If you still need the application or are unsure, the following steps will help you resolve this issue:
active-directory Tutorial V2 Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-android.md
Previously updated : 11/26/2019 Last updated : 04/04/2023
# Tutorial: Sign in users and call the Microsoft Graph API from an Android application
-In this tutorial, you build an Android app that integrates with the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API.
+In this tutorial, you build an Android app that integrates with the Azure Active Directory (Azure AD) to sign in users and get an access token to call the Microsoft Graph API.
-When you've completed this tutorial, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) as well as work or school accounts from any company or organization that uses Azure Active Directory.
+When you've completed this tutorial, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) and work or school accounts from any company or organization that uses Azure AD.
-In this tutorial:
+In this tutorial:
> [!div class="checklist"]
-> * Create an Android app project in *Android Studio*
-> * Register the app in the Azure portal
-> * Add code to support user sign-in and sign-out
-> * Add code to call the Microsoft Graph API
-> * Test the app
+>
+> - Create an Android app project in _Android Studio_
+> - Register the app in the Azure portal
+> - Add code to support user sign-in and sign-out
+> - Add code to call the Microsoft Graph API
+> - Test the app
## Prerequisites
-* Android Studio 3.5+
+- [Android Studio](https://developer.android.com/studio)
+- [Android documentation on generating a key](https://developer.android.com/studio/publish/app-signing#generate-key)
## How this tutorial works
In this tutorial:
The app in this tutorial will sign in users and get data on their behalf. This data will be accessed through a protected API (Microsoft Graph API) that requires authorization and is protected by the Microsoft identity platform.
-More specifically:
-
-* Your app will sign in the user either through a browser or the Microsoft Authenticator and Intune Company Portal.
-* The end user will accept the permissions your application has requested.
-* Your app will be issued an access token for the Microsoft Graph API.
-* The access token will be included in the HTTP request to the web API.
-* Process the Microsoft Graph response.
-
-This sample uses the Microsoft Authentication Library for Android (MSAL) to implement Authentication: [com.microsoft.identity.client](https://javadoc.io/doc/com.microsoft.identity.client/msal).
-
-MSAL will automatically renew tokens, deliver single sign-on (SSO) between other apps on the device, and manage the Account(s).
-
-This tutorial demonstrates simplified examples of working with MSAL for Android. For simplicity, it uses Single Account Mode only. To explore more complex scenarios, see a completed [working code sample](https://github.com/Azure-Samples/ms-identity-android-java/) on GitHub.
+This sample uses the Microsoft Authentication Library (MSAL) for Android to implement Authentication: [com.microsoft.identity.client](https://javadoc.io/doc/com.microsoft.identity.client/msal).
## Create a project
-If you do not already have an Android application, follow these steps to set up a new project.
+
+Follow these steps to create a new project if you don't already have an Android application.
1. Open Android Studio, and select **Start a new Android Studio project**. 2. Select **Basic Activity** and select **Next**.
-3. Name your application.
-4. Save the package name. You will enter it later into the Azure portal.
+3. Enter a name for the application, such as _MSALAndroidapp_.
+4. Record the package name to be used in the Azure portal in later steps.
5. Change the language from **Kotlin** to **Java**.
-6. Set the **Minimum API level** to **API 19** or higher, and click **Finish**.
-7. In the project view, choose **Project** in the dropdown to display source and non-source project files, open **app/build.gradle** and set `targetSdkVersion` to `28`.
-
-## Integrate with the Microsoft Authentication Library
+6. Set the **Minimum SDK API level** to **API 19** or higher, and select **Finish**.
-### Register your application
+### Register your application with Azure AD
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. 1. Search for and select **Azure Active Directory**. 1. Under **Manage**, select **App registrations** > **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later.
+1. For **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. For information on different account types, select the **Help me choose** option.
1. Select **Register**. 1. Under **Manage**, select **Authentication** > **Add a platform** > **Android**. 1. Enter your project's Package Name. If you downloaded the code, this value is `com.azuresamples.msalandroidapp`.
-1. In the **Signature hash** section of the **Configure your Android app** page, select **Generating a development Signature Hash.** and copy the KeyTool command to use for your platform.
-
+1. In the **Signature hash** section of the **Configure your Android app** pane, select **Generating a development Signature Hash.** and copy the KeyTool command to your command line.
- KeyTool.exe is installed as part of the Java Development Kit (JDK). You must also install the OpenSSL tool to execute the KeyTool command. Refer to the [Android documentation on generating a key](https://developer.android.com/studio/publish/app-signing#generate-key) for more information.
+ - KeyTool.exe is installed as part of the Java Development Kit (JDK). You must also install the OpenSSL tool to execute the KeyTool command. For more information, see [Android documentation on generating a key](https://developer.android.com/studio/publish/app-signing#generate-key) for more information.
1. Enter the **Signature hash** generated by KeyTool.
-1. Select **Configure** and save the **MSAL Configuration** that appears in the **Android configuration** page so you can enter it when you configure your app later.
+1. Select **Configure** and save the **MSAL Configuration** that appears in the **Android configuration** pane so you can enter it when you configure your app later.
1. Select **Done**. ### Configure your application 1. In Android Studio's project pane, navigate to **app\src\main\res**.
-1. Right-click **res** and choose **New** > **Directory**. Enter `raw` as the new directory name and click **OK**.
+1. Right-click **res** and choose **New** > **Directory**. Enter `raw` as the new directory name and select **OK**.
1. In **app** > **src** > **main** > **res** > **raw**, create a new JSON file called `auth_config_single_account.json` and paste the MSAL Configuration that you saved earlier.
- Below the redirect URI, paste:
- ```json
- "account_mode" : "SINGLE",
- ```
- Your config file should resemble this example:
- ```json
- {
- "client_id" : "0984a7b6-bc13-4141-8b0d-8f767e136bb7",
- "authorization_user_agent" : "DEFAULT",
- "redirect_uri" : "msauth://com.azuresamples.msalandroidapp/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D",
- "broker_redirect_uri_registered" : true,
- "account_mode" : "SINGLE",
- "authorities" : [
- {
- "type": "AAD",
- "audience": {
- "type": "AzureADandPersonalMicrosoftAccount",
- "tenant_id": "common"
- }
- }
- ]
+ Below the redirect URI, paste:
+
+ ```json
+ "account_mode" : "SINGLE",
+ ```
+
+ Your config file should resemble this example:
+
+ ```json
+ {
+ "client_id": "00001111-aaaa-bbbb-3333-cccc4444",
+ "authorization_user_agent": "DEFAULT",
+ "redirect_uri": "msauth://com.azuresamples.msalandroidapp/00001111%cccc4444%3D",
+ "broker_redirect_uri_registered": true,
+ "account_mode": "SINGLE",
+ "authorities": [
+ {
+ "type": "AAD",
+ "audience": {
+ "type": "AzureADandPersonalMicrosoftAccount",
+ "tenant_id": "common"
+ }
+ }
+ ]
+ }
+ ```
+
+ As this tutorial only demonstrates how to configure an app in Single Account mode, see [single vs. multiple account mode](./single-multi-account.md) and [configuring your app](./msal-configuration.md) for more information
+
+1. In **app** > **src** > **main** > **AndroidManifest.xml**, add the `BrowserTabActivity` activity as a child of the `<application>` element. This entry allows Azure AD to call back to your application after it completes the authentication:
+
+ ```xml
+ <!--Intent filter to capture System Browser or Authenticator calling back to our app after sign-in-->
+ <activity
+ android:name="com.microsoft.identity.client.BrowserTabActivity"
+ android:exported="true">
+ <intent-filter>
+ <action android:name="android.intent.action.VIEW" />
+ <category android:name="android.intent.category.DEFAULT" />
+ <category android:name="android.intent.category.BROWSABLE" />
+ <data android:scheme="msauth"
+ android:host="Enter_the_Package_Name"
+ android:path="/Enter_the_Signature_Hash" />
+ </intent-filter>
+ </activity>
+ ```
+
+ - Use your Azure portal **Package name** to replace `android:host=.` value. It should look like `com.azuresamples.msalandroidapp`.
+ - Use your Azure portal **Signature Hash** to replace `android:path=` value. Ensure that there's a leading `/` at the beginning of your Signature Hash. It should look like `/1wIqXSqBj7w+h11ZifsnqwgyKrY=`.
+
+ You can find these values in the Authentication blade of your app registration as well.
+
+### Add MSAL and relevant libraries to your project
+
+1. In the Android Studio project window, navigate to **app** > **build.gradle** and add the following libraries in the _dependencies_ section:
+
+ ```gradle
+ implementation 'com.microsoft.identity.client:msal:4.2.0'
+ implementation 'com.android.volley:volley:1.2.1'
+ ```
+
+1. In the Android Studio project window, open **settings.gradle** and declare the following maven repository in **dependencyResolutionManagement** > **repositories** section:
+
+ ```gradle
+ maven {
+ url 'https://pkgs.dev.azure.com/MicrosoftDeviceSDK/DuoSDK-Public/_packaging/Duo-SDK-Feed/maven/v1'
} ```
- This tutorial only demonstrates how to configure an app in Single Account mode. View the documentation for more information on [single vs. multiple account mode](./single-multi-account.md) and [configuring your app](./msal-configuration.md)
-
-4. In **app** > **src** > **main** > **AndroidManifest.xml**, add the `BrowserTabActivity` activity below to the application body. This entry allows Microsoft to call back to your application after it completes the authentication:
-
- ```xml
- <!--Intent filter to capture System Browser or Authenticator calling back to our app after sign-in-->
- <activity
- android:name="com.microsoft.identity.client.BrowserTabActivity">
- <intent-filter>
- <action android:name="android.intent.action.VIEW" />
- <category android:name="android.intent.category.DEFAULT" />
- <category android:name="android.intent.category.BROWSABLE" />
- <data android:scheme="msauth"
- android:host="Enter_the_Package_Name"
- android:path="/Enter_the_Signature_Hash" />
- </intent-filter>
- </activity>
- ```
-
- Substitute the package name you registered in the Azure portal for the `android:host=` value.
- Substitute the key hash you registered in the Azure portal for the `android:path=` value. The Signature Hash should **not** be URL-encoded. Ensure that there is a leading `/` at the beginning of your Signature Hash.
-
- The "Package Name" you will replace the `android:host` value with should look similar to: `com.azuresamples.msalandroidapp`.
- The "Signature Hash" you will replace your `android:path` value with should look similar to: `/1wIqXSqBj7w+h11ZifsnqwgyKrY=`.
-
- You will also be able to find these values in the Authentication blade of your app registration. Note that your redirect URI will look similar to: `msauth://com.azuresamples.msalandroidapp/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D`. While the Signature Hash is URL-encoded at the end of this value, the Signature Hash should **not** be URL-encoded in your `android:path` value.
-
-## Use MSAL
-
-### Add MSAL to your project
-
-1. In the Android Studio project window, navigate to **app** > **build.gradle** and add the following:
-
- ```gradle
- apply plugin: 'com.android.application'
-
- allprojects {
- repositories {
- mavenCentral()
- google()
- mavenLocal()
- maven {
- url 'https://pkgs.dev.azure.com/MicrosoftDeviceSDK/DuoSDK-Public/_packaging/Duo-SDK-Feed/maven/v1'
- }
- maven {
- name "vsts-maven-adal-android"
- url "https://identitydivision.pkgs.visualstudio.com/_packaging/AndroidADAL/maven/v1"
- credentials {
- username System.getenv("ENV_VSTS_MVN_ANDROIDADAL_USERNAME") != null ? System.getenv("ENV_VSTS_MVN_ANDROIDADAL_USERNAME") : project.findProperty("vstsUsername")
- password System.getenv("ENV_VSTS_MVN_ANDROIDADAL_ACCESSTOKEN") != null ? System.getenv("ENV_VSTS_MVN_ANDROIDADAL_ACCESSTOKEN") : project.findProperty("vstsMavenAccessToken")
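Review bot: the new `settings.gradle` step registers the Duo-SDK-Feed Maven repository under `dependencyResolutionManagement` with no content filter, so Gradle may resolve any coordinate, not only the artifacts that feed actually hosts, from a third-party repository; wrap it in a `content { includeGroup '...' }` filter naming the groups published there (the page does not say which) or declare it with `exclusiveContent`, so a mistyped or unpublished coordinate cannot be satisfied by the wrong source. The rest of the hunk is an improvement worth keeping as is: `implementation 'com.microsoft.identity.client:msal:4.2.0'` pins an exact version where the old text used the floating `msal:2.+` and `microsoft-graph:1.5.+`, and the credential-backed `vsts-maven-adal-android` feed (`ENV_VSTS_MVN_ANDROIDADAL_ACCESSTOKEN`) and the sunset `jcenter()` repository are gone. One documentation gap: the old snippet also carried the `packagingOptions { exclude("META-INF/jersey-module-version") }` block; if it is no longer needed with MSAL 4.x and Volley, say so, otherwise readers upgrading an existing project will hit the duplicate-file build error it worked around.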
+1. Select **Sync Now** in the notification bar.
+
+### Create and update required fragment
+
+1. In **app** > **src** > **main**> **java** > **com.example(your app name)**. Create the following Android fragments:
+
+ - _MSGraphRequestWrapper_
+ - _OnFragmentInteractionListener_
+ - _SingleAccountModeFragment_
+
+1. Open _MSGraphRequestWrapper.java_ and replace the code with following code snippet to call the Microsoft Graph API using the token provided by MSAL:
+
+ ```java
+ package com.azuresamples.msalandroidapp;
+
+ import android.content.Context;
+ import android.util.Log;
+
+ import androidx.annotation.NonNull;
+
+ import com.android.volley.DefaultRetryPolicy;
+ import com.android.volley.Request;
+ import com.android.volley.RequestQueue;
+ import com.android.volley.Response;
+ import com.android.volley.toolbox.JsonObjectRequest;
+ import com.android.volley.toolbox.Volley;
+
+ import org.json.JSONObject;
+
+ import java.util.HashMap;
+ import java.util.Map;
+
+ public class MSGraphRequestWrapper {
+ private static final String TAG = MSGraphRequestWrapper.class.getSimpleName();
+
+ // See: https://docs.microsoft.com/en-us/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints
+ public static final String MS_GRAPH_ROOT_ENDPOINT = "https://graph.microsoft.com/";
+
+ /**
+ * Use Volley to make an HTTP request with
+ * 1) a given MSGraph resource URL
+ * 2) an access token
+ * to obtain MSGraph data.
+ **/
+ public static void callGraphAPIUsingVolley(@NonNull final Context context,
+ @NonNull final String graphResourceUrl,
+ @NonNull final String accessToken,
+ @NonNull final Response.Listener<JSONObject> responseListener,
+ @NonNull final Response.ErrorListener errorListener) {
+ Log.d(TAG, "Starting volley request to graph");
+
+ /* Make sure we have a token to send to graph */
+ if (accessToken == null || accessToken.length() == 0) {
+ return;
+ }
+
+ RequestQueue queue = Volley.newRequestQueue(context);
+ JSONObject parameters = new JSONObject();
+
+ try {
+ parameters.put("key", "value");
+ } catch (Exception e) {
+ Log.d(TAG, "Failed to put parameters: " + e.toString());
}+
+ JsonObjectRequest request = new JsonObjectRequest(Request.Method.GET, graphResourceUrl,
+ parameters, responseListener, errorListener) {
+ @Override
+ public Map<String, String> getHeaders() {
+ Map<String, String> headers = new HashMap<>();
+ headers.put("Authorization", "Bearer " + accessToken);
+ return headers;
+ }
+ };
+
+ Log.d(TAG, "Adding HTTP GET to Queue, Request: " + request.toString());
+
+ request.setRetryPolicy(new DefaultRetryPolicy(
+ 3000,
+ DefaultRetryPolicy.DEFAULT_MAX_RETRIES,
+ DefaultRetryPolicy.DEFAULT_BACKOFF_MULT));
+ queue.add(request);
}
- jcenter()
- }
}
- dependencies{
- implementation 'com.microsoft.identity.client:msal:2.+'
- implementation 'com.microsoft.graph:microsoft-graph:1.5.+'
- }
- packagingOptions{
- exclude("META-INF/jersey-module-version")
+
+ ```
+
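Review bot: `callGraphAPIUsingVolley` sends a placeholder JSON body (`parameters.put("key", "value")`) with an HTTP GET to Microsoft Graph; pass `null` as the `jsonRequest` argument of `JsonObjectRequest` instead, since the body is meaningless and the surrounding try/catch exists only to satisfy the checked `JSONException`. The empty-token guard is a silent failure: `if (accessToken == null || accessToken.length() == 0) { return; }` drops the request without calling `errorListener`, so the UI waits for a response that never comes; report it via `errorListener.onErrorResponse(new VolleyError(...))` or remove the check, as the parameter is already `@NonNull`. Minor: `Volley.newRequestQueue(context)` creates a new queue and thread pool on every call; a single application-scoped queue is the usual pattern. Also the list above tells readers to create `MSGraphRequestWrapper` and `OnFragmentInteractionListener` as "Android fragments", but one is a helper class and the other an interface; only `SingleAccountModeFragment` extends `Fragment`, so "Create the following classes" would be accurate.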
+1. Open _OnFragmentInteractionListener.java_ and replace the code with following code snippet to allow communication between different fragments:
+
+ ```java
+ package com.azuresamples.msalandroidapp;
+
+ /**
+ * This interface must be implemented by activities that contain this
+ * fragment to allow an interaction in this fragment to be communicated
+ * to the activity and potentially other fragments contained in that
+ * activity.
+ * <p>
+ * See the Android Training lesson <a href=
+ * "http://developer.android.com/training/basics/fragments/communicating.html"
+ * >Communicating with Other Fragments</a> for more information.
+ */
+ public interface OnFragmentInteractionListener {
}
- ```
- [More on the Microsoft Graph SDK](https://github.com/microsoftgraph/msgraph-sdk-java/)
-
-### Required Imports
-
-Add the following to the top of **app** > **src** > **main**> **java** > **com.example(yourapp)** > **MainActivity.java**
-
-```java
-import android.os.Bundle;
-import android.util.Log;
-import android.view.View;
-import android.widget.Button;
-import android.widget.TextView;
-import android.widget.Toast;
-import androidx.annotation.NonNull;
-import androidx.annotation.Nullable;
-import androidx.appcompat.app.AppCompatActivity;
-import com.google.gson.JsonObject;
-import com.microsoft.graph.authentication.IAuthenticationProvider; //Imports the Graph sdk Auth interface
-import com.microsoft.graph.concurrency.ICallback;
-import com.microsoft.graph.core.ClientException;
-import com.microsoft.graph.http.IHttpRequest;
-import com.microsoft.graph.models.extensions.*;
-import com.microsoft.graph.requests.extensions.GraphServiceClient;
-import com.microsoft.identity.client.AuthenticationCallback; // Imports MSAL auth methods
-import com.microsoft.identity.client.*;
-import com.microsoft.identity.client.exception.*;
-```
-
-## Instantiate PublicClientApplication
-#### Initialize Variables
-```java
-private final static String[] SCOPES = {"Files.Read"};
-/* Azure AD v2 Configs */
-final static String AUTHORITY = "https://login.microsoftonline.com/common";
-private ISingleAccountPublicClientApplication mSingleAccountApp;
-
-private static final String TAG = MainActivity.class.getSimpleName();
-
-/* UI & Debugging Variables */
-Button signInButton;
-Button signOutButton;
-Button callGraphApiInteractiveButton;
-Button callGraphApiSilentButton;
-TextView logTextView;
-TextView currentUserTextView;
-```
-
-### onCreate
-Inside the `MainActivity` class, refer to the following onCreate() method to instantiate MSAL using the `SingleAccountPublicClientApplication`.
-
-```java
-@Override
-protected void onCreate(Bundle savedInstanceState) {
- super.onCreate(savedInstanceState);
- setContentView(R.layout.activity_main);
-
- initializeUI();
-
- PublicClientApplication.createSingleAccountPublicClientApplication(getApplicationContext(),
- R.raw.auth_config_single_account, new IPublicClientApplication.ISingleAccountApplicationCreatedListener() {
- @Override
- public void onCreated(ISingleAccountPublicClientApplication application) {
- mSingleAccountApp = application;
- loadAccount();
+ ```
+
+1. Open _SingleAccountModeFragment.java_ and replace the code with following code snippet to initialize a single-account application, loads a user account, and gets a token to call the Microsoft Graph API:
+
+ ```java
+ package com.azuresamples.msalandroidapp;
+
+ import android.os.Bundle;
+
+ import androidx.annotation.NonNull;
+ import androidx.annotation.Nullable;
+ import androidx.fragment.app.Fragment;
+
+ import android.util.Log;
+ import android.view.LayoutInflater;
+ import android.view.View;
+ import android.view.ViewGroup;
+ import android.widget.Button;
+ import android.widget.TextView;
+ import android.widget.Toast;
+
+ import com.android.volley.Response;
+ import com.android.volley.VolleyError;
+ import com.microsoft.identity.client.AuthenticationCallback;
+ import com.microsoft.identity.client.IAccount;
+ import com.microsoft.identity.client.IAuthenticationResult;
+ import com.microsoft.identity.client.IPublicClientApplication;
+ import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
+ import com.microsoft.identity.client.PublicClientApplication;
+ import com.microsoft.identity.client.SilentAuthenticationCallback;
+ import com.microsoft.identity.client.exception.MsalClientException;
+ import com.microsoft.identity.client.exception.MsalException;
+ import com.microsoft.identity.client.exception.MsalServiceException;
+ import com.microsoft.identity.client.exception.MsalUiRequiredException;
+
+ import org.json.JSONObject;
+
+ /**
+ * Implementation sample for 'Single account' mode.
+ * <p>
+ * If your app only supports one account being signed-in at a time, this is for you.
+ * This requires "account_mode" to be set as "SINGLE" in the configuration file.
+ * (Please see res/raw/auth_config_single_account.json for more info).
+ * <p>
+ * Please note that switching mode (between 'single' and 'multiple' might cause a loss of data.
+ */
+ public class SingleAccountModeFragment extends Fragment {
+ private static final String TAG = SingleAccountModeFragment.class.getSimpleName();
+
+ /* UI & Debugging Variables */
+ Button signInButton;
+ Button signOutButton;
+ Button callGraphApiInteractiveButton;
+ Button callGraphApiSilentButton;
+ TextView scopeTextView;
+ TextView graphResourceTextView;
+ TextView logTextView;
+ TextView currentUserTextView;
+ TextView deviceModeTextView;
+
+ /* Azure AD Variables */
+ private ISingleAccountPublicClientApplication mSingleAccountApp;
+ private IAccount mAccount;
+
+ @Override
+ public View onCreateView(LayoutInflater inflater,
+ ViewGroup container,
+ Bundle savedInstanceState) {
+ // Inflate the layout for this fragment
+ final View view = inflater.inflate(R.layout.fragment_single_account_mode, container, false);
+ initializeUI(view);
+
+ // Creates a PublicClientApplication object with res/raw/auth_config_single_account.json
+ PublicClientApplication.createSingleAccountPublicClientApplication(getContext(),
+ R.raw.auth_config_single_account,
+ new IPublicClientApplication.ISingleAccountApplicationCreatedListener() {
+ @Override
+ public void onCreated(ISingleAccountPublicClientApplication application) {
+ /**
+ * This test app assumes that the app is only going to support one account.
+ * This requires "account_mode" : "SINGLE" in the config json file.
+ **/
+ mSingleAccountApp = application;
+ loadAccount();
+ }
+
+ @Override
+ public void onError(MsalException exception) {
+ displayError(exception);
+ }
+ });
+
+ return view;
+ }
+
+ /**
+ * Initializes UI variables and callbacks.
+ */
+ private void initializeUI(@NonNull final View view) {
+ signInButton = view.findViewById(R.id.btn_signIn);
+ signOutButton = view.findViewById(R.id.btn_removeAccount);
+ callGraphApiInteractiveButton = view.findViewById(R.id.btn_callGraphInteractively);
+ callGraphApiSilentButton = view.findViewById(R.id.btn_callGraphSilently);
+ scopeTextView = view.findViewById(R.id.scope);
+ graphResourceTextView = view.findViewById(R.id.msgraph_url);
+ logTextView = view.findViewById(R.id.txt_log);
+ currentUserTextView = view.findViewById(R.id.current_user);
+ deviceModeTextView = view.findViewById(R.id.device_mode);
+
+ final String defaultGraphResourceUrl = MSGraphRequestWrapper.MS_GRAPH_ROOT_ENDPOINT + "v1.0/me";
+ graphResourceTextView.setText(defaultGraphResourceUrl);
+
+ signInButton.setOnClickListener(new View.OnClickListener() {
+ public void onClick(View v) {
+ if (mSingleAccountApp == null) {
+ return;
+ }
+
+ mSingleAccountApp.signIn(getActivity(), null, getScopes(), getAuthInteractiveCallback());
}
- @Override
- public void onError(MsalException exception) {
- displayError(exception);
+ });
+
+ signOutButton.setOnClickListener(new View.OnClickListener() {
+ public void onClick(View v) {
+ if (mSingleAccountApp == null) {
+ return;
+ }
+
+ /**
+ * Removes the signed-in account and cached tokens from this app (or device, if the device is in shared mode).
+ */
+ mSingleAccountApp.signOut(new ISingleAccountPublicClientApplication.SignOutCallback() {
+ @Override
+ public void onSignOut() {
+ mAccount = null;
+ updateUI();
+ showToastOnSignOut();
+ }
+
+ @Override
+ public void onError(@NonNull MsalException exception) {
+ displayError(exception);
+ }
+ });
} });
-}
-```
-### loadAccount
+ callGraphApiInteractiveButton.setOnClickListener(new View.OnClickListener() {
+ public void onClick(View v) {
+ if (mSingleAccountApp == null) {
+ return;
+ }
-```java
-//When app comes to the foreground, load existing account to determine if user is signed in
-private void loadAccount() {
- if (mSingleAccountApp == null) {
- return;
- }
+ /**
+ * If acquireTokenSilent() returns an error that requires an interaction (MsalUiRequiredException),
+ * invoke acquireToken() to have the user resolve the interrupt interactively.
+ *
+ * Some example scenarios are
+ * - password change
+ * - the resource you're acquiring a token for has a stricter set of requirement than your Single Sign-On refresh token.
+ * - you're introducing a new scope which the user has never consented for.
+ */
+ mSingleAccountApp.acquireToken(getActivity(), getScopes(), getAuthInteractiveCallback());
+ }
+ });
+
+ callGraphApiSilentButton.setOnClickListener(new View.OnClickListener() {
+ @Override
+ public void onClick(View v) {
+ if (mSingleAccountApp == null) {
+ return;
+ }
+
+ /**
+ * Once you've signed the user in,
+ * you can perform acquireTokenSilent to obtain resources without interrupting the user.
+ */
+ mSingleAccountApp.acquireTokenSilentAsync(getScopes(), mAccount.getAuthority(), getAuthSilentCallback());
+ }
+ });
- mSingleAccountApp.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback() {
- @Override
- public void onAccountLoaded(@Nullable IAccount activeAccount) {
- // You can use the account data to update your UI or your app database.
- updateUI(activeAccount);
} @Override
- public void onAccountChanged(@Nullable IAccount priorAccount, @Nullable IAccount currentAccount) {
- if (currentAccount == null) {
- // Perform a cleanup task as the signed-in account changed.
- performOperationOnSignOut();
- }
+ public void onResume() {
+ super.onResume();
+
+ /**
+ * The account may have been removed from the device (if broker is in use).
+ *
+ * In shared device mode, the account might be signed in/out by other apps while this app is not in focus.
+ * Therefore, we want to update the account state by invoking loadAccount() here.
+ */
+ loadAccount();
}
- @Override
- public void onError(@NonNull MsalException exception) {
- displayError(exception);
+ /**
+ * Extracts a scope array from a text field,
+ * i.e. from "User.Read User.ReadWrite" to ["user.read", "user.readwrite"]
+ */
+ private String[] getScopes() {
+ return scopeTextView.getText().toString().toLowerCase().split(" ");
}
- });
-}
-```
-
-### initializeUI
-Listen to buttons and call methods or log errors accordingly.
-```java
-private void initializeUI(){
- signInButton = findViewById(R.id.signIn);
- callGraphApiSilentButton = findViewById(R.id.callGraphSilent);
- callGraphApiInteractiveButton = findViewById(R.id.callGraphInteractive);
- signOutButton = findViewById(R.id.clearCache);
- logTextView = findViewById(R.id.txt_log);
- currentUserTextView = findViewById(R.id.current_user);
-
- //Sign in user
- signInButton.setOnClickListener(new View.OnClickListener(){
- public void onClick(View v) {
- if (mSingleAccountApp == null) {
- return;
- }
- mSingleAccountApp.signIn(MainActivity.this, null, SCOPES, getAuthInteractiveCallback());
+
+ /**
+ * Load the currently signed-in account, if there's any.
+ */
+ private void loadAccount() {
+ if (mSingleAccountApp == null) {
+ return;
}
- });
- //Sign out user
- signOutButton.setOnClickListener(new View.OnClickListener() {
- @Override
- public void onClick(View v) {
- if (mSingleAccountApp == null){
- return;
+ mSingleAccountApp.getCurrentAccountAsync(new ISingleAccountPublicClientApplication.CurrentAccountCallback() {
+ @Override
+ public void onAccountLoaded(@Nullable IAccount activeAccount) {
+ // You can use the account data to update your UI or your app database.
+ mAccount = activeAccount;
+ updateUI();
}
- mSingleAccountApp.signOut(new ISingleAccountPublicClientApplication.SignOutCallback() {
- @Override
- public void onSignOut() {
- updateUI(null);
- performOperationOnSignOut();
+
+ @Override
+ public void onAccountChanged(@Nullable IAccount priorAccount, @Nullable IAccount currentAccount) {
+ if (currentAccount == null) {
+ // Perform a cleanup task as the signed-in account changed.
+ showToastOnSignOut();
}
- @Override
- public void onError(@NonNull MsalException exception){
- displayError(exception);
+ }
+
+ @Override
+ public void onError(@NonNull MsalException exception) {
+ displayError(exception);
+ }
+ });
+ }
+
+ /**
+ * Callback used in for silent acquireToken calls.
+ */
+ private SilentAuthenticationCallback getAuthSilentCallback() {
+ return new SilentAuthenticationCallback() {
+
+ @Override
+ public void onSuccess(IAuthenticationResult authenticationResult) {
+ Log.d(TAG, "Successfully authenticated");
+
+ /* Successfully got a token, use it to call a protected resource - MSGraph */
+ callGraphAPI(authenticationResult);
+ }
+
+ @Override
+ public void onError(MsalException exception) {
+ /* Failed to acquireToken */
+ Log.d(TAG, "Authentication failed: " + exception.toString());
+ displayError(exception);
+
+ if (exception instanceof MsalClientException) {
+ /* Exception inside MSAL, more info inside MsalError.java */
+ } else if (exception instanceof MsalServiceException) {
+ /* Exception when communicating with the STS, likely config issue */
+ } else if (exception instanceof MsalUiRequiredException) {
+ /* Tokens expired or no session, retry with interactive */
}
- });
- }
- });
+ }
+ };
+ }
- //Interactive
- callGraphApiInteractiveButton.setOnClickListener(new View.OnClickListener() {
- @Override
- public void onClick(View v) {
- if (mSingleAccountApp == null) {
- return;
+ /**
+ * Callback used for interactive request.
+ * If succeeds we use the access token to call the Microsoft Graph.
+ * Does not check cache.
+ */
+ private AuthenticationCallback getAuthInteractiveCallback() {
+ return new AuthenticationCallback() {
+
+ @Override
+ public void onSuccess(IAuthenticationResult authenticationResult) {
+ /* Successfully got a token, use it to call a protected resource - MSGraph */
+ Log.d(TAG, "Successfully authenticated");
+ Log.d(TAG, "ID Token: " + authenticationResult.getAccount().getClaims().get("id_token"));
+
+ /* Update account */
+ mAccount = authenticationResult.getAccount();
+ updateUI();
+
+ /* call graph */
+ callGraphAPI(authenticationResult);
}
- mSingleAccountApp.acquireToken(MainActivity.this, SCOPES, getAuthInteractiveCallback());
- }
- });
- //Silent
- callGraphApiSilentButton.setOnClickListener(new View.OnClickListener() {
- @Override
- public void onClick(View v) {
- if (mSingleAccountApp == null){
- return;
+ @Override
+ public void onError(MsalException exception) {
+ /* Failed to acquireToken */
+ Log.d(TAG, "Authentication failed: " + exception.toString());
+ displayError(exception);
+
+ if (exception instanceof MsalClientException) {
+ /* Exception inside MSAL, more info inside MsalError.java */
+ } else if (exception instanceof MsalServiceException) {
+ /* Exception when communicating with the STS, likely config issue */
+ }
}
- mSingleAccountApp.acquireTokenSilentAsync(SCOPES, AUTHORITY, getAuthSilentCallback());
- }
- });
- }
-```
-> [!Important]
-> Signing out with MSAL removes all known information about a user from the application, but the user will still have an active session on their device. If the user attempts to sign in again they may see sign-in UI, but may not need to reenter their credentials because the device session is still active.
+ @Override
+ public void onCancel() {
+ /* User canceled the authentication */
+ Log.d(TAG, "User cancelled login.");
+ }
+ };
+ }
-### getAuthInteractiveCallback
-Callback used for interactive requests.
+ /**
+ * Make an HTTP request to obtain MSGraph data
+ */
+ private void callGraphAPI(final IAuthenticationResult authenticationResult) {
+ MSGraphRequestWrapper.callGraphAPIUsingVolley(
+ getContext(),
+ graphResourceTextView.getText().toString(),
+ authenticationResult.getAccessToken(),
+ new Response.Listener<JSONObject>() {
+ @Override
+ public void onResponse(JSONObject response) {
+ /* Successfully called graph, process data and send to UI */
+ Log.d(TAG, "Response: " + response.toString());
+ displayGraphResult(response);
+ }
+ },
+ new Response.ErrorListener() {
+ @Override
+ public void onErrorResponse(VolleyError error) {
+ Log.d(TAG, "Error: " + error.toString());
+ displayError(error);
+ }
+ });
+ }
-```java
-private AuthenticationCallback getAuthInteractiveCallback() {
- return new AuthenticationCallback() {
- @Override
- public void onSuccess(IAuthenticationResult authenticationResult) {
- /* Successfully got a token, use it to call a protected resource - MSGraph */
- Log.d(TAG, "Successfully authenticated");
- /* Update UI */
- updateUI(authenticationResult.getAccount());
- /* call graph */
- callGraphAPI(authenticationResult);
+ //
+ // Helper methods manage UI updates
+ // ================================
+ // displayGraphResult() - Display the graph response
+ // displayError() - Display the graph response
+ // updateSignedInUI() - Updates UI when the user is signed in
+ // updateSignedOutUI() - Updates UI when app sign out succeeds
+ //
+
+ /**
+ * Display the graph response
+ */
+ private void displayGraphResult(@NonNull final JSONObject graphResponse) {
+ logTextView.setText(graphResponse.toString());
}
- @Override
- public void onError(MsalException exception) {
- /* Failed to acquireToken */
- Log.d(TAG, "Authentication failed: " + exception.toString());
- displayError(exception);
+ /**
+ * Display the error message
+ */
+ private void displayError(@NonNull final Exception exception) {
+ logTextView.setText(exception.toString());
}
- @Override
- public void onCancel() {
- /* User canceled the authentication */
- Log.d(TAG, "User cancelled login.");
+
+ /**
+ * Updates UI based on the current account.
+ */
+ private void updateUI() {
+ if (mAccount != null) {
+ signInButton.setEnabled(false);
+ signOutButton.setEnabled(true);
+ callGraphApiInteractiveButton.setEnabled(true);
+ callGraphApiSilentButton.setEnabled(true);
+ currentUserTextView.setText(mAccount.getUsername());
+ } else {
+ signInButton.setEnabled(true);
+ signOutButton.setEnabled(false);
+ callGraphApiInteractiveButton.setEnabled(false);
+ callGraphApiSilentButton.setEnabled(false);
+ currentUserTextView.setText("None");
+ }
+
+ deviceModeTextView.setText(mSingleAccountApp.isSharedDevice() ? "Shared" : "Non-shared");
}
- };
-}
-```
-
-### getAuthSilentCallback
-Callback used for silent requests
-```java
-private SilentAuthenticationCallback getAuthSilentCallback() {
- return new SilentAuthenticationCallback() {
- @Override
- public void onSuccess(IAuthenticationResult authenticationResult) {
- Log.d(TAG, "Successfully authenticated");
- callGraphAPI(authenticationResult);
+
+ /**
+ * Updates UI when app sign out succeeds
+ */
+ private void showToastOnSignOut() {
+ final String signOutText = "Signed Out.";
+ currentUserTextView.setText("");
+ Toast.makeText(getContext(), signOutText, Toast.LENGTH_SHORT)
+ .show();
}
- @Override
- public void onError(MsalException exception) {
- Log.d(TAG, "Authentication failed: " + exception.toString());
- displayError(exception);
+ }
+
+ ```
+
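Review bot: the interactive success callback writes token material to logcat, `Log.d(TAG, "ID Token: " + authenticationResult.getAccount().getClaims().get("id_token"));`, and logcat output ends up in bug reports and is readable over adb; even if MSAL's `getClaims()` map holds decoded claims rather than the raw JWT, that is user identity data in a debug log, so drop the line or log only that a token was obtained. In `getAuthSilentCallback().onError` the `MsalUiRequiredException` branch is empty although its comment says "retry with interactive"; call `mSingleAccountApp.acquireToken(getActivity(), getScopes(), getAuthInteractiveCallback())` there so the "Get Graph Data Silently" button recovers instead of only displaying the error. The removed `[!Important]` callout (signing out with MSAL removes the account and cached tokens from the app, but the user's device or browser session persists and they may not be asked for credentials again) is not re-added anywhere in the new text; the comment above `mSingleAccountApp.signOut(...)` is the natural place for it. Minor: `getScopes()` lowercases and splits on a single space, so double spaces produce empty scope strings; `trim()` followed by `split("\\s+")` avoids that.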
+1. Open _MainActivity.java_ and replace the code with following code snippet to manage the UI.
+
+ ```java
+ package com.azuresamples.msalandroidapp;
+
+ import android.os.Bundle;
+
+ import androidx.annotation.NonNull;
+ import androidx.appcompat.app.ActionBarDrawerToggle;
+ import androidx.appcompat.app.AppCompatActivity;
+ import androidx.appcompat.widget.Toolbar;
+ import androidx.constraintlayout.widget.ConstraintLayout;
+ import androidx.core.view.GravityCompat;
+
+ import android.view.MenuItem;
+ import android.view.View;
+
+ import androidx.drawerlayout.widget.DrawerLayout;
+ import androidx.fragment.app.Fragment;
+ import androidx.fragment.app.FragmentTransaction;
++
+ import com.google.android.material.navigation.NavigationView;
+
+ public class MainActivity extends AppCompatActivity
+ implements NavigationView.OnNavigationItemSelectedListener,
+ OnFragmentInteractionListener{
+
+ enum AppFragment {
+ SingleAccount,
+ MultipleAccount,
+ B2C
}
- };
-}
-```
-## Call Microsoft Graph API
+ private AppFragment mCurrentFragment;
-The following code demonstrates how to call the GraphAPI using the Graph SDK.
+ private ConstraintLayout mContentMain;
-### callGraphAPI
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ setContentView(R.layout.activity_main);
+
+ mContentMain = findViewById(R.id.content_main);
+
+ Toolbar toolbar = findViewById(R.id.toolbar);
+ setSupportActionBar(toolbar);
+ DrawerLayout drawer = findViewById(R.id.drawer_layout);
+ NavigationView navigationView = findViewById(R.id.nav_view);
+ ActionBarDrawerToggle toggle = new ActionBarDrawerToggle(
+ this, drawer, toolbar, R.string.navigation_drawer_open, R.string.navigation_drawer_close);
+ drawer.addDrawerListener(toggle);
+ toggle.syncState();
+ navigationView.setNavigationItemSelectedListener(this);
+
+ //Set default fragment
+ navigationView.setCheckedItem(R.id.nav_single_account);
+ setCurrentFragment(AppFragment.SingleAccount);
+ }
-```java
-private void callGraphAPI(IAuthenticationResult authenticationResult) {
+ @Override
+ public boolean onNavigationItemSelected(final MenuItem item) {
+ final DrawerLayout drawer = findViewById(R.id.drawer_layout);
+ drawer.addDrawerListener(new DrawerLayout.DrawerListener() {
+ @Override
+ public void onDrawerSlide(@NonNull View drawerView, float slideOffset) { }
- final String accessToken = authenticationResult.getAccessToken();
+ @Override
+ public void onDrawerOpened(@NonNull View drawerView) { }
- IGraphServiceClient graphClient =
- GraphServiceClient
- .builder()
- .authenticationProvider(new IAuthenticationProvider() {
- @Override
- public void authenticateRequest(IHttpRequest request) {
- Log.d(TAG, "Authenticating request," + request.getRequestUrl());
- request.addHeader("Authorization", "Bearer " + accessToken);
- }
- })
- .buildClient();
- graphClient
- .me()
- .drive()
- .buildRequest()
- .get(new ICallback<Drive>() {
@Override
- public void success(final Drive drive) {
- Log.d(TAG, "Found Drive " + drive.id);
- displayGraphResult(drive.getRawObject());
+ public void onDrawerClosed(@NonNull View drawerView) {
+ // Handle navigation view item clicks here.
+ int id = item.getItemId();
+
+ if (id == R.id.nav_single_account) {
+ setCurrentFragment(AppFragment.SingleAccount);
+ }
+
+ if (id == R.id.nav_multiple_account) {
+ setCurrentFragment(AppFragment.MultipleAccount);
+ }
+
+ if (id == R.id.nav_b2c) {
+ setCurrentFragment(AppFragment.B2C);
+ }
+
+ drawer.removeDrawerListener(this);
} @Override
- public void failure(ClientException ex) {
- displayError(ex);
- }
+ public void onDrawerStateChanged(int newState) { }
});
-}
-```
-
-## Add UI
-### Activity
-If you would like to model your UI off this tutorial, the following methods provide a guide to updating text and listening to buttons.
-
-#### updateUI
-Enable/disable buttons based on sign-in state and set text.
-```java
-private void updateUI(@Nullable final IAccount account) {
- if (account != null) {
- signInButton.setEnabled(false);
- signOutButton.setEnabled(true);
- callGraphApiInteractiveButton.setEnabled(true);
- callGraphApiSilentButton.setEnabled(true);
- currentUserTextView.setText(account.getUsername());
- } else {
- signInButton.setEnabled(true);
- signOutButton.setEnabled(false);
- callGraphApiInteractiveButton.setEnabled(false);
- callGraphApiSilentButton.setEnabled(false);
- currentUserTextView.setText("");
- logTextView.setText("");
+
+ drawer.closeDrawer(GravityCompat.START);
+ return true;
+ }
+
+ private void setCurrentFragment(final AppFragment newFragment){
+ if (newFragment == mCurrentFragment) {
+ return;
+ }
+
+ mCurrentFragment = newFragment;
+ setHeaderString(mCurrentFragment);
+ displayFragment(mCurrentFragment);
+ }
+
+ private void setHeaderString(final AppFragment fragment){
+ switch (fragment) {
+ case SingleAccount:
+ getSupportActionBar().setTitle("Single Account Mode");
+ return;
+
+ case MultipleAccount:
+ getSupportActionBar().setTitle("Multiple Account Mode");
+ return;
+
+ case B2C:
+ getSupportActionBar().setTitle("B2C Mode");
+ return;
+ }
+ }
+
+ private void displayFragment(final AppFragment fragment){
+ switch (fragment) {
+ case SingleAccount:
+ attachFragment(new com.azuresamples.msalandroidapp.SingleAccountModeFragment());
+ return;
+
+ case MultipleAccount:
+ attachFragment(new MultipleAccountModeFragment());
+ return;
+
+ case B2C:
+ attachFragment(new B2CModeFragment());
+ return;
+ }
+ }
+
+ private void attachFragment(final Fragment fragment) {
+ getSupportFragmentManager()
+ .beginTransaction()
+ .setTransitionStyle(FragmentTransaction.TRANSIT_FRAGMENT_FADE)
+ .replace(mContentMain.getId(),fragment)
+ .commit();
+ }
}
-}
-```
-#### displayError
-```java
-private void displayError(@NonNull final Exception exception) {
- logTextView.setText(exception.toString());
- }
-```
-
-#### displayGraphResult
-
-```java
-private void displayGraphResult(@NonNull final JsonObject graphResponse) {
- logTextView.setText(graphResponse.toString());
- }
-```
-#### performOperationOnSignOut
-Method to update text in UI to reflect sign out.
-
-```java
-private void performOperationOnSignOut() {
- final String signOutText = "Signed Out.";
- currentUserTextView.setText("");
- Toast.makeText(getApplicationContext(), signOutText, Toast.LENGTH_SHORT)
- .show();
-}
-```
+
+ ```
+
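Review bot: `displayFragment` instantiates `MultipleAccountModeFragment` and `B2CModeFragment`, and `onNavigationItemSelected` references `R.id.nav_multiple_account` and `R.id.nav_b2c`, but the tutorial creates only the three files listed under "Create and update required fragment", so a project built as described will not compile; either add those fragments and menu items or reduce the `AppFragment` enum and both `switch` statements to `SingleAccount`. The stray `++` line between the `FragmentTransaction` and `NavigationView` imports is a diff artifact that will render as a literal `+` in the page. Also `attachFragment(new com.azuresamples.msalandroidapp.SingleAccountModeFragment())` hardcodes the very package name the `[!NOTE]` below tells readers to change; `new SingleAccountModeFragment()` is sufficient since both classes share a package.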
+> [!NOTE]
+> Ensure that you update the package name to match your Android project package name.
+ ### Layout
-Sample `activity_main.xml` file to display buttons and text boxes.
-
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
- xmlns:tools="http://schemas.android.com/tools"
- android:id="@+id/activity_main"
- android:layout_width="match_parent"
- android:layout_height="match_parent"
- android:background="#FFFFFF"
- android:orientation="vertical"
- tools:context=".MainActivity">
-
- <LinearLayout
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:orientation="horizontal"
- android:paddingTop="5dp"
- android:paddingBottom="5dp"
- android:weightSum="10">
-
- <Button
- android:id="@+id/signIn"
- android:layout_width="0dp"
- android:layout_height="wrap_content"
- android:layout_weight="5"
- android:gravity="center"
- android:text="Sign In"/>
-
- <Button
- android:id="@+id/clearCache"
- android:layout_width="0dp"
- android:layout_height="wrap_content"
- android:layout_weight="5"
- android:gravity="center"
- android:text="Sign Out"
- android:enabled="false"/>
-
- </LinearLayout>
- <LinearLayout
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:gravity="center"
- android:orientation="horizontal">
-
- <Button
- android:id="@+id/callGraphInteractive"
- android:layout_width="0dp"
- android:layout_height="wrap_content"
- android:layout_weight="5"
- android:text="Get Graph Data Interactively"
- android:enabled="false"/>
-
- <Button
- android:id="@+id/callGraphSilent"
- android:layout_width="0dp"
- android:layout_height="wrap_content"
- android:layout_weight="5"
- android:text="Get Graph Data Silently"
- android:enabled="false"/>
- </LinearLayout>
-
- <TextView
- android:text="Getting Graph Data..."
- android:textColor="#3f3f3f"
- android:layout_width="match_parent"
- android:layout_height="wrap_content"
- android:layout_marginLeft="5dp"
- android:id="@+id/graphData"
- android:visibility="invisible"/>
-
- <TextView
- android:id="@+id/current_user"
- android:layout_width="match_parent"
- android:layout_height="0dp"
- android:layout_marginTop="20dp"
- android:layout_weight="0.8"
- android:text="Account info goes here..." />
-
- <TextView
- android:id="@+id/txt_log"
- android:layout_width="match_parent"
- android:layout_height="0dp"
- android:layout_marginTop="20dp"
- android:layout_weight="0.8"
- android:text="Output goes here..." />
-</LinearLayout>
-```
+If you would like to model your UI off this tutorial, the following is a sample **activity_main.xml**.
+
+1. In **app** > **src** > **main**> **res** > **layout** > **activity_main.xml**. Replace the content of **activity_main.xml** with the following code snippet to display buttons and text boxes:
+
+ ```xml
+ <?xml version="1.0" encoding="utf-8"?>
+ <LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+ xmlns:tools="http://schemas.android.com/tools"
+ android:id="@+id/activity_main"
+ android:layout_width="match_parent"
+ android:layout_height="match_parent"
+ android:background="#FFFFFF"
+ android:orientation="vertical"
+ tools:context=".MainActivity">
+
+ <LinearLayout
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:orientation="horizontal"
+ android:paddingTop="5dp"
+ android:paddingBottom="5dp"
+ android:weightSum="10">
+
+ <Button
+ android:id="@+id/signIn"
+ android:layout_width="0dp"
+ android:layout_height="wrap_content"
+ android:layout_weight="5"
+ android:gravity="center"
+ android:text="Sign In"/>
+
+ <Button
+ android:id="@+id/clearCache"
+ android:layout_width="0dp"
+ android:layout_height="wrap_content"
+ android:layout_weight="5"
+ android:gravity="center"
+ android:text="Sign Out"
+ android:enabled="false"/>
+
+ </LinearLayout>
+ <LinearLayout
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:gravity="center"
+ android:orientation="horizontal">
+
+ <Button
+ android:id="@+id/callGraphInteractive"
+ android:layout_width="0dp"
+ android:layout_height="wrap_content"
+ android:layout_weight="5"
+ android:text="Get Graph Data Interactively"
+ android:enabled="false"/>
+
+ <Button
+ android:id="@+id/callGraphSilent"
+ android:layout_width="0dp"
+ android:layout_height="wrap_content"
+ android:layout_weight="5"
+ android:text="Get Graph Data Silently"
+ android:enabled="false"/>
+ </LinearLayout>
+
+ <TextView
+ android:text="Getting Graph Data..."
+ android:textColor="#3f3f3f"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_marginLeft="5dp"
+ android:id="@+id/graphData"
+ android:visibility="invisible"/>
+
+ <TextView
+ android:id="@+id/current_user"
+ android:layout_width="match_parent"
+ android:layout_height="0dp"
+ android:layout_marginTop="20dp"
+ android:layout_weight="0.8"
+ android:text="Account info goes here..." />
+
+ <TextView
+ android:id="@+id/txt_log"
+ android:layout_width="match_parent"
+ android:layout_height="0dp"
+ android:layout_marginTop="20dp"
+ android:layout_weight="0.8"
+ android:text="Output goes here..." />
+ </LinearLayout>
+ ```
## Test your app
Sample `activity_main.xml` file to display buttons and text boxes.
Build and deploy the app to a test device or emulator. You should be able to sign in and get tokens for Azure AD or personal Microsoft accounts. After you sign in, the app will display the data returned from the Microsoft Graph `/me` endpoint.
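Review bot: the context line `Sample \`activity_main.xml\` file to display buttons and text boxes.` that sits directly under `## Test your app` is left untouched by this change, but with the Layout intro rewritten above it is now an orphaned description of the layout file in the wrong section; delete it in this PR. In the same region, the new step `In **app** > **src** > **main**> **res** > **layout** > **activity_main.xml**. Replace the content of **activity_main.xml** with the following code snippet` is missing the space after `**main**` and reads as a fragment followed by a second sentence; join them (`In ..., replace the content of ...`) and drop the `1.` since it is the only list item. Also confirm that nothing remaining in the MainActivity snippet still calls the removed `displayError`, `displayGraphResult` or `performOperationOnSignOut` helpers, otherwise the sample no longer compiles, and align the new closing fence and the `### Layout` heading with the left margin (both carry a leading space).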
-PR 4
+ ### Consent
-The first time any user signs into your app, they will be prompted by Microsoft identity to consent to the permissions requested. Some Azure AD tenants have disabled user consent which requires admins to consent on behalf of all users. To support this scenario, you will either need to create your own tenant or receive admin consent.
+The first time any user signs into your app, they'll be prompted by Microsoft identity to consent to the permissions requested. Some Azure AD tenants have disabled user consent, which requires admins to consent on behalf of all users. To support this scenario, you'll either need to create your own tenant or receive admin consent.
## Clean up resources
-When no longer needed, delete the app object that you created in the [Register your application](#register-your-application) step.
+When no longer needed, delete the app object that you created in the [Register your application](#register-your-application-with-azure-ad) step.
[!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)] ## Next steps
-Learn more about building mobile apps that call protected web APIs in our multi-part scenario series.
+To explore more complex scenarios, see a completed [working code sample](https://github.com/Azure-Samples/ms-identity-android-java/) on GitHub.
+
+For more information about building mobile apps that call protected web APIs in our multi-part scenario series, see:
-> [!div class="nextstepaction"]
-> [Scenario: Mobile application that calls web APIs](scenario-mobile-overview.md)
+- [Scenario: Mobile application that calls web APIs](scenario-mobile-overview.md)
+- [Code sample for complex scenarios](https://github.com/Azure-Samples/ms-identity-android-java/)
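Review bot: the Next steps section now links the same GitHub sample twice, once in `To explore more complex scenarios, see a completed [working code sample](https://github.com/Azure-Samples/ms-identity-android-java/) on GitHub.` and again as the bullet `[Code sample for complex scenarios](https://github.com/Azure-Samples/ms-identity-android-java/)`; keep one. The lead-in `For more information about building mobile apps that call protected web APIs in our multi-part scenario series, see:` also introduces a list whose second item is that code sample rather than part of the scenario series, so either move the sample link out of the list or reword the lead-in. Two checks: the Clean up resources link now targets `#register-your-application-with-azure-ad`, so verify a heading with exactly that text exists earlier in the article, and remove the leading space on `### Consent` so it is formatted like the other H3 headings.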
active-directory Tutorial V2 Asp Webapp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-asp-webapp.md
- Title: "Tutorial: Create an ASP.NET web app that uses the Microsoft identity platform for authentication"
-description: In this tutorial, you build an ASP.NET web application that uses the Microsoft identity platform and OWIN middleware to enable user login.
-------- Previously updated : 07/20/2022-----
-# Tutorial: Add sign-in to Microsoft to an ASP.NET web app
-
-In this tutorial, you build an ASP.NET MVC web app that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
-
-When you've completed this guide, your application will be able to accept sign-ins of personal accounts from the likes of outlook.com and live.com. Additionally, work and school accounts from any company or organization that's integrated with the Microsoft identity platform will be able to sign in to your app.
-
-In this tutorial:
-
-> [!div class="checklist"]
->
-> - Create an _ASP.NET Web Application_ project in Visual Studio
-> - Add the Open Web Interface for .NET (OWIN) middleware components
-> - Add code to support user sign-in and sign-out
-> - Register the app in the Azure portal
-> - Test the app
-
-## Prerequisites
--- [Visual Studio 2019](https://visualstudio.microsoft.com/vs/) with the **ASP.NET and web development** workload installed-
-## How the sample app generated by this guide works
-
-![Shows how the sample app generated by this tutorial works](media/active-directory-develop-guidedsetup-aspnetwebapp-intro/aspnetbrowsergeneral.svg)
-
-The sample application you create is based on a scenario where you use the browser to access an ASP.NET website that prompts a user to authenticate through a sign-in button. In this scenario, most of the work to render the web page occurs on the server side.
-
-## Libraries
-
-This guide uses the following libraries:
-
-| Library | Description |
-| -- | -- |
-| [Microsoft.Owin.Security.OpenIdConnect](https://www.nuget.org/packages/Microsoft.Owin.Security.OpenIdConnect/) | Middleware that enables an application to use OpenIdConnect for authentication |
-| [Microsoft.Owin.Security.Cookies](https://www.nuget.org/packages/Microsoft.Owin.Security.Cookies) | Middleware that enables an application to maintain a user session by using cookies |
-| [Microsoft.Owin.Host.SystemWeb](https://www.nuget.org/packages/Microsoft.Owin.Host.SystemWeb) | Middleware that enables OWIN-based applications to run on Internet Information Services (IIS) by using the ASP.NET request pipeline |
-
-## Set up your project
-
-This section describes how to install and configure the authentication pipeline through OWIN middleware on an ASP.NET project by using OpenID Connect.
-
-> Prefer to download this sample's Visual Studio project instead? [Download a project](https://github.com/AzureADQuickStarts/AppModelv2-WebApp-OpenIDConnect-DotNet/archive/master.zip) and skip to the [Register your application](#register-your-application) to configure the code sample before executing.
-
-### Create your ASP.NET project
-
-1. In Visual Studio: Go to **File** > **New** > **Project**.
-2. Under **Visual C#\Web**, select **ASP.NET Web Application (.NET Framework)**.
-3. Name your application and select **OK**.
-4. Select **Empty**, and then select the check box to add **MVC** references.
-
-## Add authentication components
-
-1. In Visual Studio: Go to **Tools** > **NuGet Package Manager** > **Package Manager Console**.
-2. Add _OWIN middleware NuGet packages_ by typing the following in the Package Manager Console window:
-
- ```powershell
- Install-Package Microsoft.Owin.Security.OpenIdConnect
- Install-Package Microsoft.Owin.Security.Cookies
- Install-Package Microsoft.Owin.Host.SystemWeb
- ```
-
-### About these libraries
-
-These libraries enable single sign-on (SSO) by using OpenID Connect through cookie-based authentication. After authentication is completed and the token representing the user is sent to your application, OWIN middleware creates a session cookie. The browser then uses this cookie on subsequent requests so that the user doesn't have to retype the password, and no other verification is needed.
-
-## Configure the authentication pipeline
-
-The following steps are used to create an OWIN middleware Startup class to configure OpenID Connect authentication. This class is executed automatically when your IIS process starts.
-
-> [!TIP]
-> If your project doesn't have a `Startup.cs` file in the root folder:
->
-> 1. Right-click the project's root folder, and then select **Add** > **New Item** > **OWIN Startup class**.<br/>
-> 2. Name it **Startup.cs**.
->
-> > Make sure the class selected is an OWIN Startup class and not a standard C# class. Confirm this by verifying that you see [assembly: OwinStartup(typeof({NameSpace}.Startup))] above the namespace.
-
-1. Add _OWIN_ and _Microsoft.IdentityModel_ references to Startup.cs:
-
- ```csharp
- using Microsoft.Owin;
- using Owin;
- using Microsoft.IdentityModel.Protocols.OpenIdConnect;
- using Microsoft.IdentityModel.Tokens;
- using Microsoft.Owin.Security;
- using Microsoft.Owin.Security.Cookies;
- using Microsoft.Owin.Security.OpenIdConnect;
- using Microsoft.Owin.Security.Notifications;
- ```
-
-2. Replace Startup class with the following code:
-
- ```csharp
- public class Startup
- {
- // The Client ID is used by the application to uniquely identify itself to Microsoft identity platform.
- string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];
-
- // RedirectUri is the URL where the user will be redirected to after they sign in.
- string redirectUri = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
-
- // Tenant is the tenant ID (e.g. contoso.onmicrosoft.com, or 'common' for multi-tenant)
- static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
-
- // Authority is the URL for authority, composed of the Microsoft identity platform and the tenant name (e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0)
- string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant);
-
- /// <summary>
- /// Configure OWIN to use OpenIdConnect
- /// </summary>
- /// <param name="app"></param>
- public void Configuration(IAppBuilder app)
- {
- app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
-
- app.UseCookieAuthentication(new CookieAuthenticationOptions());
- app.UseOpenIdConnectAuthentication(
- new OpenIdConnectAuthenticationOptions
- {
- // Sets the ClientId, authority, RedirectUri as obtained from web.config
- ClientId = clientId,
- Authority = authority,
- RedirectUri = redirectUri,
- // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
- PostLogoutRedirectUri = redirectUri,
- Scope = OpenIdConnectScope.OpenIdProfile,
- // ResponseType is set to request the code id_token - which contains basic information about the signed-in user
- ResponseType = OpenIdConnectResponseType.CodeIdToken,
- // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
- // To only allow users from a single organizations, set ValidateIssuer to true and 'tenant' setting in web.config to the tenant name
- // To allow users from only a list of specific organizations, set ValidateIssuer to true and use ValidIssuers parameter
- TokenValidationParameters = new TokenValidationParameters()
- {
- ValidateIssuer = false // This is a simplification
- },
- // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
- Notifications = new OpenIdConnectAuthenticationNotifications
- {
- AuthenticationFailed = OnAuthenticationFailed
- }
- }
- );
- }
-
- /// <summary>
- /// Handle failed authentication requests by redirecting the user to the home page with an error in the query string
- /// </summary>
- /// <param name="context"></param>
- /// <returns></returns>
- private Task OnAuthenticationFailed(AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
- {
- context.HandleResponse();
- context.Response.Redirect("/?errormessage=" + context.Exception.Message);
- return Task.FromResult(0);
- }
- }
- ```
-
-> [!NOTE]
-> Setting `ValidateIssuer = false` is a simplification for this quickstart. In real applications, you must validate the issuer.
-> See the samples to learn how to do that.
-
-### More information
-
-The parameters you provide in _OpenIDConnectAuthenticationOptions_ serve as coordinates for the application to communicate with Microsoft identity platform. Because the OpenID Connect middleware uses cookies in the background, you must also set up cookie authentication as the preceding code shows. The _ValidateIssuer_ value tells OpenIdConnect not to restrict access to one specific organization.
-
-## Add a controller to handle sign-in and sign-out requests
-
-To create a new controller to expose sign-in and sign-out methods, follow these steps:
-
-1. Right-click the **Controllers** folder and select **Add** > **Controller**.
-2. Select **MVC (.NET version) Controller ΓÇô Empty**.
-3. Select **Add**.
-4. Name it **HomeController** and then select **Add**.
-5. Add OWIN references to the class:
-
- ```csharp
- using Microsoft.Owin.Security;
- using Microsoft.Owin.Security.Cookies;
- using Microsoft.Owin.Security.OpenIdConnect;
- ```
-
-6. Add the following two methods to handle sign-in and sign-out to your controller by initiating an authentication challenge:
-
- ```csharp
- /// <summary>
- /// Send an OpenID Connect sign-in request.
- /// Alternatively, you can just decorate the SignIn method with the [Authorize] attribute
- /// </summary>
- public void SignIn()
- {
- if (!Request.IsAuthenticated)
- {
- HttpContext.GetOwinContext().Authentication.Challenge(
- new AuthenticationProperties{ RedirectUri = "/" },
- OpenIdConnectAuthenticationDefaults.AuthenticationType);
- }
- }
-
- /// <summary>
- /// Send an OpenID Connect sign-out request.
- /// </summary>
- public void SignOut()
- {
- HttpContext.GetOwinContext().Authentication.SignOut(
- OpenIdConnectAuthenticationDefaults.AuthenticationType,
- CookieAuthenticationDefaults.AuthenticationType);
- }
- ```
-
-## Create the app's home page for user sign-in
-
-In Visual Studio, create a new view to add the sign-in button and to display user information after authentication:
-
-1. Right-click the **Views\Home** folder and select **Add View**.
-2. Name the new view **Index**.
-3. Add the following HTML, which includes the sign-in button, to the file:
-
- ```html
- <html>
- <head>
- <meta name="viewport" content="width=device-width" />
- <title>Sign in with Microsoft Guide</title>
- </head>
- <body>
- @if (!Request.IsAuthenticated)
- {
- <!-- If the user is not authenticated, display the sign-in button -->
- <a href="@Url.Action("SignIn", "Home")" style="text-decoration: none;">
- <svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" width="300px" height="50px" viewBox="0 0 3278 522" class="SignInButton">
- <style type="text/css">.fil0:hover {fill: #4B4B4B;} .fnt0 {font-size: 260px;font-family: 'Segoe UI Semibold', 'Segoe UI'; text-decoration: none;}</style>
- <rect class="fil0" x="2" y="2" width="3174" height="517" fill="black" />
- <rect x="150" y="129" width="122" height="122" fill="#F35325" />
- <rect x="284" y="129" width="122" height="122" fill="#81BC06" />
- <rect x="150" y="263" width="122" height="122" fill="#05A6F0" />
- <rect x="284" y="263" width="122" height="122" fill="#FFBA08" />
- <text x="470" y="357" fill="white" class="fnt0">Sign in with Microsoft</text>
- </svg>
- </a>
- }
- else
- {
- <span><br/>Hello @System.Security.Claims.ClaimsPrincipal.Current.FindFirst("name").Value;</span>
- <br /><br />
- @Html.ActionLink("See Your Claims", "Index", "Claims")
- <br /><br />
- @Html.ActionLink("Sign out", "SignOut", "Home")
- }
- @if (!string.IsNullOrWhiteSpace(Request.QueryString["errormessage"]))
- {
- <div style="background-color:red;color:white;font-weight: bold;">Error: @Request.QueryString["errormessage"]</div>
- }
- </body>
- </html>
- ```
-
-### More information
-
-This page adds a sign-in button in SVG format with a black background:<br/>![Sign in with Microsoft button](medi "Branding guidelines").
-
-## Add a controller to display user's claims
-
-This controller demonstrates the uses of the `[Authorize]` attribute to protect a controller. This attribute restricts access to the controller by allowing only authenticated users. The following code makes use of the attribute to display user claims that were retrieved as part of sign-in:
-
-1. Right-click the **Controllers** folder, and then select **Add** > **Controller**.
-2. Select **MVC {version} Controller ΓÇô Empty**.
-3. Select **Add**.
-4. Name it **ClaimsController**.
-5. Replace the code of your controller class with the following code. The code adds the `[Authorize]` attribute to the class:
-
- ```csharp
- [Authorize]
- public class ClaimsController : Controller
- {
- /// <summary>
- /// Add user's claims to viewbag
- /// </summary>
- /// <returns></returns>
- public ActionResult Index()
- {
- var userClaims = User.Identity as System.Security.Claims.ClaimsIdentity;
-
- //You get the user's first and last name below:
- ViewBag.Name = userClaims?.FindFirst("name")?.Value;
-
- // The 'preferred_username' claim can be used for showing the username
- ViewBag.Username = userClaims?.FindFirst("preferred_username")?.Value;
-
- // The subject/ NameIdentifier claim can be used to uniquely identify the user across the web
- ViewBag.Subject = userClaims?.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;
-
- // TenantId is the unique Tenant Id - which represents an organization in Azure AD
- ViewBag.TenantId = userClaims?.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
-
- return View();
- }
- }
- ```
-
-### More information
-
-Because of the use of the `[Authorize]` attribute, all methods of this controller can be executed only if the user is authenticated. If the user isn't authenticated and tries to access the controller, OWIN initiates an authentication challenge, and forces the user to authenticate. The preceding code looks at the list of claims for specific user attributes included in the user's ID token. These attributes include the user's full name and username, and the global user identifier subject. It also contains the _Tenant ID_, which represents the ID for the user's organization.
-
-## Create a view to display the user's claims
-
-In Visual Studio, create a new view to display the user's claims in a web page:
-
-1. Right-click the **Views\Claims** folder, and then select **Add View**.
-2. Name the new view **Index**.
-3. Add the following HTML to the file:
-
- ```html
- <html>
- <head>
- <meta name="viewport" content="width=device-width" />
- <title>Sign in with Microsoft Sample</title>
- <link href="@Url.Content("~/Content/bootstrap.min.css")" rel="stylesheet"
- type="text/css" />
- </head>
- <body style="padding:50px">
- <h3>Main Claims:</h3>
- <table class="table table-striped table-bordered table-hover">
- <tr>
- <td>Name</td>
- <td>@ViewBag.Name</td>
- </tr>
- <tr>
- <td>Username</td>
- <td>@ViewBag.Username</td>
- </tr>
- <tr>
- <td>Subject</td>
- <td>@ViewBag.Subject</td>
- </tr>
- <tr>
- <td>TenantId</td>
- <td>@ViewBag.TenantId</td>
- </tr>
- </table>
- <br />
- <h3>All Claims:</h3>
- <table
- class="table table-striped table-bordered table-hover table-condensed"
- >
- @foreach (var claim in
- System.Security.Claims.ClaimsPrincipal.Current.Claims) {
- <tr>
- <td>@claim.Type</td>
- <td>@claim.Value</td>
- </tr>
- }
- </table>
- <br />
- <br />
- @Html.ActionLink("Sign out", "SignOut", "Home", null, new { @class = "btn
- btn-primary" })
- </body>
- </html>
- ```
-
-## Register your application
-
-To register your application and add your application registration information to your solution, you have two options:
-
-### Option 1: Express mode
-
-To quickly register your application, follow these steps:
-
-1. Go to the <a href="https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/AspNetWebAppQuickstartPage/sourceType/docs" target="_blank">Azure portal - App registrations</a> quickstart experience.
-1. Enter a name for your application and select **Register**.
-1. Follow the instructions to download and automatically configure your new application in a single click.
-
-### Option 2: Advanced mode
-
-To register your application and add the app's registration information to your solution manually, follow these steps:
-
-1. Open Visual Studio, and then:
- 1. in Solution Explorer, select the project and view the Properties window (if you don't see a Properties window, press F4).
- 1. Change **SSL Enabled** to `True`.
- 1. Right-click the project in Visual Studio, select **Properties**, and then select the **Web** tab. In the **Servers** section, change the **Project Url** setting to the **SSL URL**.
- 1. Copy the SSL URL. You'll add this URL to the list of Redirect URIs in the Registration portal's list of Redirect URIs in the next step.<br/><br/>![Project properties](media/active-directory-develop-guidedsetup-aspnetwebapp-configure/vsprojectproperties.png)<br />
-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
-1. Search for and select **Azure Active Directory**.
-1. Under **Manage**, select **App registrations** > **New registration**.
-1. Enter a **Name** for your application, for example `ASPNET-Tutorial`. Users of your app might see this name, and you can change it later.
-1. Add the SSL URL you copied from Visual Studio in step 1 (for example, `https://localhost:44368/`) in **Redirect URI**.
-1. Select **Register**.
-1. Under **Manage**, select **Authentication**.
-1. In the **Implicit grant and hybrid flows** section, select **ID tokens**, and then select **Save**.
-1. Add the following code in the web.config file, located in the root folder in the `configuration\appSettings` section:
-
- ```xml
- <add key="ClientId" value="Enter_the_Application_Id_here" />
- <add key="redirectUri" value="Enter_the_Redirect_URL_here" />
- <add key="Tenant" value="common" />
- <add key="Authority" value="https://login.microsoftonline.com/{0}/v2.0" />
- ```
-
-1. Replace `ClientId` with the Application ID you registered.
-1. Replace `redirectUri` with the SSL URL of your project.
-
-## Test your code
-
-To test your application in Visual Studio, press F5 to run your project. The browser opens to the http://<span></span>localhost:{port} location, and you see the **Sign in with Microsoft** button. Select the button to start the sign-in process.
-
-When you're ready to run your test, use an Azure AD account (work, or school account) or a personal Microsoft account (<span>live.</span>com or <span>outlook.</span>com) to sign in.
-
-![Sign in with Microsoft button shown on browser logon page in browser](media/active-directory-develop-guidedsetup-aspnetwebapp-test/aspnetbrowsersignin.png)
-<br/><br/>
-![Sign in to your Microsoft account](media/active-directory-develop-guidedsetup-aspnetwebapp-test/aspnetbrowsersignin2.png)
-
-#### Permissions and consent in the Microsoft identity platform
-
-Applications that integrate with the Microsoft identity platform follow an authorization model that gives users and administrators control over how data can be accessed. After a user authenticates with the Microsoft identity platform to access this application, they'll be prompted to consent to the permissions requested by the application ("View your basic profile", and "Maintain access to data you've given it access to"). The user consent to permissions and continue to application results. However, the user may instead be prompted with a **Need admin consent** page if either of the following occur:
--- The application developer adds any more permissions that require **Admin consent**.-- Or the tenant is configured (in **Enterprise Applications -> User Settings**) where users can't consent to apps accessing company data on their behalf.-
-For more information, see [Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md).
-
-### View application results
-
-After you sign in, the user is redirected to the home page of your website. The home page is the HTTPS URL that's specified in your application registration info in the Microsoft Application Registration Portal. The home page includes a _"Hello \<user>"_ welcome message, a link to sign out, and a link to view the user's claims. The link for the user's claims connects to the Claims controller that you created earlier.
-
-### View the user's claims
-
-To view the user's claims, select the link to browse to the controller view that's available only to authenticated users.
-
-#### View the claims results
-
-After you browse to the controller view, you should see a table that contains the basic properties for the user:
-
-| Property | Value | Description |
-| - | - | -- |
-| **Name** | User's full name | The user's first and last name |
-| **Username** | user<span>@domain.com</span> | The username that's used to identify the user |
-| **Subject** | Subject | A string that uniquely identifies the user across the web |
-| **Tenant ID** | Guid | A **guid** that uniquely represents the user's Azure AD organization |
-
-Additionally, you should see a table of all claims that are in the authentication request. For more information, see the [list of claims that are in an ID token](./id-tokens.md).
-
-### Test access to a method that has an Authorize attribute (optional)
-
-To test access as an anonymous user to a controller that's protected by the `Authorize` attribute, follow these steps:
-
-1. Select the link to sign out the user, and complete the sign-out process.
-2. In your browser, type http://<span></span>localhost:{port}/claims to access your controller that's protected by the `Authorize` attribute.
-
-#### Expected results after access to a protected controller
-
-You're prompted to authenticate to use the protected controller view.
-
-## Advanced options
-
-### Protect your entire website
-
-To protect your entire website, in the **Global.asax** file, add the `AuthorizeAttribute` attribute to the `GlobalFilters` filter in the `Application_Start` method:
-
-```csharp
-GlobalFilters.Filters.Add(new AuthorizeAttribute());
-```
-
-### Restrict who can sign in to your application
-
-By default when you build the application created by this guide, your application will accept sign-ins of personal accounts (including outlook.com, live.com, and others) as well as work and school accounts from any company or organization that's integrated with Microsoft identity platform. This is a recommended option for SaaS applications.
-
-To restrict user sign-in access for your application, multiple options are available.
-
-#### Option 1: Restrict users from only one organization's Active Directory instance to sign in to your application (single-tenant)
-
-This option is frequently used for _LOB applications_: If you want your application to accept sign-ins only from accounts that belong to a specific Azure AD instance (including _guest accounts_ of that instance), follow these steps:
-
-1. In the web.config file, change the value for the `Tenant` parameter from `Common` to the tenant name of the organization, such as `contoso.onmicrosoft.com`.
-2. In your [OWIN Startup class](#configure-the-authentication-pipeline), set the `ValidateIssuer` argument to `true`.
-
-#### Option 2: Restrict access to users in a specific list of organizations
-
-You can restrict sign-in access to only those user accounts that are in an Azure AD organization that's on the list of allowed organizations:
-
-1. In your [OWIN Startup class](#configure-the-authentication-pipeline), set the `ValidateIssuer` argument to `true`.
-2. Set the value of the `ValidIssuers` parameter to the list of allowed organizations.
-
-#### Option 3: Use a custom method to validate issuers
-
-You can implement a custom method to validate issuers by using the **IssuerValidator** parameter. For more information about how to use this parameter, see [TokenValidationParameters](/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters) class.
--
-## Next steps
-
-Learn about calling protected web APIs from web apps with the Microsoft identity platform:
-
-> [!div class="nextstepaction"]
-> [Web apps calling web APIs](scenario-web-app-sign-user-overview.md)
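Review bot: this deletes the whole tutorial-v2-asp-webapp.md article with no redirect entry visible in the diff; add the entry to the repo's redirection file in the same PR so existing links to the page resolve, including the in-text deep links `#register-your-application` and `#configure-the-authentication-pipeline` that other articles may also use. The removed text also carries security guidance that should survive wherever this content moves: the `ValidateIssuer = false // This is a simplification` setting in the Startup class together with its NOTE that real applications must validate the issuer, and the three options under `Restrict who can sign in to your application` (single tenant with `ValidateIssuer = true`, a `ValidIssuers` allow list, or a custom `IssuerValidator`). Check that the replacement article states the same, because an OWIN app that ships with `ValidateIssuer = false` against the `common` authority accepts ID tokens issued for any tenant or personal account.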
active-directory Tutorial V2 React https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-react.md
- Title: "Tutorial: Create a React single-page app that uses auth code flow"
-description: In this tutorial, you create a React SPA that can sign in users and use the auth code flow to obtain an access token from the Microsoft identity platform and call the Microsoft Graph API.
------- Previously updated : 01/24/2023-----
-# Tutorial: Sign in users and call the Microsoft Graph API from a React single-page app (SPA) using auth code flow
-
-In this tutorial, you build a React single-page application (SPA) that signs in users and calls Microsoft Graph by using the authorization code flow with PKCE. The SPA you build uses the Microsoft Authentication Library (MSAL) for React.
-
-In this tutorial:
-> [!div class="checklist"]
-> * Create a React project with `npm`
-> * Register the application in the Azure portal
-> * Add code to support user sign-in and sign-out
-> * Add code to call Microsoft Graph API
-> * Test the app
-
-MSAL React supports the authorization code flow in the browser instead of the implicit grant flow. MSAL React does **NOT** support the implicit flow.
-
-## Prerequisites
-
-* [Node.js](https://nodejs.org/en/download/) for running a local webserver
-* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
-
-## How the tutorial app works
--
-The application you create in this tutorial enables a React SPA to query the Microsoft Graph API by acquiring security tokens from the Microsoft identity platform. It uses the MSAL for React, a wrapper of the MSAL.js v2 library. MSAL React enables React 16+ applications to authenticate enterprise users by using Azure Active Directory (Azure AD), and also users with Microsoft accounts and social identities like Facebook, Google, and LinkedIn. The library also enables applications to get access to Microsoft cloud services and Microsoft Graph.
-
-In this scenario, after a user signs in, an access token is requested and added to HTTP requests in the authorization header. Token acquisition and renewal are handled by the MSAL for React (MSAL React).
-
-### Libraries
-
-This tutorial uses the following libraries:
-
-|Library|Description|
-|||
-|[MSAL React](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react)|Microsoft Authentication Library for JavaScript React Wrapper|
-|[MSAL Browser](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser)|Microsoft Authentication Library for JavaScript v2 browser package|
-
-## Get the completed code sample
-
-Prefer to download this tutorial's completed sample project instead? To run the project by using a local web server, such as Node.js, clone the [ms-identity-javascript-react-spa](https://github.com/Azure-Samples/ms-identity-javascript-react-spa) repository:
-
-`git clone https://github.com/Azure-Samples/ms-identity-javascript-react-spa`
-
-Then, to configure the code sample before you execute it, skip to the [configuration step](#register-your-application).
-
-To continue with the tutorial and build the application yourself, move on to the next section, [Create your project](#create-your-project).
-
-## Create your project
-
-Once you have [Node.js](https://nodejs.org/en/download/) installed, open up a terminal window and then run the following commands:
-
-```console
-npx create-react-app msal-react-tutorial # Create a new React app
-cd msal-react-tutorial # Change to the app directory
-npm install @azure/msal-browser @azure/msal-react @azure/msal-common # Install the MSAL packages
-npm install react-bootstrap bootstrap # Install Bootstrap for styling
-```
-
-You've now bootstrapped a small React project using [Create React App](https://create-react-app.dev/docs/getting-started). This will be the starting point the rest of this tutorial will build on. If you'd like to see the changes to your app as you're working through this tutorial you can run the following command:
-
-```console
-npm start
-```
-
-A browser window should be opened to your app automatically. If it doesn't, open your browser and navigate to http://localhost:3000. Each time you save a file with updated code the page will reload to reflect the changes.
-
-## Register your application
-
-Follow the steps in [Single-page application: App registration](./scenario-spa-app-registration.md) to create an app registration for your SPA by using the Azure portal.
-
-In the [Redirect URI: MSAL.js 2.0 with auth code flow](scenario-spa-app-registration.md#redirect-uri-msaljs-20-with-auth-code-flow) step, enter `http://localhost:3000`, the default location where create-react-app will serve your application.
-
-### Configure your JavaScript SPA
-
-1. Create a file named *authConfig.js* in the *src* folder to contain your configuration parameters for authentication, and then add the following code:
-
- ```javascript
- export const msalConfig = {
- auth: {
- clientId: "Enter_the_Application_Id_Here",
- authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here", // This is a URL (e.g. https://login.microsoftonline.com/{your tenant ID})
- redirectUri: "Enter_the_Redirect_Uri_Here",
- },
- cache: {
- cacheLocation: "sessionStorage", // This configures where your cache will be stored
- storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge
- }
- };
-
- // Add scopes here for ID token to be used at Microsoft identity platform endpoints.
- export const loginRequest = {
- scopes: ["User.Read"]
- };
-
- // Add the endpoints here for Microsoft Graph API services you'd like to use.
- export const graphConfig = {
- graphMeEndpoint: "Enter_the_Graph_Endpoint_Here/v1.0/me"
- };
- ```
-
-1. Modify the values in the `msalConfig` section as described here:
-
- |Value name| About|
- |-||
- |`Enter_the_Application_Id_Here`| The **Application (client) ID** of the application you registered.|
- |`Enter_the_Cloud_Instance_Id_Here`| The Azure cloud instance in which your application is registered. For the main (or *global*) Azure cloud, enter `https://login.microsoftonline.com`. For **national** clouds (for example, China), you can find appropriate values in [National clouds](authentication-national-cloud.md).
- |`Enter_the_Tenant_Info_Here`| Set to one of the following options: If your application supports *accounts in this organizational directory*, replace this value with the directory (tenant) ID or tenant name (for example, **contoso.microsoft.com**). If your application supports *accounts in any organizational directory*, replace this value with **organizations**. If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with **common**. To restrict support to *personal Microsoft accounts only*, replace this value with **consumers**. |
- |`Enter_the_Redirect_Uri_Here`|Replace with **http://localhost:3000**.|
- |`Enter_the_Graph_Endpoint_Here`| The instance of the Microsoft Graph API the application should communicate with. For the **global** Microsoft Graph API endpoint, replace both instances of this string with `https://graph.microsoft.com`. For endpoints in **national** cloud deployments, see [National cloud deployments](/graph/deployments) in the Microsoft Graph documentation.|
-
- For more information about available configurable options, see [Initialize client applications](msal-js-initializing-client-applications.md).
-
-1. Open up the *src/index.js* file and add the following imports:
-
- ```javascript
- import "bootstrap/dist/css/bootstrap.min.css";
- import { PublicClientApplication } from "@azure/msal-browser";
- import { MsalProvider } from "@azure/msal-react";
- import { msalConfig } from "./authConfig";
- ```
-
-2. Underneath the imports in *src/index.js* create a `PublicClientApplication` instance using the configuration from step 1.
-
- ```javascript
- const msalInstance = new PublicClientApplication(msalConfig);
- ```
-
-3. Find the `<App />` component in *src/index.js* and wrap it in the `MsalProvider` component. Your render function should look like this:
-
- ```jsx
- root.render(
- <React.StrictMode>
- <MsalProvider instance={msalInstance}>
- <App />
- </MsalProvider>
- </React.StrictMode>
- );
- ```
-
-## Sign in users
-
-Create a folder in *src* called *components* and create a file inside this folder named *SignInButton.jsx*. Add the code from either of the following sections to invoke login using a pop-up window or a full-frame redirect:
-
-### Sign in using pop-ups
-
-Add the following code to *src/components/SignInButton.jsx* to create a button component that will invoke a pop-up login when selected:
-
-```jsx
-import React from "react";
-import { useMsal } from "@azure/msal-react";
-import { loginRequest } from "../authConfig";
-import Button from "react-bootstrap/Button";
--
-/**
- * Renders a button which, when selected, will open a popup for login
- */
-export const SignInButton = () => {
- const { instance } = useMsal();
-
- const handleLogin = (loginType) => {
- if (loginType === "popup") {
- instance.loginPopup(loginRequest).catch(e => {
- console.log(e);
- });
- }
- }
- return (
- <Button variant="secondary" className="ml-auto" onClick={() => handleLogin("popup")}>Sign in using Popup</Button>
- );
-}
-```
-
-### Sign in using redirects
-
-Add the following code to *src/components/SignInButton.jsx* to create a button component that will invoke a redirect login when selected:
-
-```jsx
-import React from "react";
-import { useMsal } from "@azure/msal-react";
-import { loginRequest } from "../authConfig";
-import Button from "react-bootstrap/Button";
--
-/**
- * Renders a button which, when selected, will redirect the page to the login prompt
- */
-export const SignInButton = () => {
- const { instance } = useMsal();
-
- const handleLogin = (loginType) => {
- if (loginType === "redirect") {
- instance.loginRedirect(loginRequest).catch(e => {
- console.log(e);
- });
- }
- }
- return (
- <Button variant="secondary" className="ml-auto" onClick={() => handleLogin("redirect")}>Sign in using Redirect</Button>
- );
-}
-```
-
-### Add the sign-in button
-
-1. Create another file in the *components* folder named *PageLayout.jsx* and add the following code to create a navbar component that will contain the sign-in button you just created:
-
- ```jsx
- import React from "react";
- import Navbar from "react-bootstrap/Navbar";
- import { useIsAuthenticated } from "@azure/msal-react";
- import { SignInButton } from "./SignInButton";
-
- /**
- * Renders the navbar component with a sign-in button if a user is not authenticated
- */
- export const PageLayout = (props) => {
- const isAuthenticated = useIsAuthenticated();
-
- return (
- <>
- <Navbar bg="primary" variant="dark">
- <a className="navbar-brand" href="/">MSAL React Tutorial</a>
- { isAuthenticated ? <span>Signed In</span> : <SignInButton /> }
- </Navbar>
- <h5><center>Welcome to the Microsoft Authentication Library For React Tutorial</center></h5>
- <br />
- <br />
- {props.children}
- </>
- );
- };
- ```
-
-1. Now open *src/App.js* and add replace the existing content with the following code:
-
- ```jsx
- import React from "react";
- import { PageLayout } from "./components/PageLayout";
-
- function App() {
- return (
- <PageLayout>
- <p>This is the main app content!</p>
- </PageLayout>
- );
- }
-
- export default App;
- ```
-
-Your app now has a sign-in button, which is only displayed for unauthenticated users!
-
-When a user selects the **Sign in using Popup** or **Sign in using Redirect** button for the first time, the `onClick` handler calls `loginPopup` (or `loginRedirect`) to sign in the user. The `loginPopup` method opens a pop-up window with the *Microsoft identity platform endpoint* to prompt and validate the user's credentials. After a successful sign-in, *msal.js* initiates the [authorization code flow](v2-oauth2-auth-code-flow.md).
-
-At this point, a PKCE-protected authorization code is sent to the CORS-protected token endpoint and is exchanged for tokens. An ID token, access token, and refresh token are received by your application and processed by *msal.js*, and the information contained in the tokens is cached.
-
-## Sign users out
-
-In *src/components* create a file named *SignOutButton.jsx*. Add the code from either of the following sections to invoke logout using a pop-up window or a full-frame redirect:
-
-### Sign out using pop-ups
-
-Add the following code to *src/components/SignOutButton.jsx* to create a button component that will invoke a pop-up logout when selected:
-
-```jsx
-import React from "react";
-import { useMsal } from "@azure/msal-react";
-import Button from "react-bootstrap/Button";
-
-/**
- * Renders a button which, when selected, will open a popup for logout
- */
-export const SignOutButton = () => {
- const { instance } = useMsal();
-
- const handleLogout = (logoutType) => {
- if (logoutType === "popup") {
- instance.logoutPopup({
- postLogoutRedirectUri: "/",
- mainWindowRedirectUri: "/" // redirects the top level app after logout
- });
- }
- }
-
- return (
- <Button variant="secondary" className="ml-auto" onClick={() => handleLogout("popup")}>Sign out using Popup</Button>
- );
-}
-```
-
-### Sign out using redirects
-
-Add the following code to *src/components/SignOutButton.jsx* to create a button component that will invoke a redirect logout when selected:
-
-```jsx
-import React from "react";
-import { useMsal } from "@azure/msal-react";
-import Button from "react-bootstrap/Button";
-
-/**
- * Renders a button which, when selected, will redirect the page to the logout prompt
- */
-export const SignOutButton = () => {
- const { instance } = useMsal();
-
- const handleLogout = (logoutType) => {
- if (logoutType === "redirect") {
- instance.logoutRedirect({
- postLogoutRedirectUri: "/",
- });
- }
- }
-
- return (
- <Button variant="secondary" className="ml-auto" onClick={() => handleLogout("redirect")}>Sign out using Redirect</Button>
- );
-}
-```
-
-### Add the sign-out button
-
-Update your `PageLayout` component in *src/components/PageLayout.jsx* to render the new `SignOutButton` component for authenticated users. Your code should look like this:
-
-```jsx
-import React from "react";
-import Navbar from "react-bootstrap/Navbar";
-import { useIsAuthenticated } from "@azure/msal-react";
-import { SignInButton } from "./SignInButton";
-import { SignOutButton } from "./SignOutButton";
-
-/**
- * Renders the navbar component with a sign-in button if a user is not authenticated
- */
-export const PageLayout = (props) => {
- const isAuthenticated = useIsAuthenticated();
-
- return (
- <>
- <Navbar bg="primary" variant="dark">
- <a className="navbar-brand" href="/">MSAL React Tutorial</a>
- { isAuthenticated ? <SignOutButton /> : <SignInButton /> }
- </Navbar>
- <h5><center>Welcome to the Microsoft Authentication Library For React Tutorial</center></h5>
- <br />
- <br />
- {props.children}
- </>
- );
-};
-```
-
-## Conditionally render components
-
-In order to render certain components only for authenticated or unauthenticated users use the `AuthenticateTemplate` and/or `UnauthenticatedTemplate` as demonstrated below.
-
-1. Add the following import to *src/App.js*:
-
- ```javascript
- import { AuthenticatedTemplate, UnauthenticatedTemplate } from "@azure/msal-react";
- ```
-
-1. In order to render certain components only for authenticated users update your `App` function in *src/App.js* with the following code:
-
- ```jsx
- function App() {
- return (
- <PageLayout>
- <AuthenticatedTemplate>
- <p>You are signed in!</p>
- </AuthenticatedTemplate>
- </PageLayout>
- );
- }
- ```
-
-1. To render certain components only for unauthenticated users, such as a suggestion to login, update your `App` function in *src/App.js* with the following code:
-
- ```jsx
- function App() {
- return (
- <PageLayout>
- <AuthenticatedTemplate>
- <p>You are signed in!</p>
- </AuthenticatedTemplate>
- <UnauthenticatedTemplate>
- <p>You are not signed in! Please sign in.</p>
- </UnauthenticatedTemplate>
- </PageLayout>
- );
- }
- ```
-
-## Acquire a token
-
-1. Before calling an API, such as Microsoft Graph, you'll need to acquire an access token. Add a new component to *src/App.js* called `ProfileContent` with the following code:
-
- ```jsx
- function ProfileContent() {
- const { instance, accounts, inProgress } = useMsal();
- const [accessToken, setAccessToken] = useState(null);
-
- const name = accounts[0] && accounts[0].name;
-
- function RequestAccessToken() {
- const request = {
- ...loginRequest,
- account: accounts[0]
- };
-
- // Silently acquires an access token which is then attached to a request for Microsoft Graph data
- instance.acquireTokenSilent(request).then((response) => {
- setAccessToken(response.accessToken);
- }).catch((e) => {
- instance.acquireTokenPopup(request).then((response) => {
- setAccessToken(response.accessToken);
- });
- });
- }
-
- return (
- <>
- <h5 className="card-title">Welcome {name}</h5>
- {accessToken ?
- <p>Access Token Acquired!</p>
- :
- <Button variant="secondary" onClick={RequestAccessToken}>Request Access Token</Button>
- }
- </>
- );
- };
- ```
-
-1. Update your imports in *src/App.js* to match the following snippet:
-
- ```js
- import React, { useState } from "react";
- import { PageLayout } from "./components/PageLayout";
- import { AuthenticatedTemplate, UnauthenticatedTemplate, useMsal } from "@azure/msal-react";
- import { loginRequest } from "./authConfig";
- import Button from "react-bootstrap/Button";
- ```
-
-1. Finally, add your new `ProfileContent` component as a child of the `AuthenticatedTemplate` in your `App` component in *src/App.js*. Your `App` component should look like this:
-
- ```jsx
- function App() {
- return (
- <PageLayout>
- <AuthenticatedTemplate>
- <ProfileContent />
- </AuthenticatedTemplate>
- <UnauthenticatedTemplate>
- <p>You are not signed in! Please sign in.</p>
- </UnauthenticatedTemplate>
- </PageLayout>
- );
- }
- ```
-
-The code above will render a button for signed in users, allowing them to request an access token for Microsoft Graph when the button is selected.
-
-After a user signs in, your app shouldn't ask users to reauthenticate every time they need to access a protected resource (that is, to request a token). To prevent such reauthentication requests, call `acquireTokenSilent` which will first look for a cached, unexpired access token then, if needed, use the refresh token to obtain a new access token. There are some situations, however, where you might need to force users to interact with the Microsoft identity platform. For example:
--- Users need to re-enter their credentials because the session has expired.-- The refresh token has expired.-- Your application is requesting access to a resource and you need the user's consent.-- Two-factor authentication is required.-
-Calling `acquireTokenPopup` opens a pop-up window (or `acquireTokenRedirect` redirects users to the Microsoft identity platform). In that window, users need to interact by confirming their credentials, giving consent to the required resource, or completing the two-factor authentication.
-
-If you're using Internet Explorer, we recommend that you use the `loginRedirect` and `acquireTokenRedirect` methods due to a [known issue](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/internet-explorer.md#popups) with Internet Explorer and pop-up windows.
-
-## Call the Microsoft Graph API
-
-1. Create file named *graph.js* in the *src* folder and add the following code for making REST calls to the Microsoft Graph API:
-
- ```javascript
- import { graphConfig } from "./authConfig";
-
- /**
- * Attaches a given access token to a Microsoft Graph API call. Returns information about the user
- */
- export async function callMsGraph(accessToken) {
- const headers = new Headers();
- const bearer = `Bearer ${accessToken}`;
-
- headers.append("Authorization", bearer);
-
- const options = {
- method: "GET",
- headers: headers
- };
-
- return fetch(graphConfig.graphMeEndpoint, options)
- .then(response => response.json())
- .catch(error => console.log(error));
- }
- ```
-
-1. Next create a file named *ProfileData.jsx* in *src/components* and add the following code:
-
- ```javascript
- import React from "react";
-
- /**
- * Renders information about the user obtained from Microsoft Graph
- */
- export const ProfileData = (props) => {
- return (
- <div id="profile-div">
- <p><strong>First Name: </strong> {props.graphData.givenName}</p>
- <p><strong>Last Name: </strong> {props.graphData.surname}</p>
- <p><strong>Email: </strong> {props.graphData.userPrincipalName}</p>
- <p><strong>Id: </strong> {props.graphData.id}</p>
- </div>
- );
- };
- ```
-
-1. Next, open *src/App.js* and add the following imports:
-
- ```javascript
- import { ProfileData } from "./components/ProfileData";
- import { callMsGraph } from "./graph";
- ```
-
-1. Finally, update your `ProfileContent` component in *src/App.js* to call Microsoft Graph and display the profile data after acquiring the token. Your `ProfileContent` component should look like this:
-
- ```javascript
- function ProfileContent() {
- const { instance, accounts } = useMsal();
- const [graphData, setGraphData] = useState(null);
-
- const name = accounts[0] && accounts[0].name;
-
- function RequestProfileData() {
- const request = {
- ...loginRequest,
- account: accounts[0]
- };
-
- // Silently acquires an access token which is then attached to a request for Microsoft Graph data
- instance.acquireTokenSilent(request).then((response) => {
- callMsGraph(response.accessToken).then(response => setGraphData(response));
- }).catch((e) => {
- instance.acquireTokenPopup(request).then((response) => {
- callMsGraph(response.accessToken).then(response => setGraphData(response));
- });
- });
- }
-
- return (
- <>
- <h5 className="card-title">Welcome {name}</h5>
- {graphData ?
- <ProfileData graphData={graphData} />
- :
- <Button variant="secondary" onClick={RequestProfileData}>Request Profile Information</Button>
- }
- </>
- );
- };
- ```
-
-In the changes made above, the `callMSGraph()` method is used to make an HTTP `GET` request against a protected resource that requires a token. The request then returns the content to the caller. This method adds the acquired token in the *HTTP Authorization header*. In the sample application created in this tutorial, the protected resource is the Microsoft Graph API *me* endpoint which displays the signed-in user's profile information.
-
-## Test your application
-
-You've completed creation of the application and are now ready to launch the web server and test the app's functionality.
-
-1. Serve your app by running the following command from within the root of your project folder:
-
- ```console
- npm start
- ```
-1. A browser window should be opened to your app automatically. If it doesn't, open your browser and navigate to `http://localhost:3000`. You should see a page that looks like the one below.
-
- :::image type="content" source="media/tutorial-v2-react/react-01-unauthenticated.png" alt-text="Web browser displaying sign-in dialog":::
-
-1. Select the sign-in button to sign in.
-
-### Provide consent for application access
-
-The first time you sign in to your application, you're prompted to grant it access to your profile and sign you in:
--
-If you consent to the requested permissions, the web applications displays your name, signifying a successful login:
--
-### Call the Graph API
-
-After you sign in, select **See Profile** to view the user profile information returned in the response from the call to the Microsoft Graph API:
--
-### More information about scopes and delegated permissions
-
-The Microsoft Graph API requires the *user.read* scope to read a user's profile. By default, this scope is automatically added in every application that's registered in the Azure portal. Other APIs for Microsoft Graph, as well as custom APIs for your back-end server, might require additional scopes. For example, the Microsoft Graph API requires the *Mail.Read* scope in order to list the user's email.
-
-As you add scopes, your users might be prompted to provide additional consent for the added scopes.
--
-## Next steps
-
-If you'd like to dive deeper into JavaScript single-page application development on the Microsoft identity platform, see our multi-part scenario series:
-
-> [!div class="nextstepaction"]
-> [Scenario: Single-page application](scenario-spa-overview.md)
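Review bot: the removed `callMsGraph` in *src/graph.js* calls `response.json()` without checking `response.ok`, and its `.catch(error => console.log(error))` turns any failure into an `undefined` result, so a 401/403 error body would be handed to `ProfileData` as if it were profile data; if this tutorial is being relocated rather than retired, fix that in the new location (test `response.ok` before parsing and rethrow) and give the `instance.acquireTokenPopup(request).then(...)` fallback in `ProfileContent` its own `.catch`, which the deleted version lacks. The hunk also drops the statement that MSAL React does not support the implicit flow and the explanation of when `acquireTokenSilent` falls back to interaction; both should survive wherever the content lands.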
active-directory Tutorial V2 Shared Device Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-shared-device-mode.md
Refer to the [configuration documentation](./msal-configuration.md) for more inf
Set `"shared_device_mode_supported"` to `true` in your MSAL configuration file.
-You may not be planning to support multiple-account mode. That could be if you're not using a shared device, and the user can sign into the app with more than one account at the same time. If so, set `"account_mode"` to `"SINGLE"`. This guarantees that your app will always get `ISingleAccountPublicClientApplication`, and significantly simplifies your MSAL integration. The default value of `"account_mode"` is `"MULTIPLE"`, so it is important to change this value in the config file if you're using `"single account"` mode.
+You may not be planning to support multiple-account mode. That could be if you're not using a shared device, and the user can sign into the app with more than one account at the same time. If so, set `"account_mode"` to `"SINGLE"`. This guarantees that your app will always get `ISingleAccountPublicClientApplication`, and significantly simplifies your MSAL integration. The default value of `"account_mode"` is `"MULTIPLE"`, so it's important to change this value in the config file if you're using `"single account"` mode.
Here's an example of the auth_config.json file included in the **app**>**main**>**res**>**raw** directory of the sample app:
Here's an example of the auth_config.json file included in the **app**>**main**>
### Detect shared-device mode
-Shared-device mode allows you to configure Android devices to be shared by multiple employees, while providing Microsoft Identity backed management of the device. Employees can sign in to their devices and access customer information quickly. When they are finished with their shift or task, they will be able to sign-out of all apps on the shared device with a single click and the device will be immediately ready for the next employee to use.
+Shared-device mode allows you to configure Android devices to be shared by multiple employees, while providing Microsoft Identity backed management of the device. Employees can sign in to their devices and access customer information quickly. When they're finished with their shift or task, they'll be able to sign-out of all apps on the shared device with a single click and the device will be immediately ready for the next employee to use.
Use `isSharedDevice()` to determine if an app is running on a device that is in shared-device mode. Your app could use this flag to determine if it should modify UX accordingly.
PublicClientApplication.create(this.getApplicationCOntext(),
If you're writing an app that will only be used for first-line workers on a shared device, we recommend you write your app to only support single-account mode. This includes most applications that are task focused such as medical records apps, invoice apps, and most line-of-business apps. This will simplify your development as many features of the SDK won't need to be accommodated.
-If your app supports multiple accounts as well as shared device mode, you must perform a type check and cast to the appropriate interface as shown below.
+If your app supports multiple accounts and shared device mode, you must perform a type check and cast to the appropriate interface as shown below.
```java private IPublicClientApplication mApplication;
private void onSignOutClicked()
### Receive broadcast to detect global sign out initiated from other applications
-To receive the account change broadcast, you'll need to register a broadcast receiver.ΓÇ» ItΓÇÖs recommended to register your broadcast receiver via the [Context-registered receivers](https://developer.android.com/guide/components/broadcasts#context-registered-receivers).
+To receive the account change broadcast, you need to register a broadcast receiver.ΓÇ» ItΓÇÖs recommended to register your broadcast receiver via the [Context-registered receivers](https://developer.android.com/guide/components/broadcasts#context-registered-receivers).
-When an account change broadcast is received, immediately [get the signed in user and determine if a user has changed on the device](#get-the-signed-in-user-and-determine-if-a-user-has-changed-on-the-device). If a change is detected, initiate data cleanup for previously signed-in account. It is recommended to properly stop any operations and do data cleanup.
+When an account change broadcast is received, immediately [get the signed in user and determine if a user has changed on the device](#get-the-signed-in-user-and-determine-if-a-user-has-changed-on-the-device). If a change is detected, initiate data cleanup for previously signed-in account. It's recommended to properly stop any operations and do data cleanup.
The following code snippet shows how you could register a broadcast receiver.
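Review bot: the line `+To receive the account change broadcast, you need to register a broadcast receiver.ΓÇ» ItΓÇÖs recommended ...` carries over the mis-encoded characters `ΓÇ»` (a non-breaking space) and `ΓÇÖ` (a right single quote) from the old line; since the line is already being rewritten for the contraction, replace them with a plain space and an ASCII apostrophe so the rendered page does not show mojibake.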
The following steps describe setting up your application in the Azure portal and
First, register your application within your organizational tenant. Then provide these values below in auth_config.json in order for your application to run correctly.
-For information on how to do this, refer to [Register your application](./tutorial-v2-android.md#register-your-application).
+For information on how to do this, refer to [Register your application](./tutorial-v2-android.md#register-your-application-with-azure-ad).
> [!NOTE] > When you register your app, please use the quickstart guide on the left-hand side and then select **Android**. This will lead you to a page where you'll be asked to provide the **Package Name** and **Signature Hash** for your app. These are very important to ensure your app configuration will work. You'll then receive a configuration object that you can use for your app that you'll cut and paste into your auth_config.json file. :::image type="content" source="media/tutorial-v2-shared-device-mode/register-app.png" alt-text="Configure your Android app page in Azure portal quickstart":::
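Review bot: the new anchor `#register-your-application-with-azure-ad` in the link to `./tutorial-v2-android.md` has to match the actual heading text of that file; confirm the heading was renamed in the same change set, otherwise the link silently lands at the top of the page and the reader loses the jump to the registration steps.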
-You should select **Make this change for me** and then provide the values the quickstart asks for in the Azure portal. When that's done, we will generate all the configuration files you need.
+You should select **Make this change for me** and then provide the values the quickstart asks for in the Azure portal. When that's done, we'll generate all the configuration files you need.
:::image type="content" source="media/tutorial-v2-shared-device-mode/config-info.png" alt-text="Configure your project page in Azure portal quickstart":::
For testing purposes, set up the following in your tenant: at least two employee
### Download the Authenticator App
-Download the Microsoft Authenticator App from the Google Play store. If you already have the app downloaded, ensure that it is the latest version.
+Download the Microsoft Authenticator App from the Google Play store. If you already have the app downloaded, ensure that it's the latest version.
### Authenticator app settings & registering the device in the cloud
Once you've put a device in shared-mode, it becomes known to your organization a
## Running the sample app
-The Sample Application is a simple app that will call the Graph API of your organization. On first run you'll be prompted to consent as the application is new to your employee account.
+The Sample Application is a simple app that will call the Graph API of your organization. On first run, you'll be prompted to consent as the application is new to your employee account.
:::image type="content" source="media/tutorial-v2-shared-device-mode/run-app-permissions-requested.png" alt-text="Application configuration info screen":::
active-directory Web Api Tutorial 01 Register App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-tutorial-01-register-app.md
+
+ Title: "Tutorial: Register a web API with the Microsoft identity platform"
+description: In this tutorial, you learn how to register a web API with the Microsoft identity platform.
+++++ Last updated : 11/1/2022
+#Customer intent: As an application developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue access tokens to client applications that request them.
++
+# Tutorial: Register a web API with the Microsoft identity platform
+
+To interact with the Microsoft identity platform, Azure Active Directory (Azure AD) must be made aware of the application you create. This tutorial shows you how to register an application in a tenant on the Azure portal.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Register a web API in a tenant
+> * Record the web API's unique identifiers
+> * Expose an API by adding a scope
+
+## Prerequisites
+
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+* This Azure account must have permissions to manage applications. Use any of the following roles needed to register the application:
+ * Application administrator
+ * Application developer
+ * Cloud application administrator
+
+## Register the application and record identifiers
+
+To complete registration, provide the application a name and specify the supported account types. Once registered, the application **Overview** page will display the identifiers needed in the application source code.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations > New registration**.
+1. Enter a **Name** for the application, such as *NewWebAPI1*.
+1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option.
+1. Select **Register**.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type.":::
+
+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page.":::
+
+>[!NOTE]
+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).
+
+## Expose an API
+
+Once the API is registered, you can configure its permission by defining the scopes that the API exposes to client applications. Client applications request permission to perform operations by passing an access token along with its requests to the protected web API. The web API then performs the requested operation only if the access token it receives contains the required scopes.
+
+1. Under **Manage**, select **Expose an API > Add a scope**. Accept the proposed **Application ID URI** `(api://{clientId})` by selecting **Save and continue**. The `{clientId}` will be the value recorded from the **Overview** page. Then enter the following information:
+ 1. For **Scope name**, enter `Forecast.Read`.
+ 1. For **Who can consent**, ensure that the **Admins and users** option is selected.
+ 1. In the **Admin consent display name** box, enter `Read forecast data`.
+ 1. In the **Admin consent description** box, enter `Allows the application to read weather forecast data`.
+ 1. In the **User consent display name** box, enter `Read forecast data`.
+ 1. In the **User consent description** box, enter `Allows the application to read weather forecast data`.
+ 1. Ensure that the **State** is set to **Enabled**.
+1. Select **Add scope**. If the scope has been entered correctly, it'll be listed in the **Expose an API** pane.
+
+ :::image type="content" source="./media/web-api-tutorial-01-register-app/add-a-scope-inline.png" alt-text="Screenshot that shows the field values when adding the scope to an API." lightbox="./media/web-api-tutorial-01-register-app/add-a-scope-expanded.png":::
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md)
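Review bot: The "Expose an API" paragraph should state that scope enforcement is the API's own responsibility: adding `Forecast.Read` under **Expose an API** only makes the scope available for client applications to request and consent to, and the sentence "The web API then performs the requested operation only if the access token it receives contains the required scopes" reads as if the platform does that check for you. Suggest adding that the API must verify the scopes in the received token itself, which is what the `ScopeAuthorizationRequirement` bound to `AzureAd:Scopes` does in tutorial 03 of this same change. Smaller items: "configure its permission" should be "configure its permissions", and the prerequisites bullet "Use any of the following roles needed to register the application" reads better as "Any of the following roles can register the application".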
active-directory Web Api Tutorial 02 Prepare Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-tutorial-02-prepare-api.md
+
+ Title: "Tutorial: Create and configure an ASP.NET Core project for authentication"
+description: "Create and configure the API in an IDE, add configuration for authentication and install required packages"
+++++ Last updated : 11/1/2022
+#Customer intent: As an application developer, I want to create an ASP.NET Core project in an IDE, then configure it in such a way that I can add authentication with Azure AD.
++
+# Tutorial: Create and configure an ASP.NET Core project for authentication
+
+After registration is complete, a ASP.NET Core project can be created using an integrated development environment (IDE). This tutorial demonstrates how to create an ASP.NET Core project using an IDE and configure for authentication and authorization.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Create an **ASP.NET Core Empty**
+> * Configure the settings for the application
+> * Identify and install the required NuGet packages
+
+## Prerequisites
+
+* Completion of the prerequisites and steps in [Tutorial: Register web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md).
+* You can download the IDEs used in this tutorial from the [Downloads](https://visualstudio.microsoft.com/downloads) page.
+ - Visual Studio 2022
+ - Visual Studio Code
+ - Visual Studio 2022 for Mac
+- A minimum requirement of [.NET Core 6.0 SDK](https://dotnet.microsoft.com/download/dotnet).
+
+## Create an ASP.NET Core project
+
+Use the following tabs to create an ASP.NET Core project within an IDE.
+
+### [Visual Studio](#tab/visual-studio)
+
+1. Open Visual Studio, and then select **Create a new project**.
+1. Search for and choose the **ASP.NET Core Empty** template, and then select **Next**.
+1. Enter a name for the project, such as *NewWebAPILocal*.
+1. Choose a location for the project or accept the default option, and then select **Next**.
+1. Accept the default for the **Framework** and **Configure for HTTPS**.
+1. Select **Create**.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. Open Visual Studio Code, select **File > Open Folder...**. Navigate to and select the location in which to create your project.
+1. Open up a new terminal by selecting **Terminal** in the top bar, then **New Terminal**.
+1. Create a new folder using the **New Folder...** icon in the **Explorer** pane. Provide a name similar to the one registered previously, for example, *NewWebAPILocal*.
+1. Open a new terminal by selecting **Terminal > New Terminal**.
+1. To create an **ASP.NET Core Empty** template, run the following commands in the terminal to change into the directory and create the project:
+
+ ```powershell
+ cd NewWebAPILocal
+ dotnet new web
+ ```
+
+### [Visual Studio for Mac](#tab/visual-studio-for-mac)
+
+1. Open Visual Studio, and then select **New**.
+1. Under **Web and Console** in the left navigation bar, select **App**.
+1. Under **ASP.NET Core**, select **API** and ensure **C#** is selected in the drop down menu, then select **Continue**.
+1. Accept the default for the **Target Framework** and **Advanced**, then select **Continue**.
+1. Enter a name for the **Project name**, this will be reflected in **Solution Name**. Provide a similar name to the one registered on the Azure portal, such as *NewAPI1*.
+1. Accept the default location for the project or choose a different location, and then select **Create**.
++
+## Configure the ASP.NET Core project
+
+The values recorded earlier will be used in *appsettings.json* to configure the application for authentication. *appsettings.json* is a configuration file that is used to store application settings used during run-time.
+
+1. Open *appsettings.json* and replace the file contents with the following code snippet:
+
+ ```json
+ {
+ "AzureAd": {
+ "Instance": "https://login.microsoftonline.com/",
+ "ClientId": "Enter the client ID here",
+ "TenantId": "Enter the tenant ID here",
+ "Scopes": "Forecast.Read"
+ },
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.AspNetCore": "Warning"
+ }
+ },
+ "AllowedHosts": "*"
+ }
+ ```
+
+ * `Instance` - The endpoint of the cloud provider. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints).
+ * `TenantId` - The identifier of the tenant where the application is registered. Replace the text in quotes with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.
+ * `ClientId` - The identifier of the application, also referred to as the client. Replace the text in quotes with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.
+ * `Scopes` - The scope that is used to request access to the application. For this tutorial, the scope is `Forecast.Read`.
+1. Save the changes to the file.
+
+## Install identity packages
+
+Identity related **NuGet packages** must be installed in the project for authentication of users to be enabled.
+
+### [Visual Studio](#tab/visual-studio)
+
+1. In the top menu, select **Tools** > **NuGet Package Manager** > **Manage NuGet Packages for Solution**.
+1. With the **Browse** tab selected, search for **Microsoft.Identity.Web**, select the `Microsoft.Identity.Web` package, select the **Project** checkbox, and then select **Install**.
+1. Select **Ok** or **I Accept** for other windows that may appear.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. In the terminal opened in the previous section, enter the following command:
+
+ ```powershell
+ dotnet add package Microsoft.Identity.Web
+ ```
+
+### [Visual Studio for Mac](#tab/visual-studio-for-mac)
+
+1. In the top menu, select **Tools** > **Manage NuGet Packages**.
+1. Search for **Microsoft.Identity.Web**, select the `Microsoft.Identity.Web` package, select **Project**, and then select **Add Package**.
+1. In the pop-up, ensure the correct project is selected, then select **Ok**.
+1. Select **Accept** if other **License Acceptance** windows appear.
+++
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Implement a protected endpoint to your API](web-api-tutorial-03-protect-endpoint.md)
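Review bot: The Visual Studio Code tab opens the terminal twice: step 2 "Open up a new terminal by selecting **Terminal** in the top bar, then **New Terminal**" and step 4 "Open a new terminal by selecting **Terminal > New Terminal**" are the same action, so drop step 2 and keep the create-folder, open-terminal, `dotnet new web` order. The Visual Studio for Mac tab selects the **API** template while the other two tabs and the checklist create an **ASP.NET Core Empty** project; tutorial 03 then replaces the whole *Program.cs*, so the template should match across tabs or the difference should be explained. Also: "a ASP.NET Core project" in the intro should be "an ASP.NET Core project", the checklist item "Create an **ASP.NET Core Empty**" is missing "project", the prerequisites list mixes `*` and `-` bullets, and the `dotnet` commands are fenced as `powershell` although they are identical in any shell (`bash` or `dotnetcli` would fit all three IDEs).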
active-directory Web Api Tutorial 03 Protect Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-tutorial-03-protect-endpoint.md
+
+ Title: "Tutorial: Implement a protected endpoint to your API"
+description: Protect the endpoint of an API, then run it to ensure it's listening for HTTP requests.
+++++ Last updated : 11/1/2022
+#Customer intent: As an application developer I want to protect the endpoint of my API and run it to ensure it is listening for HTTP requests
++
+# Tutorial: Implement a protected endpoint to your API
+
+Protecting an API endpoint ensures that only authorized users are permitted access. The Microsoft identity platform provides a way to protect API endpoints by using the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web/) NuGet package.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Implement authentication
+> * Add weather information for the API to display
+> * Test the API with an unauthenticated GET request
+
+## Prerequisites
+
+* Completion of the prerequisites and steps in [Tutorial: Create and configure an ASP.NET Core project for authentication](web-api-tutorial-02-prepare-api.md).
+
+## Implement authorization
+
+1. Open the *Program.cs* file and replace the contents with the following snippet:
+
+ ```csharp
+ using Microsoft.AspNetCore.Authentication.JwtBearer;
+ using Microsoft.AspNetCore.Authorization;
+ using Microsoft.Identity.Web;
+
+ var builder = WebApplication.CreateBuilder(args);
+ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+ .AddMicrosoftIdentityWebApi(options =>
+ {
+ builder.Configuration.Bind("AzureAd", options);
+ options.TokenValidationParameters.NameClaimType = "name";
+ }, options => { builder.Configuration.Bind("AzureAd", options); });
+
+ builder.Services.AddAuthorization(config =>
+ {
+ config.AddPolicy("AuthZPolicy", policyBuilder =>
+ policyBuilder.Requirements.Add(new ScopeAuthorizationRequirement() { RequiredScopesConfigurationKey = $"AzureAd:Scopes" }));
+ });
+
+ // Add services to the container.
+ builder.Services.AddRazorPages();
+
+ var app = builder.Build();
+
+ app.UseAuthentication();
+ app.UseAuthorization();
+
+ var weatherSummaries = new[]
+ {
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+ };
+
+ app.MapGet("/weatherforecast", [Authorize(Policy = "AuthZPolicy")] () =>
+ {
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateTime.Now.AddDays(index),
+ Random.Shared.Next(-20, 55),
+ weatherSummaries[Random.Shared.Next(weatherSummaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+ })
+ .WithName("GetWeatherForecast");
+
+ // Configure the HTTP request pipeline.
+ if (!app.Environment.IsDevelopment())
+ {
+ app.UseExceptionHandler("/Error");
+ // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+ app.UseHsts();
+ }
+
+ app.UseHttpsRedirection();
+ app.UseStaticFiles();
+
+ app.UseRouting();
+
+ app.UseAuthorization();
+
+ app.MapRazorPages();
+
+ app.Run();
+
+ record WeatherForecast(DateTime Date, int TemperatureC, string? Summary)
+ {
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+ }
+ ```
+
+## Test the application
+
+### [Visual Studio](#tab/visual-studio)
+
+1. In Visual Studio, select **Start without debugging**.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. Start the application by typing the following in the terminal:
+
+ ```powershell
+ dotnet run
+ ```
+
+1. A similar output to the following should be displayed in the terminal. This confirms that the application is running on `http://localhost:{port}` and listening for requests.
+
+ ```powershell
+ Building...
+ info: Microsoft.Hosting.Lifetime[0]
+ Now listening on: http://localhost:{port}
+ info: Microsoft.Hosting.Lifetime[0]
+ Application started. Press Ctrl+C to shut down.
+ ...
+ ```
+
+### [Visual Studio for Mac](#tab/visual-studio-for-mac)
+
+1. Start the application by selecting **Play the executing solution**.
++
+The web page `http://localhost:{host}` displays an output similar to the following image. This is because the API is being called without authentication. In order to make an authorized call, refer to [Next steps](#next-steps) for how-to guides on how to access a protected web API.
++
+## Next steps
+
+> [!div class="nextstepaction"]
+>
+> [How-to: Call an API using Postman](howto-call-a-web-api-with-postman.md)
+>
+> [How-to: Call an API using cURL](howto-call-a-web-api-with-curl.md)
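Review bot: In the *Program.cs* snippet `app.UseAuthorization();` appears twice, once together with `app.UseAuthentication();` before `app.UseRouting();` and again after it; because `UseRouting()` is called explicitly, the first pair runs before an endpoint has been selected and only the second `UseAuthorization()` actually enforces `AuthZPolicy`. Keep a single `UseAuthentication()`/`UseAuthorization()` pair after `app.UseRouting();` so readers copy a pipeline order that is correct on its own. Related: the `$` in `RequiredScopesConfigurationKey = $"AzureAd:Scopes"` interpolates nothing; `AddRazorPages()`, `MapRazorPages()` and `UseStaticFiles()` serve no purpose in an Empty API project and only widen what the service exposes; the heading "Implement authorization" does not match the checklist item "Implement authentication". Under "Test the application", `http://localhost:{host}` should be `{port}` to match the log output above it, "displays an output similar to the following image" is followed by no image, and it would help to say what the unauthenticated GET is expected to return, which is a 401 response since the endpoint is gated by `AuthZPolicy`.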
active-directory Web App Tutorial 01 Register Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-tutorial-01-register-application.md
+
+ Title: "Tutorial: Register an application with the Microsoft identity platform"
+description: In this tutorial, you learn how to register a web application with the Microsoft identity platform.
+++++ Last updated : 02/09/2023
+#Customer intent: As an application developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue access tokens to client applications that request them.
++
+# Tutorial: Register an application with the Microsoft identity platform
+
+To interact with the Microsoft identity platform, Azure Active Directory (Azure AD) must be made aware of the application you create. This tutorial shows you how to register an application in a tenant on the Azure portal.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Register a web application in a tenant
+> * Record the web application's unique identifiers
+
+## Prerequisites
+
+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).
+* This Azure account must have permissions to manage applications. Use any of the following roles needed to register the application:
+ * Application administrator
+ * Application developer
+ * Cloud application administrator
+
+## Register the application and record identifiers
+
+To complete registration, provide the application a name and specify the supported account types. Once registered, the application **Overview** page will display the identifiers needed in the application source code.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations > New registration**.
+1. Enter a **Name** for the application, such as *NewWebApp1*.
+1. For Supported account types, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option.
+ - The **Redirect URI (optional)** will be configured at a later stage.
+1. Select **Register**.
+
+ :::image type="content" source="./media/web-app-tutorial-01-register-application/register-application.png" alt-text="Screenshot of process to enter a name and select the account type.":::
+
+1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code.
+
+ :::image type="content" source="./media/web-app-tutorial-01-register-application/record-identifiers.png" alt-text="Screenshot of recording the identifier values on the overview page.":::
+
+>[!NOTE]
+> The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Prepare a web application for authentication](web-app-tutorial-02-prepare-application.md)
active-directory Web App Tutorial 02 Prepare Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-tutorial-02-prepare-application.md
+
+ Title: "Tutorial: Prepare a web application for authentication"
+description: Prepare an ASP.NET Core application for authentication using Visual Studio.
+++++ Last updated : 02/09/2023
+#Customer intent: As an application developer, I want to use an IDE to set up an ASP.NET Core project, set up and upload a self signed certificate to the Azure portal and configure the application for authentication.
++
+# Tutorial: Prepare an application for authentication
+
+After registration is complete, an ASP.NET web application can be created using an integrated development environment (IDE). This tutorial demonstrates how to create an **ASP.NET Core Web App** using an IDE. You'll also create and upload a self-signed certificate to the Azure portal and configure the application for authentication.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Create an **ASP.NET Core Web App**
+> * Create a self-signed certificate
+> * Configure the settings for the application
+> * Define platform settings and URLs
+
+## Prerequisites
+
+* Completion of the prerequisites and steps in [Tutorial: Register an application with the Microsoft identity platform](web-app-tutorial-01-register-application.md).
+* You can download an IDE used in this tutorial [here](https://visualstudio.microsoft.com/downloads).
+ - Visual Studio 2022
+ - Visual Studio Code
+ - Visual Studio 2022 for Mac
+* A minimum requirement of [.NET Core 6.0 SDK](https://dotnet.microsoft.com/download/dotnet).
+
+## Create an ASP.NET Core project
+
+Use the following tabs to create an ASP.NET Core project within an IDE.
+
+### [Visual Studio](#tab/visual-studio)
+
+1. Open Visual Studio, and then select **Create a new project**.
+1. Search for and choose the **ASP.NET Core Web App** template, and then select **Next**.
+1. Enter a name for the project, such as *NewWebAppLocal*.
+1. Choose a location for the project or accept the default option, and then select **Next**.
+1. Accept the default for the **Framework**, **Authentication type**, and **Configure for HTTPS**. **Authentication type** can be set to none as this tutorial will cover this process.
+1. Select **Create**.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. Open Visual Studio Code, select **File > Open Folder...**. Navigate to and select the location in which to create your project.
+1. Create a new folder using the **New Folder...** icon in the **Explorer** pane. Provide a name similar to the one registered previously, for example, *NewWebAppLocal*.
+1. Open a new terminal by selecting **Terminal > New Terminal**.
+1. To create an **ASP.NET Core Web App** template, run the following commands in the terminal to change into the directory and create the project:
+
+ ```powershell
+ cd NewWebAppLocal
+ dotnet new webapp
+ ```
+
+### [Visual Studio for Mac](#tab/visual-studio-for-mac)
+
+1. Open Visual Studio, and then select **New**.
+1. Under **Web and Console** in the left navigation bar, select **App**.
+1. Under **ASP.NET Core**, select **Web Application** and ensure **C#** is selected in the drop down menu, then select **Continue**.
+1. Ensure the **Target Framework** is set to **.NET 6.0** at a minimum.
+1. Enter a name for **Project name**, this is reflected in **Solution Name**. Provide a similar name to the one registered on the Azure portal, such as *NewWebAppLocal*.
+1. Accept the default location for the project or choose a different location, and then select **Create**.
+++
+## Create and upload a self-signed certificate
+
+The use of certificates is a suggested way of securing communication between client and server. For the purpose of this tutorial, a self-signed certificate will be created in the project directory. Learn more about self-signed certificates [here](howto-create-self-signed-certificate.md).
+
+### [Visual Studio](#tab/visual-studio)
+
+1. Select **Tools > Command Line > Developer Command Prompt**.
+
+1. Enter the following command to create a new self-signed certificate:
+
+ ```powershell
+ dotnet dev-certs https -ep ./certificate.crt --trust
+ ```
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. In the **Terminal**, enter the following command to create a new self-signed certificate:
+
+ ```powershell
+ dotnet dev-certs https -ep ./certificate.crt --trust
+ ```
+
+### [Visual Studio for Mac](#tab/visual-studio-for-mac)
+
+1. Locate the **Terminal** option in your project.
+
+1. Enter the following command to create a new self-signed certificate:
+
+ ```powershell
+ dotnet dev-certs https -ep ./certificate.crt --trust
+ ```
++
+### Upload certificate to the portal
+
+To make the certificate available to the application, it must be uploaded into the tenant.
+
+1. Starting from the **Overview** page of the app created earlier, under **Manage**, select **Certificates & secrets** and select the **Certificates (0)** tab.
+1. Select **Upload certificate**.
+
+ :::image type="content" source="./media/web-app-tutorial-02-prepare-application/upload-certificate-inline.png" alt-text="Screenshot of uploading a certificate into an Azure Active Directory tenant." lightbox="./media/web-app-tutorial-02-prepare-application/upload-certificate-expanded.png":::
+
+1. Select the **folder** icon, then browse for and select the certificate that was previously created.
+1. Enter a description for the certificate and select **Add**.
+1. Record the **Thumbprint** value, which will be used in the next step.
+
+ :::image type="content" source="./media/web-app-tutorial-02-prepare-application/copy-certificate-thumbprint.png" alt-text="Screenshot showing copying the certificate thumbprint.":::
+
+## Configure the application for authentication and API reference
+
+The values recorded earlier will be used in *appsettings.json* to configure the application for authentication. *appsettings.json* is a configuration file that is used to store application settings used during run-time. As the application will also call into a web API, it must also contain a reference to it.
+
+1. In your IDE, open *appsettings.json* and replace the file contents with the following snippet:
+
+ :::code language="json" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/appsettings.json" :::
+
+ * `Instance` - The authentication endpoint. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints).
+ * `TenantId` - The identifier of the tenant where the application is registered. Replace the text in quotes with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.
+ * `ClientId` - The identifier of the application, also referred to as the client. Replace the text in quotes with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.
+ * `ClientCertificates` - A self-signed certificate is used for authentication in the application. Replace the text of the `CertificateThumbprint` with the thumbprint of the certificate that was previously recorded.
+ * `CallbackPath` - Is an identifier to help the server redirect a response to the appropriate application.
+ * `DownstreamApi` - Is an identifier that defines an endpoint for accessing Microsoft Graph. The application URI is combined with the specified scope. To define the configuration for an application owned by the organization, the value of the `Scopes` attribute is slightly different.
+1. Save changes to the file.
+1. In the **Properties** folder, open the *launchSettings.json* file.
+1. Find and record the `https` value `applicationURI` within *launchSettings.json*, for example `https://localhost:{port}`. This URL will be used when defining the **Redirect URI**.
+
+## Define the platform and URLs
+
+1. In the Azure portal, under **Manage**, select **App registrations**, and then select the application that was previously created.
+1. In the left menu, under **Manage**, select **Authentication**.
+1. In **Platform configurations**, select **Add a platform**, and then select **Web**.
+
+ :::image type="content" source="./media/web-app-tutorial-02-prepare-application/select-platform-inline.png" alt-text="Screenshot on how to select the platform for the application." lightbox="./media/web-app-tutorial-02-prepare-application/select-platform-expanded.png":::
+
+1. Under **Redirect URIs**, enter the `applicationURL` and the `CallbackPath`, `/signin-oidc`, in the form of `https://localhost:{port}/signin-oidc`.
+1. Under **Front-channel logout URL**, enter the following URL for signing out, `https://localhost:{port}/signout-oidc`.
+1. Select **Configure**.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Add sign-in to an application](web-app-tutorial-03-sign-in-users.md)
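Review bot: `dotnet dev-certs https -ep ./certificate.crt --trust` does not create a new certificate; it exports the existing ASP.NET Core HTTPS development certificate for localhost (and `--trust` only installs it as trusted for local HTTPS, which has nothing to do with uploading a credential to the portal). Because no password is given, the export contains the public certificate without the private key, which is why the app can later still sign with the thumbprint from the local store; the text under "Create and upload a self-signed certificate" should say this instead of "create a new self-signed certificate", and should point readers to the linked self-signed certificate article for a dedicated credential rather than reusing the shared development certificate outside this tutorial. Also: "Find and record the `https` value `applicationURI`" and "enter the `applicationURL`" name the same *launchSettings.json* key, which is spelled `applicationUrl`; the `DownstreamApi` bullet says "the value of the `Scopes` attribute is slightly different" without stating the difference; the intro says "an ASP.NET web application" where the rest of the series says ASP.NET Core; and the download link text "here" should name its target.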
active-directory Web App Tutorial 03 Sign In Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-tutorial-03-sign-in-users.md
+
+ Title: "Tutorial: Add sign in to an application"
+description: Add sign in to an ASP.NET Core application using Visual Studio.
+++++ Last updated : 02/09/2023
+#Customer intent: As an application developer, I want to install the NuGet packages necessary for authentication in my IDE, and implement authentication in my web app.
++
+# Tutorial: Add sign in to an application
+
+In the [previous tutorial](web-app-tutorial-02-prepare-application.md), an ASP.NET Core project was created and configured for authentication. This tutorial will install the required packages and add code that implements authentication to the sign in and sign out experience.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Identify and install the NuGet packages that are needed for authentication
+> * Implement authentication in the code
+> * Add the sign in and sign out experiences
+
+## Prerequisites
+
+* Completion of the prerequisites and steps in [Tutorial: Prepare an application for authentication](web-app-tutorial-02-prepare-application.md).
+
+## Install identity packages
+
+Identity related **NuGet packages** must be installed in the project for authentication of users to be enabled.
+
+### [Visual Studio](#tab/visual-studio)
+
+1. In the top menu of Visual Studio, select **Tools > NuGet Package Manager > Manage NuGet Packages for Solution**.
+1. With the **Browse** tab selected, search for and select **Microsoft.Identity.Web.UI**. Select the **Project** checkbox, and then select **Install**.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. In the Visual Studio Code terminal, navigate to *NewWebAppLocal*.
+1. Enter the following commands to install the relevant NuGet packages:
+
+ ```powershell
+ dotnet add package Microsoft.Identity.Web.UI
+ dotnet add package Microsoft.Identity.Web.Diagnostics
+ ```
+
+### [Visual Studio for Mac](#tab/visual-studio-for-mac)
+
+1. In the top menu, select **Tools** > **Manage NuGet Packages**.
+1. Search for **Microsoft.Identity.Web**, select the `Microsoft.Identity.Web` package, select **Project**, and then select **Add Package**.
+1. Modify your search to read **Microsoft.Identity.Web.UI** and select **Add Packages**.
+1. In the pop-up, ensure the correct project is selected, then select **Ok**.
+1. Select **Accept** if additional **License Acceptance** windows appear.
++
+## Implement authentication and acquire tokens
+
+1. Open *Program.cs* and replace the entire file contents with the following snippet:
+
+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Program.cs" :::
+
+## Add the sign in and sign out experience
+
+After installing the NuGet packages and adding necessary code for authentication, add the sign in and sign out experiences.
+
+### Create the *_LoginPartial.cshtml* file
+
+### [Visual Studio](#tab/visual-studio)
+
+1. Expand **Pages**, right-click **Shared**, and then select **Add > Razor page**.
+1. Select **Razor Page - Empty**, and then select **Add**.
+1. Enter *_LoginPartial.cshtml* for the name, and then select **Add**.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+
+1. In the Explorer bar, select **Pages**, right-click **Shared**, and select **New File**. Give it the name *_LoginPartial.cshtml*.
+
+### [Visual Studio for Mac](#tab/visual-studio-for-mac)
+
+1. Expand **Pages**, right-click **Shared**, and then select **Add > Razor page**.
+1. Select **Razor Page - Empty**, and then select **Add**.
+1. Enter *_LoginPartial.cshtml* for the name, and then select **Add**.
++
+### Edit the *_LoginPartial.cshtml* file
+
+1. Open *_LoginPartial.cshtml* and add the following code for adding the sign in and sign out experience:
+
+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Pages/Shared/_LoginPartial.cshtml" :::
+
+1. Open *_Layout.cshtml* and add a reference to `_LoginPartial` created in the previous step. This single line should be placed between `</ul>` and `</div>`:
+
+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Pages/Shared/_Layout.cshtml" range="29-31" :::
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Call an API and display results](web-app-tutorial-04-call-web-api.md)
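Review bot: the step `+1. Open *_Layout.cshtml* and add a reference to `_LoginPartial` created in the previous step. This single line should be placed between `</ul>` and `</div>`:` promises a single line, but the include directly under it pulls `range="29-31"` (three lines) from _Layout.cshtml; either say the snippet shows the reference together with its surrounding `</ul>`/`</div>` context, or narrow the range to the one reference line. A pinned line range also drifts silently whenever the sample file changes; a named snippet marker in the source file is the more robust include. The two `.cshtml` includes are tagged `language="csharp"`, which highlights Razor markup as plain C#; a Razor/cshtml tag renders it correctly. Style: the headings and step text say "sign in and sign out experience"; hyphenate the attributive form ("sign-in and sign-out experience") and keep the unhyphenated verb form only for the action ("sign in").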
active-directory Web App Tutorial 04 Call Web Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-tutorial-04-call-web-api.md
+
+ Title: "Tutorial: Call an API and display the results"
+description: Call an API and display the results.
+++++ Last updated : 02/09/2023
+#Customer intent: As an application developer, I want to use my app to call a web API, in this case Microsoft Graph. I need to know how to modify my code so the API can be called successfully.
++
+# Tutorial: Call an API and display the results
+
+The application can now be configured to call an API. For the purposes of this tutorial, the Microsoft Graph API will be called to display the profile information of the logged-in user.
+
+In this tutorial:
+
+> [!div class="checklist"]
+> * Call the API and display the results
+> * Test the application
+
+## Prerequisites
+
+* Completion of the prerequisites and steps in [Tutorial: Add sign in to an application](web-app-tutorial-03-sign-in-users.md).
+
+## Call the API and display the results
+
+1. Under **Pages**, open the *Index.cshtml.cs* file and replace the entire contents of the file with the following snippet. Check that the project `namespace` matches your project name.
+
+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Pages/Index.cshtml.cs" :::
+
+1. Open *Index.cshtml* and add the following code to the bottom of the file. This will handle how the information received from the API is displayed:
+
+ :::code language="csharp" source="~/ms-identity-docs-code-dotnet/web-app-aspnet/Pages/Index.cshtml" range="13-17" :::
+
+## Test the application
+
+### [Visual Studio](#tab/visual-studio)
+1. Start the application by selecting **Start without debugging**.
+
+### [Visual Studio Code](#tab/visual-studio-code)
+1. Start the application by typing the following in the terminal:
+
+ #### [.NET 6.0](#tab/dotnet6)
+
+ ```powershell
+ dotnet run
+ ```
+
+ #### [.NET 7.0](#tab/dotnet7)
+
+ ```powershell
+ dotnet run --launch-profile https
+ ```
+
+### [Visual Studio for Mac](#tab/visual-studio-for-mac)
+1. Start the application by selecting the **Play** icon.
+++
+2. Depending on your IDE, you may need to enter the application URI into the browser, for example `https://localhost:7100`. After the sign in window appears, select the account in which to sign in with. Ensure the account matches the criteria of the app registration.
+
+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/pick-account.png" alt-text="Screenshot depicting account options to sign in.":::
+
+1. Upon selecting the account, a second window appears indicating that a code will be sent to your email address. Select **Send code**, and check your email inbox.
+
+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/sign-in-send-code.png" alt-text="Screenshot depicting a screen to send a code to the user's email.":::
+
+1. Open the email from the sender **Microsoft account team**, and enter the 7-digit *single-use code*. Once entered, select **Sign in**.
+
+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/enter-code.png" alt-text="Screenshot depicting the single-use code sign in procedure.":::
+
+1. For **Stay signed in**, you can select either **No** or **Yes**.
+
+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/stay-signed-in.png" alt-text="Screenshot depicting the option on whether to stay signed in.":::
+
+1. The app will ask for permission to sign in and access data. Select **Accept** to continue.
+
+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/permissions-requested.png" alt-text="Screenshot depicting the permission requests.":::
+
+1. The web app now displays profile data acquired from the Microsoft Graph API.
+
+ :::image type="content" source="./media/web-app-tutorial-04-call-web-api/display-api-call-results.png" alt-text="Screenshot depicting the results of the API call.":::
+
+## Next steps
+
+Learn how to use the Microsoft identity platform by trying out the following tutorial series on how to build a web API.
+
+> [!div class="nextstepaction"]
+> [Tutorial: Register a web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md)
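Review bot: list numbering breaks around the tab group: `+2. Depending on your IDE, you may need to enter the application URI into the browser...` jumps to 2 while every later step restarts at `1.`; use `1.` throughout (Markdown renumbers) or number the whole sequence consistently. At `+1. The app will ask for permission to sign in and access data. Select **Accept** to continue.` the step should state which permission the consent prompt is expected to request, so the reader can compare the prompt against what the app is supposed to need before accepting, rather than accepting whatever appears. Grammar in step 2: "select the account in which to sign in with" reads better as "select the account to sign in with".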
active-directory Azuread Joined Devices Frx https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/azuread-joined-devices-frx.md
Title: Join a new Windows 10 device with Azure AD during the out of box experience
+ Title: Join a new Windows 11 device with Azure AD during the out of box experience
description: How users can set up Azure AD Join during OOBE.
# Azure AD join a new Windows device during the out of box experience
-Starting in Windows 10 users can join new Windows devices to Azure AD during the first-run out-of-box experience (OOBE). This functionality enables you to distribute shrink-wrapped devices to your employees or students.
+Windows 11 users can join new Windows devices to Azure AD during the first-run out-of-box experience (OOBE). This functionality enables you to distribute shrink-wrapped devices to your employees or students.
This functionality pairs well with mobile device management platforms like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and tools like [Windows Autopilot](/mem/autopilot/windows-autopilot) to ensure devices are configured according to your standards.
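Review bot: replacing `Starting in Windows 10 users can join new Windows devices to Azure AD during the first-run out-of-box experience (OOBE).` with `Windows 11 users can join new Windows devices to Azure AD during the first-run out-of-box experience (OOBE).` narrows the stated scope: the original says the capability exists from Windows 10 onward, the new wording implies Windows 10 devices are excluded, and the H1 still says "a new Windows device" generically. If the intent is only to refresh the title to the current release, keep the scope explicit in the body ("Windows 10 or later"); if Windows 10 is intentionally dropped, the H1 and description should say so as well.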
active-directory Clean Up Unmanaged Azure Ad Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/clean-up-unmanaged-azure-ad-accounts.md
Title: Clean up unmanaged Azure AD accounts
-description: Clean up unmanaged accounts using email OTP and PowerShell modules in Azure Active Directory
+ Title: Clean up unmanaged Azure Active Directory accounts
+description: Clean up unmanaged accounts using email one-time password and PowerShell modules in Azure AD
Previously updated : 06/28/2022 Last updated : 03/28/2023
# Clean up unmanaged Azure Active Directory accounts
-Prior to August 2022, Azure AD B2B supported Self-service sign-up for email-verified users which allowed users to create Azure AD accounts if they can verify ownership of the email. These accounts were created in unmanaged (aka ΓÇ£viralΓÇ¥) tenants. This meant that the user created an account with an organizationΓÇÖs domain that is not under the lifecycle management of the organizationΓÇÖs IT and access can persist after the user leaves the organization. To learn more, see, [What is self-service sign-up for Azure Active Directory?](./directory-self-service-signup.md)
+Prior to August 2022, Azure Active Directory B2B (Azure AD B2B) supported self-service sign-up for email-verified users. With this feature, users create Azure AD accounts, when they verify email ownership. These accounts were created in unmanaged (or viral) tenants: users created accounts with an organization domain, not under IT team management. Access persists after users leave the organization.
-The creation of unmanaged Azure AD accounts via Azure AD B2B is now deprecated and new B2B invitations cannot be redeemed with these accounts as of August 2022. However, invitations sent prior to August 2022 could have been redeemed with unmanaged Azure AD accounts.
+To learn more, see, [What is self-service sign-up for Azure AD?](./directory-self-service-signup.md)
+
+ > [!NOTE]
+ > Unmanaged Azure AD accounts via Azure AD B2B were deprecated. As of August 2022, new B2B invitations can't be redeemed. However, invitations prior to August 2022 were redeemable with unmanaged Azure AD accounts.
## Remove unmanaged Azure AD accounts
-Admins can use either this sample application in [Azure-samples/Remove-unmanaged-guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests) or PowerShell cmdlets in [AzureAD/MSIdentityTools](https://github.com/AzureAD/MSIdentityTools/wiki/) to remove existing unmanaged Azure AD accounts from your Azure AD tenants. These tools allow you to identify viral users in your Azure AD tenant and reset the redemption status of these users.
+Use the following guidance to remove unmanaged Azure AD accounts from Azure AD tenants. Tool features help identify viral users in the Azure AD tenant. You can reset the user redemption status.
+
+* Use the sample application in [Azure-samples/Remove-unmanaged-guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests)
+* Use PowerShell cmdlets in [AzureAD/MSIdentityTools](https://github.com/AzureAD/MSIdentityTools/wiki/)
-Once you have run one of the available tools, when users with unmanaged Azure AD accounts try to access your tenant, they will re-redeem their invitations. However, Azure AD will prevent users from redeeming with an existing unmanaged Azure AD account and theyΓÇÖll redeem with another account type. Google Federation and SAML/WS-Fed are not enabled by default. So by default, these users will redeem with either an MSA or Email OTP, with MSA taking precedence. For a full explanation on the B2B redemption precedence, refer to the [redemption precedence flow chart](../external-identities/redemption-experience.md#invitation-redemption-flow).
+After you run a tool, users with unmanaged Azure AD accounts access the tenant, and re-redeem their invitations. However, Azure AD prevents users from redeeming with an unmanaged Azure AD account. They can redeem with another account type. Google Federation and SAML/WS-Federation aren't enabled by default. Therefore, users redeem with a Microsoft account (MSA) or email one-time password (OTP). MSA is recommended.
+
+Learn more: [Invitation redemption flow](../external-identities/redemption-experience.md#invitation-redemption-flow)
## Overtaken tenants and domains
-Some tenants created as unmanaged tenants can be taken over and
-converted to a managed tenant. See, [take over an unmanaged directory as
-administrator in Azure AD](./domains-admin-takeover.md).
+It's possible to convert some unmanaged tenants to managed tenants.
-In some cases, overtaken domains might not be updated, for example, missing a DNS TXT record and therefore become flagged as unmanaged. Implications are:
+Learn more: [Take over an unmanaged directory as administrator in Azure AD](./domains-admin-takeover.md)
-- For guest users who belong to formerly unmanaged tenants, redemption status is reset and one consent prompt appears. Redemption occurs with same account as before.
+Some overtaken domains might not be updated. For example, a missing DNS TXT record indicates an unmanaged state. Implications are:
-- After unmanaged user redemption status is reset, the tool might identify unmanaged users that are false positives.
+* For guest users from unmanaged tenants, redemption status is reset. A consent prompt appears.
+ * Redemption occurs with same account
+* The tool might identify unmanaged users as false positives after you reset unmanaged user redemption status
-## Reset redemption using a sample application
+## Reset redemption with a sample application
-Use the sample application on
- [Azure-Samples/Remove-Unmanaged-Guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests).
+Use the sample application on [Azure-Samples/Remove-Unmanaged-Guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests).
## Reset redemption using MSIdentityTools PowerShell Module
-MSIdentityTools PowerShell Module is a collection of cmdlets and
-scripts. They are for use in the Microsoft identity platform and Azure
-AD; they augment capabilities in the PowerShell SDK. See, [Microsoft
-Graph PowerShell
-SDK](https://github.com/microsoftgraph/msgraph-sdk-powershell).
+MSIdentityTools PowerShell Module is a collection of cmdlets and scripts, which you use in the Microsoft identity platform and Azure AD. Use the cmdlets and scripts to augment PowerShell SDK capabilities. See, [microsoftgraph/msgraph-sdk-powershell](https://github.com/microsoftgraph/msgraph-sdk-powershell).
Run the following cmdlets: -- `Install-Module Microsoft.Graph -Scope CurrentUser`--- `Install-Module MSIdentityTools`--- `Import-Module msidentitytools,microsoft.graph`
+* `Install-Module Microsoft.Graph -Scope CurrentUser`
+* `Install-Module MSIdentityTools`
+* `Import-Module msidentitytools,microsoft.graph`
To identify unmanaged Azure AD accounts, run: -- `Connect-MgGraph -Scope User.ReadAll`--- `Get-MsIdUnmanagedExternalUser`
+* `Connect-MgGraph -Scope User.ReadAll`
+* `Get-MsIdUnmanagedExternalUser`
To reset unmanaged Azure AD account redemption status, run: -- `Connect-MgGraph -Scopes User.ReadWriteAll`--- `Get-MsIdUnmanagedExternalUser | Reset-MsIdExternalUser`
+* `Connect-MgGraph -Scopes User.ReadWriteAll`
+* `Get-MsIdUnmanagedExternalUser | Reset-MsIdExternalUser`
To delete unmanaged Azure AD accounts, run: -- `Connect-MgGraph -Scopes User.ReadWriteAll`--- `Get-MsIdUnmanagedExternalUser | Remove-MgUser`
+* `Connect-MgGraph -Scopes User.ReadWriteAll`
+* `Get-MsIdUnmanagedExternalUser | Remove-MgUser`
-## Next steps
+## Resources
-Examples of using
-[Get-MSIdUnmanagedExternalUser](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MsIdUnmanagedExternalUser)
+See, [Get-MSIdUnmanagedExternalUser](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MsIdUnmanagedExternalUser). The tool returns a list of external unmanaged users, or viral users, in the tenant.
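Review bot: the Microsoft Graph permission names in the cmdlet lists are wrong: `Connect-MgGraph -Scope User.ReadAll` and `Connect-MgGraph -Scopes User.ReadWriteAll` should be `Connect-MgGraph -Scopes User.Read.All` and `Connect-MgGraph -Scopes User.ReadWrite.All` (the parameter is `-Scopes`, and the permission names need the dot before `All`); as written the scope request is invalid and the reader cannot get past the connect step. The rewrite of "with MSA taking precedence" as `MSA is recommended.` turns a statement about redemption-precedence behaviour into a recommendation; the original point, that MSA wins over email OTP when both are available, is what the linked redemption flow chart documents, so keep it as behaviour. Finally, `Get-MsIdUnmanagedExternalUser | Remove-MgUser` deletes every returned user without review; given the false-positive caveat earlier in the same article, the delete step should tell the reader to inspect the `Get-MsIdUnmanagedExternalUser` output first and note that the deletion is not reversible.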
active-directory Multilateral Federation Baseline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/multilateral-federation-baseline.md
+
+ Title: University multilateral federation baseline design
+description: Baseline design for a multilateral federation solution for universities.
+++++++ Last updated : 04/01/2023+++++
+# Baseline architecture overview
+
+Microsoft frequently speaks with research universities that operate in hybrid environments in which applications are either cloud-based or hosted on-premises. In both cases, applications can use different authentication protocols. In some cases, these protocols are reaching end-of-life or are not providing the required level of security.
+
+[![Diagram of a typical university architecture including cloud and on-premises areas with trust, synchronization, and credential validation paths.](media/multilateral-federation-baseline/typical-baseline-environment.png)](media/multilateral-federation-baseline/typical-baseline-environment.png#lightbox)
+
+Applications drive much of the need for different authentication protocols and different identity management mechanisms (IdM).
+
+In research university environments, research apps often drive IdM requirements. A federation provider, such as Shibboleth, might be used as a primary identity provider (IdP). If this is the case, Azure AD is often configured to federate with Shibboleth. If Microsoft 365 apps are also in use, Azure AD enables you to configure integration.
+
+Applications used in research universities operate in various portions of the overall IT footprint:
+
+* Research and multilateral federation applications are made available through InCommon and EduGAIN.
+
+* Library applications provide access to electronic journals and other e-content providers.
+
+* Some applications use legacy authentication protocols such as Central Authentication Service (CAS) to enable single sign-on.
+
+* Student and faculty applications often use multiple authentication mechanisms. For example, some are integrated with Shibboleth or other federation providers, while others are integrated with Azure AD.
+
+* Microsoft 365 applications are integrated with Azure AD.
+
+* Windows Server Active Directory (AD) might be in use and synchronized to Azure AD.
+
+* Lightweight Directory Access Protocol (LDAP) is in use at many universities that might have an external LDAP directory or Identity Registry. These registries are often used to house confidential attributes, role hierarchy information, and even certain types of users, such as applicants.
+
+* On-premises AD, or an external LDAP directory, is often used to enable single-credential sign-in for non-web applications and various non-Microsoft operating system sign-ins.
+
+## Baseline architecture challenges
+
+Often, baseline architectures evolve over time, introducing complexity and rigidness to the design and ability to update. Some of the challenges with using the baseline architecture include:
+
+* **Hard to react to new requirements** - Having a complex environment makes it hard to quickly adapt and keep up with the most recent regulations and requirements. For example, if you have apps in lots of different locations and these apps are all connected in different ways with different IdMs, you run into the problem of where to locate multi-factor authentication (MFA) services and how to enforce MFA. Higher education also experiences fragmented service ownership. The people responsible for key services such as enterprise resource planning (ERP), learning management system (LMS), division, and department solutions might resist efforts to change or modify the systems they operate.
+
+* **Can't take advantage of all Microsoft 365 capabilities for all apps** (Intune, Conditional Access, passwordless, etc.) - Many universities want to move towards the cloud and leverage their existing investments in Azure AD. However, with a different federation provider as their primary IdP, universities can't take advantage of all the Microsoft 365 capabilities for the rest of their apps.
+
+* **Complexity of solution** - There are many different components to manage, with some components in the cloud and some on-premises or in IaaS instances. Apps are operated in many different places. From a user perspective, this can be a disjointed experience. For example, sometimes users see a Shibboleth login page and other times an Azure AD login page.
+
+We present three different solutions, designed to solve these challenges, while also addressing the following requirements:
+
+* Ability to participate in multilateral federations such as InCommon and eduGAIN
+
+* Ability to support all types of apps (even those that require legacy protocols)
+
+* Ability to support external directories and attribute stores
+
+These three solutions are presented in order from most preferred to least preferred. Each satisfies requirements but introduces tradeoff decisions expected in a complex architecture. Based on your requirements and starting point, select the one that best suits your environment. A decision tree is provided to help aid in this decision.
++
+## Next steps
+
+See these related multilateral federation articles:
+
+[Multilateral federation introduction](multilateral-federation-introduction.md)
+
+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)
+
+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)
+
+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)
+
+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)
+
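Review bot: `+* Research and multilateral federation applications are made available through InCommon and EduGAIN.` spells the federation `EduGAIN`, while the requirements list further down uses `eduGAIN`; pick one spelling (eduGAIN is the federation's own). The closing sentence of `+These three solutions are presented in order from most preferred to least preferred...` ends with "A decision tree is provided to help aid in this decision", which is redundant ("help aid") and does not link the decision tree that only the Next steps list points to; link it inline and drop "aid".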
active-directory Multilateral Federation Decision Tree https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/multilateral-federation-decision-tree.md
+
+ Title: University multilateral federation decision tree
+description: Use this decision tree to help design a multilateral federation solution for universities.
+++++++ Last updated : 04/01/2023+++++
+# Decision tree
+
+Use this decision tree to help you determine the solution best suited for your environment.
+
+[![Diagram that shows decision matrix with key criteria to help choose between solutions one, two, and three.](media/multilateral-federation-decision-tree/tradeoff-decision-matrix.png)](media/multilateral-federation-decision-tree/tradeoff-decision-matrix.png#lightbox)
+
+## Migration resources
+
+The following are resources to help with your migration to the solutions covered in this content.
+
+| Migration Resource | Description | Relevant for migrating to... |
+| - | - | - |
+| [Resources for migrating applications to Azure Active Directory (Azure AD)](../manage-apps/migration-resources.md) | List of resources to help you migrate application access and authentication to Azure AD | Solution 1, Solution 2, and Solution 3 |
+| [Azure AD custom claims provider](../develop/custom-claims-provider-overview.md)|This article provides an overview to the Azure AD custom claims provider | Solution 1 |
+| [Custom security attributes documentation](../fundamentals/custom-security-attributes-manage.md) | This article describes how to manage access to custom security attributes | Solution 1 |
+| [Azure AD SSO integration with Cirrus Identity Bridge](../saas-apps/cirrus-identity-bridge-for-azure-ad-tutorial.md) | Tutorial to integrate Cirrus Identity Bridge for Azure AD with Azure AD | Solution 1 |
+| [Cirrus Identity Bridge Overview](https://blog.cirrusidentity.com/documentation/azure-bridge-setup-rev-6.0) | Link to the documentation for the Cirrus Identity Bridge | Solution 1 |
+| [Configuring Shibboleth as SAML Proxy](https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1467056889/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD) | Link to a Shibboleth article that describes how to use the SAML proxying feature to connect Shibboleth IdP to Azure AD | Solution 2 |
+| [Azure MFA deployment considerations](../authentication/howto-mfa-getstarted.md) | Link to guidance for configuring multi-factor authentication (MFA) using Azure AD | Solution 1 and Solution 2 |
+
+## Next steps
+
+See these additional multilateral federation articles:
+
+[Multilateral federation introduction](multilateral-federation-introduction.md)
+
+[Multilateral federation baseline design](multilateral-federation-baseline.md)
+
+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)
+
+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)
+
+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)
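Review bot: in the migration resources table, the row `| [Azure AD custom claims provider](../develop/custom-claims-provider-overview.md)|This article provides an overview to the Azure AD custom claims provider | Solution 1 |` should read "an overview of", and is missing the space before the second pipe that every other row has. The row `| [Azure MFA deployment considerations](../authentication/howto-mfa-getstarted.md) | ...` uses the old product name while the companion articles in this change say "Azure AD Multi-Factor Authentication"; align the name. The Cirrus Identity Bridge row links to a revision-pinned page (`azure-bridge-setup-rev-6.0`), which will go stale; prefer an unversioned landing page if the vendor offers one.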
active-directory Multilateral Federation Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/multilateral-federation-introduction.md
+
+ Title: University multilateral federation solution design
+description: Learn how to design a multilateral federation solution for universities.
+++++++ Last updated : 04/01/2023+++++
+# Introduction to multilateral federation solutions
+
+Research universities need to collaborate with one another. To accomplish collaboration, they require multilateral federation to enable authentication and access between universities globally.
+
+## Challenges with multilateral federation solutions
+
+Universities face many challenges. For example, one university might use one identity management system and a set of protocols while other universities use a different set of technologies, depending on their requirements. In general, universities can:
+
+* Use different identity management systems
+
+* Use different protocols
+
+* Use customized solutions
+
+* Require support for a long history of legacy functionality
+
+* Need to support solutions that are built in different IT generations
+
+Many universities are also adopting the Microsoft 365 suite of productivity and collaboration tools. These tools rely on Azure Active Directory (Azure AD) for identity management, which enables universities to configure:
+
+* Single sign-on (SSO) across multiple applications
+
+* Modern security controls, including passwordless authentication, MFA, adaptive conditional access, and Identity Protection
+
+* Enhanced reporting and monitoring
+
+Because Azure AD doesn't natively support multilateral federation, this content describes three solutions for federating authentication and access between universities with typical research university architecture. In these scenarios, non-Microsoft products are mentioned for illustrative purposes only and represent the broader class of product. For example, Shibboleth is used as an example of a federation provider.
+
+## Next steps
+
+See these other multilateral federation articles:
+
+[Multilateral federation baseline design](multilateral-federation-baseline.md)
+
+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)
+
+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)
+
+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)
+
+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)
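Review bot: `+* Modern security controls, including passwordless authentication, MFA, adaptive conditional access, and Identity Protection` is the first use of MFA in this article, so expand it (multi-factor authentication), and "adaptive conditional access" should use the product name Conditional Access as the companion articles do.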
active-directory Multilateral Federation Solution One https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/multilateral-federation-solution-one.md
+
+ Title: University multilateral federation design scenario one
+description: First scenario design considerations for a multilateral federation solution for universities.
+++++++ Last updated : 04/1/2023+++++
+# Solution 1: Azure AD with Cirrus Bridge
+
+In Solution 1, Azure AD is used as the primary IdP for all applications while a managed service provides multilateral federation. In this example, Cirrus Bridge is the managed service used for integration of CAS and multilateral federation apps.
+
+[![Diagram showing Azure AD integration with various application environments using Cirrus to provide CAS bridge and SAML bridge.](media/multilateral-federation-solution-one/azure-ad-cirrus-bridge.png)](media/multilateral-federation-solution-one/azure-ad-cirrus-bridge.png#lightbox)
+
+If on-premises Active Directory is also being used, then [AD is configured](../hybrid/whatis-hybrid-identity.md) with hybrid identities. Implementing this Azure AD with Cirrus Bridge solution provides:
+
+* **A Security Assertion Markup Language (SAML) bridge** - Enables you to configure multilateral federation and participation in InCommon and EduGAIN. The SAML bridge also enables you to configure Azure AD conditional access policies, app assignment, governance, and other features for each multilateral federation app.
+
+* **CAS bridge** - Enables you to provide protocol translation to support on-premises CAS apps to authenticate with Azure AD. The CAS bridge enables you to configure Azure AD conditional access policies, app assignment, and governance for all CAS apps, as a whole.
+
+Implementing Azure AD with Cirrus bridge enables you to take advantage of more capabilities available in Azure AD:
+
+* **External attribute store support** - [Azure AD custom claims provider](../develop/custom-claims-provider-overview.md) enables you to use an external attribute store (like an external LDAP Directory) to add additional claims into tokens on a per app basis. It uses a custom extension that calls an external REST API to fetch claims from external systems.
+
+* **Custom security attributes** - Provides you with the ability to add custom attributes to objects in the directory and control who can read them. [Custom security attributes](../fundamentals/custom-security-attributes-overview.md) enable you to store more of your attributes directly in Azure AD.
+
+## Advantages
+
+The following are some of the advantages of implementing Azure AD with Cirrus bridge:
+
+* **Seamless cloud authentication for all apps**
+
+ * Elimination of all on-premises identity components can lower your operational effort and potentially reduce security risks.
+
+ * You may realize cost savings resulting from not having to host on-premises infrastructure.
+
+ * This managed solution may help you save on operational administration costs and improve security posture and free up resources for other efforts.
+
+* **Streamlined configuration, deployment, and support model**
+
+ * [Cirrus Bridge](../saas-apps/cirrus-identity-bridge-for-azure-ad-tutorial.md) is registered in the Azure AD app gallery.
+
+ * You benefit from an established process for configuring and setting up the bridge solution.
+
+ * Cirrus Identity provides 24/7 support.
+
+* **Conditional Access (CA) support for multilateral federation apps**
+
+ * You receive support for [National Institutes of Health (NIH)](https://auth.nih.gov/CertAuthV3/forms/help/compliancecheckhelp.html) and Research and Education FEDerations group (REFEDS).
+
+ * This solution is the only architecture that enables you to configure granular Azure AD CA for multilateral federation apps.
+
+ * Granular CA is supported for both multilateral federation apps and CAS apps. Implementation of CA controls enables you to comply with the [NIH](https://auth.nih.gov/CertAuthV3/forms/help/compliancecheckhelp.html) and [REFEDS](https://refeds.org/category/research-and-scholarship) requirements.
+
+* **Enables you to use other Azure AD-related solutions for all apps** (Intune, AADJ devices, etc.)
+
+ * Enables you to use Azure AD Join for device management.
+
+ * Azure AD Join provides you with the ability to use Autopilot, Azure AD Multi-Factor Authentication, passwordless features, and supports achieving a Zero Trust posture.
+
+> [!NOTE]
+> Switching to Azure AD Multi-Factor Authentication may allow you to realize significant cost savings over other solutions you have in place.
+
+## Considerations and trade-offs
+
+The following are some of the trade-offs of using this solution:
+
+* **Limited ability to customize your authentication experience** - This scenario provides a managed solution. Therefore, this solution might not offer you the flexibility or granularity to build a custom solution using federation provider products.
+
+* **Limited third-party MFA integration** - You might be limited by the number of integrations available to third-party MFA solutions.
+
+* **One time integration effort required** - To streamline integration, you need to perform a one-time migration of all student and faculty apps to Azure AD, as well as set up the Cirrus Bridge.
+
+* **Subscription required for Cirrus Bridge** - An annual subscription is required for the Cirrus Bridge. The subscription fee is based on anticipated annual authentication usage of the bridge.
+
+## Next steps
+
+See these other multilateral federation articles:
+
+[Multilateral federation introduction](multilateral-federation-introduction.md)
+
+[Multilateral federation baseline design](multilateral-federation-baseline.md)
+
+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)
+
+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)
+
+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)
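Review bot: `+* **External attribute store support** - ... It uses a custom extension that calls an external REST API to fetch claims from external systems.` should say that this API becomes part of the token-issuance trust boundary: whatever it returns ends up as claims in issued tokens, so the article should point the reader to how the custom extension authenticates to the API and what happens when the API is unavailable or returns unexpected values. Metadata: `Last updated : 04/1/2023` uses a different date format from the other four articles in this change (04/01/2023). `+* **Enables you to use other Azure AD-related solutions for all apps** (Intune, AADJ devices, etc.)` introduces "AADJ" before "Azure AD Join" is spelled out in the next bullet; spell it out first. Smaller style points: "add additional claims" reads better as "add claims", "One time integration" should be "One-time integration", and the NIH compliance link appears twice within the Conditional Access bullets.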
active-directory Multilateral Federation Solution Three https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/multilateral-federation-solution-three.md
+
+ Title: University multilateral federation design scenario three
+description: Third scenario design considerations for a multilateral federation solution for universities.
+++++++ Last updated : 04/01/2023+++++
+# Solution 3: Azure AD with ADFS and Shibboleth
+
+In Solution 3, the federation provider is the primary IdP. As shown in this example, Shibboleth is the federation provider for integration of multilateral federation apps, on-premises CAS apps, and any LDAP directories.
+
+[![Diagram showing a design integrating Shibboleth, AD Federated Services, and Azure AD.](media/multilateral-federation-solution-three/shibboleth-adfs-azure-ad.png)](media/multilateral-federation-solution-three/shibboleth-adfs-azure-ad.png#lightbox)
+
+In this scenario, Shibboleth is the primary IdP. Participation in multilateral federations (for example, with InCommon) is done through Shibboleth, which natively supports this integration. On-premises CAS apps and the LDAP directory are also integrated with Shibboleth.
+
+Student apps, faculty apps, and Microsoft 365 apps are integrated with Azure AD. Any on-premises instance of AD is synced to Azure AD. Active Directory Federated Services (ADFS) is used for third-party multi-factor authentication (MFA) integration. ADFS is also used to perform protocol translation and to enable certain Azure AD features such as Azure AD Join for device management, Autopilot, and passwordless features.
+
+## Advantages
+
+The following are some of the advantages of using this solution:
+
+* **Customized authentication** - Enables you to customize the experience for multilateral federation apps through Shibboleth.
+
+* **Ease of execution** - Simple to implement in the short-term for institutions already using Shibboleth as their primary IdP. You need to migrate student and faculty apps to Azure AD and add an ADFS instance.
+
+* **Minimal disruption** - Allows third-party MFA so you can keep existing MFA solutions such as Duo in place until you're ready for an update.
+
+## Considerations and trade-offs
+
+The following are some of the trade-offs of using this solution:
+
+* **Higher complexity and security risk** - With an on-premises footprint, there may be higher complexity to the environment and extra security risks. There may also be increased overhead and fees associated with managing these on-premises components.
+
+* **Suboptimal authentication experiences** - For multilateral federation and CAS apps, there's no cloud-based authentication mechanism and there might be multiple redirects.
+
+* **No granular CA support** - This solution doesn't provide granular Conditional Access (CA) support.
+
+* **No Azure AD Multi-Factor Authentication support** - This solution doesn't enable Azure AD Multi-Factor Authentication support for multilateral federation or CAS apps and might cause you to miss out on potential cost savings.
+
+* **Significant ongoing staff allocation** - IT staff must maintain infrastructure and software for the authentication solution. Any staff attrition might introduce risk.
+
+## Next steps
+
+See these related multilateral federation articles:
+
+[Multilateral federation introduction](multilateral-federation-introduction.md)
+
+[Multilateral federation baseline design](multilateral-federation-baseline.md)
+
+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)
+
+[Multilateral federation solution two - Azure AD to Shibboleth as SP Proxy](multilateral-federation-solution-two.md)
+
+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)
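Review bot: the product name in "Active Directory Federated Services (ADFS) is used for third-party multi-factor authentication (MFA) integration" is wrong; the service is "Active Directory Federation Services (AD FS)", and the image alt text "AD Federated Services" has the same problem. The migration article later in this same patch writes "AD FS" throughout, so the new article should use the same form in the title, the alt text and the body.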
active-directory Multilateral Federation Solution Two https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/multilateral-federation-solution-two.md
+
+ Title: University multilateral federation design scenario two
+description: Second scenario design considerations for a multilateral federation solution for universities.
+++++++ Last updated : 04/01/2023+++++
+# Solution 2: Azure AD to Shibboleth as SP Proxy
+
+In Solution 2, Azure AD acts as the primary IdP and the federation provider acts as a SAML proxy to the CAS apps and the multilateral federation apps. In this example, we show [Shibboleth acting as the SAML proxy](https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1467056889/Using+SAML+Proxying+in+the+Shibboleth+IdP+to+connect+with+Azure+AD) to provide a reference link.
+
+[![Diagram showing Shibboleth used as a SAML proxy provider.](media/multilateral-federation-solution-two/azure-ad-shibboleth-as-sp-proxy.png)](media/multilateral-federation-solution-two/azure-ad-shibboleth-as-sp-proxy.png#lightbox)
+
+Azure AD is the primary IdP so all student and faculty apps are integrated with Azure AD. All Microsoft 365 apps are also integrated with Azure AD. If Active Directory Domain Services (AD) is in use, then it also is synchronized with Azure AD.
+
+The SAML proxy feature of Shibboleth integrates with Azure AD. In Azure AD, Shibboleth appears as a non-gallery enterprise application. Universities can get single sign-on (SSO) for their CAS apps and can participate in the InCommon environment. Additionally, Shibboleth provides integration for Lightweight Directory Access Protocol (LDAP) directory services.
+
+## Advantages
+
+The following are some of the advantages of using this solution:
+
+* **Provides cloud authentication for all apps** - All apps
+ authenticate through Azure AD.
+
+* **Ease of execution** - This solution provides short-term
+ ease-of-execution for universities that are already using
+ Shibboleth.
+
+## Considerations and trade-offs
+
+The following are some of the trade-offs of using this solution:
+
+* **Limited authentication experience customization** - There are
+ limited options for customizing the authentication experience for
+ end users.
+
+* **Limited third-party MFA integration** - The number of integrations
+ available to third-party MFA solutions might be limited.
+
+* **Higher complexity and security risk** - With an on-premises
+ footprint, there might be higher complexity to the environment and
+ extra security risks. There might also be increased overhead
+ and fees associated with managing these on-premises components.
+
+* **Suboptimal authentication experiences** - For multilateral
+ federation and CAS apps, the authentication experience for end users
+ might be suboptimal due to redirects through Shibboleth.
+
+* **No granular CA support** - This solution doesn't provide
+ granular Conditional Access (CA) support, meaning that you would
+ have to decide on either the least common denominator (optimize for
+ less friction, but limited security controls) or the highest common
+ denominator (optimize for security controls, but at the expense of
+ user friction) with limited ability to make granular decisions.
+
+## Next steps
+
+See these other multilateral federation articles:
+
+[Multilateral federation introduction](multilateral-federation-introduction.md)
+
+[Multilateral federation baseline design](multilateral-federation-baseline.md)
+
+[Multilateral federation solution one - Azure AD with Cirrus Bridge](multilateral-federation-solution-one.md)
+
+[Multilateral federation solution three - Azure AD with ADFS and Shibboleth](multilateral-federation-solution-three.md)
+
+[Multilateral federation decision tree](multilateral-federation-decision-tree.md)
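Review bot: the abbreviation in "If Active Directory Domain Services (AD) is in use" is incorrect; Active Directory Domain Services abbreviates to "AD DS", and the Solution 3 article in this same patch says "Any on-premises instance of AD is synced to Azure AD", so the two articles should agree on one form. The opening sentence "we show [Shibboleth acting as the SAML proxy](...) to provide a reference link" also reads as if the example exists only to hold a link; suggest "In this example, Shibboleth acts as the SAML proxy; see [Using SAML Proxying in the Shibboleth IdP to connect with Azure AD](...) for the reference configuration."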
active-directory Lifecycle Workflow Extensibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflow-extensibility.md
Lifecycle Workflows allow you to create workflows that can be triggered based on
## Prerequisite Logic App roles required for integration with the custom task extension
-When linking your Azure Logic App with the custom task extension task, there are certain permissions that must be completed before the link can be established.
+When you link your Azure Logic App with the custom task extension task, there are certain prerequisites that must be completed before the link can be established.
-The roles on the Azure Logic App, which allows it to be compatible with the custom task extension, are as follows:
+To create a Logic App, you must have:
+
+- A valid Azure subscription
+- A compatible resource group where the Logic App is located
+
+> [!NOTE]
+> The resource group needs permissions to create, update, and read the Logic App while the custom extension is being created.
+
+The roles on the Azure Logic App required with the custom task extension, are as follows:
- **Logic App contributor** - **Contributor** - **Owner** > [!NOTE]
-> The **Logic App Operator** role alone will not make an Azure Logic App compatible with the custom task extension. For more information on the required **Logic App contributor** role, see: [Logic App Contributor](../../role-based-access-control/built-in-roles.md#logic-app-contributor).
+> The **Logic App Operator** role alone will not work with the custom task extension. For more information on the required **Logic App contributor** role, see: [Logic App Contributor](../../role-based-access-control/built-in-roles.md#logic-app-contributor).
## Custom task extension deployment scenarios
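Review bot: the new NOTE "The resource group needs permissions to create, update, and read the Logic App while the custom extension is being created" assigns permissions to the resource group itself, which cannot hold any; state who needs them, for example "The account that creates the custom extension needs permissions to create, update, and read the Logic App in that resource group." Also drop the stray comma in "The roles on the Azure Logic App required with the custom task extension, are as follows:"; "The roles required on the Azure Logic App for the custom task extension are as follows:" reads better and keeps the meaning.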
When creating custom task extensions, the scenarios for how it interacts with Li
:::image type="content" source="media/lifecycle-workflow-extensibility/task-extension-deployment-scenarios.png" alt-text="Screenshot of custom task deployment scenarios."::: -- **Launch and continue** - The Azure Logic App is started, and the following task execution immediately continues with no response expected from the Azure Logic App. This scenario is best suited if the Lifecycle workflow doesn't require any feedback (including status) from the Azure Logic App. With this scenario, as long as the workflow is started successfully, the workflow is viewed as a success.
+- **Launch and continue** - The Azure Logic App is started, and the following task execution immediately continues with no response expected from the Azure Logic App. This scenario is best suited if the Lifecycle workflow doesn't require any feedback (including status) from the Azure Logic App. If the Logic App is started successfully, the Lifecycle Workflow task is considered a success.
- **Launch and wait** - The Azure Logic App is started, and the following task's execution waits on the response from the Logic App. You enter a time duration for how long the custom task extension should wait for a response from the Azure Logic App. If no response is received within a customer defined duration window, the task is considered failed. :::image type="content" source="media/lifecycle-workflow-extensibility/custom-task-launch-wait.png" alt-text="Screenshot of custom task launch and wait task choice." lightbox="media/lifecycle-workflow-extensibility/custom-task-launch-wait.png":::
+> [!NOTE]
+> You can also deploy a custom task that calls to a third party system. To learn more about this call, see: [taskProcessingResult: resume](/graph/api/identitygovernance-taskprocessingresult-resume).
+ ## Response authorization
-When creating a custom task extension that waits for a response from the Logic App, you're able to define which applications can send a response
+When you create a custom task extension that waits for a response from the Logic App, you're able to define which applications can send a response
:::image type="content" source="media/lifecycle-workflow-extensibility/launch-wait-options.png" alt-text="Screenshot of custom task extension launch and wait options."::: Response authorization can be utilized in one of the following ways: -- **System-assigned managed identity (Default)** - Enables and utilizes the Logic Apps system-assigned managed identity. For more information on this, see: [Authenticate access to Azure resources with managed identities in Azure Logic Apps](/azure/logic-apps/create-managed-service-identity)-- **No authorization** - Grants no authorization to the Logic App. You're responsible for assigning an application permission, or role assignment.-- **Existing application** - You can choose an existing application to respond.--
+- **System-assigned managed identity (Default)** - With this choice you Enable and utilize the Logic Apps system-assigned managed identity. For more information, see: [Authenticate access to Azure resources with managed identities in Azure Logic Apps](/azure/logic-apps/create-managed-service-identity)
+- **No authorization** - With this choice you assign a Logic App or third party application an application permission (LifecycleWorkflows.ReadWrite.All), or role assignment (Lifecycle Workflows Administrator). This choice doesn't follow least privilege access as outlined in Azure Active Directory best practices. For more information on best practices for roles, see: [Best Practices for Azure AD roles](/azure/active-directory/roles/best-practices).
+- **Existing application** - With this choice you're able to choose an existing application to respond. You are able to choose applications that are user-assigned or regular applications. For more information on managed identity types, see: [Managed identity types](../managed-identities-azure-resources/overview.md#managed-identity-types).
## Custom task extension integration with Azure Logic Apps high-level steps
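Review bot: in the "System-assigned managed identity (Default)" bullet, "With this choice you Enable and utilize" has a mid-sentence capital; write "you enable and use". In the "No authorization" bullet, hyphenate "third-party application", and because the bullet now says the option requires granting LifecycleWorkflows.ReadWrite.All or the Lifecycle Workflows Administrator role, make clear that "No authorization" means the extension itself provisions no authorization (the old wording "Grants no authorization to the Logic App. You're responsible for assigning an application permission, or role assignment" said this directly), not that the responder is unauthenticated. In the "Existing application" bullet, "applications that are user-assigned or regular applications" mixes identity kinds; "user-assigned managed identities or application registrations" matches the "Managed identity types" link that follows.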
The high-level steps for the Azure Logic Apps integration are as follows:
- **Create a lifecycle workflow customTaskExtension which holds necessary information about the Azure Logic App**: Creating a custom task extension that references the configured Azure Logic App. - **Update or create a Lifecycle workflow with the ΓÇ£Run a custom task extensionΓÇ¥ task, referencing your created customTaskExtension**: Adding the newly created custom task extension to a new workflow, or updating the information to an existing workflow.
-## Logic App parameters used by the custom task
-
-When creating a custom task extension from the Azure portal, you're able to create a Logic App, or link it to an existing one.
-
-The following information is supplied to the custom task from the Logic App:
--- Subscription-- Resource group-- Logic App name--
-For a guide on supplying this information to a custom task extension via Microsoft Graph, see: [Configure a Logic App for Lifecycle Workflow use](configure-logic-app-lifecycle-workflows.md).
## Next steps
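Review bot: the removed "Logic App parameters used by the custom task" section carried the only link in this region to [Configure a Logic App for Lifecycle Workflow use](configure-logic-app-lifecycle-workflows.md) and the list of values the custom task takes from the Logic App (subscription, resource group, Logic App name); if that guidance is not retained elsewhere in the article, keep at least the link, since the new prerequisites NOTE above still assumes the reader knows which resource group and Logic App are involved.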
active-directory Migrate From Federation To Cloud Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/migrate-from-federation-to-cloud-authentication.md
Previously updated : 01/30/2023 Last updated : 04/04/2023 -+
Before you begin your migration, ensure that you meet these prerequisites.
For staged rollout, you need to be a Hybrid Identity Administrator on your tenant.
-To enable seamless SSO on a specific Windows Active Directory Forest, you need to be a domain administrator.
- ### Step up Azure AD Connect server Install [Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) or [upgrade to the latest version](how-to-upgrade-previous-version.md). When you step up Azure AD Connect server, it reduces the time to migrate from AD FS to the cloud authentication methods from potentially hours to minutes.
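Review bot: the deleted prerequisite "To enable seamless SSO on a specific Windows Active Directory Forest, you need to be a domain administrator" is still required by the procedure: the Azure AD Connect steps later in this same patch say "The domain administrator credentials aren't stored in Azure AD Connect or Azure AD and get discarded when the process successfully finishes. They are used to turn ON this feature", so the prerequisites list should keep stating the domain administrator requirement, or point to where it now lives.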
To find your current federation settings, run [Get-MgDomainFederationConfigurati
Get-MgDomainFederationConfiguration ΓÇôDomainID yourdomain.com ```
-Verify any settings that might have been customized for your federation design and deployment documentation. Specifically, look for customizations in **PreferredAuthenticationProtocol**, **federatedIdpMfaBehavior**, **SupportsMfa** (if **federatedIdpMfaBehavior** is not set), and **PromptLoginBehavior**.
+Verify any settings that might have been customized for your federation design and deployment documentation. Specifically, look for customizations in **PreferredAuthenticationProtocol**, **federatedIdpMfaBehavior**, **SupportsMfa** (if **federatedIdpMfaBehavior** isn't set), and **PromptLoginBehavior**.
### Back up federation settings
When technology projects fail, it's typically because of mismatched expectations
After migrating to cloud authentication, the user sign-in experience for accessing Microsoft 365 and other resources that are authenticated through Azure AD changes. Users who are outside the network see only the Azure AD sign-in page.
-Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.
+Proactively communicate with your users how their experience changes, when it changes, and how to gain support if they experience issues.
### Plan the maintenance window
-After the domain conversion, Azure AD might continue to send some legacy authentication requests from Exchange Online to your AD FS servers for up to four hours. The delay is because the Exchange Online cache for legacy applications authentication can take up to 4 hours to be aware of the cutover from federation to cloud authentication.
-
-During this four-hour window, you may prompt users for credentials repeatedly when reauthenticating to applications that use legacy authentication. Although the user can still successfully authenticate against AD FS, Azure AD no longer accepts the user's issued token because that federation trust is now removed.
-
-Existing Legacy clients (Exchange ActiveSync, Outlook 2010/2013) aren't affected because Exchange Online keeps a cache of their credentials for a set period of time. The cache is used to silently reauthenticate the user. The user doesn't have to return to AD FS. Credentials stored on the device for these clients are used to silently reauthenticate themselves after the cached is cleared. Users aren't expected to receive any password prompts as a result of the domain conversion process.
-
-Modern authentication clients (Office 2016 and Office 2013, iOS, and Android apps) use a valid refresh token to obtain new access tokens for continued access to resources instead of returning to AD FS. These clients are immune to any password prompts resulting from the domain conversion process. The clients will continue to function without extra configuration.
+Modern authentication clients (Office 2016 and Office 2013, iOS, and Android apps) use a valid refresh token to obtain new access tokens for continued access to resources instead of returning to AD FS. These clients are immune to any password prompts resulting from the domain conversion process. The clients continue to function without extra configuration.
>[!NOTE] >When you migrate from federated to cloud authentication, the process to convert the domain from federated to managed may take up to 60 minutes. During this process, users might not be prompted for credentials for any new logins to Azure portal or other browser based applications protected with Azure AD. We recommend that you include this delay in your maintenance window.
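Review bot: removing the three paragraphs on the up-to-four-hour Exchange Online legacy authentication cache leaves "Plan the maintenance window" describing only modern authentication clients, so the section no longer says what the window is for; if the four-hour behaviour no longer applies, say so in one sentence, otherwise keep at least "Azure AD might continue to send some legacy authentication requests from Exchange Online to your AD FS servers for up to four hours" next to the 60-minute domain-conversion NOTE so administrators can size the window.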
Here are key migration considerations.
### Plan for customizations settings
-The onload.js file cannot be duplicated in Azure AD. If your AD FS instance is heavily customized and relies on specific customization settings in the onload.js file, verify if Azure AD can meet your current customization requirements and plan accordingly. Communicate these upcoming changes to your users.
+The onload.js file can't be duplicated in Azure AD. If your AD FS instance is heavily customized and relies on specific customization settings in the onload.js file, verify if Azure AD can meet your current customization requirements and plan accordingly. Communicate these upcoming changes to your users.
#### Sign-in experience
-You cannot customize Azure AD sign-in experience. No matter how your users signed-in earlier, you need a fully qualified domain name such as User Principal Name (UPN) or email to sign into Azure AD.
+You can't customize Azure AD sign-in experience. No matter how your users signed-in earlier, you need a fully qualified domain name such as User Principal Name (UPN) or email to sign into Azure AD.
#### Organization branding You can [customize the Azure AD sign-in page](../fundamentals/customize-branding.md). Some visual changes from AD FS on sign-in pages should be expected after the conversion. >[!NOTE]
->Organization branding is not available in free Azure AD licenses unless you have a Microsoft 365 license.
+>Organization branding isn't available in free Azure AD licenses unless you've a Microsoft 365 license.
### Plan for conditional access policies
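Review bot: "unless you've a Microsoft 365 license" is ungrammatical; "have" used as the main verb (possession) is not contracted, so keep "unless you have a Microsoft 365 license". The same over-contraction recurs later in this patch in "You've two options for enabling this change" and "If you've Azure AD Connect Health"; contract only the auxiliary ("you've finished", "you've already set").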
Consider replacing AD FS access control policies with the equivalent Azure AD [C
### Plan support for MFA
-For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. You can enable protection to prevent bypassing of Azure MFA by configuring the security setting **federatedIdpMfaBehavior**. Enabling the protection for a federated domain in your Azure AD tenant makes sure that Azure MFA is always performed when a federated user accesses an application that is governed by a Conditional Access policy requiring MFA. This includes performing Azure MFA even when federated identity provider has issued federated token claims that on-prem MFA has been performed. Enforcing Azure MFA every time assures that a bad actor cannot bypass Azure MFA by imitating that MFA has already been performed by the identity provider, and is highly recommended unless you perform MFA for your federated users using a third party MFA provider.
+For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. You can enable protection to prevent bypassing of Azure AD Multi-Factor Authentication by configuring the security setting **federatedIdpMfaBehavior**. Enable the protection for a federated domain in your Azure AD tenant. Make sure that Azure AD Multi-Factor Authentication is always performed when a federated user accesses an application that is governed by a Conditional Access policy that requires MFA. This includes performing Azure AD Multi-Factor Authentication even when federated identity provider has issued federated token claims that on-premises MFA has been performed. Enforcing Azure AD Multi-Factor Authentication every time assures that a bad actor can't bypass Azure AD Multi-Factor Authentication by imitating that identity provider already performed MFA and is highly recommended unless you perform MFA for your federated users using a third party MFA provider.
The following table explains the behavior for each option. For more information, see **federatedIdpMfaBehavior**. | Value | Description | | : | : |
-| acceptIfMfaDoneByFederatedIdp | Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD performs the MFA. |
-| enforceMfaByFederatedIdp | Azure AD accepts MFA that's performed by federated identity provider. If the federated identity provider didn't perform MFA, it redirects the request to federated identity provider to perform MFA. |
-| rejectMfaByFederatedIdp | Azure AD always performs MFA and rejects MFA that's performed by the federated identity provider. |
+| acceptIfMfaDoneByFederatedIdp | Azure AD accepts MFA that federated identity provider performs. If the federated identity provider didn't perform MFA, Azure AD performs the MFA. |
+| enforceMfaByFederatedIdp | Azure AD accepts MFA that federated identity provider performs. If the federated identity provider didn't perform MFA, it redirects the request to federated identity provider to perform MFA. |
+| rejectMfaByFederatedIdp | Azure AD always performs MFA and rejects MFA that federated identity provider performs. |
>[!NOTE] > The **federatedIdpMfaBehavior** setting is an evolved version of the **SupportsMfa** property of the [Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet](/powershell/module/msonline/set-msoldomainfederationsettings). For domains that have already set the **SupportsMfa** property, these rules determine how **federatedIdpMfaBehavior** and **SupportsMfa** work together: -- Switching between **federatedIdpMfaBehavior** and **SupportsMfa** is not supported.
+- Switching between **federatedIdpMfaBehavior** and **SupportsMfa** isn't supported.
- Once **federatedIdpMfaBehavior** property is set, Azure AD ignores the **SupportsMfa** setting.-- If the **federatedIdpMfaBehavior** property is never set, Azure AD will continue to honor the **SupportsMfa** setting.-- If neither **federatedIdpMfaBehavior** nor **SupportsMfa** is set, Azure AD will default to `acceptIfMfaDoneByFederatedIdp` behavior.
+- If the **federatedIdpMfaBehavior** property is never set, Azure AD continues to honor the **SupportsMfa** setting.
+- If neither **federatedIdpMfaBehavior** nor **SupportsMfa** is set, Azure AD defaults to `acceptIfMfaDoneByFederatedIdp` behavior.
You can check the status of protection by running [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true):
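Review bot: splitting "Enabling the protection for a federated domain in your Azure AD tenant makes sure that Azure MFA is always performed" into "Enable the protection for a federated domain in your Azure AD tenant. Make sure that Azure AD Multi-Factor Authentication is always performed ..." turns a statement of effect into two instructions, and the second now reads as a manual step the administrator must carry out rather than what the setting guarantees; suggest "Enabling the protection for a federated domain in your Azure AD tenant ensures that Azure AD Multi-Factor Authentication is always performed when a federated user accesses an application that is governed by a Conditional Access policy that requires MFA." In the three rewritten table rows, "MFA that federated identity provider performs" is missing the article: "MFA that the federated identity provider performs".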
For more information, see **[Migrate from Microsoft MFA Server to Azure Multi-fa
## Plan for implementation
-This section includes pre-work before you switch your sign-in method and convert the domains.
+This section includes prework before you switch your sign-in method and convert the domains.
### Create necessary groups for staged rollout *If you're not using staged rollout, skip this step.*
-Create groups for staged rollout. You will also need to create groups for conditional access policies if you decide to add them.
+Create groups for staged rollout and also for conditional access policies if you decide to add them.
We recommend you use a group mastered in Azure AD, also known as a cloud-only group. You can use Azure AD security groups or Microsoft 365 Groups for both moving users to MFA and for conditional access policies. For more information, see [creating an Azure AD security group](../fundamentals/active-directory-groups-create-azure-portal.md), and this [overview of Microsoft 365 Groups for administrators](/microsoft-365/admin/create-groups/office-365-groups).
-The members in a group are automatically enabled for staged rollout. Nested and dynamic groups are not supported for staged rollout.
+The members in a group are automatically enabled for staged rollout. Nested and dynamic groups aren't supported for staged rollout.
-### Pre-work for SSO
+### Prework for SSO
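Review bot: renaming the heading "Pre-work for SSO" to "Prework for SSO" changes the auto-generated anchor from #pre-work-for-sso to #prework-for-sso, so any inbound link to the old anchor breaks; check for references to the old anchor before merging, or keep the original heading text and change only the body wording.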
The version of SSO that you use is dependent on your device OS and join state.
The version of SSO that you use is dependent on your device OS and join state.
- **For macOS and iOS devices**, we recommend using SSO via the [Microsoft Enterprise SSO plug-in for Apple devices](../develop/apple-sso-plugin.md). This feature requires that your Apple devices are managed by an MDM. If you use Intune as your MDM then follow the [Microsoft Enterprise SSO plug-in for Apple Intune deployment guide](/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos). If you use another MDM then follow the [Jamf Pro / generic MDM deployment guide](/mem/intune/configuration/use-enterprise-sso-plug-in-ios-ipados-macos-with-jamf-pro). -- **For Windows 7 and 8.1 devices**, we recommend using [seamless SSO](how-to-connect-sso.md) with domain-joined to register the computer in Azure AD. You don't have to sync these accounts like you do for Windows 10 devices. However, you must complete this [pre-work for seamless SSO using PowerShell](how-to-connect-staged-rollout.md#pre-work-for-seamless-sso).
+- **For Windows 7 and 8.1 devices**, we recommend using [seamless SSO](how-to-connect-sso.md) with domain-joined to register the computer in Azure AD. You don't have to sync these accounts like you do for Windows 10 devices. However, you must complete this [prework for seamless SSO using PowerShell](how-to-connect-staged-rollout.md#pre-work-for-seamless-sso).
-### Pre-work for PHS and PTA
+### Prework for PHS and PTA
-Depending on the choice of sign-in method, complete the [pre-work for PHS](how-to-connect-staged-rollout.md#pre-work-for-password-hash-sync) or [for PTA](how-to-connect-staged-rollout.md#pre-work-for-pass-through-authentication).
+Depending on the choice of sign-in method, complete the [prework for PHS](how-to-connect-staged-rollout.md#pre-work-for-password-hash-sync) or [for PTA](how-to-connect-staged-rollout.md#pre-work-for-pass-through-authentication).
## Implement your solution
If you're using staged rollout, follow the steps in the links below:
1. [Enable staged rollout of a specific feature on your tenant.](how-to-connect-staged-rollout.md#enable-staged-rollout)
-2. Once testing is complete, [convert domains from federated to managed](#convert-domains-from-federated-to-managed).
+2. Once testing is complete, [convert domains from federated to be managed](#convert-domains-from-federated-to-managed).
### Without using staged rollout
-You have two options for enabling this change:
+You've two options for enabling this change:
- **Option A:** Switch using Azure AD Connect.
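Review bot: "convert domains from federated to be managed" is awkward and no longer matches the section it links to (#convert-domains-from-federated-to-managed); keep "convert domains from federated to managed". Also in this hunk, the "Prework for PHS and PTA" heading rename changes this article's anchor while its links still target #pre-work-for-password-hash-sync and #pre-work-for-pass-through-authentication in how-to-connect-staged-rollout.md, so if "prework" is the intended spelling both articles need to change together; and "You've two options for enabling this change" should stay "You have two options".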
Sign in to the [Azure portal](https://portal.azure.com/), browse to **Azure Acti
- The computer account's Kerberos decryption key is securely shared with Azure AD. - Two Kerberos service principal names (SPNs) are created to represent two URLs that are used during Azure AD sign-in.
- The domain administrator credentials are not stored in Azure AD Connect or Azure AD and get discarded when the process successfully finishes. They are used to turn ON this feature.
+ The domain administrator credentials aren't stored in Azure AD Connect or Azure AD and get discarded when the process successfully finishes. They are used to turn ON this feature.
6. On the **Ready to configure** page, make sure that the **Start the synchronization process when configuration completes** check box is selected. Then, select **Configure**. ![Ready to configure page](media/deploy-cloud-user-authentication/ready-to-configure.png)
- > [!IMPORTANT]
- > At this point, all your federated domains will change to managed authentication. Your selected User sign-in method is the new method of authentication.
+ > [!IMPORTANT]
+ > At this point, all your federated domains changes to managed authentication. Your selected User sign-in method is the new method of authentication.
-1. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.
+7. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.
-2. Verify these settings:
+8. Verify these settings:
- **Federation** is set to **Disabled**. - **Seamless single sign-on** is set to **Enabled**. - **Password Hash Sync** is set to **Enabled**.
- ![ Reverify current user settings](media/deploy-cloud-user-authentication/reverify-settings.png)
+ ![ Reverify current user settings](media/deploy-cloud-user-authentication/reverify-settings.png)
-3. In case you're switching to PTA, follow the next steps.
+9. In case you're switching to PTA, follow the next steps.
##### Deploy more authentication agents for PTA
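Review bot: subject-verb agreement in the IMPORTANT box: "all your federated domains changes to managed authentication" should be "all your federated domains change to managed authentication". The renumbering of the following steps to 7, 8 and 9 is consistent with the six numbered steps above it, so no issue there.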
For most customers, two or three authentication agents are sufficient to provide
1. Select **Pass-through authentication**. 2. On the **Pass-through authentication** page, select the **Download** button.
-3. On the **Download agent** page, select **Accept terms and download**.
+3. On the **Download agent** page, select **Accept terms and download**.f
More authentication agents start to download. Install the secondary authentication agent on a domain-joined server.
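Review bot: stray character at the end of "select **Accept terms and download**.f"; the trailing "f" is an editing typo and should be removed so the step ends at the period.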
For most customers, two or three authentication agents are sufficient to provide
*Available if you didn't initially configure your federated domains by using Azure AD Connect or if you're using third-party federation services.*
-On your Azure AD Connect server, follow the steps 1- 5 in [Option A](#option-a). You will notice that on the User sign-in page, the **Do not configure** option is pre-selected.
+On your Azure AD Connect server, follow the steps 1- 5 in [Option A](#option-a). Notice that on the User sign-in page, the **Do not configure** option is preselected.
![ See Do not Configure option on the user sign-in page](media/deploy-cloud-user-authentication/do-not-configure-on-user-sign-in-page.png)
Follow the steps in this link - [Validate sign-in with PHS/ PTA and seamless SSO
### Remove a user from staged rollout
-If you used staged rollout, you should remember to turn off the staged rollout features once you have finished cutting over.
+If you used staged rollout, you should remember to turn off the staged rollout features once you've finished cutting over.
**To disable the staged rollout feature, slide the control back to Off.**
If you used staged rollout, you should remember to turn off the staged rollout f
Historically, updates to the **UserPrincipalName** attribute, which uses the sync service from the on-premises environment, are blocked unless both of these conditions are true:
- - The user is in a managed (non-federated) identity domain.
+ - The user is in a managed (nonfederated) identity domain.
- The user hasn't been assigned a license. To learn how to verify or turn on this feature, see [Sync userPrincipalName updates](how-to-connect-syncservice-features.md).
For more information, see ΓÇô
### Remove relying party trust
-If you have Azure AD Connect Health, you can [monitor usage](how-to-connect-health-adfs.md) from the Azure portal. In case the usage shows no new auth req and you validate that all users and clients are successfully authenticating via Azure AD, it's safe to remove the Microsoft 365 relying party trust.
+If you've Azure AD Connect Health, you can [monitor usage](how-to-connect-health-adfs.md) from the Azure portal. In case the usage shows no new auth req and you validate that all users and clients are successfully authenticating via Azure AD, it's safe to remove the Microsoft 365 relying party trust.
If you don't use AD FS for other purposes (that is, for other relying party trusts), you can decommission AD FS at this point. ### Remove AD FS
-For a full list of steps to take to completely remove AD FS from the environment follow the [Active Directory Federation Services (AD FS) decommision guide](/windows-server/identity/ad-fs/decommission/adfs-decommission-guide).
+For a full list of steps to take to completely remove AD FS from the environment follow the [Active Directory Federation Services (AD FS) decommission guide](/windows-server/identity/ad-fs/decommission/adfs-decommission-guide).
## Next steps
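Review bot: "If you've Azure AD Connect Health" is ungrammatical because "have" is the main verb here, not an auxiliary, so the contraction does not work; keep "If you have Azure AD Connect Health" as in the removed line. In the same sentence "no new auth req" is an abbreviation a reader may not parse; spell it out as "no new authentication requests" while the line is being touched.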
active-directory Configure Admin Consent Workflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-admin-consent-workflow.md
In this article, you'll learn how to configure the admin consent workflow to ena
The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.
-To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.
+To approve requests, a reviewer must have the [permissions required](grant-admin-consent.md#prerequisites) to grant admin consent for the application requested. Simply designating them as a reviewer doesn't elevate their privileges.
## Prerequisites
To enable the admin consent workflow and choose reviewers:
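Review bot: replacing the explicit list of reviewer roles (global administrator, cloud application administrator, application administrator) with a link to `grant-admin-consent.md#prerequisites` makes the reviewer requirement depend entirely on that anchor; confirm the `#prerequisites` heading exists in the target page, and consider keeping a one-line summary of which roles qualify so readers can check a reviewer's eligibility without leaving the page.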
1. Select **Save**. It can take up to an hour for the workflow to become enabled. > [!NOTE]
-> You can add or remove reviewers for this workflow by modifying the **Who can review admin consent requests** list. A current limitation of this feature is that a reviewer can retain the ability to review requests that were made while they were designated as a reviewer.
+> You can add or remove reviewers for this workflow by modifying the **Who can review admin consent requests** list. A current limitation of this feature is that a reviewer retains the ability to review requests that were made while they were designated as a reviewer. Additionally, new reviewers will not be assigned to requests that were created before they were set as a reviewer.
## Configure the admin consent workflow using Microsoft Graph
active-directory Configure Authentication For Federated Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md
Some organizations configure domains in their Azure AD tenant to federate with a
For federated users with cloud-enabled credentials, such as SMS sign-in or FIDO keys, you should prevent sign-in auto-acceleration. See [Disable auto-acceleration sign-in](prevent-domain-hints-with-home-realm-discovery.md) to learn how to prevent domain hints with HRD.
+> [!IMPORTANT]
+> Starting April 2023, organizations who use auto-acceleration or smartlinks may begin to see a new screen added to the sign-in UI. This screen, termed the Domain Confirmation Dialog, is part of Microsoft's general commitment to security hardening and requires the user to confirm the domain of the tenant in which they are signing in to. If you see the Domain Confirmation Dialog and do not recognize the tenant domain listed, you should cancel the authentication flow and contact your IT Admin.
+>
+> While the Domain Confirmation Dialog does not need to be shown for every instance of auto-acceleration or smartlinks, the presence of the Domain Confirmation Dialog means auto-acceleration and smartlinks can no longer proceed seamlessly when shown. Finally, given Microsoft identity platform manages the auto-acceleration sign-in flow end-to-end, the introduction of the Domain Confirmation Dialog should not result in any application breakages.
+ ## Prerequisites To configure HRD policy for an application in Azure AD, you need:
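Review bot: in the new important note, "confirm the domain of the tenant in which they are signing in to" doubles the preposition; "the domain of the tenant they are signing in to" reads correctly. Separately, the added line "+ ## Prerequisites To configure HRD policy for an application in Azure AD, you need:" has a leading space before the heading marker and the first body sentence on the same line as the heading, so the heading will not render; put "## Prerequisites" on its own line at column 1 with the sentence on the following line.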
active-directory F5 Big Ip Forms Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-forms-advanced.md
Title: Configure F5 BIG-IPΓÇÖs Access Policy Manager for form-based SSO
+ Title: Configure F5 BIG-IP Access Policy Manager for form-based SSO
description: Learn how to configure F5's BIG-IP Access Policy Manager and Azure Active Directory for secure hybrid access to form-based applications. Previously updated : 10/20/2021 Last updated : 03/27/2023 # Configure F5 BIG-IP Access Policy Manager for form-based SSO
-In this article, you'll learn how to configure F5's BIG-IP Access Policy Manager (APM) and Azure Active Directory (Azure AD) for secure hybrid access to form-based applications.
+Learn to configure F5 BIG-IP Access Policy Manager (APM) and Azure Active Directory (Azure AD) for secure hybrid access (SHA) to form-based applications. BIG-IP published services for Azure AD single sign-on (SSO) has benefits:
-Enabling BIG-IP published services for Azure Active Directory (Azure AD) SSO provides many benefits, including:
+* Improved Zero Trust governance through Azure AD preauthentication and Conditional Access
+ * See [What is Conditional Access?](../conditional-access/overview.md)
+ * See [Zero Trust security](../../security/fundamentals/zero-trust.md)
+* Full SSO between Azure AD and BIG-IP published services
+* Managed identities and access from one control plane
+ * See the [Azure portal](https://azure.microsoft.com/features/azure-portal)
-- Improved Zero Trust governance through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)-- Full single sign-on (SSO) between Azure AD and BIG-IP published services-- Identities and access are managed from a single control plane, the [Azure portal](https://azure.microsoft.com/features/azure-portal/)
+Learn more:
-To learn about all the benefits, see [Integrate F5 BIG-IP with Azure Active Directory](f5-aad-integration.md) and [What is application access and single sign-on with Azure AD?](../active-directory-appssoaccess-whatis.md).
+* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)
+* [Enable SSO for an enterprise application](add-application-portal-setup-sso.md)
## Scenario description
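Review bot: subject and verb disagree in the rewritten intro, "BIG-IP published services for Azure AD single sign-on (SSO) has benefits:"; either "BIG-IP published services ... have benefits:" or "Publishing BIG-IP services with Azure AD single sign-on (SSO) has benefits:". The new sub-bullets also reduce the old inline links to bare "See ..." items; that works, but "See the [Azure portal]" under "Managed identities and access from one control plane" no longer states that the portal is the control plane, which was the point of the original sentence.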
-For this scenario, we have an internal legacy application that's configured for basic form-based authentication (FBA).
+For the scenario, there's an internal legacy application configured for form-based authentication (FBA). Ideally, Azure AD manages application access, because legacy lacks modern authentication protocols. Modernization takes time and effort, introducing the risk of downtime. Instead, deploy a BIG-IP between the public internet and the internal application. This configuration gates inbound access to the application.
-Ideally, application access should be managed directly by Azure AD but being legacy it lacks any form of modern authentication protocol. Modernization would take considerable effort and time, introducing inevitable costs and risk of potential downtime. Instead, a BIG-IP deployed between the public internet and the internal application will be used to gate inbound access to the application.
+With a BIG-IP in front of the application, you can overlay the service with Azure AD preauthentication and header-based SSO. The overlay improves application security posture.
-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application.
+## Scenario architecture
+The SHA solution has the following components:
-## Scenario Architecture
+* **Application** - BIG-IP published service protected by SHA.
+ * The application validates user credentials against Active Directory
+ * Use any directory, including Active Directory Lightweight Directory Services, open source, and so on
+* **Azure AD** - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SSO to the BIG-IP.
+ * With SSO, Azure AD provides attributes to the BIG-IP, including user identifiers
+* **BIG-IP** - reverse-proxy and SAML service provider (SP) to the application.
+ * BIG-IP delegating authentication to the SAML IdP then performs header-based SSO to the back-end application.
+ * SSO uses the cached user credentials against other forms-based authentication applications
-The secure hybrid access solution for this scenario is made up of:
+SHA supports SP- and IdP-initiated flows. The following diagram illustrates the SP-initiated flow.
-**Application**: BIG-IP published service to be protected by and Azure AD SHA. This particular application validates user credentials against Active Directory, but it could be any directory, including Active Directory Lightweight Directory Services, open source, and so on.
+ ![Diagram of the service-provider initiated flow.](./media/f5-big-ip-forms-advanced/flow-diagram.png)
-**Azure AD**: Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required attributes including a user identifier.
-
-**BIG-IP**: Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the backend application. The cached user credentials are then available for SSO against other forms-based authentication applications.
-
-SHA for this scenario supports both SP and IdP initiated flows. The following image illustrates the SP initiated flow.
-
-![Screenshot of the flow diagram, from user to application.](./media/f5-big-ip-forms-advanced/flow-diagram.png)
-
-| Step | Description|
-|-: |:-|
-| 1 | User connects to application endpoint (BIG-IP).|
-| 2 | BIG-IP APM access policy redirects user to Azure AD (SAML IdP).|
-| 3 | Azure AD pre-authenticates user and applies any enforced CA policies.|
-| 4 | User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token. |
-| 5 | BIG-IP prompts the user for an application password and stores it in the cache. |
-| 6 | BIG-IP sends a request to the application and receives a logon form.|
-| 7 | The APM scripting auto responds, filling in the username and password before it submits the form.|
-| 8 | The application payload is served by the web server and sent to the client. |
-| | |
+1. User connects to application endpoint (BIG-IP).
+2. BIG-IP APM access policy redirects user to Azure AD (SAML IdP).
+3. Azure AD preauthenticates user and applies enforced Conditional Access policies.
+4. User is redirected to BIG-IP (SAML SP) and SSO occurs using issued SAML token.
+5. BIG-IP prompts the user for an application password and stores it in the cache.
+6. BIG-IP sends a request to the application and receives a sign on form.
+7. The APM scripting fills in the username and password, then submits the form.
+8. The web server serves application payload and sends it to the client.
## Prerequisites
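Review bot: "because legacy lacks modern authentication protocols" uses "legacy" as a noun; "because the legacy application lacks modern authentication protocols" is what the removed line said. In the numbered flow, step 6 "receives a sign on form" should be hyphenated as "sign-on form", and step 4 "SSO occurs using issued SAML token" is missing the article ("the issued SAML token").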
-Prior BIG-IP experience is not necessary, but you'll need:
--- An Azure AD free subscription or above--- An existing BIG-IP, or [deploy BIG-IP Virtual Edition (VE) in Azure](f5-bigip-deployment-guide.md).--- Any of the following F5 BIG-IP license SKUs:-
- - F5 BIG-IP Best bundle
- - F5 BIG-IP Access Policy Manager (APM) standalone license
- - F5 BIG-IP Access Policy Manager (APM) add-on license on existing BIG-IP F5 BIG-IP Local Traffic Manager (LTM)
- - 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php)
--- User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD.--- An account with Azure AD Application Admin [permissions](../roles/permissions-reference.md#application-administrator).--- [An SSL certificate](f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default certificates during testing.
+You need the following components:
-- An existing form-based authentication application, or [set up an IIS FBA app](/troubleshoot/aspnet/forms-based-authentication) for testing.
+* An Azure subscription
+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* For the account, have Azure AD Application Administrator permissions
+* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure
+ * See [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md)
+* Any of the following F5 BIG-IP license SKUs:
+ * F5 BIG-IP® Best bundle
+ * F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license
+ * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
+ * 90-day BIG-IP full feature trial. See [Free Trials](https://www.f5.com/trial/big-ip-trial.php)
+* User identities synchronized from an on-premises directory to Azure AD
+ * See [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)
+* An SSL certificate to publish services over HTTPS, or use default certificates while testing
+ * See [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile)
+* A form-based authentication application, or set up an IIS FBA app for testing
+ * See [Forms-based authentication](/troubleshoot/aspnet/forms-based-authentication)
-## BIG-IP configuration methods
+## BIG-IP configuration
-There are many methods to configure BIG-IP for this scenario, including a template-driven guided configuration. This article covers the advanced approach, which provides a more flexible way of implementing SHA by manually creating all BIG-IP configuration objects. You would also use this approach for more complex scenarios that the guided configuration templates don't cover.
+The configuration in this article is a flexible SHA implementation: manual creation of BIG-IP configuration objects. Use this approach for scenarios the Guided Configuration templates don't cover.
-> [!NOTE]
-> You should replace all example strings or values in this article with those for your actual environment.
+ >[!NOTE]
+ >Replace example strings or values with those from your environment.
## Register F5 BIG-IP in Azure AD
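Review bot: the added license line "F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license" contains a mis-encoded trademark symbol while the next line uses "™" and the "Best bundle" line uses "®"; pick one encoding, or drop the marks as the removed list did, so the rendered list is consistent. Also, "For the account, have Azure AD Application Administrator permissions" is awkward and loses the link to the roles reference that the removed line carried; "An account with Azure AD Application Administrator [permissions](../roles/permissions-reference.md#application-administrator)" keeps both.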
-Before BIG-IP can hand off pre-authentication to Azure AD, it must be registered in your tenant. This is the first step in establishing SSO between both entities. It's no different from making any IdP aware of a SAML relying party. In this case, the app that you create from the F5 BIG-IP gallery template is the relying party that represents the SAML SP for the BIG-IP published application.
-
-1. Sign in to the [Azure portal](https://portal.azure.com) by using an account with Application Administrator permissions.
-
-2. From the left pane, select the **Azure Active Directory** service.
-
-3. On the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant.
-
-4. On the **Enterprise applications** pane, select **New application**.
-
-5. The **Browse Azure AD Gallery** pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the **Featured applications** section have icons that indicate whether they support federated SSO and provisioning.
-
- Search for **F5** in the Azure gallery, and select **F5 BIG-IP APM Azure AD integration**.
-
-6. Provide a name for the new application to recognize the instance of the application. Select **Add/Create** to add it to your tenant.
+BIG-IP registration is the first step for SSO between entities. The app you create from the F5 BIG-IP gallery template is the relying party, representing the SAML SP for the BIG-IP published application.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrator permissions.
+2. In the left pane, select the **Azure Active Directory** service.
+3. In the left menu, select **Enterprise applications**.
+4. The **All applications** pane opens.
+5. The list of applications in your Azure AD tenant appears.
+6. On the **Enterprise applications** pane, select **New application**.
+7. The **Browse Azure AD Gallery** pane opens.
+8. Tiles appear for cloud platforms, on-premises applications, and featured applications. **Featured applications** icons indicate support of federated SSO and provisioning.
+10. In the Azure gallery, search for **F5**.
+11. Select **F5 BIG-IP APM Azure AD integration**.
+12. Enter a **Name** the new application uses to recognize the application instance.
+13. Select **Add**.
+14. Select **Create**.
### Enable SSO to F5 BIG-IP
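Review bot: the numbered registration steps jump from 8 to 10, so either renumber or restore the missing step. Steps 13 and 14 split the removed "Select **Add/Create**" into two separate selects; the original wording describes one button whose label varies, not two clicks, so a single step "Select **Add/Create**" is what the portal flow actually needs. Steps 4, 5 and 7 ("The **All applications** pane opens", "The list of applications ... appears", "The **Browse Azure AD Gallery** pane opens") are outcomes rather than actions and read better folded into the preceding step.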
-Next, configure the BIG-IP registration to fulfill SAML tokens that the BIG-IP APM requests:
-
-1. In the **Manage** section of the left menu, select **Single sign-on** to open the **Single sign-on** pane for editing.
-
-2. On the **Select a single sign-on method** page, select **SAML** followed by **No, I'll save later** to skip the prompt.
-
-3. On the **Set up single sign-on with SAML** pane, select the pen icon to edit **Basic SAML Configuration**. Make these edits:
-
- 1. Replace the predefined **Identifier** value with the full URL for the BIG-IP published application.
+Configure the BIG-IP registration to fulfill SAML tokens that BIG-IP APM requests.
- 2. Replace the **Reply URL** value but retain the path for the application's SAML SP endpoint.
-
- In this configuration, the SAML flow would operate in IdP-initiated mode. In that mode, Azure AD issues a SAML assertion before the user is redirected to the BIG-IP endpoint for the application.
+1. In left menu, in the **Manage** section, select **Single sign-on**.
+2. The **Single sign-on** pane appears.
+3. On the **Select a single sign-on method** page, select **SAML**.
+4. Select **No, I'll save later**.
+5. On the **Set up single sign-on with SAML** pane, select the **pen** icon.
+6. For **Identifier**, replace the value with the BIG-IP published application URL.
+7. For **Reply URL**, replace the value, but retain the path for the application SAML SP endpoint. With this configuration, SAML flow operates in IdP-initiated mode. Azure AD issues a SAML assertion, then the user is redirected to the BIG-IP endpoint.
+9. For SP-initiated mode, for **Sign on URL**, enter the application URL.
+10. For **Logout Url**, enter the BIG-IP APM single logout (SLO) endpoint prepended by the service host header. Then, BIG-IP APM user sessions end when they sign out of Azure AD.
- 3. To use SP-initiated mode, populate **Sign on URL** with the application URL.
+ ![Screenshot of URLs in the SAML configuration.](./media/f5-big-ip-forms-advanced/basic-saml-configuration.png)
- 4. For **Logout Url**, enter the BIG-IP APM single logout (SLO) endpoint prepended by the host header of the service that's being published. This step ensures that the user's BIG-IP APM session ends after the user is signed out of Azure AD.
+ > [!NOTE]
+ > From Traffic Management Operating System (TMOS) v16 onward, the SAML SLO endpoint is `/saml/sp/profile/redirect/slo`.
- ![Screenshot showing a basic SAML configuration.](./media/f5-big-ip-forms-advanced/basic-saml-configuration.png)
+11. Select **Save**.
+12. Close the SAML configuration pane.
+13. Skip the SSO test prompt.
+14. Make a note of the **User Attributes & Claims** section properties. Azure AD issues the properties for BIG-IP APM authentication, and SSO to the back-end application.
+15. On the **SAML Signing Certificate** pane, select **Download**.
+16. The **Federation Metadata XML** file is saved to your computer.
- > [!NOTE]
- > From TMOS v16, the SAML SLO endpoint has changed to **/saml/sp/profile/redirect/slo**.
+ ![Screenshot a Download option under SAML Signing Certificate.](./media/f5-big-ip-forms-advanced/saml-certificate.png)
-4. Select **Save** before closing the SAML configuration pane and skip the SSO test prompt.
+ > [!NOTE]
+ > Azure AD SAML signing certificates have a lifespan of three years.
-5. Note the properties of the **User Attributes & Claims** section. Azure AD will issue these properties to users for BIG-IP APM authentication and for SSO to the back-end application.
-
-6. On the **SAML Signing Certificate** pane, select **Download** to save the **Federation Metadata XML** file to your computer.
-
- ![Screenshot of the 'Federation Metadata XML' download link.](./media/f5-big-ip-forms-advanced/saml-certificate.png)
-
-SAML signing certificates created by Azure AD have a lifespan of three years. For more information, see [Managed certificates for federated single sign-on](./manage-certificates-for-federated-single-sign-on.md).
+Learn more: [Tutorial: Manage certificates for federated single sign-on](tutorial-manage-certificates-for-federated-single-sign-on.md)
### Assign users and groups
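Review bot: the SSO configuration steps skip number 8 (7 goes straight to 9). The "Learn more" link target changed from `manage-certificates-for-federated-single-sign-on.md` to `tutorial-manage-certificates-for-federated-single-sign-on.md`; confirm the new file exists in the repo before merging, since a missing relative link fails the docs build. Minor: the alt text "Screenshot a Download option under SAML Signing Certificate" is missing "of".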
-By default, Azure AD will issue tokens only for users who have been granted access to an application. To grant specific users and groups access to the application:
+Azure AD issues tokens for users granted access to an application. To grant specific users and groups application access:
1. On the **F5 BIG-IP application's overview** pane, select **Assign Users and groups**.- 2. Select **+ Add user/group**.
+3. Select the users and groups you want.
+4. Select **Assign**.
-3. Select users and groups, and then select **Assign** to assign them to your application.
-
-## BIG-IP Advanced configuration
+## BIG-IP advanced configuration
-Now you can proceed with setting up the BIG-IP configurations.
+Use the following instructions to configure BIG-IP.
### Configure SAML service provider settings
-SAML service provider settings define the SAML SP properties that the APM will use for overlaying the legacy application with SAML pre-authentication. To configure them:
+SAML SP settings define the SAML SP properties that the APM uses to overlay the legacy application with SAML preauthentication. To configure them:
-1. Select **Access** > **Federation** > **SAML Service Provider** > **Local SP Services**, and then select **Create**.
+1. Select **Access** > **Federation** > **SAML Service Provider**.
+2. Select **Local SP Services**.
+3. Select **Create**.
- ![Screenshot showing the F5 forms configuration.](./media/f5-big-ip-forms-advanced/f5-forms-configuration.png)
+ ![Screenshot of the Create option on the the SAML Service Provider tab.](./media/f5-big-ip-forms-advanced/f5-forms-configuration.png)
-1. On the **Create New SAML SP Service** pane, provide a name and the same entity ID that you defined earlier in Azure AD.
+4. On the **Create New SAML SP Service** pane, for **Name** and **Entity ID**, enter the defined name and entity ID.
- ![Screenshot of the 'Create New SAML SP Service' pane, showing the name and entity ID of the new SAML service provider service.](./media/f5-big-ip-forms-advanced/saml-sp-service.png)
+ ![Screenshot of the Name and Entity ID fields under Create New SAML SP Service.](./media/f5-big-ip-forms-advanced/saml-sp-service.png)
- The values in the **SP Name Settings** section are required only if the entity ID isn't an exact match of the hostname portion of the published URL or, equally, if the entity ID isn't in regular hostname-based URL format. Provide the external scheme and hostname of the application that's being published if the entity ID is *urn:myvacation:contosoonline*.
+ > [!NOTE]
+ > **SP Name Settings** values are required if the entity ID doesn't match the hostname portion of the published URL. Or, values are required if the entity ID isn't in regular hostname-based URL format.
-### Configure an external IdP connector
+5. If the entity ID is `urn:myvacation:contosoonline`, enter the application external scheme and hostname.
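Review bot: the added step "If the entity ID is `urn:myvacation:contosoonline`, enter the application external scheme and hostname" turns what was an example into a condition on one specific value; the removed line meant "if the entity ID is in URN form, for example `urn:myvacation:contosoonline`". Suggest "If the entity ID is in URN format, for example `urn:myvacation:contosoonline`, enter the external scheme and hostname of the published application", which also matches the note above it. Also, the alt text "on the the SAML Service Provider tab" has a duplicated "the".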
-A SAML IdP connector defines the settings that are required for the BIG-IP APM to trust Azure AD as its SAML IdP. These settings map the SAML service provider to a SAML IdP, which establishes the federation trust between the APM and Azure AD. To configure the connector:
+### Configure an external IdP connector
-1. Select the new SAML service provider object, and then select **Bind/UnbBind IdP Connectors**.
+A SAML IdP connector defines settings for the BIG-IP APM to trust Azure AD as its SAML IdP. The settings connect the SAML service provider to a SAML IdP, which establishes the federation trust between the APM and Azure AD.
- ![Screenshot showing local service provider services and the 'Bind/Unbind IdP Connectors' button.](./media/f5-big-ip-forms-advanced/local-services.png)
+To configure the connector:
-1. In the **Create New IdP Connector** dropdown list, select **From Metadata**.
+1. Select the new SAML service provider object.
+2. Select **Bind/UnbBind IdP Connectors**.
- ![Screenshot showing the 'From Metadata' option in the 'Create New IdP Connector' dropdown list.](./media/f5-big-ip-forms-advanced/from-metadata.png)
-
-1. On the **Create New SAML IdP Connector** pane, browse for the Federation Metadata XML file that you downloaded earlier, and then provide an **Identity Provider Name** for the APM object that will represent the external SAML IdP (for example, *MyVacation\_AzureAD*).
+ ![Screenshot of the Bind Unbind IdP Connectors option on the SAML Service Provider tab.](./media/f5-big-ip-forms-advanced/local-services.png)
- ![Screenshot of the 'Create New SAML IdP Connector' pane for creating a new IdP SAML connector.](./media/f5-big-ip-forms-advanced/new-idp-saml-connector.png)
+3. In the **Create New IdP Connector** list, select **From Metadata**.
-1. Select **Add New Row** to choose the new **SAML IdP Connector**, and then select **Update**.
+ ![Screenshot of the From Metadata option in the Create New IdP Connector dropdown list.](./media/f5-big-ip-forms-advanced/from-metadata.png)
- ![Screenshot showing how to add a new row.](./media/f5-big-ip-forms-advanced/add-new-row.png)
-
-1. Select **OK** to save your settings.
+4. On the **Create New SAML IdP Connector** pane, browse for the Federation Metadata XML file you downloaded.
+5. Enter an **Identity Provider Name** for the APM object that represents the external SAML IdP. For example, MyVacation\_AzureAD.
- ![Screenshot of the 'Edit SAML IdPs that use this SP' pane.](./media/f5-big-ip-forms-advanced/edit-saml-idp-using-sp.png)
+ ![Screenshot of Select File and Identity Provider name fields on Create New SAML IdP Connector.](./media/f5-big-ip-forms-advanced/new-idp-saml-connector.png)
-### Configure Forms-based SSO
+6. Select **Add New Row**.
+7. Select the new **SAML IdP Connector**.
+8. Select **Update**.
+
+ ![Screenshot of the Update option.](./media/f5-big-ip-forms-advanced/add-new-row.png)
-In this section, you create an APM SSO object for performing FBA SSO to back-end applications.
+9. Select **OK**.
-You can perform FBA SSO in either client-initiated mode or by the BIG-IP itself. Both methods emulate a user logon by injecting credentials into the username and password tags before auto submitting the form. The flow is almost transparent, except that users have to provide their password once when they access an FBA application. The password is then cached for reuse across other FBA applications.
+ ![Screenshot of the Edit SAML IdPs that use this SP dialog.](./media/f5-big-ip-forms-advanced/edit-saml-idp-using-sp.png)
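Review bot: the typo "Bind/UnbBind IdP Connectors" is carried over from the removed line into the added step 2; the screenshot alt text two lines below already spells it "Bind Unbind", so the step should read "Select **Bind/Unbind IdP Connectors**".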
-This covers the APM approach, which manages SSO directly for the back-end application.
+### Configure forms-based SSO
-Select **Access** > **Single Sign-on** > **Forms Based**, select **Create**, and then provide the following values:
+Create an APM SSO object for FBA SSO to back-end applications.
-|Property | Description |
-|:|:|
-| Name | Use a descriptive name for the configuration, because an SSO APM object can be reused by other published applications. For example, use *Contoso\FBA\sso*.|
-| Use SSO Template | None |
-| Username Source | The preferred username source for pre-filling the password collection form. You can use any APM session variable, but the default *session.sso.token.last.username* tends to work best, because it contains the logged-in users' Azure AD UPN. |
-| Password Source | Keep the default *session.sso.token.last.password*, it's the APM variable that the BIG-IP will use to cache the password that's provided by users. |
-| | |
+Perform FBA SSO in client-initiated mode or BIG-IP-initiated mode. Both methods emulate a user sign-on by injecting credentials into the username and password tags. The form is then autosubmitted. Users provide password to access an FBA application. The password is cached and reused for other FBA applications.
-![Screenshot showing a new SSO configuration.](./media/f5-big-ip-forms-advanced/new-sso-configuration.png)
+1. Select **Access** > **Single Sign-on**.
+2. Select **Forms Based**.
+3. Select **Create**.
+4. For **Name**, enter a descriptive name. For example, Contoso\FBA\sso.
+5. For **Use SSO Template**, select **None**.
+6. For **Username Source**, enter the username source to prefill the password collection form. The default `session.sso.token.last.username` works well, because it has the signed-in user Azure AD UPN.
+7. For **Password Source**, keep the default `session.sso.token.last.password`, the APM variable BIG-IP uses to cache user passwords.
-|Property | Description |
-|:|:|
-| Start URI | The logon URI of your FBA application. The APM form-based authentication executes SSO when the request URI matches this URI value.|
-| Form Actions | Leave this value blank so that the original request URL is used for SSO. |
-| Form Parameter for Username | The element name of your logon form's username field. Use your browser's dev tools to determine this.|
-| Form Parameter for Password | The element name of your logon form's password field. Use your browser's dev tools to determine this.|
-| | |
+ ![Screenshot of Name and Use SSO Template options under New SSO Configuration.](./media/f5-big-ip-forms-advanced/new-sso-configuration.png)
-![Screenshot of the SSO Method Configuration pane.](./media/f5-big-ip-forms-advanced/sso-method-configuration.png)
+8. For **Start URI**, enter the FBA application logon URI. If the request URI matches this URI value, the APM form-based authentication executes SSO.
+9. For **Form Action**, leave it blank. Then, the original request URL is used for SSO.
+10. For **Form Parameter for Username**, enter the sign in form username field element. Use the browser dev tools to determine the element.
+11. For **Form Parameter for Password**, enter the sign in form password field element. Use the browser dev tools to determine the element.
-![Screenshot of the Contoso 'My Vacation logon' webpage.](./media/f5-big-ip-forms-advanced/contoso-example.png)
+ ![Screenshot of Start URI, Form Parameter For User Name, and Form Parameter For Password fields.](./media/f5-big-ip-forms-advanced/sso-method-configuration.png)
-For more information about configuring an APM for FBA SSO, go to the F5 [Single Sign-On Methods](https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration-14-1-0/single-sign-on-methods.html#GUID-F8588DF4-F395-4E44-881B-8D16EED91449) site.
+ ![Screenshot of the sign in page with callouts for username field and password field.](./media/f5-big-ip-forms-advanced/contoso-example.png)
-### Configure an Access profile
+To learn more, go to techdocs.f5.com for [Manual Chapter: Single sign-on methods](https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration-14-1-0/single-sign-on-methods.html#GUID-F8588DF4-F395-4E44-881B-8D16EED91449).
-An access profile binds many APM elements managing access to BIG-IP virtual servers, including access policies, SSO configuration, and UI settings.
+### Configure an access profile
-1. Select **Access** > **Profiles / Policies** > **Access Profiles (Per-Session Policies)** > **Create**, and then provide the following values:
+An access profile binds the APM elements that manage access to BIG-IP virtual servers, including access policies, SSO configuration, and UI settings.
- | Property | Description |
- |:--|:-|
- | Name | For example, *MyVacation* |
- |Profile Type | All |
- | SSO Configuration | The FBA SSO configuration object you just created|
- |Accepted Language | Add at least one language|
- | | |
+1. Select **Access** > **Profiles / Policies**.
+2. Select **Access Profiles (Per-Session Policies)**.
+3. Select **Create**.
+4. Enter a **Name**.
+5. For **Profile Type**, select **All**.
+6. For **SSO Configuration**, select the FBA SSO configuration object you created.
+7. For **Accepted Language**, select at least one language.
- ![Screenshot showing how to create a new access profile.](./media/f5-big-ip-forms-advanced/create-new-access-profile.png)
+ ![Screenshot of options and selections on Access Profiles Per Session Policies, New Profile.](./media/f5-big-ip-forms-advanced/create-new-access-profile.png)
-1. Modify the session policy to present a logon page with the username pre-filled. To launch the APM Visual Policy Editor, select the **Edit** link next to the per-session profile you just created.
+8. In the **Per-Session Policy** column, for the profile, select **Edit**.
+9. The APM Visual Policy Editor starts.
- ![Screenshot showing edit per-session policy](./media/f5-big-ip-forms-advanced/edit-per-session-policy.png)
+ ![Screenshot of the Edit option in the Per-Session Policy column.](./media/f5-big-ip-forms-advanced/edit-per-session-policy.png)
-1. In the APM Visual Policy Editor, select the **+** sign next to the
- fallback.
+10. Under **fallback**, select the **+** sign.
- ![Screenshot of the APM Visual Policy Editor showing the plus sign (+) next to the fallback.](./media/f5-big-ip-forms-advanced/vpe-launched.png)
+ ![Screenshot of the APM Visual Policy Editor plus-sign option under fallback.](./media/f5-big-ip-forms-advanced/vpe-launched.png)
-1. In the pop-up window, select **Authentication**, select **SAML Auth**, and then select **Add Item**.
+11. In the pop-up, select **Authentication**.
+12. Select **SAML Auth**.
+13. Select **Add Item**.
- ![Screenshot showing the 'SAML Auth' control selected and the 'Add Items' button.](./media/f5-big-ip-forms-advanced/saml-auth-add-item.png)
+ ![Screenshot of the SAML Auth option.](./media/f5-big-ip-forms-advanced/saml-auth-add-item.png)
-1. On the **SAML authentication SP** configuration pane, change the name to **Azure AD Auth** and then, in the **AAA Server** dropdown list, enter the SAML service provider object that you created earlier.
+14. On **SAML authentication SP**, change the **Name** to **Azure AD Auth**.
+15. In the **AAA Server** dropdown, enter the SAML service provider object you created.
![Screenshot showing the Azure AD Authentication server settings.](./media/f5-big-ip-forms-advanced/azure-ad-auth-server.png)
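Review bot: steps 10 and 11 ask for "the sign in form username field element", but the value APM needs is the form field's `name` attribute, which the removed table stated precisely ("The element name of your logon form's username field"). Suggest "For **Form Parameter for Username**, enter the `name` attribute of the sign-in form's username field." and the same wording for the password field in step 11. Also, the opening paragraph says the password "is cached and reused for other FBA applications" without saying where it lives; step 7 shows it is held in the APM session variable `session.sso.token.last.password`, so stating in that paragraph that the cache is scoped to the user's APM session (and goes away with it) would make the security scope of the reuse clear to the reader.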
-1. Select the **+** sign on the **Successful** branch.
-
-1. In the pop-up window, select **Authentication**, select **Logon Page**, and then select **Add Item**.
+16. On the **Successful** branch, select the **+** sign.
+17. In the pop-up, select **Authentication**.
+18. Select **Logon Page**.
+19. Select **Add Item**.
- ![Screenshot shows logon page settings](./media/f5-big-ip-forms-advanced/logon-page.png)
+ ![Screenshot of the Logon Page option on the Logon tab.](./media/f5-big-ip-forms-advanced/logon-page.png)
-1. In the **Read Only** column for the **username** field, in the dropdown list, select **Yes**.
+20. For **usesrname**, in the **Read Only** column, select **Yes**.
- ![Screenshot showing the username 'Read Only' option changed to 'Yes'.](./media/f5-big-ip-forms-advanced/set-read-only-as-yes.png)
+ ![Screenshot of the Yes option in the username row on the Properties tab.](./media/f5-big-ip-forms-advanced/set-read-only-as-yes.png)
-1. Add an SSO Credential Mapping object by selecting the plus sign (**+**) for the logon page fallback.
+21. For the sign in page fallback, select the **+** sign. This action adds an SSO credential mapping object.
-1. In the pop-up window, select the **Assignment** tab, select **SSO Credential Mapping**, and then select **Add Item**.
+22. In the pop-up, select the **Assignment** tab.
+23. Select **SSO Credential Mapping**.
+24. Select **Add Item**.
- ![Screenshot showing the 'SSO Credential Mapping' option and its description.](./media/f5-big-ip-forms-advanced/sso-credential-mapping.png)
+ ![Screenshot of the SSO Credential Mapping option on the Assignment tab.](./media/f5-big-ip-forms-advanced/sso-credential-mapping.png)
-1. On the **Variable Assign: SSO Credential Mapping** pane, keep the default settings, and then select **Save**.
+25. On **Variable Assign: SSO Credential Mapping**, keep the default settings.
+26. Select **Save**.
- ![Screenshot showing the 'Save' button on the 'Variable Assign: SSO Credential Mapping' pane.](./media/f5-big-ip-forms-advanced/save-sso-credential-mapping.png)
+ ![Screenshot of the Save option on the Properties tab.](./media/f5-big-ip-forms-advanced/save-sso-credential-mapping.png)
-1. Select the link in the upper **Deny** box to change the **Successful** branch to **Allow**, and then select **Save**.
+27. In the upper **Deny** box, select the link.
+28. The **Successful** branch changes to **Allow**.
+29. Select **Save**.
- **(Optional) Configure attribute mappings**
+#### (Optional) Configure attribute mappings
- Although it's optional, adding a LogonID_Mapping configuration enables the BIG-IP active sessions list to display the UPN of the logged-in user instead of a session number. This information is useful when you're analyzing logs or troubleshooting.
+You can add a LogonID_Mapping configuration. Then, the BIG-IP active sessions list has the signed-in user UPN, not a session number. Use this information for analyzing logs or troubleshooting.
-1. Select the plus (**+**) symbol for the **SAML Auth Successful** branch.
+1. For the **SAML Auth Successful** branch, select the **+** sign.
+2. In the pop-up, select **Assignment**.
+3. Select **Variable Assign**.
+4. Select **Add Item**.
-1. In the pop-up dialog, select **Assignment** > **Variable Assign** > **Add Item**.
+ ![Screenshot of the Variable Assign option on the Assignment tab.](./media/f5-big-ip-forms-advanced/variable-assign.png)
- ![Screenshot showing the 'Variable Assign' option and its description.](./media/f5-big-ip-forms-advanced/variable-assign.png)
+5. On the **Properties** tab, enter a **Name**. For example, LogonID_Mapping.
+6. Under **Variable Assign**, select **Add new entry**.
+7. Select **change**.
-1. On the **Properties** pane, enter a descriptive name (for example,
-*LogonID_Mapping*) and, under **Variable Assign**, select **Add new entry** > **change**.
+ ![Screenshot of the Add new entry option and the change option.](./media/f5-big-ip-forms-advanced/add-new-entry.png)
- ![Screenshot showing the 'Add new entry' field.](./media/f5-big-ip-forms-advanced/add-new-entry.png)
+8. For **Custom Variable**, use `session.logon.last.username`.
+9. For Session Variable, user `session.saml.last.identity`.
+10. Select **Finished**.
+11. Select **Save**.
+12. Select **Apply Access Policy**.
+13. Close the Visual Policy Editor.
-1. Set both variables:
-
- | Property | Description |
- |:--|:-|
- | Custom Variable | `session.logon.last.username` |
- | Session Variable | `session.saml.last.identity`|
- | | |
-
-1. Select **Finished** > **Save**.
-
-1. Commit those settings by selecting **Apply Access Policy** and then close the Visual Policy Editor.
-
- ![Screenshot showing the 'Apply Access Policy' pane.](./media/f5-big-ip-forms-advanced/apply-access-policy.png)
+ ![Screenshot of of the access policy on Apply Access Policy.](./media/f5-big-ip-forms-advanced/apply-access-policy.png)
### Configure a back-end pool
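Review bot: step 20 has a typo, "usesrname" should be "username". In the attribute-mapping list, step 9 reads "For Session Variable, user `session.saml.last.identity`", where "user" should be "use" and **Session Variable** should be bold to match **Custom Variable** in step 8, and the final alt text has a doubled "of of". Step 28 ("The **Successful** branch changes to **Allow**") describes the result of step 27 rather than an action; fold it into step 27 as the removed text did: "In the upper **Deny** box, select the link to change the **Successful** branch to **Allow**, and then select **Save**."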
-For the BIG-IP to know where to forward client traffic, you need to create a BIG-IP node object that represents the back-end server that hosts your application. Then, place that node in a BIG-IP server pool.
-
-1. Select **Local Traffic** > **Pools** > **Pool List** > **Create** and provide a name for a server pool object. For example, enter **MyApps_VMs**.
+To enable BIG-IP to forward client traffic correctly, create a BIG-IP node object that represents the back-end server that hosts your application. Then, place that node in a BIG-IP server pool.
- ![Screenshot shows pool list](./media/f5-big-ip-forms-advanced/pool-list.png)
+1. Select **Local Traffic** > **Pools**.
+2. Select **Pool List**.
+3. Select **Create**.
+4. Enter a **Name** for a server pool object. For example, MyApps_VMs.
-1. Add a pool member object with the following resource details:
+ ![Screenshot of the Name field under New Pool.](./media/f5-big-ip-forms-advanced/pool-list.png)
- | Property | Description |
- |:--|:-|
- | Node Name: | Optional display name for the server that hosts the back-end web application |
- | Address: | IP address of the server that hosts the application |
- | Service Port: | HTTP/S port that the application is listening on |
- | | |
+5. For **Node Name**, enter a server display name. This server hosts the back-end web application.
+6. For **Address**, enter the application server host IP address.
+7. For **Service Port** enter the HTTP/S port the application is listening on.
- ![Screenshot showing the pool member properties.](./media/f5-big-ip-forms-advanced/pool-member.png)
+ ![Screenshot of the Node Name, Address, Service Port fields and the Add option.](./media/f5-big-ip-forms-advanced/pool-member.png)
->[!NOTE]
->Health monitors require [additional configuration](https://support.f5.com/csp/article/K13397) that this article doesn't cover.
+ >[!NOTE]
+ >Health monitors require configuration this article doesn't cover. Go to support.f5.com for [K13397: Overview of HTTP health monitor request formatting for the BIG-IP DNS system](https://support.f5.com/csp/article/K13397).
### Configure a virtual server
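Review bot: step 5 makes **Node Name** look required, but the removed table described it as an "Optional display name"; suggest "For **Node Name**, optionally enter a display name for the server that hosts the back-end web application." Step 7 also needs a comma after **Service Port**.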
-A *virtual server* is a BIG-IP data-plane object that's represented by a virtual IP address that listens for client requests to the application. Any received traffic is processed and evaluated against the APM access profile that's associated with the virtual server. The traffic is then directed according to the policy results and settings.
+A virtual server is a BIG-IP data-plane object represented by a virtual IP address. The server listens for client requests to the application. Any received traffic is processed and evaluated against the APM access profile associated with the virtual server. The traffic is directed according to policy.
To configure a virtual server:
-1. Select **Local Traffic** > **Virtual Servers** > **Virtual Server List** > **Create**.
+1. Select **Local Traffic** > **Virtual Servers**.
+2. Select **Virtual Server List**.
+3. Select **Create**.
+4. Enter a **Name**.
+5. For **Destination Address/Mask**, select **Host** and enter an IPv4 or IPv6 address. The address receives client traffic for the published back-end application.
+6. For **Service Port**, select **Port**, enter **443**, and select **HTTPS**.
-3. Provide the virtual server with a Name value and an IPv4/IPv6 address that isn't already allocated to an existing BIG-IP object or device on the connected network. The IP address will be dedicated to receiving client traffic for the published back-end application. Then set Service Port to 443.
-
- ![Screenshot showing the virtual server properties.](./media/f5-big-ip-forms-advanced/virtual-server.png)
+ ![Screenshot of the Name, Destination Address, and Service Port fields and options.](./media/f5-big-ip-forms-advanced/virtual-server.png)
-3. Set **HTTP Profile (Client)** to **http**.
+7. For **HTTP Profile (Client)**, select **http**.
+8. For **SSL Profile (Client)**, select the profile you created, or leave the default for testing. This option enables a virtual server for Transport Layer Security (TLS) to publish services over HTTPS.
+
+ ![Screenshot of HTTP Profile Client and SSL Profile Client options.](./media/f5-big-ip-forms-advanced/ssl-profile.png)
-1. Enable a virtual server for Transport Layer Security to allow services to be published over HTTPS. For **SSL Profile (Client)**, select the profile that you created as part of the prerequisites. (Or leave the default if you're testing.)
+9. For **Source Address Translation**, select **Auto Map**.
- ![Screenshot showing an SSL profile.](./media/f5-big-ip-forms-advanced/ssl-profile.png)
+ ![Screenshot of the Auto Map selection for Source Address Translation.](./media/f5-big-ip-forms-advanced/auto-map.png)
-1. Change the **Source Address Translation** to **Auto Map**.
+10. Under **Access Policy**, in the **Access Profile** box, enter the name you created. This action binds the Azure AD SAML preauthentication profile and FBA SSO policy to the virtual server.
- ![Screenshot showing that 'Auto Map' is selected.](./media/f5-big-ip-forms-advanced/auto-map.png)
+ ![Screenshot of the Access Profile entry under Access Policy.](./media/f5-big-ip-forms-advanced/access-policy.png)
-1. Under **Access Policy**, in the **Access Profile** box, enter the name you created earlier. This action binds the Azure AD SAML pre-authentication profile and FBA SSO policy to the virtual server.
+11. Under **Resources**, for **Default Pool**, select the back-end pool objects you created.
+12. Select **Finished**.
- ![Screenshot showing the 'Access Policy' pane.](./media/f5-big-ip-forms-advanced/access-policy.png)
+ ![Screenshot of the Default Pool option under Resources.](./media/f5-big-ip-forms-advanced/default-pool.png)
-1. Set **Default Pool** to use the back-end pool objects that you created in the previous section. Then select **Finished**.
+### Configure session management settings
- ![Screenshot showing the 'Default Pool' setting on the 'Resources' pane.](./media/f5-big-ip-forms-advanced/default-pool.png)
+BIG-IP session management settings define conditions for sessions termination and continuation. Create policy in this area.
-### Configure Session management settings
+1. Go to **Access Policy**.
+2. Select **Access Profiles**.
+3. Select **Access Profile**.
+4. From the list, select your application.
-BIG-IP's session management settings define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and error pages. You can create your own policy here. Go to Access Policy > Access Profiles > Access Profile and select your application from the list.
+If you defined a single logout URI value in Azure AD, IdP-initiated sign out from MyApps ends the client and the BIG-IP APM session. The imported application federation metadata XML file provides the APM with the Azure AD SAML endpoint for SP-initiated sign out. Ensure the APM responds correctly to a user sign out.
-If you've defined a Single Logout URI value in Azure AD, it will ensure that an IdP-initiated sign-out from the MyApps portal also ends the session between the client and the BIG-IP APM. The imported application's federation metadata XML file provides the APM with the Azure AD SAML logout endpoint for SP-initiated sign-outs. But for this to be truly effective, the APM needs to know exactly when a user signs out.
+If there's no BIG-IP web portal, users can't instruct the APM to sign out. If the user signs out of the application, BIG-IP is oblivious. The application session can be reinstated through SSO. For SP-initiated sign out, ensure sessions terminate securely.
-Consider a scenario where a BIG-IP web portal is not used. The user has no way of instructing the APM to sign out. Even if the user signs out of the application itself, BIG-IP is technically oblivious to this, so the application session could easily be reinstated through SSO. For this reason, SP-initiated sign-out needs careful consideration to ensure that sessions are securely terminated when they're no longer required.
+You can add an SLO function to your application **sign out** button. This function redirects the client to the Azure AD SAML sign out endpoint. To locate SAML sign out endpoint, go to **App Registrations > Endpoints**.
-One way to achieve this is by adding an SLO function to your application's sign-out button. This function can redirect your client to the Azure AD SAML sign-out endpoint. You can find this SAML sign-out endpoint at App Registrations > Endpoints.
+If you can't change the app, have the BIG-IP listen for the app sign out call and trigger SLO.
-If you can't change the app, consider having BIG-IP listen for the app's sign-out call. When it detects the request, it should trigger SLO.
+Learn more:
-For more information about using BIG-IP iRules to achieve this, see the following F5 articles:
* [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145) * [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056)
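Review bot: the sign-out paragraph loses the point the removed text made. "Ensure the APM responds correctly to a user sign out" replaces "for this to be truly effective, the APM needs to know exactly when a user signs out", and that is the actual precondition: SP-initiated SLO only runs if something tells the APM the user signed out, and the following paragraphs (no web portal, application-only sign-out, the session being reinstated through SSO) only make sense against that statement. Suggest restoring it: "For this to be effective, the APM must know when a user signs out." Separately, step 5 of the virtual server list drops the removed requirement that the address "isn't already allocated to an existing BIG-IP object or device on the connected network"; that constraint belongs in the step, since a clashing address breaks the listener. In the session management intro, "conditions for sessions termination" should read "conditions for session termination".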
+## Published application
-## Summary
-
-Your application should now be published and accessible via secure hybrid access, either directly via the app's URL or through the Microsoft application portals.
+Your application is published and accessible with SHA with the app URL or Microsoft portals.
-The application should also be visible as a target resource in Azure AD CA. For more information, see [Building a Conditional Access policy](../conditional-access/concept-conditional-access-policies.md).
+The application appears as a target resource in Conditional Access. Learn more: [Building a Conditional Access policy](../conditional-access/concept-conditional-access-policies.md).
-For increased security, organizations that use this pattern could also consider blocking all direct access to the application, which then forces a strict path through the BIG-IP.
+For increased security, block direct access to the application, enforcing a path through the BIG-IP.
-## Next steps
+## Test
-From a browser, connect to the application's external URL or select the application's icon in the MyApps portal. After you authenticate to Azure AD, youΓÇÖre redirected to the BIG-IP endpoint for the application and prompted for a password. Notice that the APM pre-fills the username with the UPN from Azure AD. The username that's pre-populated by the APM is read only to ensure session consistency between Azure AD and the back-end application. You can hide this field from view with an additional configuration, if necessary.
+1. With a browser, connect to the application external URL, or in My Apps, select the application icon.
+2. Authenticate to Azure AD.
+3. YouΓÇÖre redirected to the BIG-IP endpoint for the application.
+4. The password prompt appears.
+5. The APM fills the username with the UPN from Azure AD. The username is read-only for session consistency. Hide this field, if needed.
-![Screenshot showing secured SSO.](./media/f5-big-ip-forms-advanced/secured-sso.png)
+ ![Screenshot of the sign in page.](./media/f5-big-ip-forms-advanced/secured-sso.png)
-After the information is submitted, users should be automatically signed in to the application.
+6. The information is submitted.
+7. You're signed in to the application.
-![Screenshot showing a welcome message.](./media/f5-big-ip-forms-advanced/welcome-message.png)
+ ![Screenshot of Welcome page.](./media/f5-big-ip-forms-advanced/welcome-message.png)
## Troubleshoot
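Review bot: test step 3 carries the mojibake "YouΓÇÖre" over from the removed paragraph; it should be a plain "You're", as step 7 already has it. "Accessible with SHA with the app URL or Microsoft portals" doubles "with"; suggest "accessible through SHA, either at the app URL or from the Microsoft portals". Steps 6 and 7 ("The information is submitted", "You're signed in to the application") are outcomes rather than actions, so consider making them one sentence after the screenshot, as the removed text had it.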
-Failure to access the secure hybrid access-protected application can result from any of several factors, including a misconfiguration. When you troubleshoot this issue, be aware of the following:
+When troubleshooting, consider the following information
-- FBA SSO is performed by the BIG-IP as it parses the logon form at the specified URI and looks for the username and password element tags that are defined in your configuration.
+* BIG-IP performs FBA SSO as it parses the sign in form at the URI
+ * BIG-IP seeks the username and password element tags from your configuration
+* Ensure element tags are consistent, or SSO fails
+* Complex forms generated dynamically might require dev tool analysis to understand the sign in form
+* Client-initiated is better for sign in pages with multiple forms
+ * You can specify form name and customize the JavaScript form handler logic
+* Both FBA SSO methods optimize user experience and security by hiding form interactions:
+ * You can validate if the credentials are injected
+ * In client-initiated mode, disable form autosubmission in your SSO profile
+ * Use dev tools to disable the two style properties that prevent the sign in page from appearing
-- Element tags need to be consistent, or SSO will fail. More complex forms that are generated dynamically might require you to analyze them closer by using dev tools to understand the makeup of the logon form.
+ ![Screenshot of the Properties page.](./media/f5-big-ip-forms-advanced/properties.png)
-- A client-initiated approach might be better suited for logon pages that contain multiple forms, because it lets you specify a form name and even customize the JavaScript form handler logic.
+### Increase log verbosity
-- Both FBA SSO methods optimize the user experience and security by hiding all form interactions. In some cases, though, it might be useful to validate whether the credentials are actually being injected. You can do this in client-initiated mode by disabling the form auto submit setting in your SSO profile and then using dev tools to disable the two style properties that prevent the logon page from being displayed.
+BIG-IP logs contain information to isolating authentication and SSO issues. Increase the log verbosity level:
- ![Screenshot showing the properties page.](./media/f5-big-ip-forms-advanced/properties.png)
+1. Go to **Access Policy** > **Overview**.
+2. Select **Event Logs**.
+3. Select **Settings**.
+4. Select the row of your published application.
+5. Select **Edit**.
+6. Select **Access System Logs**.
+7. In the SSO list, select **Debug**.
+8. Select **OK**.
+9. Reproduce the issue.
+10. Review the logs.
-BIG-IP logs are a great source of information for isolating all sorts of authentication and SSO issues. When you troubleshoot an issue, you should increase the log verbosity level by doing the following:
+Revert the settings otherwise there's excessive data.
-1. Go to **Access Policy** > **Overview** > **Event Logs** > **Settings**.
+### BIG-IP error message
-1. Select the row for your published application, and then select **Edit** > **Access System Logs**.
+If a BIG-IP error appears after Azure AD preauthentication, the issue might relate to Azure AD and BIG-IP SSO.
-1. In the SSO list, select **Debug**, and then select **OK**. Reproduce your issue before you look at the logs, but remember to switch this setting back when you're finished.
+1. Go to **Access** > **Overview**.
+2. Select **Access reports**.
+3. Run the report for the last hour.
+4. Review the logs for clues.
-If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, it's possible that the issue relates to SSO from Azure AD to the BIG-IP.
+Use the **View session variables** link for your session to determine if the APM receives expected Azure AD claims.
-Go to **Access** > **Overview** > **Access reports**, and then run the report for the last hour to see whether the logs provide any clues. The **View session variables** link for your session will also help you understand whether the APM is receiving the expected claims from Azure AD.
+### No BIG-IP error message
-If you don't see a BIG-IP error page, the issue is probably more related to the back-end request or SSO from the BIG-IP to the
-application. If this is the case, select **Access Policy** > **Overview** > **Active Sessions**, and then select the link for your active session.
+If no BIG-IP error message appears, the issue might relate to the back-end request, or BIG-IP-to-application SSO.
-The **View Variables** link in this location might also help determine the root cause, particularly if the APM fails to obtain the right user identifier and password.
+1. Select **Access Policy** > **Overview**.
+2. Select **Active Sessions**.
+3. Select the active session link.
-For more information, see the F5 BIG-IP [Session Variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html).
+Use the **View Variables** link in this location to help determine root cause, particularly if the APM fails to obtain correct user identifier and password.
-## Additional resources
+To learn more, go to techdocs.f5.com for [Manual Chapter: Session Variables](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html).
-* [Active Directory Authentication](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/2.html) (F5 article about BIG-IP advanced configuration)
-
-* [Forget passwords, go passwordless](https://www.microsoft.com/security/business/identity/passwordless)
+## Resources
+* Go to techdocs.f5.com for [Manual Chapter: Active Directory Authentication](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/2.html)
+* [Passwordless authentication](https://www.microsoft.com/security/business/identity/passwordless)
* [What is Conditional Access?](../conditional-access/overview.md)- * [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)
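Review bot: the instruction to revert debug logging ("Revert the settings otherwise there's excessive data.") sits as a loose sentence after the numbered list and is easy to miss; make it step 11 and punctuate it: "Revert the settings; otherwise the logs fill with excessive data." Also "BIG-IP logs contain information to isolating authentication and SSO issues" should be "information for isolating", and the lead sentence "When troubleshooting, consider the following information" needs a closing colon.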
active-directory F5 Big Ip Header Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-header-advanced.md
Title: Configure F5 BIG-IP Access Policy Manager for header-based SSO
-description: Learn how to configure F5's BIG-IP Access Policy Manager (APM) and Azure Active Directory SSO for header-based authentication
+ Title: Configure F5 BIG-IP Access Policy Manager for header-based single sign-on
+description: Learn to configure F5 BIG-IP Access Policy Manager (APM) and Azure Active Directory SSO for header-based authentication
Previously updated : 11/10/2021 Last updated : 03/22/2023
-# Tutorial: Configure F5 BIG-IPΓÇÖs Access Policy Manager for header-based SSO
+# Tutorial: Configure F5 BIG-IP Access Policy Manager for header-based single sign-on
-In this article, youΓÇÖll learn to implement Secure Hybrid Access (SHA) with single sign-on (SSO) to header-based applications using F5ΓÇÖs BIG-IP advanced configuration.
+Learn to implement secure hybrid access (SHA) with single sign-on (SSO) to header-based applications, using F5 BIG-IP advanced configuration. BIG-IP published applications and Azure AD configuration benefits:
-Configuring BIG-IP published applications with Azure AD provides many benefits, including:
+* Improved Zero Trust governance through Azure AD preauthentication and Conditional Access
+ * See, [What is Conditional Access?](../conditional-access/overview.md)
+ * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)
+* Full SSO between Azure AD and BIG-IP published services
+* Managed identities and access from one control plane
+ * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal)
-- Improved Zero trust governance through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)
+Learn more:
-- Full Single sign-on (SSO) between Azure AD and BIG-IP published
- services.
--- Manage identities and access from a single control plane, the [Azure portal](https://azure.microsoft.com/features/azure-portal)-
-To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).
+* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)
+* [Enable SSO for an enterprise application](add-application-portal-setup-sso.md)
## Scenario description
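Review bot: "BIG-IP published applications and Azure AD configuration benefits:" is hard to parse; the removed sentence was clearer, so suggest "Configuring BIG-IP published applications with Azure AD provides these benefits:".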
-For this scenario, we have a legacy application using HTTP authorization headers to control access to protected content.
-
-Ideally, application access should be managed directly by Azure AD but being legacy it lacks any form of modern authentication protocol. Modernization would take considerable effort and time, introducing inevitable costs and risk of potential downtime. Instead, a BIG-IP deployed between the public internet and the internal application will be used to gate inbound access to the application.
-
-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application.
+For this scenario, there's a legacy application using HTTP authorization headers to control access to protected content. Ideally, Azure AD manages application access, however legacy lacks a modern authentication protocol. Modernization takes effort and time, while introducing downtime costs and risks. Instead, deploy a BIG-IP between the public internet and the internal application to gate inbound access to the application.
+A BIG-IP in front of the application enables overlay of the service with Azure AD preauthentication and header-based SSO. The configuration improves the application security posture.
## Scenario architecture The secure hybrid access solution for this scenario is made up of: -- **Application**: BIG-IP published service to be protected by and Azure AD SHA.
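Review bot: "however legacy lacks a modern authentication protocol" needs a subject and a comma: "however, the legacy application lacks a modern authentication protocol". "Introducing downtime costs and risks" also shifts the removed meaning ("inevitable costs and risk of potential downtime"); suggest "introducing cost and a risk of downtime".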
+* **Application** - BIG-IP published service to be protected by Azure AD SHA
+* **Azure AD** - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SSO to the BIG-IP
+ * With SSO, Azure AD provides the BIG-IP required session attributes, including user identifiers
+* **BIG-IP** - reverse-proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP, before header-based SSO to the back-end application
-- **Azure AD**: Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes including user identifiers.
+The following diagram illustrates the user flow with Azure AD, BIG-IP, APM and an application.
-- **BIG-IP**: Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP, before
-performing header-based SSO to the backend application.
-
-![Screenshot shows the architecture flow diagram](./media/f5-big-ip-easy-button-header/sp-initiated-flow.png)
-
-| Step | Description |
-|:-|:--|
-| 1. | User connects to application's SAML SP endpoint (BIG-IP). |
-| 2. | BIG-IP APM access policy redirects user to Azure AD (SAML IdP).|
-| 3. | Azure AD pre-authenticates user and applies any enforced CA policies. |
-| 4. | User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token. |
-| 5. | BIG-IP injects Azure AD attributes as headers in request to the application. |
-| 6. | Application authorizes request and returns payload. |
+ ![Diagram of the user flow with Azure AD, BIG-IP, APM and an application](./media/f5-big-ip-easy-button-header/sp-initiated-flow.png)
+1. User connects to application SAML SP endpoint (BIG-IP).
+2. BIG-IP APM access policy redirects user to Azure AD (SAML IdP).
+3. Azure AD preauthenticates user and applies ConditionalAccess policies.
+4. User is redirected to BIG-IP (SAML SP) and SSO occurs using issued SAML token.
+5. BIG-IP injects Azure AD attributes as headers in request to the application.
+6. Application authorizes request and returns payload.
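Review bot: step 3 of the new numbered flow, "Azure AD preauthenticates user and applies ConditionalAccess policies.", has the product name run together; the removed table row spelled it "CA policies" after defining "Conditional Access (CA)" above, so write "applies Conditional Access policies" to match the **Azure AD** bullet in the same list. The added image line also carries a leading space before `![Diagram ...]`, which will render it inside the preceding list item rather than as a standalone figure; align it with the surrounding text.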
## Prerequisites
-Prior BIG-IP experience isn't necessary, but you'll need:
--- An Azure AD free subscription or above--- An existing BIG-IP or [deploy a BIG-IP Virtual Edition (VE) in
- Azure](./f5-bigip-deployment-guide.md)
--- Any of the following F5 BIG-IP license SKUs-
- - F5 BIG-IP® Best bundle
-
- - F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license
-
- - F5 BIG-IP Access Policy ManagerΓäó (APM) add-on license on an
- existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
-
- - 90-day BIG-IP full feature [trial
- license](https://www.f5.com/trial/big-ip-trial.php).
+For the scenario you need:
+
+* An Azure subscription
+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* For the account, have Azure AD Application Admin permissions
+* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure
+ * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md)
+* Any of the following F5 BIG-IP license SKUs:
+ * F5 BIG-IP® Best bundle
+ * F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license
+ * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
+ * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php).
+* User identities synchronized from an on-premises directory to Azure AD
+ * [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)
+* An SSL certificate to publish services over HTTPS, or use default certificates while testing
+ * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile)
+* A header-based application or an IIS header app for testing
+ * See, [Set up a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90))
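Review bot: the new SKU bullet "F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license" carries the same mojibake for the trademark symbol as the removed line it replaces, while the very next bullet uses "™" correctly; fix it to "Access Policy Manager™ (APM)" so the two neighbouring bullets are consistent. Also, the prerequisite "For the account, have Azure AD Application Admin permissions" loses the link to the Application Administrator role definition that the removed line kept (`/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator`); keep the link so the reader can verify which role is being asked for rather than guessing at a broader one.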
+
+## BIG-IP configuration method
+
+The following instructions are an advanced configuration method, a flexible way to implement SHA. Manually create BIG-IP configuration objects. Use this method for scenarios not included in the Guided Configuration templates.
-- User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md)
-from an on-premises directory to Azure AD
--- An account with Azure AD application admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)--- [SSL certificate](./f5-bigip-deployment-guide.md#ssl-profile)
-for publishing services over HTTPS or use default certificates while testing
--- An existing header-based application or [setup a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing-
-## BIG-IP configuration methods
-
-There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This article covers the advanced approach, which provides a more flexible way of implementing SHA by manually creating all BIG-IP configuration objects. You would also use this approach for scenarios that the guided configuration templates don't cover.
-
->[!NOTE]
-> All example strings or values in this article should be replaced with those for your actual environment.
-
-## Adding F5 BIG-IP from the Azure AD gallery
-
-Setting up a SAML federation trust between BIG-IP APM and Azure AD is one of the first step in implementing SHA. It establishes the integration required for BIG-IP to hand off pre-authentication and [conditional
-access](../conditional-access/overview.md) to Azure AD, before granting access to the published service.
-
-1. Sign-in to the Azure portal using an account with application administrative rights.
+ >[!NOTE]
+ > Replace example strings or values with those from your environment.
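Review bot: the rewritten "BIG-IP configuration method" paragraph no longer tells the reader that alternatives exist. The removed text said there are "two template-based options and an advanced configuration" and that this article covers the advanced one; the new text only says "The following instructions are an advanced configuration method" and then refers to "the Guided Configuration templates" without having introduced them. Suggest restoring a sentence such as "BIG-IP can be configured for this scenario with two template-based (Guided Configuration) options or the advanced method; this article covers the advanced method." Also, "Manually create BIG-IP configuration objects." reads as an imperative step rather than a description of the method; "In this method you manually create all BIG-IP configuration objects." is clearer.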
-2. From the left navigation pane, select the **Azure Active Directory** service
+## Add F5 BIG-IP from the Azure AD gallery
-3. Go to **Enterprise Applications** and from the top ribbon select **+ New application**
+To implement SHA, the first step is to set up a SAML federation trust between BIG-IP APM and Azure AD. The trust establishes the integration for BIG-IP to hand off preauthentication and Conditional Access to Azure AD, before granting access to the published service.
-4. Search for **F5** in the gallery and select **F5 BIG-IP APM Azure AD integration**
+Learn more: [What is Conditional Access?](../conditional-access/overview.md)
-5. Provide a name for the application, followed by **Add/Create** to add it to your tenant. The name should reflect that specific service.
+1. With an account that has Application Administrator permissions, sign in to the [Azure portal](https://azure.microsoft.com/features/azure-portal).
+2. In the left navigation pane, select the **Azure Active Directory** service.
+3. Go to **Enterprise Applications**.
+4. On the top ribbon, select **+ New application**.
+5. In the gallery, search for **F5**.
+6. Select **F5 BIG-IP APM Azure AD integration**.
+7. Enter an application **Name**.
+8. Select **Add/Create**.
+9. The name reflects the service.
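Review bot: step 9, "The name reflects the service.", is not an action and comes after the object has already been created in step 8. The removed line attached this guidance to the naming step ("The name should reflect that specific service"), so fold it into step 7: "7. Enter an application **Name** that reflects the service." and delete step 9.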
## Configure Azure AD SSO
-1. With the new **F5** application properties in view, go to
- **Manage** > **Single sign-on**
-
-2. On the **Select a single sign-on method** page, select **SAML** and skip the prompt to save the single sign-on settings by selecting **No, I'll save later**
-
-3. On the **Set up single sign-on with SAML** blade, select the pen icon for **Basic SAML Configuration** to provide the following:
-
- a. Replace the pre-defined **Identifier** URL with the URL for your BIG-IP published service. For example, `https://mytravel.contoso.com`
-
- b. Do the same with the **Reply URL** but include the path for the APM's SAML endpoint. For example, `https://mytravel.contoso.com/saml/sp/profile/post/acs`
+1. The new **F5** application properties appear
+2. Select **Manage** > **Single sign-on**
+3. On the **Select a single sign-on method** page, select **SAML**.
+4. Skip the prompt to save the single sign-on settings.
+5. Select **No, I'll save later**.
+6. On **Set up single sign-on with SAML**, for **Basic SAML Configuration**, select the **pen** icon.
+7. Replace the **Identifier** URL with the BIG-IP published service URL. For example, `https://mytravel.contoso.com`
+8. Repeat for **Reply URL** and include the APM SAML endpoint path. For example, `https://mytravel.contoso.com/saml/sp/profile/post/acs`
>[!NOTE]
- >In this configuration the SAML flow would operate in IdP initiated mode, where Azure AD issues the user with a SAML assertion before they are redirected to the BIG-IP service endpoint for the application. The BIG-IP APM supports both, IdP and SP initiated modes.
-
- c. For the `Logout URI` enter the BIG-IP APM Single Logout (SLO) endpoint pre-pended by the host header of the service being published. Providing an SLO URI ensures the user's BIG-IP APM session has ended after being signed out of Azure AD. For example, `https://mytravel.contoso.com/saml/sp/profile/redirect/slr`
-
- ![Screenshot shows the basic saml configuration](./media/f5-big-ip-header-advanced/basic-saml-configuration.png)
-
- >[!Note]
- >From TMOS v16 the SAML SLO endpoint has changed to
-`/saml/sp/profile/redirect/slo`.
-
-4. Select **Save** before exiting the SAML configuration blade and skip the SSO test prompt
+ >In this configuration, the SAML flow operates in IdP mode: Azure AD issues the user a SAML assertion before being redirected to the BIG-IP service endpoint for the application. The BIG-IP APM supports IdP and SP modes.
-5. Select the pen icon to edit the **User Attributes & Claims > + Add new claim**
+9. For **Logout URI** enter the BIG-IP APM Single Logout (SLO) endpoint, prepended by the service host header. The SLO URI ensures user BIG-IP APM sessions end after Azure AD sign out. For example, `https://mytravel.contoso.com/saml/sp/profile/redirect/slr`
-6. Set the claim properties with the following then select **Save**
+ ![Screenshot of Basic SAML Configuration input for Identifier, Reply URL, Sign on URL, etc.](./media/f5-big-ip-header-advanced/basic-saml-configuration.png)
- | Property |Description|
- |:|:|
- |Name | Employeeid |
- | Source attribute | user.employeeid |
+ >[!Note]
+ >From Traffic Management operating system (TMOS) v16 onward, the SAML SLO endpoint changed to `/saml/sp/profile/redirect/slo`.
- ![Screenshot shows manage claims configuration](./media/f5-big-ip-header-advanced/manage-claims.png)
+10. Select **Save**.
+11. Exit SAML configuration.
+12. Skip the SSO test prompt.
+13. To edit the **User Attributes & Claims > + Add new claim**, select the **pen** icon.
+14. For **Name** select **Employeeid**.
+15. For **Source attribute** select **user.employeeid**.
+16. Select **Save**
-7. Select **+ Add a group claim** and select **Groups assigned to the application** > **Source Attribute** > **sAMAccountName**
+ ![Screenshot of input for Name and Source attribute, in the Manage claim dialog.](./media/f5-big-ip-header-advanced/manage-claims.png)
- ![Screenshot shows group claims configuration](./media/f5-big-ip-header-advanced/group-claims.png)
+17. Select **+ Add a group claim**
+18. Select **Groups assigned to the application** > **Source Attribute** > **sAMAccountName**.
-8. **Save** the configuration and close the blade
+ ![Screenshot of input for Source attribute, in the Group Claims dialog.](./media/f5-big-ip-header-advanced/group-claims.png)
- Observe the properties of the **User Attributes & Claims** section. Azure AD will issue users these properties for BIG-IP APM authentication and SSO to the backend application:
+19. Select **Save** the configuration.
+20. Close the view.
+21. Observe the **User Attributes & Claims** section properties. Azure AD issues users properties for BIG-IP APM authentication and SSO to the back-end application.
- ![Screenshot shows user attributes and claims configuration](./media/f5-big-ip-header-advanced/user-attributes-claims.png)
+ ![Screenshot of User Attributes and Claims information such as surname, email address, identity, etc.](./media/f5-big-ip-header-advanced/user-attributes-claims.png)
- Feel free to add any other specific claims your BIG-IP published application might expect as headers. Any claims defined in addition to the default set will only be issued if they exist in Azure AD. In the same way, Directory [roles or group](../hybrid/how-to-connect-fed-group-claims.md)
- memberships also need defining against a user object in Azure AD before they can be issued as a claim.
+ > [!NOTE]
+ > Add other claims the BIG-IP published application expects as headers. More defined claims are issued if they're in Azure AD. Define directory memberships and user objects in Azure AD before claims can be issued. See, [Configure group claims for applications by using Azure AD](../hybrid/how-to-connect-fed-group-claims.md).
-9. In the **SAML Signing Certificate** section, select the
- **Download** button to save the **Federation Metadata XML** file to your computer.
+22. In the **SAML Signing Certificate** section, select **Download**.
+23. The **Federation Metadata XML** file is saved on your computer.
- ![Screenshot shows saml signing certificate](./media/f5-big-ip-header-advanced/saml-signing-certificate.png)
+ ![Screenshot of the Download link for Federation Metadata XML on the SAML Signing Certificate dialog.](./media/f5-big-ip-header-advanced/saml-signing-certificate.png)
-SAML signing certificates created by Azure AD have a lifespan of three years and should be managed using the published
-[guidance](./manage-certificates-for-federated-single-sign-on.md).
+SAML signing certificates created by Azure AD have a lifespan of three years.
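Review bot: the rewritten note "In this configuration, the SAML flow operates in IdP mode ... The BIG-IP APM supports IdP and SP modes." loses the word that carries the meaning: the removed note said "IdP initiated mode" and "IdP and SP initiated modes", which is the standard distinction (who starts the flow), whereas "IdP mode" is not a SAML term. Restore "IdP-initiated" and "SP-initiated", and fix the dangling clause "Azure AD issues the user a SAML assertion before being redirected" (it is the user who is redirected, not Azure AD). Two further points in the same region: the new claims note "Define directory memberships and user objects in Azure AD before claims can be issued" changes what the removed text said, namely that additional claims are issued only if they exist in Azure AD and that group memberships must be defined on the user object before they can be issued as claims; and the closing line "SAML signing certificates created by Azure AD have a lifespan of three years." drops the link to `./manage-certificates-for-federated-single-sign-on.md` that the removed lines gave for managing rollover, so the reader is told the certificate expires but not where to find the rotation guidance. Keep that link. Minor: step 1 "The new **F5** application properties appear" is a result, not an action, and step 23 "The **Federation Metadata XML** file is saved on your computer." likewise; merge each into the preceding step.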
### Azure AD authorization
-By default, Azure AD will only issue tokens to users that have been granted access to an application.
+By default, Azure AD issues tokens to users granted access to an application.
1. In the application's configuration view, select **Users and groups**.
+2. Select **+ Add user** and in **Add Assignment**, select **Users and groups**.
+3. In the **Users and groups** dialog, add the user groups authorized to access the header-based application.
+4. Select **Select**.
+5. Select **Assign**.
-2. Select **+** **Add user** and in the **Add Assignment** blade select **Users and groups**.
-
-3. In the **Users and groups** dialog, add the groups of users
- authorized to access the internal header-based application, followed by **Select** > **Assign**
-
-This completes the Azure AD part of the SAML federation trust. The BIG-IP APM can now be set up to publish the internal web application and configured with a corresponding set of properties to complete the trust for SAML pre-authentication.
+Azure AD SAML federation trust is complete. Next, set up BIG-IP APM to publish the web application, configured with properties to complete SAML preauthentication trust.
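Review bot: the rewritten sentence "By default, Azure AD issues tokens to users granted access to an application." drops the "only" from the removed line ("will only issue tokens to users that have been granted access"), and with it the actual access-control statement of this section: that users who are not assigned do not receive a token at all. Suggest "By default, Azure AD issues tokens only to users who have been granted access to the application." so the assignment steps that follow are understood as the authorization boundary rather than an optional nicety.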
## Advanced configuration
-### SAML configuration
+Use the following sections to configure SAML, header SSO, access profile, and more.
-The following steps create the BIG-IP SAML service provider and corresponding SAML IdP objects required to complete federating the published application, with Azure AD.
+### SAML configuration
-1. Select **Access** > **Federation** > **SAML Service Provider** > **Local SP Services** > **Create**
+Create the BIG-IP SAML service provider and corresponding SAML IdP objects to federate the published application, with Azure AD.
- ![Screenshot shows saml service provider create](./media/f5-big-ip-header-advanced/create-saml-sp.png)
+1. Select **Access** > **Federation** > **SAML Service Provider** > **Local SP Services** > **Create**.
-2. **Provide a Name** and the exact same **Entity ID** defined in Azure AD earlier
+ ![Screenshot the Create option under the SAML Service Provider tab.](./media/f5-big-ip-header-advanced/create-saml-sp.png)
- ![Screenshot shows new saml service provider service ](./media/f5-big-ip-header-advanced/new-saml-sp-information.png)
+2. Enter a **Name**.
+3. Enter the **Entity ID** defined in Azure AD.
- **SP Name Settings** are only required if the entity ID isn't an exact match of the hostname portion of the published URL, or equally if it isn't in regular hostname-based URL format. Provide the external scheme and hostname of the application being published if entity ID is
- `urn:mytravel:contosoonline`.
+ ![Screenshot of Name and Entity ID input on the Create New SAML SP Service dialog.](./media/f5-big-ip-header-advanced/new-saml-sp-information.png)
-3. Scroll down to select the new SAML SP object and select
- **Bind/UnBind IdP Connectors**.
+4. For **SP Name Settings**, make selections if the Entity ID doesn't match the hostname of the published URL, or make selections if it isn't in regular hostname-based URL format. Provide the external scheme and application hostname if entity ID is `urn:mytravel:contosoonline`.
+5. Scroll down to select the new SAML SP object.
+6. Select **Bind/UnBind IdP Connectors**.
- ![Screenshot shows new saml service provider object connectors](./media/f5-big-ip-header-advanced/idp-connectors.png)
+ ![Screenshot of the Bind Unbind IdP Connectors option under the SAML Services Provder tab.](./media/f5-big-ip-header-advanced/idp-connectors.png)
-4. Select **Create New IdP Connector** and from the drop-down menu choose **From Metadata**
+7. Select **Create New IdP Connector**.
+8. From the drop-down, select **From Metadata**.
- ![Screenshot shows edit new saml service idp](./media/f5-big-ip-header-advanced/edit-saml-idp.png)
+ ![Screenshot of the From Metadata option in the Create New IdP Connection drop-down menu.](./media/f5-big-ip-header-advanced/edit-saml-idp.png)
-5. Browse to the federation metadata XML file you downloaded earlier and provide an **Identity Provider Name** for the APM object that will represent the external SAML IdP. For example, `MyTravel_AzureAD`
+9. Browse to the federation metadata XML file you downloaded.
+10. Enter an **Identity Provider Name** for the APM object for the external SAML IdP. For example, `MyTravel_AzureAD`
- ![Screenshot shows new idp connector](./media/f5-big-ip-header-advanced/idp-name.png)
+ ![Screenshot of Select File and Identity Provider Name input under Create New SAML IdP Connector.](./media/f5-big-ip-header-advanced/idp-name.png)
-6. Select **Add New Row** to choose the new **SAML IdP Connector**, followed by **Update**
+11. Select **Add New Row**.
+12. Select the new **SAML IdP Connector**.
+13. Select **Update**.
- ![Screenshot shows how to update idp connector](./media/f5-big-ip-header-advanced/update-idp-connector.png)
+ ![Screenshot of the Update option under SAML IdP Connectors.](./media/f5-big-ip-header-advanced/update-idp-connector.png)
-7. Select **OK** to save the settings
+14. Select **OK**.
- ![Screenshot shows saving the settings](./media/f5-big-ip-header-advanced/save-settings.png)
+ ![Screenshot of saved settings](./media/f5-big-ip-header-advanced/save-settings.png)
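Review bot: step 3, "Enter the **Entity ID** defined in Azure AD.", drops the "exact same" from the removed line; the SP entity ID must match the Identifier configured in Azure AD byte for byte or the trust fails, so say "Enter the same **Entity ID** you defined in Azure AD (for example, `https://mytravel.contoso.com`)". Step 4 repeats itself ("make selections if the Entity ID doesn't match ... or make selections if it isn't in regular hostname-based URL format"); the removed text is clearer: SP Name Settings are only required if the entity ID is not the hostname portion of the published URL or is not in hostname-based URL format. Also "SAML Services Provder tab" in the IdP-connectors image alt text has a typo ("Provider").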
### Header SSO configuration
-Create an APM SSO object for doing headers SSO to the backend application.
-
-1. Select **Access** > **Profiles/Policies** > **Per-Request Policies** > **Create**
+Create an APM SSO object.
-2. Provide a unique profile a name and add at least one **Accepted Language**, then select **Finished.** For example, SSO_Headers
+1. Select **Access** > **Profiles/Policies** > **Per-Request Policies** > **Create**.
+2. Enter a **Name**.
+3. Add at least one **Accepted Language**.
+4. Select **Finished.**
- ![Screenshot shows header configuration](./media/f5-big-ip-header-advanced/header-configuration.png)
+ ![Screenshot of Name and Accepted Language input.](./media/f5-big-ip-header-advanced/header-configuration.png)
-3. Select the **Edit** link for the new per-request policy you just created
+5. For the new per-request policy, select **Edit**.
- ![Screenshot shows edit per-request policy](./media/f5-big-ip-header-advanced/header-configuration-edit.png)
+ ![Screenshot of the Edit option in the Per Request Policy column.](./media/f5-big-ip-header-advanced/header-configuration-edit.png)
-4. After the visual policy editor has launched select the **+** symbol next to fallback
+6. The visual policy editor starts.
+7. Under **fallback**, select the **+** symbol.
- ![Screenshot shows visual policy editor](./media/f5-big-ip-header-advanced/visual-policy-editor.png)
+ ![Screenshot of the plus option under fallback.](./media/f5-big-ip-header-advanced/visual-policy-editor.png)
-5. In the pop-up switch to the **General Purpose** tab to select **HTTP Headers** > **Add Item**
+8. On the **General Purpose** tab, select **HTTP Headers** > **Add Item**.
- ![Screenshot shows Http header add item](./media/f5-big-ip-header-advanced/add-item.png)
+ ![Screenshot of the the HTTP Headers option.](./media/f5-big-ip-header-advanced/add-item.png)
-6. Select **Add new entry** to create 3 separate **HTTP** **Header modify** entries using the following:
-
- | Property | Description |
- |:|:-|
- | Header Name | upn |
- | Header Value | %{session.saml.last.identity}|
- | Header Name | employeeid |
- | Header Value | %{session.saml.last.attr.name.employeeid} |
- | Header Name | group\_authz |
- | Header Value | %{session.saml.last.attr.name.`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`} |
+9. Select **Add new entry**.
+10. Create three HTTP and Header modify entries.
+11. For **Header Name**, enter **upn**.
+12. For **Header Value**, enter **%{session.saml.last.identity}**.
+13. For **Header Name**, enter **employeeid**.
+14. For **Header Value**, enter **%{session.saml.last.attr.name.employeeid}**.
+15. For **Header Name**, enter **group\_authz**.
+16. For **Header Value**, enter **%{session.saml.last.attr.name.`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`}**.
>[!Note]
- >APM session variables defined within curly brackets are case sensitive. So, entering EmployeeID when the Azure AD attribute name is being sent as employeeid will cause an attribute mapping failure. Unless necessary, we recommend defining all attributes in lowercase.
+ >APM session variables in curly brackets are case sensitive. We recommend you define attributes in lowercase.
- ![Screenshot shows Http header modify](./media/f5-big-ip-header-advanced/http-header-modify.png)
+ ![Screenshot of header input, under HTTP Header Modify, on the Properties tab.](./media/f5-big-ip-header-advanced/http-header-modify.png)
-7. When done, select **Save** and close the visual policy editor.
+17. Select **Save**.
+18. Close the visual policy editor.
- ![Screenshot shows per request policy done and save](./media/f5-big-ip-header-advanced/per-request-policy-done.png)
+ ![Screenshot of the visual policy editor.](./media/f5-big-ip-header-advanced/per-request-policy-done.png)
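Review bot: step 2, "Enter a **Name**.", removes the example name "SSO_Headers" that the removed line gave, but the virtual server section later instructs "For **Per-Request Policy**, select **SSO_Headers**", so the reader is asked to select a policy they were never told to name. Restore the example: "Enter a **Name**. For example, SSO_Headers." Step 10, "Create three HTTP and Header modify entries.", also misreads the removed text, which asked for three separate **HTTP Header modify** entries (one object type, not two); and the shortened note "APM session variables in curly brackets are case sensitive. We recommend you define attributes in lowercase." loses the concrete failure the removed note described (entering EmployeeID when Azure AD sends employeeid causes an attribute mapping failure), which is the reason the lowercase recommendation exists. Consider keeping one sentence of that example.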
### Access profile configuration An access profile binds many APM elements managing access to BIG-IP virtual servers, including access policies, SSO configuration, and UI settings.
-1. Select **Access** > **Profiles / Policies** > **Access Profiles (Per-Session Policies)** > **Create** to provide the following then select **Finished**:
-
- | Property | Description |
- |:--|:-|
- | Name | MyTravel |
- | Profile Type | All |
- | Accepted Language | Add at least one language|
+1. Select **Access** > **Profiles / Policies** > **Access Profiles (Per-Session Policies)** > **Create**.
+2. For **Name**, enter **MyTravel**.
+3. For **Profile Type**, select **All**.
+4. For **Accepted Language**, select at least one language.
+5. select **Finished**.
- ![Screenshot shows access profile configuration](./media/f5-big-ip-header-advanced/access-profile-configuration.png)
+ ![Screenshot of entries for Name, Profile Type, and Accepted Language.](./media/f5-big-ip-header-advanced/access-profile-configuration.png)
-2. Select the **Edit** link for the per-session profile you just
- created
+6. For the per-session profile you created, select **Edit**.
- ![Screenshot shows editing per session profile](./media/f5-big-ip-header-advanced/edit-per-session-profile.png)
+ ![Screenshot of the Edit option in the Per-Session Policy column.](./media/f5-big-ip-header-advanced/edit-per-session-profile.png)
-3. Once the visual policy editor has launched, select the **+** symbol next to fallback
+7. The visual policy editor starts.
+8. Under fallback, select the **+** symbol.
- ![Screenshot shows how to launch the visual policy editor](./media/f5-big-ip-header-advanced/visual-policy-editor-launch.png)
+ ![Screenshot of the plus option.](./media/f5-big-ip-header-advanced/visual-policy-editor-launch.png)
-4. In the pop-up select **Authentication** > **SAML Auth** > **Add Item**
+9. Select **Authentication** > **SAML Auth** > **Add Item**.
- ![Screenshot shows adding saml authentication](./media/f5-big-ip-header-advanced/add-saml-auth.png)
+ ![Screenshot of the SAML Auth option on the Authentication tab.](./media/f5-big-ip-header-advanced/add-saml-auth.png)
-5. For the **SAML authentication SP** configuration, set the **AAA Server** option to use the SAML SP object you created earlier, followed by **Save**.
+10. For the **SAML authentication SP** configuration, from the **AAA Server** dropdown, select the SAML SP object you created.
+11. Select **Save**.
- ![Screenshot shows use aaa server for saml authentication sp](./media/f5-big-ip-header-advanced/aaa-server.png)
+ ![Screenshot of the AAA Server selection.](./media/f5-big-ip-header-advanced/aaa-server.png)
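Review bot: step 5, "select **Finished**.", starts with a lowercase letter while every other step in the list is capitalized; change to "Select **Finished**." The steps otherwise match the removed table (Name MyTravel, Profile Type All, at least one Accepted Language).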
### Attribute mapping
-Although optional, adding a LogonID_Mapping configuration enables the BIG-IP active sessions list to display the UPN of the logged in user instead of a session number. This is useful for when analyzing logs or troubleshooting.
-
-1. Select the **+** symbol for the SAML Auth **Successful** branch
-
- ![Screenshot shows how to create a saml authentication branch](./media/f5-big-ip-header-advanced/create-saml-auth-branch.png)
-
-2. In the pop-up select **Assignment** > **Variable Assign** > **Add Item**
-
- ![Screenshot shows how to assign a variable](./media/f5-big-ip-header-advanced/assign-variable.png)
+The following instructions are optional. With a LogonID_Mapping configuration, the BIG-IP active sessions list has the signed-in user UPN, not a session number. Use this data when analyzing logs or troubleshooting.
-3. Provide a descriptive name and in the **Variable Assign** section select **Add new entry** > **change.** For example,
-LogonID_Mapping.
+1. For the SAML Auth **Successful** branch, select the **+** symbol.
- ![Screenshot shows how to add a new entry](./media/f5-big-ip-header-advanced/assign-variable-change.png)
+ ![Screenshot of the plus symbol on the SAML Auth Successful branch.](./media/f5-big-ip-header-advanced/create-saml-auth-branch.png)
-4. Set both variables to use the following, then **Finished** >
- **Save**
+2. In the pop-up, select **Assignment** > **Variable Assign** > **Add Item**.
- | Property | Description |
- |:--|:-|
- | Custom Variable | session.saml.last.identity |
- | Session Variable | session.logon.last.username |
+ ![Screenshot of the Variable Assign option, on the Assignment tab.](./media/f5-big-ip-header-advanced/assign-variable.png)
-5. Select the **Deny** terminal of the Access Policy's **Successful** branch and change it to **Allow**, followed by **Save**
+3. Enter a **Name**
+4. In the **Variable Assign** section, select **Add new entry** > **change**. For example, LogonID_Mapping.
-6. Commit the policy by selecting **Apply Access Policy** and close the visual policy editor tab
+ ![Screenshot of the Add new entry and change options](./media/f5-big-ip-header-advanced/assign-variable-change.png)
-### Backend pool configuration
+5. For **Custom Variable**, set **session.saml.last.identity**.
+6. For **Session Variable**, set **session.logon.last.username**.
+7. Select **Finished**.
+8. Select**Save**.
+9. On the Access Policy **Successful** branch, select the **Deny** terminal.
+10. Select **Allow**.
+11. Select **Save**.
+12. Select **Apply Access Policy**.
+13. Close the visual policy editor.
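Review bot: the example "LogonID_Mapping" has moved to the wrong step. The removed line attached it to the name ("Provide a descriptive name ... For example, LogonID_Mapping."), but the new step 4 reads "In the **Variable Assign** section, select **Add new entry** > **change**. For example, LogonID_Mapping.", which suggests it is something to type into the entry. Move it to step 3: "3. Enter a **Name**. For example, LogonID_Mapping." (step 3 is also missing its full stop). Step 8, "Select**Save**.", is missing the space after "Select".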
-For the BIG-IP to know where to forward client traffic, you need to create an APM node object representing the backend server hosting your application, and place that node in an APM pool.
+### Back-end pool configuration
-1. Select **Local Traffic > Pools > Pool List > Create** and provide a name for a server pool object. For example, MyApps_VMs
+To enable BIG-IP to forward client traffic correctly, create an APM node object representing the back-end server hosting your application. Place the node in an APM pool.
- ![Screenshot shows how apply access policy](./media/f5-big-ip-header-advanced/apply-access-policy.png)
+1. Select **Local Traffic > Pools > Pool List > Create**.
+2. For a server pool object, enter a **Name**. For example, MyApps_VMs.
-2. Add a pool member object with the following:
+ ![Screenshot of the Apply Access Policy.](./media/f5-big-ip-header-advanced/apply-access-policy.png)
- | Property | Description |
- |:--|:-|
- | Node Name | Optional display name for the server hosting the backend web application |
- | Address | IP address of the server hosting the application|
- | Service Port | The HTTP/S port the application is listening on |
+3. Add a pool member object.
+4. For **Node Name**, enter a name for the server hosting the back-end web application.
+5. For **Address**, enter the IP address of the server hosting the application.
+6. For **Service Port** enter the HTTP/S port the application is listening on.
+7. Select **Add**.
- ![Screenshot shows how to add pool member object](./media/f5-big-ip-header-advanced/add-object.png)
+ ![Screenshot of input for Node Name, Address, Service Port, and the Add option.](./media/f5-big-ip-header-advanced/add-object.png)
->[!NOTE]
->Health monitors require additional
-[configuration](https://support.f5.com/csp/article/K13397) not covered in this tutorial.
+ >[!NOTE]
+ >To learn more go to my.f5.com for [K13397: Overview of HTTP health monitor request formatting for the BIG-IP DNS system](https://support.f5.com/csp/article/K13397).
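Review bot: the rewritten note "To learn more go to my.f5.com for [K13397 ...]" drops the statement the removed note actually made, that health monitors require additional configuration not covered in this tutorial. Without it the reader has no reason to follow the link and may assume the pool is fully configured; suggest "Health monitors require additional configuration that this tutorial doesn't cover. See [K13397 ...]". Separately, the screenshot placed under step 2 of the pool configuration has alt text "Screenshot of the Apply Access Policy." (the same image the removed version used here); it belongs with the "Apply Access Policy" step at the end of the attribute-mapping section, not with pool creation, unless the file is simply misnamed.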
## Virtual server configuration
-A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for clients requests to the application. Any received traffic is processed and evaluated against the APM access profile associated with the virtual server, before being directed according to the policy results and settings.
+A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for clients requests to the application. Received traffic is processed and evaluated with the APM access profile associated with the virtual server. Traffic is directed according to policy.
-1. Select **Local Traffic** > **Virtual Servers** > **Virtual Server List** > **Create**
+1. Select **Local Traffic** > **Virtual Servers** > **Virtual Server List** > **Create**.
+2. Enter a virtual server **Name**.
+3. For **Destination Address/Mask**, select **Host**
+4. Enter an unused IP IPv4 or IPv6 to be assigned to the BIG-IP to receive client traffic.
+5. For **Service Port**, select **Port**, **443**, and **HTTPS**.
-2. Provide the virtual server with a **Name,** an unused IP IPv4/IPv6 that can be assigned to the BIG-IP to receive client traffic, and set the **Service Port** to 443
+ ![Screenshot of entries for Name, Destination Address Mask, and Service Port.](./media/f5-big-ip-header-advanced/new-virtual-server.png)
- ![Screenshot shows how to add new virtual server](./media/f5-big-ip-header-advanced/new-virtual-server.png)
+6. For **HTTP Profile (Client)**, select **http**.
+7. For **SSL Profile (Client)**, select the client SSL profile you created, or leave the default for testing.
-3. **HTTP Profile**: Set to http
+ ![Screenshot of entries for HTTP Profile Client and SSL Profile Client.](./media/f5-big-ip-header-advanced/ssl-profile.png)
-4. **SSL Profile (Client)**: Enables Transport Layer Security (TLS), enabling services to be published over HTTPS. Select the client SSL profile you created as part of the pre-requisites or leave the default if testing
+8. For **Source Address Translation**, select **Auto Map**.
- ![Screenshot shows the ssl profile client](./media/f5-big-ip-header-advanced/ssl-profile.png)
+ ![Screenshot of the Source Address Translation option.](./media/f5-big-ip-header-advanced/change-source-address.png)
-5. Change the **Source Address Translation** option to **Auto Map**
+9. For **Access Policy**, select the **Access Profile** created earlier. This action binds the Azure AD SAML preauthentication profile and headers SSO policy to the virtual server.
+10. For **Per-Request Policy**, select **SSO_Headers**.
- ![Screenshot shows the auto map option](./media/f5-big-ip-header-advanced/change-source-address.png)
+ ![Screenshot of entries for Access Profile and Pre-Request Policy.](./media/f5-big-ip-header-advanced/set-access-profile.png)
-6. Under **Access Policy**, set the **Access Profile** created earlier. This binds the Azure AD SAML pre-authentication profile and headers SSO policy to the virtual server.
+11. For **Default Pool**, select the back-end pool objects you created.
+12. Select **Finished**.
- ![Screenshot shows how to set the access profile](./media/f5-big-ip-header-advanced/set-access-profile.png)
+ ![Screenshot of the Default Pool option under Resources.](./media/f5-big-ip-header-advanced/default-pool.png)
-7. Finally, set the **Default Pool** to use the backend pool objects created in the previous section, then select **Finished**.
+## Session management
- ![Screenshot shows how to set default pool](./media/f5-big-ip-header-advanced/default-pool.png)
+Use the BIG-IPs session management setting to define the conditions for user session termination or continuation. Create policy with **Access Policy** > **Access Profiles**. Select an application from the list.
-## Session management
+Regarding SLO functionality, a SLO URI in Azure AD ensures an IdP initiated sign out from the MyApps portal terminates the session between the client and the BIG-IP APM. The imported application federation metadata.xml provides the APM with the Azure AD SAML sign-out endpoint, for SP initiated sign out. Therefore, enable the APM to know when a user signs out.
-A BIG-IPs session management setting is used to define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and error pages. You can create your own policy by heading to **Access Policy** > **Access Profiles** and selecting your application from the list.
+If there's no BIG-IP web portal, the user can't instruct the APM to sign out. If the user signs out of the application, the BIG-IP is oblivious to the action. The application session can be reinstated through SSO. Therefore, SP-initiated sign out needs careful consideration.
-Regarding SLO functionality, having defined a SLO URI in Azure AD will ensure an IdP initiated sign out from the MyApps portal also terminates the session between the client and the BIG-IP APM. Having imported the application's federation metadata.xml then provides the APM with the Azure AD SAML log-out endpoint for SP initiated sign-outs. But for this to be truly effective, the APM needs to know exactly when a user signs-out.
+To ensure sessions terminate securely, add an SLO function to your application **Sign out** button. Enable it to redirect the client to the Azure AD SAML sign-out endpoint. For the SAML sign out endpoint for your tenant, go to **App Registrations** > **Endpoints**.
-Consider a scenario where a BIG-IP web portal isn't used, the user has no way of instructing the APM to sign out. Even if the user signs-out of the application itself, the BIG-IP is technically oblivious to this, so the application session could easily be reinstated through SSO. For this reason SP initiated sign-out needs careful consideration to ensure sessions are securely terminated when no longer required.
+If you can't change the app, enable the BIG-IP to listen for the app sign-out call and trigger SLO. To learn more:
-One way of achieving this would be to add an SLO function to your
-applications sign out button, so that it can redirect your client to the Azure AD SAML sign-out endpoint. The SAML sign-out endpoint for your tenant can be found in **App Registrations** > **Endpoints**.
+* Go to support.f5.com for [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145)
+* Go to my.f5.com for [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056)
-If making a change to the app is a no go then consider having the BIG-IP listen for the apps sign-out call, and upon detecting the request have it trigger SLO. More details on using BIG-IP iRules to achieve this are available in [article K42052145](https://support.f5.com/csp/article/K42052145) and
-[article K12056](https://support.f5.com/csp/article/K12056).
+## Deploy
-## Summary
+1. Select **Deploy** to commit settings.
+2. Verify the application appears in your tenant.
+3. The application is published and accessible via SHA, with its URL or Microsoft portals.
-This last step provides break down of all applied settings before they are committed. Select **Deploy** to commit all settings and verify that the application has appeared in your tenant.
+## Test
-Your application is now published and accessible via SHA, either directly via its URL or through Microsoft's application portals.
+1. As a user, select the application external URL, or in the MyApps portal select the application icon.
+2. Authenticate to Azure AD.
+3. You're redirected to the BIG-IP virtual server for the app and signed in with SSO.
+4. The injected header output appears by the header-based application.
+ ![Screenshot of Server Variables, such as UPN, Employee ID, and Group Authorization.](./media/f5-big-ip-header-advanced/mytravel-example.png)
-## Next steps
+For increased security, block direct access to the application, enforcing a path through the BIG-IP.
-As a user, launch a browser and connect to the application's external URL or select the application's icon in the Microsoft MyApps portal. After authenticating to Azure AD, you'll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.
-The output of the injected headers displayed by our headers-based application is shown.
+## Troubleshooting
-![Screenshot shows the output](./media/f5-big-ip-header-advanced/mytravel-example.png)
+Use the following guidance for troubleshooting.
-For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way forcing a strict path through the BIG-IP.
+### Log verbosity
-## Troubleshooting
+BIG-IP logs have information to help isolate authentication and SSO issues. Increase the log verbosity level:
+
+1. Go to **Access Policy** > **Overview** > **Event Logs**.
+2. Select **Settings**.
+3. Select the row of your published application.
+4. Select **Edit** > **Access System Logs**.
+5. From the SSO list, select **Debug**.
+6. Select **OK**.
+7. Reproduce the issue.
+8. Review the logs.
+9. When finished, revert the settings.
-Failure to access the SHA protected application could be down to any number of potential factors, including a
-misconfiguration.
+### BIG-IP error message
-- BIG-IP logs are a great source of information for isolating all sorts of authentication & SSO issues. When troubleshooting you should increase the log verbosity level by heading to **Access Policy** > **Overview** > **Event Logs** > **Settings**. Select the row for your published application then **Edit** > **Access System Logs**. Select **Debug**
-from the SSO list then **OK**. You can now reproduce your issue before looking at the logs but remember to switch this back when finished.
+If a BIG-IP error appears after redirection, the issue likely relates to SSO from Azure AD to the BIG-IP.
-- If you see a BIG-IP branded error after being redirected following Azure AD pre-authentication, it's likely the issue relates to SSO from Azure AD to the BIG-IP. Navigate to **Access** > **Overview** > **Access reports** and run the report for the last hour to see logs provide any
-clues. The **View session variables** link for your session will also help understand if the APM is receiving the expected claims from Azure AD.
+1. Navigate to **Access Policy** > **Overview**.
+2. Select **Access reports**.
+3. Run the report for the last hour.
+4. Review the logs for clues.
+5. For your session, select the **View session variables** link.
+6. Verify the APM receives the expected claims from Azure AD.
-- If you don't see a BIG-IP error page, then the issue is probably more related to SSO from the BIG-IP to the backend application. In which case you should head to **Access Policy** > **Overview** > **Active Sessions** and select the link for your active session. The **View Variables** link in this location may also help root cause SSO issues, particularly if the BIG-IP APM fails to obtain the right user and domain identifiers.
+### No BIG-IP error message
-See [BIG-IP APM variable assign
-examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107)
-and [F5 BIG-IP session variables
-reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.
+If no BIG-IP error message appears, then the issue is probably more related to SSO from the BIG-IP to the backend application.
-## Additional resources
+1. Navigate to **Access Policy** > **Overview**.
+2. Select **Active Sessions**.
+3. Select the link for your active session.
+4. Select the **View Variables** link to determine any SSO issues.
+5. Confirm the BIG-IP APM fails or succeeds to obtain the correct user and domain identifiers.
-For more information refer to these articles:
+Learn more:
-- [The end of passwords, go password-less](https://www.microsoft.com/security/business/identity/passwordless)
+* Go to devcentral.f5.com for [APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107)
+* Go to techdocs.f5.com for [BIG-IP Access Policy
-- [What is Conditional Access?](../conditional-access/overview.md)
+## Resources
-- [Microsoft Zero Trust framework to enable remote
- work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)
+* [Passwordless authentication](https://www.microsoft.com/security/business/identity/passwordless)
+* [What is Conditional Access?](../conditional-access/overview.md)
+* [Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/)
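Review bot: the second "Learn more" bullet in the troubleshooting section is cut off: `+* Go to techdocs.f5.com for [BIG-IP Access Policy` has an unterminated link text and no URL, so the session variables reference the removed lines pointed at (`https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html`) is lost and the bracket will render literally; complete it along the lines of `* Go to techdocs.f5.com for [BIG-IP Access Policy Manager session variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html)`. Two consistency points in the same region: the K12056 bullet says "Go to my.f5.com" while its link and the K42052145 bullet both point at support.f5.com, and the screenshot alt text "Pre-Request Policy" should match the step it illustrates, "Per-Request Policy". In the session management text, "Therefore, enable the APM to know when a user signs out" does not follow from the sentence before it; the removed wording made the actual point, that SLO only works if the APM is told when the user signs out, so something like "For SLO to be effective, the APM must know when a user signs out" keeps the meaning, and "an unused IP IPv4 or IPv6" in the virtual server steps should read "an unused IPv4 or IPv6 address".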
active-directory F5 Big Ip Headers Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-headers-easy-button.md
Title: Configure F5 BIG-IPΓÇÖs Easy Button for Header-based SSO
-description: learn to implement Secure Hybrid Access (SHA) with single sign-on (SSO) to header-based applications using F5ΓÇÖs BIG-IP Easy Button Guided Configuration.
+ Title: Configure F5 BIG-IP Easy Button for Header-based SSO
+description: Learn to implement secure hybrid access (SHA) with single sign-on (SSO) to header-based applications using F5 BIG-IP Easy Button Guided Configuration.
Previously updated : 01/07/2022 Last updated : 03/27/2023
-# Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for header-based SSO
+# Tutorial: Configure F5 BIG-IP Easy Button for header-based SSO
-In this article, learn to secure headers based applications with Azure Active Directory (Azure AD), through F5ΓÇÖs BIG-IP Easy Button guided configuration.
+Learn to secure header-based applications with Azure Active Directory (Azure AD), with F5 BIG-IP Easy Button Guided Configuration v16.1.
Integrating a BIG-IP with Azure AD provides many benefits, including:
+* Improved Zero Trust governance through Azure AD preauthentication and Conditional Access
+ * See, [What is Conditional Access?](../conditional-access/overview.md)
+ * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)
+* Full SSO between Azure AD and BIG-IP published services
+* Managed identities and access from one control plane
+ * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal)
- * [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)
+Learn more:
- * Full SSO between Azure AD and BIG-IP published services
-
- * Manage Identities and access from a single control plane, the [Azure portal](https://portal.azure.com/)
-
-To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).
+* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)
+* [Enable SSO for an enterprise application](add-application-portal-setup-sso.md)
## Scenario description
-This scenario looks at the classic legacy application using **HTTP authorization headers** to manage access to protected content.
-
-Being legacy, the application lacks modern protocols to support a direct integration with Azure AD. The application can be modernized, but it is costly, requires careful planning, and introduces risk of potential downtime. Instead, an F5 BIG-IP Application Delivery Controller (ADC) is used to bridge the gap between the legacy application and the modern ID control plane, through protocol transitioning.
+This scenario covers the legacy application using HTTP authorization headers to manage access to protected content. Legacy lacks modern protocols to support direct integration with Azure AD. Modernization is costly, time consuming, and introduces downtime risk. Instead, use an F5 BIG-IP Application Delivery Controller (ADC) to bridge the gap between the legacy application and the modern ID control plane, with protocol transitioning.
-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and headers-based SSO, significantly improving the overall security posture of the application.
+A BIG-IP in front of the application enables overlay of the service with Azure AD preauthentication and headers-based SSO. This configuration improves overall application security posture.
-> [!NOTE]
-> Organizations can also gain remote access to this type of application with [Azure AD Application Proxy](../app-proxy/application-proxy.md)
+ > [!NOTE]
+ > Organizations can have remote access to this application type with Azure AD Application Proxy. Learn more: [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy.md)
## Scenario architecture
-The SHA solution for this scenario is made up of:
-
-**Application:** BIG-IP published service to be protected by Azure AD SHA.
-
-**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes.
+The SHA solution contains:
-**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the backend application.
+* **Application** - BIG-IP published service protected by Azure AD SHA
+* **Azure AD** - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SAML-based SSO to the BIG-IP. With SSO, Azure AD provides the BIG-IP with session attributes.
+* **BIG-IP** - reverse-proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the backend application.
-SHA for this scenario supports both SP and IdP initiated flows. The following image illustrates the SP initiated flow.
+For this scenario, SHA supports SP- and IdP-initiated flows. The following diagram illustrates the SP-initiated flow.
- ![Secure hybrid access - SP initiated flow](./media/f5-big-ip-easy-button-header/sp-initiated-flow.png)
+ ![Diagram of the configuration with an SP-initiated flow.](./media/f5-big-ip-easy-button-header/sp-initiated-flow.png)
-| Steps| Description |
-| - |-|
-| 1| User connects to application endpoint (BIG-IP) |
-| 2| BIG-IP APM access policy redirects user to Azure AD (SAML IdP) |
-| 3| Azure AD pre-authenticates user and applies any enforced Conditional Access policies |
-| 4| User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token |
-| 5| BIG-IP injects Azure AD attributes as headers in request to the application |
-| 6| Application authorizes request and returns payload |
+1. User connects to application endpoint (BIG-IP).
+2. BIG-IP APM access policy redirects user to Azure AD (SAML IdP).
+3. Azure AD preauthenticates user and applies Conditional Access policies.
+4. User is redirected to BIG-IP (SAML SP) and SSO occurs using issued SAML token.
+5. BIG-IP injects Azure AD attributes as headers in application request.
+6. Application authorizes request and returns payload.
## Prerequisites
-Prior BIG-IP experience isnΓÇÖt necessary, but youΓÇÖll need:
-
-* An Azure AD free subscription or above
-
-* An existing BIG-IP or [deploy a BIG-IP Virtual Edition (VE) in Azure](./f5-bigip-deployment-guide.md)
-
-* Any of the following F5 BIG-IP license SKUs
+For the scenario you need:
+* An Azure subscription
+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* For the account, have Azure AD Application Administrator permissions
+* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure
+ * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md)
+* Any of the following F5 BIG-IP license SKUs:
* F5 BIG-IP® Best bundle- * F5 BIG-IP Access Policy Manager™ (APM) standalone license
+ * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
+ * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php)
+* User identities synchronized from an on-premises directory to Azure AD
+ * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)
+* An SSL web certificate to publish services over HTTPS, or use default BIG-IP certs for testing
+ * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile)
+* A header-based application or set up an IIS header app for testing
+ * See, [Set up an IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90))
- * F5 BIG-IP Access Policy Manager™ (APM) add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
-
- * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php).
+## BIG-IP configuration
-* User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD
+This tutorial uses Guided Configuration v16.1 with an Easy button template. With the Easy Button, admins no longer go back and forth to enable SHA services. The Guided Configuration wizard and Microsoft Graph handle deployment and policy management. The BIG-IP APM and Azure AD integration ensures applications support identity federation, SSO, and Conditional Access.
-* An account with Azure AD application admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)
-
-* An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certs while testing
-
-* An existing header-based application or [setup a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing
-
-## BIG-IP configuration methods
-
-There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template. With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.
-
-> [!NOTE]
-> All example strings or values referenced throughout this guide should be replaced with those for your actual environment.
+ > [!NOTE]
+ > Replace example strings or values with those in your environment.
## Register Easy Button
-Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)
+Before a client or service accesses Microsoft Graph, the Microsoft identity platform must trust it.
-This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
+Learn more: [Quickstart: Register an application with the Microsoft identity platform](../develop/quickstart-register-app.md)
-1. Sign-in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights
-2. From the left navigation pane, select the **Azure Active Directory** service
-3. Under Manage, select **App registrations > New registration**
-4. Enter a display name for your application. For example, *F5 BIG-IP Easy Button*
-5. Specify who can use the application > **Accounts in this organizational directory only**
-6. Select **Register** to complete the initial app registration
-7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**:
+Create a tenant app registration to authorize the Easy Button access to Graph. With these permissions, the BIG-IP pushes the configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
+
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with Application Administrative permissions.
+2. In the left navigation, select **Azure Active Directory**.
+3. Under **Manage**, select **App registrations > New registration**.
+4. Enter an application **Name**.
+5. Specify who uses the application.
+6. Select **Accounts in this organizational directory only**.
+7. Select **Register**.
+8. Navigate to **API permissions**.
+9. Authorize the following Microsoft Graph **Application permissions**:
* Application.Read.All * Application.ReadWrite.All
This first step creates a tenant app registration that will be used to authorize
* Policy.ReadWrite.ConditionalAccess * User.Read.All
-8. Grant admin consent for your organization
-9. In the **Certificates & Secrets** blade, generate a new **client secret** and note it down
-10. From the **Overview** blade, note the **Client ID** and **Tenant ID**
+8. Grant admin consent for your organization.
+9. On **Certificates & Secrets**, generate a new **Client Secret**. Make a note of the Client Secret.
+10. On **Overview**, note the Client ID and Tenant ID.
## Configure Easy Button
-Initiate the APM's **Guided Configuration** to launch the **Easy Button** Template.
-
-1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.
+1. Start the APM Guided Configuration.
+2. Start the **Easy Button** template.
+3. Navigate to **Access > Guided Configuration**.
+4. Select **Microsoft Integration**
+5. Select **Azure AD Application**.
- ![Screenshot for Configure Easy Button- Install the template](./media/f5-big-ip-easy-button-ldap/easy-button-template.png)
+ ![Screenshot of the Azure AD Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png)
-2. Review the list of configuration steps and select **Next**
+6. Review the configuration steps.
+7. Select **Next**.
- ![Screenshot for Configure Easy Button - List configuration steps](./media/f5-big-ip-easy-button-ldap/config-steps.png)
+ ![Screenshot of configuration steps.](./media/f5-big-ip-easy-button-ldap/config-steps.png)
-3. Follow the sequence of steps required to publish your application.
+8. Use the illustrated steps sequence to publish your application.
- ![Configuration steps flow](./media/f5-big-ip-easy-button-ldap/config-steps-flow.png#lightbox)
+ ![Diagram of the publication sequence.](./media/f5-big-ip-easy-button-ldap/config-steps-flow.png#lightbox)
### Configuration Properties
-The **Configuration Properties** tab creates a BIG-IP application config and SSO object. Consider the **Azure Service Account Details** section to represent the client you registered in your Azure AD tenant earlier, as an application. These settings allow a BIG-IP's OAuth client to individually register a SAML SP directly in your tenant, along with the SSO properties you would normally configure manually. Easy Button does this for every BIG-IP service being published and enabled for SHA.
-
-Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.
-
-1. Enter a unique **Configuration Name** so admins can easily distinguish between Easy Button configurations.
-
-2. Enable **Single Sign-On (SSO) & HTTP Headers**
+Use the **Configuration Properties** tab to create a BIG-IP application config and SSO object. Azure Service Account Details represent the client you registered in the Azure AD tenant. Use the settings for BIG-IP OAuth client to register a SAML SP in your tenant, with SSO properties. Easy Button performs this action for BIG-IP services published and enabled for SHA.
-3. Enter the **Tenant Id**, **Client ID**, and **Client Secret** you noted when registering the Easy Button client in your tenant.
+You can reuse settings to publish more applications.
-4. Confirm the BIG-IP can successfully connect to your tenant, and then select **Next**
+1. Enter a **Configuration Name**.
+2. For **Single Sign-On (SSO) & HTTP Headers**, select **On**.
+3. For **Tenant ID**, **Client ID**, and **Client Secret**, enter what you noted.
+4. Confirm the BIG-IP connects to your tenant.
+5. Select **Next**
- ![Screenshot for Configuration General and Service Account properties](./media/f5-big-ip-easy-button-ldap/config-properties.png)
+ ![Screenshot of entries and options for Configuration Properties.](./media/f5-big-ip-easy-button-ldap/config-properties.png)
### Service Provider
-The Service Provider settings define the properties for the SAML SP instance of the application protected through SHA
+In Service Provider settings, define SAML SP instance settings for the SHA-protected application.
-1. Enter **Host**. This is the public FQDN of the application being secured
+1. Enter a **Host**, the application public FQDN.
+2. Enter an **Entity ID**, the identifier Azure AD uses to identify the SAML SP requesting a token.
-2. Enter **Entity ID**. This is the identifier Azure AD will use to identify the SAML SP requesting a token
+ ![Screenshot of input fields for Service Provider.](./media/f5-big-ip-easy-button-ldap/service-provider.png)
- ![Screenshot for Service Provider settings](./media/f5-big-ip-easy-button-ldap/service-provider.png)
+3. (Optional) In Security Settings, select **Enable Encryption Assertion** to enable Azure AD to encrypt issued SAML assertions. Azure AD and BIG-IP APM encryption assertions help assure content tokens aren't intercepted, nor personal or corporate data compromised.
-The optional **Security Settings** specify whether Azure AD should encrypt issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides additional assurance that the content tokens canΓÇÖt be intercepted, and personal or corporate data be compromised.
-
-3. From the **Assertion Decryption Private Key** list, select **Create New**
+4. In **Security Settings**, from the **Assertion Decryption Private Key** list, select **Create New**.
- ![Screenshot for Configure Easy Button- Create New import](./media/f5-big-ip-oracle/configure-security-create-new.png)
-
-4. Select **OK**. This opens the **Import SSL Certificate and Keys** dialog in a new tab
+ ![Screenshot of the Create New option in the Assertion Decryption Private Key list.](./media/f5-big-ip-oracle/configure-security-create-new.png)
-6. Select **PKCS 12 (IIS) ** to import your certificate and private key. Once provisioned close the browser tab to return to the main tab.
+5. Select **OK**.
+6. The **Import SSL Certificate and Keys** dialog appears.
+7. For **Import Type**, select **PKCS 12 (IIS)**. This action imports the certificate and private key.
+8. For **Certificate and Key Name**, select **New** and enter the input.
+9. Enter the **Password**.
+10. Select **Import**.
+11. Close the browser tab to return to the main tab.
- ![Screenshot for Configure Easy Button- Import new cert](./media/f5-big-ip-oracle/import-ssl-certificates-and-keys.png)
+ ![Screenshot of selections and entries for SSL Certificate Key Source.](./media/f5-big-ip-oracle/import-ssl-certificates-and-keys.png)
-6. Check **Enable Encrypted Assertion**
-7. If you have enabled encryption, select your certificate from the **Assertion Decryption Private Key** list. This is the private key for the certificate that BIG-IP APM will use to decrypt Azure AD assertions
-8. If you have enabled encryption, select your certificate from the **Assertion Decryption Certificate** list. This is the certificate that BIG-IP will upload to Azure AD for encrypting the issued SAML assertions.
+12. Check the box for **Enable Encrypted Assertion**.
+13. If you enabled encryption, from the **Assertion Decryption Private Key** list, select the certificate. BIG-IP APM uses this certificate private key to decrypt Azure AD assertions.
+14. If you enabled encryption, from the **Assertion Decryption Certificate** list, select the certificate. BIG-IP uploads this certificate to Azure AD to encrypt the issued SAML assertions.
- ![Screenshot for Service Provider security settings](./media/f5-big-ip-easy-button-ldap/service-provider-security-settings.png)
+ ![Screenshot of two entries and one option for Security Settings.](./media/f5-big-ip-easy-button-ldap/service-provider-security-settings.png)
### Azure Active Directory
-This section defines all properties that you would normally use to manually configure a new BIG-IP SAML application within your Azure AD tenant. Easy Button provides a set of pre-defined application templates for Oracle PeopleSoft, Oracle E-business Suite, Oracle JD Edwards, SAP ERP as well as generic SHA template for any other apps. For this scenario select **F5 BIG-IP APM Azure AD Integration > Add**.
+Use the following instructions to configure a new BIG-IP SAML application in your Azure AD tenant. Easy Button has application templates for Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, SAP ERP, and a generic SHA template.
- ![Screenshot for Azure configuration add BIG-IP application](./media/f5-big-ip-easy-button-ldap/azure-config-add-app.png)
+1. In **Azure Configuration**, under **Configuration Properties**, select **F5 BIG-IP APM Azure AD Integration**.
+2. Select **Add**.
-#### Azure Configuration
+ ![Screenshot of the F5 BIG-IP APM Azure AD Integration option under Configuration Properties.](./media/f5-big-ip-easy-button-ldap/azure-config-add-app.png)
-1. Enter **Display Name** of app that the BIG-IP creates in your Azure AD tenant, and the icon that the users will see on [MyApps portal](https://myapplications.microsoft.com/)
+#### Azure Configuration
-2. Do not enter anything in the **Sign On URL (optional)** to enable IdP initiated sign-on
+1. Enter an app **Display Name** BIG-IP creates in the Azure AD tenant. Users see the name, with an icon, on Microsoft [My Apps](https://myapplications.microsoft.com/).
+2. Skip **Sign On URL (optional)**.
- ![Screenshot for Azure configuration add display info](./media/f5-big-ip-easy-button-ldap/azure-configuration-properties.png)
+ ![Screenshot of Display Name input under Configuration Properties.](./media/f5-big-ip-easy-button-ldap/azure-configuration-properties.png)
-3. Select the refresh icon next to the **Signing Key** and **Signing Certificate** to locate the certificate you imported earlier
-
-5. Enter the certificateΓÇÖs password in **Signing Key Passphrase**
+3. Next to **Signing Key** and **Signing Certificate**, select **refresh** to locate the certificate you imported.
+4. In **Signing Key Passphrase**, enter the certificate password.
-6. Enable **Signing Option** (optional). This ensures that BIG-IP only accepts tokens and claims that are signed by Azure AD
+6. (Optional) Enable **Signing Option** to ensure BIG-IP accepts tokens and claims signed by Azure AD.
![Screenshot for Azure configuration - Add signing certificates info](./media/f5-big-ip-easy-button-ldap/azure-configuration-sign-certificates.png)
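Review bot: Step 6 of the rewritten Azure Configuration list (`+6. (Optional) Enable **Signing Option** to ensure BIG-IP accepts tokens and claims signed by Azure AD.`) drops the word "only" from the removed sentence, which changes the security meaning: the option makes BIG-IP reject assertions that are unsigned or signed by anyone other than Azure AD, not merely accept signed ones. Suggest `... to ensure BIG-IP accepts only tokens and claims signed by Azure AD.` The same list also jumps from step 4 to step 6; renumber the signing-option step to 5 (the removed lines skipped 4, so the gap was inherited rather than fixed).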
-7. **User and User Groups** are dynamically queried from your Azure AD tenant and used to authorize access to the application. Add a user or group that you can use later for testing, otherwise all access will be denied
+7. Input for **User And User Groups** is dynamically queried.
+
+ > [!IMPORTANT]
+ > Add a user or group for testing, otherwise all access is denied. On **User And User Groups**, select **+ Add**.
- ![Screenshot for Azure configuration - Add users and groups](./media/f5-big-ip-easy-button-ldap/azure-configuration-add-user-groups.png)
+ ![Screenshot of the Add option on User And User Groups.](./media/f5-big-ip-easy-button-ldap/azure-configuration-add-user-groups.png)
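Review bot: The rewritten step 7 (`+7. Input for **User And User Groups** is dynamically queried.`) no longer says what the users and groups are for; the removed line stated they are used to authorize access to the application, which is the reason the IMPORTANT callout warns that all access is denied otherwise. Suggest `7. **User And User Groups** are dynamically queried from your Azure AD tenant and used to authorize access to the application.` so the callout keeps its justification.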
#### User Attributes & Claims
-When a user successfully authenticates, Azure AD issues a SAML token with a default set of claims and attributes uniquely identifying the user. The **User Attributes & Claims tab** shows the default claims to issue for the new application. It also lets you configure more claims.
-
-For this example, you can include one more attribute:
+When a user authenticates, Azure AD issues a SAML token with claims and attributes that identify the user. The **User Attributes & Claims** tab has default claims for the application. Use the tab to configure more claims.
-1. Enter **Header Name** as *employeeid
+Include one more attribute:
-2. Enter **Source Attribute** as *user.employeeid
+1. For **Header Name**, enter **employeeid**.
+2. For **Source Attribute**, enter **user.employeeid**.
- ![Screenshot for user attributes and claims](./media/f5-big-ip-easy-button-ldap/user-attributes-claims.png)
+ ![Screenshot of values under Additional Claims.](./media/f5-big-ip-easy-button-ldap/user-attributes-claims.png)
#### Additional User Attributes
-In the **Additional User Attributes tab**, you can enable session augmentation required by a variety of distributed systems such as Oracle, SAP, and other JAVA based implementations requiring attributes stored in other directories. Attributes fetched from an LDAP source can then be injected as additional SSO headers to further control access based on roles, Partner IDs, etc.
+In the **Additional User Attributes** tab, enable session augmentation. Use this feature for distributed systems such as Oracle, SAP, and other JAVA implementations that require attributes to be stored in other directories. Attributes fetched from an LDAP source are injected as more SSO headers. This action helps control access based on roles, Partner IDs, etc.
- ![Screenshot for additional user attributes](./media/f5-big-ip-easy-button-header/additional-user-attributes.png)
+ ![Screenshot of options under Additional User Attributes.](./media/f5-big-ip-easy-button-header/additional-user-attributes.png)
->[!NOTE]
->This feature has no correlation to Azure AD but is another source of attributes. 
+ >[!NOTE]
+ >This feature has no correlation to Azure Active Directory. It's an attribute source. 
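Review bot: The rewritten opening sentence (`+In the **Additional User Attributes** tab, enable session augmentation.`) turns an optional feature into an instruction; the removed line said you *can* enable it, and nothing later in this tutorial depends on LDAP-sourced attributes. Suggest `In the **Additional User Attributes** tab, you can enable session augmentation.` Also `that require attributes to be stored in other directories` misreads the removed wording (`requiring attributes stored in other directories`): those systems need attributes that already live in other directories, not a requirement to store them there.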
#### Conditional Access Policy
-CA policies are enforced post Azure AD pre-authentication, to control access based on device, application, location, and risk signals.
-
-The **Available Policies** view, by default, will list all CA policies that do not include user based actions.
+Conditional Access policies control access based on device, application, location, and risk signals.
-The **Selected Policies** view, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list as they are enforced at a tenant level.
+* In **Available Policies**, find Conditional Access policies with no user actions
+* In **Selected Policies**, find cloud app policy
+ * You can't deselect these policies or move them to Available Policies because they're enforced at a tenant level
To select a policy to be applied to the application being published:
-1. Select the desired policy in the **Available Policies** list
-2. Select the right arrow and move it to the **Selected Policies** list
+1. On the **Conditional Access Policy** tab, in the **Available Policies** list, select a policy.
+2. Select the **right arrow** and move it to the **Selected Policies** list.
-Selected policies should either have an **Include** or **Exclude** option checked. If both options are checked, the selected policy is not enforced.
+ > [!NOTE]
+ > You can select the **Include** or **Exclude** option for a policy. If both options are selected, the policy is unenforced.
- ![Screenshot for CA policies](./media/f5-big-ip-kerberos-easy-button/conditional-access-policy.png)
+ ![Screenshot of the Exclude option selected for policies in Selected Polices.](./media/f5-big-ip-kerberos-easy-button/conditional-access-policy.png)
-> [!NOTE]
-> The policy list is enumerated only once when first switching to this tab. A refresh button is available to manually force the wizard to query your tenant, but this button is displayed only when the application has been deployed.
+ > [!NOTE]
+ > The policy list appears when you select the **Conditional Access Policy** tab. Select **refresh**, and the wizard queries the tenant. Refresh appears after an application is deployed.
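Review bot: The bullet `+* In **Selected Policies**, find cloud app policy` loses the specific fact from the removed sentence that the preselected policies are those targeting **All cloud apps**, which is why the next sub-bullet says they cannot be deselected; suggest `* **Selected Policies** lists policies that target All cloud apps`. The final NOTE likewise drops the point that the policy list is enumerated only once, when the tab is first opened; without it the reader has no reason to use **refresh** after deployment. Suggest `> The policy list is enumerated once, when you first open the **Conditional Access Policy** tab. After the application is deployed, a **refresh** button appears that makes the wizard query the tenant again.`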
### Virtual Server Properties
-A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for clients requests to the application. Any received traffic is processed and evaluated against the APM profile associated with the virtual server, before being directed according to the policy results and settings.
-
-1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing.
-
-2. Enter **Service Port** as *443* for HTTPS
+A virtual server is a BIG-IP data plane object, represented by a virtual IP address. The server listens for clients requests to the application. Received traffic is processed and evaluated against the APM profile associated with the virtual server. Traffic is directed according to policy.
-3. Check **Enable Redirect Port** and then enter **Redirect Port**. It redirects incoming HTTP client traffic to HTTPS
+1. For **Destination Address**, enter an IPv4 or IPv6 address BIG-IP uses to receive client traffic. Ensure a corresponding record in DNS that enables clients to resolve the external URL, of the BIG-IP published application, to this IP. You can use computer's localhost DNS for testing.
+2. For **Service Port**, enter **443**, and select **HTTPS**.
+3. Check the box for **Enable Redirect Port**.
+4. Enter a value for **Redirect Port**. This option redirects incoming HTTP client traffic to HTTPS.
+5. Select the **Client SSL Profile** you created, or leave the default for testing. The Client SSL Profile enables the virtual server for HTTPS, so client connections are encrypted over TLS.
-4. The Client SSL Profile enables the virtual server for HTTPS, so that client connections are encrypted over TLS. Select the **Client SSL Profile** you created as part of the prerequisites or leave the default whilst testing
-
- ![Screenshot for Virtual server](./media/f5-big-ip-easy-button-ldap/virtual-server.png)
+ ![Screenshot of Destination Address, Service Port, and a selected profile on Virtual Server Properties.](./media/f5-big-ip-easy-button-ldap/virtual-server.png)
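Review bot: Step 2 (`+2. For **Service Port**, enter **443**, and select **HTTPS**.`) introduces a separate "select HTTPS" action that the removed line did not describe (`Enter **Service Port** as *443* for HTTPS`); unless the Easy Button form actually has such a selector, keep the original meaning with `For **Service Port**, enter **443** (HTTPS).` Two wording issues in the same hunk: `listens for clients requests` should be `client requests`, and `You can use computer's localhost DNS for testing` needs an article (`a test computer's localhost DNS`).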
### Pool Properties
-The **Application Pool tab** details the services behind a BIG-IP that are represented as a pool, containing one or more application servers.
+The **Application Pool** tab has services behind a BIG-IP, represented as a pool, with one or more application servers.
-1. Choose from **Select a Pool**. Create a new pool or select an existing one
+1. For **Select a Pool**, select **Create New**, or select another.
+2. For **Load Balancing Method**, select **Round Robin**.
+3. For **Pool Servers**, select a node, or select an IP address and port for the server hosting the header-based application.
-2. Choose the **Load Balancing Method** as *Round Robin*
+ ![Screenshot of IP Address or Node name, and Port input on Pool Properties.](./media/f5-big-ip-oracle/application-pool.png)
-3. For **Pool Servers** select an existing node or specify an IP and port for the server hosting the header-based application
+ > [!NOTE]
+ > The Microsoft back-end application is on HTTP Port 80. If you select HTTPS, use **443**.
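Review bot: The NOTE `+> The Microsoft back-end application is on HTTP Port 80. If you select HTTPS, use **443**.` misstates the removed sentence, which referred to the example application used in this tutorial (`Our backend application sits on HTTP port 80`), not a Microsoft-owned application, and the condition is the reader's own application being served over HTTPS, not a selection made in the form. Suggest `> The example back-end application in this tutorial listens on HTTP port 80. If your application uses HTTPS, enter **443**.`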
- ![Screenshot for Application pool](./media/f5-big-ip-oracle/application-pool.png)
+#### Single Sign-On & HTTP Headers
-Our backend application sits on HTTP port 80 but obviously switch to 443 if yours is HTTPS.
+With SSO, users access BIG-IP published services without entering credentials. The Easy Button wizard supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO.
-#### Single Sign-On & HTTP Headers
+1. On **Single Sign-On & HTTP Headers**, in **SSO Headers**, for **Header Operation**, select **insert**
+2. For **Header Name**, use **upn**.
+3. For **Header Value**, use **%{session.saml.last.identity}**.
+4. For **Header Operation**, select **insert**.
+5. For **Header Name**, use **employeeid**.
+6. For **Header Value**,use **%{session.saml.last.attr.name.employeeid}**.
-Enabling SSO allows users to access BIG-IP published services without having to enter credentials. The **Easy Button wizard** supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO, the latter of which weΓÇÖll enable to configure the following.
+ ![Screenshot of entries and selctions for SSO Headers.](./media/f5-big-ip-easy-button-header/sso-http-headers.png)
-* **Header Operation:** Insert
-* **Header Name:** upn
-* **Header Value:** %{session.saml.last.identity}
+ >[!NOTE]
+ >APM session variables in curly brackets are case-sensitive. Inconsistencies cause attribute mapping failures.
-* **Header Operation:** Insert
-* **Header Name:** employeeid
-* **Header Value:** %{session.saml.last.attr.name.employeeid}
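Review bot: Three typos in the added lines: `+1. ... for **Header Operation**, select **insert**` lacks its terminal period, `+6. For **Header Value**,use` lacks the space after the comma, and the alt text has `selctions`. The rewritten NOTE also drops the concrete example from the removed line (`OrclGUID` entered when the Azure AD attribute is named `orclguid`); since case mismatches in APM session variable names are an easy way to break the header mapping, keep it: `> APM session variables in curly brackets are case-sensitive. For example, entering OrclGUID when the Azure AD attribute is named orclguid causes an attribute mapping failure.`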
+### Session Management
- ![Screenshot for SSO and HTTP headers](./media/f5-big-ip-easy-button-header/sso-http-headers.png)
+Use BIG-IP session management settings to define conditions for user sessions termination or continuation.
->[!NOTE]
->APM session variables defined within curly brackets are CASE sensitive. For example, if you enter OrclGUID when the Azure AD attribute name is being defined as orclguid, it will cause an attribute mapping failure
+To learn more, go to support.f5.com for [K18390492: Security | BIG-IP APM operations guide](https://support.f5.com/csp/article/K18390492)
-### Session Management
+Single log-out (SLO) ensures IdP, BIG-IP, and user agent sessions terminate when users sign out. When the Easy Button instantiates a SAML application in your Azure AD tenant, it populates the sign out URL, with the APM SLO endpoint. IdP-initiated sign out from My Apps terminates BIG-IP and client sessions.
-The BIG-IPs session management settings are used to define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and corresponding user info. Refer to [F5's docs](https://support.f5.com/csp/article/K18390492) for details on these settings.
+Learn more: see, [My Apps](https://myapplications.microsoft.com/)
-What isnΓÇÖt covered here however is Single Log-Out (SLO) functionality, which ensures all sessions between the IdP, the BIG-IP, and the user agent are terminated as users sign off. When the Easy Button instantiates a SAML application in your Azure AD tenant, it also populates the Logout Url with the APMΓÇÖs SLO endpoint. That way IdP initiated sign-outs from the Azure AD MyApps portal also terminate the session between the BIG-IP and a client.
+The SAML federation metadata for the published application is imported from your tenant. The import provides the APM with the SAML sign out endpoint for Azure AD. This action ensures SP-initiated sign out terminates client and Azure AD sessions. Ensure the APM knows when user sign out occurs.
-Along with this the SAML federation metadata for the published application is also imported from your tenant, providing the APM with the SAML logout endpoint for Azure AD. This ensures SP initiated sign outs terminate the session between a client and Azure AD. But for this to be truly effective, the APM needs to know exactly when a user signs-out of the application.
+If the BIG-IP webtop portal accesses published applications, then th eAPM processes the sign out to call the Azure AD sign out endpoint. If the BIG-IP webtop portal isnΓÇÖt used, users can't instruct the APM to sign out. If users sign out of the application, the BIG-IP is oblivious. Thus, ensure SP-initiated sign out securely terminates sessions. You can add an SLO function to an application **Sign out** button, Then, clients are redirected to the Azure AD SAML or BIG-IP sign out endpoint. To locate the SAML sign out endpoint URL for your tenant, go to **App Registrations > Endpoints**.
-If the BIG-IP webtop portal is used to access published applications then a sign-out from there would be processed by the APM to also call the Azure AD sign-out endpoint. But consider a scenario where the BIG-IP webtop portal isnΓÇÖt used, then the user has no way of instructing the APM to sign out. Even if the user signs-out of the application itself, the BIG-IP is technically oblivious to this. So for this reason, SP initiated sign-out needs careful consideration to ensure sessions are securely terminated when no longer required. One way of achieving this would be to add an SLO function to your applications sign out button, so that it can redirect your client to either the Azure AD SAML or BIG-IP sign-out endpoint. The URL for SAML sign-out endpoint for your tenant can be found in **App Registrations > Endpoints**.
+If you can't change the app, enable the BIG-IP to listen for the application sign out call and trigger SLO.
-If making a change to the app is a no go, then consider having the BIG-IP listen for the application's sign-out call, and upon detecting the request have it trigger SLO. Refer to our [Oracle PeopleSoft SLO guidance](./f5-big-ip-oracle-peoplesoft-easy-button.md#peoplesoft-single-logout) for using BIG-IP irules to achieve this. More details on using BIG-IP iRules to achieve this is available in the F5 knowledge article [Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145) and [Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056).
+Learn more:
-## Summary
+* [PeopleSoft Single Logout](./f5-big-ip-oracle-peoplesoft-easy-button.md#peoplesoft-single-logout)
+* Go to support.f5.com for:
+ * [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145)
+ * [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056).
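Review bot: `+If the BIG-IP webtop portal accesses published applications, then th eAPM processes` has a misplaced space (`the APM`), and `**Sign out** button, Then, clients are redirected` should close the sentence before `Then`. More substantively, `Ensure the APM knows when user sign out occurs.` at the end of the previous paragraph reads as an instruction with no action attached; the removed line framed it as a precondition (`for this to be truly effective, the APM needs to know exactly when a user signs out`), which is what the following paragraph then explains how to satisfy. Suggest `For SP-initiated sign out to be effective, the APM must know when a user signs out of the application.`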
-This last step provides a breakdown of your configurations. Select **Deploy** to commit all settings and verify that the application now exists in your tenants list of ΓÇÿEnterprise applications.
+## Deploy
-Your application should now be published and accessible via SHA, either directly via its URL or through MicrosoftΓÇÖs application portals.
+Deployment provides a breakdown of your configurations.
-## Next steps
+1. To commit settings, select **Deploy**.
+2. Verify the application in your tenant list of Enterprise applications.
+3. The application is published and accessible via SHA, with its URL, or on Microsoft application portals.
-From a browser, **connect** to the applicationΓÇÖs external URL or select the **applicationΓÇÖs icon** in the [Microsoft MyApps portal](https://myapplications.microsoft.com/). After authenticating against Azure AD, youΓÇÖll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.
+## Test
-This shows the output of the injected headers displayed by our headers-based application.
+1. From a browser, connect to the application external URL or select the application icon on [My Apps](https://myapplications.microsoft.com/).
+2. Authenticate to Azure AD.
+3. YouΓÇÖre redirected to the BIG-IP virtual server for the application and signed in with SSO.
- ![Screenshot for App views](./media/f5-big-ip-easy-button-ldap/app-view.png)
+The following screenshot is injected headers output from the header-based application.
-For increased security, organizations using this pattern could also consider blocking all direct access to the application, thereby forcing a strict path through the BIG-IP.
+ ![Screenshot of UPN, employee ID, and event roles under Server Variables.](./media/f5-big-ip-easy-button-ldap/app-view.png)
+
+ > [!NOTE]
+ > You can block direct access to the application, thereby enforcing a path through the BIG-IP.
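Review bot: In the Deploy list, `+3. The application is published and accessible via SHA, ...` is an outcome rather than an action, so it does not belong as a numbered step; move it to a sentence after the list. Step 2 (`+2. Verify the application in your tenant list of Enterprise applications.`) should also say where that list is, as the removed line implied: `2. In the Azure portal, under **Enterprise applications**, verify that the application appears.`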
## Advanced deployment
-There may be cases where the Guided Configuration templates lacks the flexibility to achieve more specific requirements. For those scenarios, see [Advanced Configuration for headers-based SSO](./f5-big-ip-header-advanced.md).
+For some scenarios, Guided Configuration templates lack flexibility.
-Alternatively, the BIG-IP gives you the option to disable **Guided ConfigurationΓÇÖs strict management mode**. This allows you to manually tweak your configurations, even though bulk of your configurations are automated through the wizard-based templates.
+Learn more: [Tutorial: Configure F5 BIG-IP Access Policy Manager for header-based SSO](./f5-big-ip-header-advanced.md).
-You can navigate to **Access > Guided Configuration** and select the **small padlock icon** on the far right of the row for your applicationsΓÇÖ configs.
+In BIG-IP, you can disable the Guided Configuration strict management mode. Then, manually change configurations, however most configurations are automated with wizard templates.
- ![Screenshot for Configure Easy Button - Strict Management](./media/f5-big-ip-oracle/strict-mode-padlock.png)
+1. To disable strict mode, navigate to **Access > Guided Configuration**.
+2. On the row for the application configuration, select the **padlock** icon.
+3. BIG-IP objects associated with the published instance of the application are unlocked for management. Changes with the wizard are no longer possible.
-At that point, changes via the wizard UI are no longer possible, but all BIG-IP objects associated with the published instance of the application will be unlocked for direct management.
+ ![Screenshot of the padlock icon.](./media/f5-big-ip-oracle/strict-mode-padlock.png)
-> [!NOTE]
-> Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, therefore we recommend the advanced configuration method for production services.
+ > [!NOTE]
+ > If you re-enable strict mode and deploy a configuration, the action overwrites settings not in the Guided Configuration. We recommend the advanced configuration for production services.
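Review bot: `+Then, manually change configurations, however most configurations are automated with wizard templates.` is a comma splice and inverts the emphasis of the removed sentence, which said disabling strict mode lets you tweak configurations even though most of them are automated. Suggest `You can then change configurations manually, even though most of the configuration is automated by the wizard templates.` Step 3 (`+3. BIG-IP objects associated with the published instance ... are unlocked for management.`) is likewise a consequence, not an action, and reads better as a sentence after the list.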
## Troubleshooting
-Failure to access a SHA protected application can be due to any number of factors. BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.
+Use the following guidance when troubleshooting.
+
+### Log verbosity
+
+BIG-IP logs help isolate issues with connectivity, SSO, policy, or misconfigured variable mappings. To troubleshoot, increase the log verbosity.
+
+1. Navigate to **Access Policy > Overview**.
+2. Select **Event Logs**.
+3. Select **Settings**.
+4. Select the row of your published application
+5. Select **Edit**.
+6. Select **Access System Logs**.
+7. From the SSO list, select **Debug**.
+8. Select **OK**.
+9. Reproduce the issue.
+10. Inspect the logs.
-1. Navigate to **Access Policy > Overview > Event Logs > Settings**
+ > [!NOTE]
+ > Revert this feature when finished. Verbose mode generates excessive data.
-2. Select the row for your published application then **Edit > Access System Logs**
+### BIG-IP error message
-3. Select **Debug** from the SSO list then **OK**
+If a BIG-IP error message appears after Azure AD preauthentication, the issue might relate to Azure AD-to-BIG-IP SSO.
-Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.
+1. Navigate to **Access Policy > Overview**.
+2. Select **Access reports**.
+3. Run the report for the last hour.
+4. Review the logs for clues.
-If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.
+Use the **View session** variables link, for the session, to help understand if the APM receives expected Azure AD claims.
-1. Navigate to **Access > Overview > Access reports**
+### No BIG-IP error message
-2. Run the report for the last hour to see if the logs provide any clues. The **View session** variables link for your session will also help understand if the APM is receiving the expected claims from Azure AD
+If no BIG-IP error message appears, the issue might be related to the back-end request, or BIG-IP-to-application SSO.
-If you donΓÇÖt see a BIG-IP error page, then the issue is probably more related to the backend request or SSO from the BIG-IP to the application.
+1. Navigate to **Access Policy > Overview**.
+2. Select **Active Sessions**.
+3. Select the active session link.
-1. In which case head to **Access Policy > Overview > Active Sessions** and select the link for your active session
+Use the **View Variables** link to help determine SSO issues, particularly if the BIG-IP APM doesn't obtain correct attributes.
-2. The **View Variables** link in this location may also help root cause SSO issues, particularly if the BIG-IP APM fails to obtain the right attributes from Azure AD or another source
+Learn more:
-For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this F5 knowledge article on [LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html).
+* [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072)
+* Go to techdocs.f5.com for [Manual Chapter: LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html)
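Review bot: The two troubleshooting paths both start at `Access Policy > Overview`, while the removed line for access reports used `Access > Overview > Access reports`; confirm which menu label the current BIG-IP UI shows and use the same root for Event Logs, Access reports and Active Sessions. Step 4 of the log verbosity list (`+4. Select the row of your published application`) lacks its period. The NOTE `Revert this feature when finished. Verbose mode generates excessive data.` should say what to revert, since step 7 is what changed: `Set the SSO log level back from **Debug** when finished; verbose mode generates a large volume of data.`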
active-directory F5 Big Ip Oracle Enterprise Business Suite Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-enterprise-business-suite-easy-button.md
Title: Configure F5 BIG-IP Easy Button for SSO to Oracle EBS
-description: Learn to implement SHA with header-based SSO to Oracle EBS using F5ΓÇÖs BIG-IP Easy Button guided configuration
+description: Learn to implement SHA with header-based SSO to Oracle EBS using F5 BIG-IP Easy Button Guided Configuration
Previously updated : 1/31/2022 Last updated : 03/23/2023
-# Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to Oracle EBS
+# Tutorial: Configure F5 BIG-IP Easy Button for SSO to Oracle EBS
-In this article, learn to secure Oracle Enterprise Business Suite (EBS) using Azure Active Directory (Azure AD), through F5ΓÇÖs BIG-IP Easy Button guided configuration.
-
-Integrating a BIG-IP with Azure AD provides many benefits, including:
-
-* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)
+Learn to secure Oracle E-Business Suite (EBS) using Azure Active Directory (Azure AD), with F5 BIG-IP Easy Button Guided Configuration. Integrating a BIG-IP with Azure AD has many benefits:
+* Improved Zero Trust governance through Azure AD preauthentication and Conditional Access
+ * See, [What is Conditional Access?](../conditional-access/overview.md)
+ * See, [Zero Trust security](../../security/fundamentals/zero-trust.md)
* Full SSO between Azure AD and BIG-IP published services
+* Managed identities and access from one control plane
+ * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal)
-* Manage Identities and access from a single control plane, the [Azure portal](https://portal.azure.com/)
+Learn more:
-To learn about all the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).
+* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)
+* [Enable SSO for an enterprise application](add-application-portal-setup-sso.md)
## Scenario description
-This scenario looks at the classic **Oracle EBS application** that uses **HTTP authorization headers** to manage access to protected content.
+This scenario covers the classic Oracle EBS application that uses HTTP authorization headers to manage access to protected content.
-Being legacy, the application lacks modern protocols to support a direct integration with Azure AD. The application can be modernized, but it is costly, requires careful planning, and introduces risk of potential downtime. Instead, an F5 BIG-IP Application Delivery Controller (ADC) is used to bridge the gap between the legacy application and the modern ID control plane, through protocol transitioning.
+Legacy applications lack modern protocols to support Azure AD integration. Modernization is costly, time consuming, and introduces downtime risk. Instead, use an F5 BIG-IP Application Delivery Controller (ADC) to bridge the gap between legacy applications and the modern ID control plane, with protocol transitioning.
-Having a BIG-IP in front of the app enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application.
+A BIG-IP in front of the app enables overlay of the service with Azure AD preauthentication and header-based SSO. This configuration improves application security posture.
## Scenario architecture
-The secure hybrid access solution for this scenario is made up of several components including a multi-tiered Oracle architecture:
-
-**Oracle EBS Application:** BIG-IP published service to be protected by Azure AD SHA.
-
-**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes.
+The secure hybrid access (SHA) solution has the following components:
-**Oracle Internet Directory (OID):** Hosts the user database. BIG-IP checks via LDAP for authorization attributes.
+* **Oracle EBS application** - BIG-IP published service to be protected by Azure AD SHA
+* **Azure AD** - Security Assertion Markup Language (SAML) identity provider (IdP) that verifies user credentials, Conditional Access, and SAML-based SSO to the BIG-IP
+ * With SSO, Azure AD provides BIG-IP session attributes
+* **Oracle Internet Directory (OID)** - hosts the user database
+ * BIG-IP verifies authorization attributes with LDAP
+* **Oracle E-Business Suite AccessGate** - validates authorization attributes with the OID service, then issues EBS access cookies
+* **BIG-IP** - reverse-proxy and SAML service provider (SP) to the application
+ * Authentication is delegated to the SAML IdP, then header-based SSO to the Oracle application occurs
-**Oracle AccessGate:** Validates authorization attributes through back channel with OID service, before issuing EBS access cookies
+SHA supports SP- and IdP-initiated flows. The following diagram illustrates the SP-initiated flow.
-**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the Oracle application.
+ ![Diagram of secure hybrid access, based on the SP-initiated flow.](./media/f5-big-ip-oracle/sp-initiated-flow.png)
-SHA for this scenario supports both SP and IdP initiated flows. The following image illustrates the SP initiated flow.
-
-![Secure hybrid access - SP initiated flow](./media/f5-big-ip-oracle/sp-initiated-flow.png)
-
-| Steps| Description |
-| -- |-|
-| 1| User connects to application endpoint (BIG-IP) |
-| 2| BIG-IP APM access policy redirects user to Azure AD (SAML IdP) |
-| 3| Azure AD pre-authenticates user and applies any enforced Conditional Access policies |
-| 4| User is redirected back to BIG-IP (SAML SP) and SSO is performed using issued SAML token |
-| 5| BIG-IP performs LDAP query for users Unique ID (UID) attribute |
-| 6| BIG-IP injects returned UID attribute as user_orclguid header in EBS session cookie request to Oracle AccessGate |
-| 7| Oracle AccessGate validates UID against Oracle Internet Directory (OID) service and issues EBS access cookie
-| 8| EBS user headers and cookie sent to application and returns the payload to the user |
+1. User connects to application endpoint (BIG-IP).
+2. BIG-IP APM access policy redirects user to Azure AD (SAML IdP).
+3. Azure AD preauthenticates user and applies Conditional Access policies.
+4. User is redirected to BIG-IP (SAML SP) and SSO occurs using the issued SAML token.
+5. BIG-IP performs an LDAP query for the user Unique ID (UID) attribute.
+6. BIG-IP injects returned UID attribute as user_orclguid header in Oracle EBS session cookie request to Oracle AccessGate.
+7. Oracle AccessGate validates UID against OID service and issues Oracle EBS access cookie.
+8. Oracle EBS user headers and cookie sent to application and returns the payload to the user.
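Review bot: Step 8 (`+8. Oracle EBS user headers and cookie sent to application and returns the payload to the user.`) has mismatched subjects: the headers and cookie are sent, but it is the application that returns the payload. The removed table row had the same problem, so this rewrite is the place to fix it. Suggest `8. BIG-IP sends the Oracle EBS user headers and cookie to the application, which returns the payload to the user.`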
## Prerequisites
-Prior BIG-IP experience isnΓÇÖt necessary, but you need:
-
-* An Azure AD free subscription or above
-
-* An existing BIG-IP or [deploy a BIG-IP Virtual Edition (VE) in Azure](./f5-bigip-deployment-guide.md)
-
-* Any of the following F5 BIG-IP license SKUs
+You need the following components:
+* An Azure subscription
+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* For the account, have Azure AD Application Administrator permissions
+* A BIG-IP or deploy a BIG-IP Virtual Edition (VE) in Azure
+ * See, [Deploy F5 BIG-IP Virtual Edition VM in Azure](./f5-bigip-deployment-guide.md)
+* Any of the following F5 BIG-IP license SKUs:
* F5 BIG-IP® Best bundle- * F5 BIG-IP Access Policy Manager™ (APM) standalone license
+ * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
+ * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php).
+* User identities synchronized from an on-premises directory to Azure AD
+ * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)
+* An SSL certificate to publish services over HTTPS, or use default certificates while testing
+ * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile)
+* An Oracle EBS, Oracle AccessGate, and an LDAP-enabled Oracle Internet Database (OID)
- * F5 BIG-IP Access Policy Manager™ (APM) add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)
-
- * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php).
-
-* User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD or created directly within Azure AD and flowed back to your on-premises directory
-
-* An account with Azure AD application admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)
-
-* An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certs while testing
-
-* An existing Oracle EBS suite including Oracle AccessGate and an LDAP enabled OID (Oracle Internet Database)
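Review bot: L7907 expands OID as "Oracle Internet Database", which contradicts the flow step this same change removes at L7875 ("Oracle Internet Directory (OID) service") and the LDAP usage the rest of the page relies on; OID is Oracle's LDAP directory, so the prerequisite should read "an LDAP-enabled Oracle Internet Directory (OID)", and that expansion should be carried into the new flow step at L7883, which now uses the bare acronym with no definition anywhere in the new text. Two smaller regressions in the same block: L7896 drops the link to the Application Administrator role that L7914 carried, and L7903 drops the alternative at L7912 of identities created in Azure AD and written back to the on-premises directory, which the old text allowed and the LDAP lookup in flow step 5 does not rule out. Suggest restoring both.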
+## BIG-IP configuration method
-## BIG-IP configuration methods
+This tutorial uses the Guided Configuration v16.1 Easy Button template. With the Easy Button, admins no longer go back and forth to enable services for SHA. The APM Guided Configuration wizard and Microsoft Graph handle deployment and policy management. This integration ensures applications support identity federation, SSO, and Conditional Access, thus reducing administrative overhead.
-There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template. With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.
+ >[!NOTE]
+ > Replace example strings or values with those in your environment.
->[!NOTE]
-> All example strings or values referenced throughout this guide should be replaced with those for your actual environment.
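Review bot: L7921 "admins no longer go back and forth to enable services for SHA" dropped "between Azure AD and a BIG-IP" from L7922, so it no longer says what the back and forth was; restore the phrase. The removed first sentence of L7922 (two template-based options plus an advanced configuration) is also what the Advanced deployment section at the end of this page builds on, and without it the singular heading at L7919 reads as if the Easy Button were the only way to configure the BIG-IP. Suggest keeping one sentence that names the alternatives before saying this tutorial uses the Easy Button template.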
+## Register the Easy Button
-## Register Easy Button
+Before a client or service accesses Microsoft Graph, the Microsoft identity platform must trust it.
-Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)
+Learn more: [Quickstart: Register an application with the Microsoft identity platform](../develop/quickstart-register-app.md)
-This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
+Create a tenant app registration to authorize the Easy Button access to Graph. The BIG-IP pushes configurations to establish a trust between a SAML SP instance for published application, and Azure AD as the SAML IdP.
-1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights
-
-2. From the left navigation pane, select the **Azure Active Directory** service
-
-3. Under Manage, select **App registrations > New registration**
-
-4. Enter a display name for your application. For example, F5 BIG-IP Easy Button
-
-5. Specify who can use the application > **Accounts in this organizational directory only**
-
-6. Select **Register** to complete the initial app registration
-
-7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**:
+1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative permissions.
+2. In the left navigation pane, select the **Azure Active Directory** service.
+3. Under **Manage**, select **App registrations > New registration**.
+4. Enter an application **Name**. For example, F5 BIG-IP Easy Button.
+5. Specify who can use the application > **Accounts in this organizational directory only**.
+6. Select **Register**.
+7. Navigate to **API permissions**.
+8. Authorize the following Microsoft Graph **Application permissions**:
* Application.Read.All * Application.ReadWrite.All
This first step creates a tenant app registration that will be used to authorize
* Policy.ReadWrite.ConditionalAccess * User.Read.All
-8. Grant admin consent for your organization
-
-9. Go to **Certificates & Secrets**, generate a new **Client secret** and note it down
+9. Grant admin consent for your organization.
+10. Go to **Certificates & Secrets**.
+11. Generate a new **Client Secret**. Make a note of the Client Secret.
+12. Go to **Overview**. Make a note of the Client ID and Tenant ID.
-10. Go to **Overview**, note the **Client ID** and **Tenant ID**
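Review bot: step 8 (L7954-L7957) grants tenant-wide write permissions (Application.ReadWrite.All, Policy.ReadWrite.ConditionalAccess) and step 11 (L7963) has the reader "Make a note of the Client Secret", but neither the rewrite nor the original at L7960 says what that secret is worth: with these permissions it can modify every app registration and every Conditional Access policy in the tenant from any host that holds it, not only the BIG-IP. Suggest a sentence after step 11 telling the reader to treat it as a privileged credential, enter it only into the BIG-IP configuration, and not leave it in the setup notes. Also L7933: "a SAML SP instance for published application" is missing the article (carried over from L7932); "for the published application".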
+## Configure the Easy Button
-## Configure Easy Button
+1. Initiate the APM **Guided Configuration**.
+2. Start the **Easy Button** template.
+3. Navigate to **Access > Guided Configuration > Microsoft Integration**.
+4. Select **Azure AD Application**.
-Initiate the APM's **Guided Configuration** to launch the **Easy Button** Template.
+ ![Screenshot of the Azure AD Application option.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png)
-1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.
+5. Review the configuration options.
+6. Select **Next**.
- ![Screenshot for Configure Easy Button- Install the template](./media/f5-big-ip-easy-button-ldap/easy-button-template.png)
+ ![Screenshot of configuration options and the Next option.](./media/f5-big-ip-easy-button-ldap/config-steps.png)
-2. Review the list of configuration steps and select **Next**
+7. Use the graphic to help publish your application.
- ![Screenshot for Configure Easy Button - List configuration steps](./media/f5-big-ip-easy-button-ldap/config-steps.png)
-
-3. Follow the sequence of steps required to publish your application.
-
- ![Configuration steps flow](./media/f5-big-ip-easy-button-ldap/config-steps-flow.png#lightbox)
+ ![Screenshot of graphic indicating configuration areas.](./media/f5-big-ip-easy-button-ldap/config-steps-flow.png#lightbox)
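Review bot: steps 1-4 at L7968-L7971 are out of order and partly redundant: "2. Start the **Easy Button** template" cannot happen before "3. Navigate to **Access > Guided Configuration > Microsoft Integration**" and "4. Select **Azure AD Application**", because selecting Azure AD Application is how the template is started (the original at L7972-L7974 says exactly that). Suggest collapsing to two steps: navigate to Access > Guided Configuration > Microsoft Integration, then select Azure AD Application to start the Easy Button template. Step 7 at L7980, "Use the graphic to help publish your application", also lost the instruction from L7983 to follow the steps in sequence; the graphic is a map of the wizard, not a substitute for the steps that follow.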
### Configuration Properties
-The **Configuration Properties** tab creates a BIG-IP application config and SSO object. Consider the **Azure Service Account Details** section to represent the client you registered in your Azure AD tenant earlier, as an application. These settings allow a BIG-IP's OAuth client to individually register a SAML SP directly in your tenant, along with the SSO properties you would normally configure manually. Easy Button does this for every BIG-IP service being published and enabled for SHA.
-
-Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.
-
-1. Provide a unique **Configuration Name** that enables an admin to easily distinguish between Easy Button configurations
+The **Configuration Properties** tab creates a BIG-IP application config and SSO object. The **Azure Service Account Details** section represents the client you registered in your Azure AD tenant, as an application. With these settings, a BIG-IP OAuth client registers a SAML SP in your tenant, with SSO properties. Easy Button does this action for BIG-IP services published and enabled for SHA.
-2. Enable **Single Sign-On (SSO) & HTTP Headers**
+To reduce time and effort, reuse global settings to publish other applications.
-3. Enter the **Tenant Id, Client ID**, and **Client Secret** you noted when registering the Easy Button client in your tenant.
+1. Enter a **Configuration Name**.
+2. For **Single sign-on (SSO) & HTTP Headers**, select **On**.
+3. For **Tenant ID, Client ID**, and **Client Secret** enter what you noted during Easy Button client registration.
+4. Confirm the BIG-IP connects to your tenant.
+5. Select **Next**.
-4. Before you select **Next**, confirm the BIG-IP can successfully connect to your tenant.
-
- ![ Screenshot for Configuration General and Service Account properties](./media/f5-big-ip-oracle/configuration-general-and-service-account-properties.png)
+ ![ Screenshot of input on the Configuration Properties dialog.](./media/f5-big-ip-oracle/configuration-general-and-service-account-properties.png)
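Review bot: L7995 "To reduce time and effort, reuse global settings to publish other applications" turns the observation at L7990 (some of these settings are global and are therefore reused) into an instruction the reader cannot act on, since the wizard decides which settings are global. Suggest "Some of these settings are global and are reused when you publish more applications." L7993 "registers a SAML SP in your tenant, with SSO properties" also drops from L7988 that these are the SSO properties the admin would otherwise configure by hand, which is the point of the paragraph.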
### Service Provider
-The Service Provider settings define the properties for the SAML SP instance of the application protected through SHA.
-
-1. Enter **Host**. This is the public FQDN of the application being secured
-
-2. Enter **Entity ID**. This is the identifier Azure AD will use to identify the SAML SP requesting a token
+Use Service Provider settings for the properties of the SAML SP instance of the protected application.
- ![Screenshot for Service Provider settings](./media/f5-big-ip-oracle/service-provider-settings.png)
+1. For **Host**, enter the public FQDN of the application.
+2. For **Entity ID**, enter the identifier Azure AD uses for the SAML SP requesting a token.
- Next, under optional **Security Settings** specify whether Azure AD should encrypt issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides assurance that the content tokens canΓÇÖt be intercepted, and personal or corporate data be compromised.
+ ![Screenshot for Service Provider input and options.](./media/f5-big-ip-oracle/service-provider-settings.png)
-3. From the **Assertion Decryption Private Key** list, select **Create New**
+3. (Optional) In **Security Settings**, select or clear the **Enable Encrypted Assertion** option. Encrypting assertions between Azure AD and the BIG-IP APM means the content tokens canΓÇÖt be intercepted, nor personal or corporate data compromised.
+4. From the **Assertion Decryption Private Key** list, select **Create New**
- ![Screenshot for Configure Easy Button- Create New import](./media/f5-big-ip-oracle/configure-security-create-new.png)
+ ![Screenshot of Create New options in the Assertion Decryption Private Key dropdown.](./media/f5-big-ip-oracle/configure-security-create-new.png)
-4. Select **OK**. This opens the **Import SSL Certificate and Keys** dialog in a new tab
+5. Select **OK**.
+6. The **Import SSL Certificate and Keys** dialog appears in a new tab.
+7. Select **PKCS 12 (IIS)**.
+8. The certificate and private key are imported.
+9. Close the browser tab to return to the main tab.
-5. Select **PKCS 12 (IIS)** to import your certificate and private key. Once provisioned close the browser tab to return to the main tab.
+ ![Screenshot of input for Import Type, Certificate and Key Name, and Password.](./media/f5-big-ip-oracle/import-ssl-certificates-and-keys.png)
- ![Screenshot for Configure Easy Button- Import new cert](./media/f5-big-ip-oracle/import-ssl-certificates-and-keys.png)
+6. Select **Enable Encrypted Assertion**.
+7. For enabled encryption, from the **Assertion Decryption Private Key** list, select the certificate private key BIG-IP APM uses to decrypt Azure AD assertions.
+8. For enabled encryption,from the **Assertion Decryption Certificate** list, select the certificate BIG-IP uploads to Azure AD to encrypt the issued SAML assertions.
-6. Check **Enable Encrypted Assertion**
+ ![Screenshot of selected certificates for Assertion Decryption Private Key and Assertion Decryption Certificate.](./media/f5-big-ip-easy-button-ldap/service-provider-security-settings.png)
-7. If you have enabled encryption, select your certificate from the **Assertion Decryption Private Key** list. This is the private key for the certificate that BIG-IP APM uses to decrypt Azure AD assertions
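Review bot: the Security Settings steps at L8019-L8034 enable encryption twice and select the decryption key twice, and the numbering restarts at 6 after step 9: step 3 (L8019) has the reader "select or clear" Enable Encrypted Assertion, step 4 (L8020) picks a key before encryption is known to be on, and then L8032 ("6. Select **Enable Encrypted Assertion**") and L8033 repeat both. Suggest one sequence: enable encryption, Create New under Assertion Decryption Private Key, import the PKCS 12, then select the key and the certificate. Step 7 (L8026) also lost the action from L8029; "Select **PKCS 12 (IIS)**" followed by "8. The certificate and private key are imported" reads as if the import happens by itself, when the reader must upload the file and supply its password (the screenshot at L8030 shows the Password field). Finally, L8019 overstates what assertion encryption buys: an encrypted assertion can still be intercepted; what encryption prevents is the interceptor reading the claims. "means the content tokens can't be intercepted" should be "means an intercepted assertion cannot be read", which is the point the original at L8016 made in the same loose wording.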
+### Azure AD
-8. If you have enabled encryption, select your certificate from the **Assertion Decryption Certificate** list. This is the certificate that BIG-IP uploads to Azure AD for encrypting the issued SAML assertions.
+Easy Button has application templates for Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, SAP ERP and a generic SHA template. The following screenshot is the Oracle E-Business Suite option under Azure Configuration.
- ![Screenshot for Service Provider security settings](./media/f5-big-ip-easy-button-ldap/service-provider-security-settings.png)
+1. Select **Oracle E-Business Suite**.
+2. Select **Add**.
-### Azure Active Directory
-
-This section defines all properties that you would normally use to manually configure a new BIG-IP SAML application within your Azure AD tenant. Easy Button provides a set of pre-defined application templates for Oracle PeopleSoft, Oracle E-business Suite, Oracle JD Edwards, SAP ERP as well as generic SHA template for any other apps. For this scenario select **Oracle E-Business Suite > Add**.
-
-![Screenshot for Azure configuration add BIG-IP application](./media/f5-big-ip-oracle/azure-configuration-add-big-ip-application.png)
+ ![Screenshot of the Oracle E-Business Suite option under Azure Configuration.](./media/f5-big-ip-oracle/azure-configuration-add-big-ip-application.png)
#### Azure Configuration
-1. Enter **Display Name** of app that the BIG-IP creates in your Azure AD tenant, and the icon that the users see on [MyApps portal](https://myapplications.microsoft.com/)
-
-2. In the **Sign On URL (optional)** enter the public FQDN of the EBS application being secured, along with the default path for the Oracle EBS homepage
+1. Enter a **Display Name** for the app BIG-IP creates in your Azure AD tenant, and the icon on MyApps.
+2. In **Sign On URL (optional)**, enter the EBS application public FQDN.
+3. Enter the default path for the Oracle EBS homepage.
![Screenshot for Azure configuration add display info](./media/f5-big-ip-oracle/azure-configuration-add-display-info.png)
-3. Select the refresh icon next to the **Signing Key** and **Signing Certificate** to locate the certificate you imported earlier
-
-4. Enter the certificateΓÇÖs password in **Signing Key Passphrase**
+3. Next to the **Signing Key** and **Signing Certificate**, select the **refresh** icon.
+4. Locate the certificate you imported.
+5. In **Signing Key Passphrase**, enter the certificate password.
+6. (Optional) Enable **Signing Option**. This option ensures BIG-IP accepts tokens and claims signed by Azure AD.
-5. Enable **Signing Option** (optional). This ensures that BIG-IP only accepts tokens and claims that are signed by Azure AD
+ ![Screenshot of options and entries for Signing Key, Signing Certificate, and Signing Key Passphrase.](./media/f5-big-ip-easy-button-ldap/azure-configuration-sign-certificates.png)
- ![Screenshot for Azure configuration - Add signing certificates info](./media/f5-big-ip-easy-button-ldap/azure-configuration-sign-certificates.png)
+7. For **User And User Groups**, add a user or group for testing, otherwise all access is denied. Users and user groups are dynamically queried from the Azure AD tenant and authorize access to the application.
-6. **User and User Groups** are dynamically queried from your Azure AD tenant and used to authorize access to the application. Add a user or group that you can use later for testing, otherwise all access will be denied
-
- ![Screenshot for Azure configuration - Add users and groups](./media/f5-big-ip-easy-button-ldap/azure-configuration-add-user-groups.png)
+ ![Screenshot of the Add option under User And User Groups.](./media/f5-big-ip-easy-button-ldap/azure-configuration-add-user-groups.png)
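Review bot: step 6 at L8064 inverts the meaning of the Signing Option by dropping "only" from L8065: "ensures BIG-IP accepts tokens and claims signed by Azure AD" says nothing about rejecting unsigned or foreign-signed tokens, which is the whole purpose of the option; restore "accepts only tokens and claims that are signed by Azure AD". Two more problems in the same block: steps 2 and 3 at L8055-L8056 split one field into two, since Sign On URL (optional) takes a single value, the public FQDN plus the EBS homepage path (L8053), so "3. Enter the default path for the Oracle EBS homepage" reads as a separate field; and the list numbering restarts at 3 on L8061 after the step 3 on L8056. L8054 also drops the link to MyApps that L8051 carried.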
#### User Attributes & Claims
-When a user successfully authenticates, Azure AD issues a SAML token with a default set of claims and attributes uniquely identifying the user. The **User Attributes & Claims** tab shows the default claims to issue for the new application. It also lets you configure more claims.
-
- ![Screenshot for user attributes and claims](./media/f5-big-ip-kerberos-easy-button/user-attributes-claims.png)
+When a user authenticates, Azure AD issues a SAML token with default claims and attributes identifying the user. The **User Attributes & Claims** tab has default claims to issue for the new application. Use this area to configure more claims. If needed, add Azure AD attributes, however the Oracle EBS scenario requires the default attributes.
-You can include additional Azure AD attributes if necessary, but the Oracle EBS scenario only requires the default attributes.
+ ![Screenshot of options and entries for User Attributes and Claims.](./media/f5-big-ip-kerberos-easy-button/user-attributes-claims.png)
#### Additional User Attributes
-The **Additional User Attributes** tab can support a variety of distributed systems requiring attributes stored in other directories for session augmentation. Attributes fetched from an LDAP source can then be injected as additional SSO headers to further control access based on roles, Partner IDs, etc.
-
-1. Enable the **Advanced Settings** option
+The **Additional User Attributes** tab supports distributed systems that require attributes stored in directories for session augmentation. Attributes fetched from an LDAP source are injected as more SSO headers to control access based on roles, partner ID, etc.
-2. Check the **LDAP Attributes** check box
+1. Enable the **Advanced Settings** option.
+2. Check the **LDAP Attributes** check box.
+3. In **Choose Authentication Server**, select **Create New**.
+4. Depending on your setup, select **Use pool** or **Direct** server connection mode for the target LDAP service server address. For a single LDAP server, select **Direct**.
+5. For **Service Port**, enter **3060** (Default), **3161** (Secure), or another port for the Oracle LDAP service.
+6. Enter a **Base Search DN**. Use the distinguished name (DN) to search for groups in a directory.
+7. For **Admin DN**, enter the account distinguished name APM uses to authenticate LDAP queries.
+8. For **Admin Password**, enter the password.
-3. Select **Create New** in **Choose Authentication Server**
+ ![Screenshot of options and entries for Additional User Attributes.](./media/f5-big-ip-oracle/additional-user-attributes.png)
-4. Select **Use pool** or **Direct** server connection mode depending on your setup. This provides the **Server Address** of the target LDAP service. If using a single LDAP server, select **Direct**.
-
-5. Enter **Service Port** as 3060 (Default), 3161 (Secure), or any other port your Oracle LDAP service operates on
-
-6. Enter the **Base Search DN** (distinguished name) from which to search. This search DN is used to search groups across a whole directory.
-
-7. Set the **Admin DN** to the exact distinguished name for the account the APM will use to authenticate for LDAP queries, along with its password
-
- ![Screenshot for additional user attributes](./media/f5-big-ip-oracle/additional-user-attributes.png)
-
-8. Leave all default **LDAP Schema Attributes**
+9. Leave the default **LDAP Schema Attributes**.
![Screenshot for LDAP schema attributes](./media/f5-big-ip-oracle/ldap-schema-attributes.png)
-9. Under **LDAP Query Properties**, set the **Search Dn** to the base node of the LDAP server from which to search for user objects
-
-10. Add the name of the user object attribute that must be returned from the LDAP directory. For EBS, the default is **orclguid**
+10. Under **LDAP Query Properties**, for **Search Dn** enter the LDAP server base node for user object search.
+11. For **Required Attributes**, enter the user object attribute name to be returned from the LDAP directory. For EBS, the default is **orclguid**.
- ![Screenshot for LDAP query properties.png](./media/f5-big-ip-oracle/ldap-query-properties.png)
+ ![Screenshot of entries and options for LDAP Query Properties](./media/f5-big-ip-oracle/ldap-query-properties.png)
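Review bot: steps 5-8 at L8090-L8093 have the reader keep port 3060 (Default) and then enter an Admin DN and Admin Password, but nothing says that the default is the non-secure option the same step contrasts with 3161 (Secure), so the bind credentials and every orclguid returned in step 11 cross the network unprotected unless the reader picks the secure port. Suggest stating that the default port is for testing and the secure port is for production, and that the Admin DN account only needs read access to the user objects under the Search Dn of L8112, which limits what an exposure of that password buys. Step 6 at L8091, "Use the distinguished name (DN) to search for groups in a directory", is also less precise than L8100: the Base Search DN is the node the directory search starts from.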
#### Conditional Access Policy
-Conditional Access policies are enforced post Azure AD pre-authentication, to control access based on device, application, location, and risk signals.
+Conditional Access policies control access based on device, application, location, and risk signals. Policies are enforced after Azure AD preauthentication. The Available Policies view has Conditional Access policies with no user actions. The Selected Policies view has policies for cloud apps. You can't deselect these policies or move them to Available Policies because they're enforced at the tenant level.
+
+To select a policy for the application to be published:
-The **Available Policies** view, by default, will list all Conditional Access policies that do not include user-based actions.
+1. In **Available Policies**, select a policy.
+2. Select the **right arrow**.
+3. Move the policy to **Selected Policies**.
-The **Selected Policies** view, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list as they are enforced at a tenant level.
+ > [!NOTE]
+ > The **Include** or **Exclude** option is selected for some policies. If both options are checked, the policy is unenforced.
-To select a policy to be applied to the application being published:
+ ![Screenshot of the Exclude option selected for four polices.](./media/f5-big-ip-easy-button-ldap/conditional-access-policy.png)
-1. Select the desired policy in the **Available Policies** list
+ > [!NOTE]
+ > Select the **Conditional Access Policy** tab and the policy list appears. Select **Refresh** and the wizard queries your tenant. Refresh appears for deployed applications.
-2. Select the right arrow and move it to the **Selected Policies** list
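Review bot: L8118 loses the distinction that explains the rest of the paragraph: the original at L8125 says the Selected Policies view shows policies targeting "All cloud apps", which is why they cannot be deselected (they apply tenant-wide); "has policies for cloud apps" no longer says that. The note at L8127 also turns a requirement into an observation: L8135 says each selected policy should have either Include or Exclude checked, whereas "The **Include** or **Exclude** option is selected for some policies" does not tell the reader to check one, yet the next sentence still warns that checking both leaves the policy unenforced. Suggest "Each selected policy must have either Include or Exclude checked; if both are checked, the policy is not enforced." L8132 similarly drops from L8144 that the list is enumerated once when the tab is first opened, which is the reason Refresh exists.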
+### Virtual Server Properties
- The selected policies should either have an **Include** or **Exclude** option checked. If both options are checked, the policy is not enforced.
+A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for application client requests. Received traffic is processed and evaluated against the APM profile associated with the virtual server. Then, traffic is directed according to policy.
- ![Screenshot for CA policies](./media/f5-big-ip-easy-button-ldap/conditional-access-policy.png)
+1. Enter a **Destination Address**, an IPv4 or IPv6 address BIG-IP uses to receive client traffic. Ensure a corresponding record in DNS that enables clients to resolve the external URL, of the BIG-IP published application, to the IP. Use a test computer localhost DNS for testing.
+3. For **Service Port**, enter **443**, and select **HTTPS**.
+4. Select **Enable Redirect Port**.
+5. For **Redirect Port**, enter **80**, and select **HTTP**. This action redirects incoming HTTP client traffic to HTTPS.
+6. Select the **Client SSL Profile** you created, or leave the default for testing. Client SSL Profile enables the virtual server for HTTPS. Client connections are encrypted over TLS.
-> [!NOTE]
-> The policy list is enumerated only once when first switching to this tab. A refresh button is available to manually force the wizard to query your tenant, but this button is displayed only when the application has been deployed.
+ ![Screenshot of options and selections for Virtual Server Properties.](./media/f5-big-ip-easy-button-ldap/virtual-server.png)
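Review bot: the list at L8138-L8142 skips from step 1 to step 3; renumber. L8138 also packs three instructions into one step (the listening address, the DNS record that must point at it, and using the test computer's local DNS while testing); the DNS requirement is a separate action the reader has to perform outside the BIG-IP and would read better as its own sentence or step.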
-### Virtual Server Properties
+### Pool Properties
-A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for client requests to the application. Any received traffic is processed and evaluated against the APM profile associated with the virtual server, before being directed according to the policy results and settings.
+The **Application Pool** tab has services behind a BIG-IP, a pool with one or more application servers.
-1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing.
+1. From **Select a Pool**, select **Create New**, or select another option.
+2. For **Load Balancing Method**, select **Round Robin**.
+3. Under **Pool Servers**, select and enter an **IP Address/Node Name** and **Port** for the servers hosting Oracle EBS.
+4. Select **HTTPS**.
-2. Enter **Service Port** as *443* for HTTPS
+ ![Screenshot of options and selections for Pool Properties](./media/f5-big-ip-oracle/application-pool.png)
-3. Check **Enable Redirect Port** and then enter **Redirect Port**. It redirects incoming HTTP client traffic to HTTPS
+5. Under **Access Gate Pool** confirm the **Access Gate Subpath**.
+6. For **Pool Servers** select and enter an **IP Address/Node Name** and **Port** for the servers hosting Oracle EBS.
+7. Select **HTTPS**.
-4. The Client SSL Profile enables the virtual server for HTTPS, so that client connections are encrypted over TLS. Select the **Client SSL Profile** you created as part of the prerequisites or leave the default whilst testing
+ ![Screenshot of options and entries for Access Gate Pool.](./media/f5-big-ip-oracle/accessgate-pool.png)
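Review bot: steps 6-7 at L8159-L8160 are a copy of steps 3-4 (L8153-L8154) and tell the reader to fill the Access Gate Pool with "the servers hosting Oracle EBS", which contradicts the flow at L7882-L7883 and the explanation this change removes at L8184: the Access Gate Pool is the Oracle AccessGate service that validates the injected UID and issues the EBS session cookie, a separate component from the EBS application servers in the first pool. Pointing both pools at the EBS servers breaks flow step 6, which sends the user_orclguid session-cookie request to AccessGate. Suggest restoring the description from L8184 and changing step 6 to the IP address or node name and port of the Oracle AccessGate servers.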
- ![Screenshot for Virtual server](./media/f5-big-ip-easy-button-ldap/virtual-server.png)
+#### Single Sign-On & HTTP Headers
-### Pool Properties
+The Easy Button wizard supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO to published applications. The Oracle EBS application expects headers, therefore enable HTTP headers.
-The **Application Pool tab** details the services behind a BIG-IP, represented as a pool containing one or more application servers.
+1. On **Single Sign-On & HTTP Headers**, select **HTTP Headers**.
+2. For **Header Operation**, select **replace**.
+3. For **Header Name**, enter **USER_NAME**.
+4. For **Header Value**, enter **%{session.sso.token.last.username}**.
+5. For **Header Operation**, select **replace**.
+6. For **Header Name**, enter **USER_ORCLGUID**.
+7. For **Header Value**, enter **%{session.ldap.last.attr.orclguid}**.
-1. Choose from **Select a Pool**. Create a new pool or select an existing one
+ ![ Screenshot of entries and selections for Header Operation, Header Name, and Header Value.](./media/f5-big-ip-oracle/sso-and-http-headers.png)
-2. Choose the **Load Balancing Method** as *Round Robin*
+ >[!NOTE]
+ >APM session variables in curly brackets are case-sensitive.
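Review bot: the note at L8179 dropped the concrete failure from L8203 (entering OrclGUID where the attribute is orclguid causes an attribute mapping failure); that example is what makes "case-sensitive" actionable, so restore it. Steps 2 and 5 (L8169, L8172) both set Header Operation to replace without saying why, and the choice is the security control in this section: replace overwrites a USER_NAME or USER_ORCLGUID header that arrived from the client with the APM session values before the request reaches EBS, rather than passing a client-supplied value through. One sentence saying so, tied to the advice at L8220 to block direct access to the application (the other half of keeping these headers trustworthy), would make the section self-explanatory.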
-3. For **Pool Servers** select an existing node or specify an IP and port for the servers hosting the Oracle EBS application.
+### Session Management
- ![Screenshot for Application pool](./media/f5-big-ip-oracle/application-pool.png)
+Use BIG-IP Session Management to define conditions for user session termination or continuation.
-4. The **Access Gate Pool** specifies the servers Oracle EBS uses for mapping an SSO authenticated user to an Oracle E-Business Suite session. Update **Pool Servers** with the IP and port for of the Oracle application servers hosting the application
+To learn more, go to support.f5.com for [K18390492: Security | BIG-IP APM operations guide](https://support.f5.com/csp/article/K18390492)
- ![Screenshot for AccessGate pool](./media/f5-big-ip-oracle/accessgate-pool.png)
+Single Log-Out (SLO) functionality ensures sessions between the IdP, BIG-IP, and the user agent, terminate when users sign out. When the Easy Button instantiates a SAML application in your Azure AD tenant, it populates the Logout URL with the APM SLO endpoint. Thus, IdP-initiated sign out, from the My Apps portal, terminates the session between the BIG-IP and a client.
-#### Single Sign-On & HTTP Headers
+See, Microsoft [My Apps](https://myapplications.microsoft.com/)
-The **Easy Button wizard** supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO to published applications. As the Oracle EBS application expects headers, enable **HTTP Headers** and enter the following properties.
+The SAML federation metadata for the published application is imported from the tenant. This action provides the APM with the SAML sign out endpoint for Azure AD. Then, SP-initiated sign out terminates the client and Azure AD session. Ensure the APM knows when a user signs out.
-* **Header Operation:** replace
-* **Header Name:** USER_NAME
-* **Header Value:** %{session.sso.token.last.username}
+If you use the BIG-IP webtop portal to access published applications, APM processes a sign out to call the Azure AD sign out endpoint. If you don't use the BIG-IP webtop portal, the user can't instruct the APM to sign out. If the user signs out of the application, the BIG-IP is oblivious to the action. Ensure SP-initiated sign out triggers secure sessions termination. Add an SLO function to the applications **Sign out** button to redirect the client to the Azure AD SAML or BIG-IP sign out endpoint. Find the SAML sign out endpoint URL for your tenant in **App Registrations > Endpoints**.
-* **Header Operation:** replace
-* **Header Name:** USER_ORCLGUID
-* **Header Value:** %{session.ldap.last.attr.orclguid}
+If you can't change the app, have the BIG-IP listen for the application sign out call and then trigger SLO.
- ![ Screenshot for SSO and HTTP headers](./media/f5-big-ip-oracle/sso-and-http-headers.png)
+Learn more:
->[!NOTE]
->APM session variables defined within curly brackets are CASE sensitive. For example, if you enter OrclGUID when the Azure AD attribute name is being defined as orclguid, it will cause an attribute mapping failure
+* [PeopleSoft SLO Logout](./f5-big-ip-oracle-peoplesoft-easy-button.md#peoplesoft-single-logout)
+* Go to support.f5.com for:
+ * [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145
+ * [K12056: Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056)
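Review bot: the link on L8206 is missing its closing parenthesis ("…/article/K42052145" with no ")"), so the K42052145 entry will not render as a link; L8195 has "the applications **Sign out** button" for "the application's", and "secure sessions termination" for "secure session termination". On content, L8195 says "If you don't use the BIG-IP webtop portal, the user can't instruct the APM to sign out" and then "Ensure SP-initiated sign out triggers secure sessions termination" without connecting the two; the original at L8219 made the consequence explicit, namely that the APM session survives an application sign-out, so SP-initiated sign-out needs a deliberate design. Suggest: "Without the webtop, signing out of the application does not end the APM session, so add an SLO function to the application's Sign out button that redirects the client to the Azure AD SAML or BIG-IP sign-out endpoint."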
-### Session Management
+## Deploy
-The BIG-IPs session management settings are used to define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and corresponding user info. Refer to [F5's docs](https://support.f5.com/csp/article/K18390492) for details on these settings.
+1. Select **Deploy** to commit settings.
+2. Verify the application appears in the tenant Enterprise applications list.
-What isnΓÇÖt covered here however is Single Log-Out (SLO) functionality, which ensures all sessions between the IdP, the BIG-IP, and the user agent are terminated as users sign off. When the Easy Button instantiates a SAML application in your Azure AD tenant, it also populates the Logout Url with the APMΓÇÖs SLO endpoint. That way IdP initiated sign-outs from the Azure AD MyApps portal also terminate the session between the BIG-IP and a client.
+## Test
-Along with this the SAML federation metadata for the published application is also imported from your tenant, providing the APM with the SAML logout endpoint for Azure AD. This ensures SP initiated sign outs terminate the session between a client and Azure AD. But for this to be truly effective, the APM needs to know exactly when a user signs-out of the application.
+1. From a browser, connect to the Oracle EBS application external URL, or select the application icon in the [My Apps](https://myapps.microsoft.com/).
+2. Authenticate to Azure AD.
+3. YouΓÇÖre redirected to the BIG-IP virtual server for the application and signed in by SSO.
-If the BIG-IP webtop portal is used to access published applications then a sign-out from there would be processed by the APM to also call the Azure AD sign-out endpoint. But consider a scenario where the BIG-IP webtop portal isnΓÇÖt used, then the user has no way of instructing the APM to sign out. Even if the user signs-out of the application itself, the BIG-IP is technically oblivious to this. So for this reason, SP initiated sign-out needs careful consideration to ensure sessions are securely terminated when no longer required. One way of achieving this would be to add an SLO function to your applications sign out button, so that it can redirect your client to either the Azure AD SAML or BIG-IP sign-out endpoint. The URL for SAML sign-out endpoint for your tenant can be found in **App Registrations > Endpoints**.
+For increased security, block direct application access, thereby enforcing a path through the BIG-IP.
-If making a change to the app is a no go, then consider having the BIG-IP listen for the application's sign-out call, and upon detecting the request have it trigger SLO. Refer to our [Oracle PeopleSoft SLO guidance](./f5-big-ip-oracle-peoplesoft-easy-button.md#peoplesoft-single-logout) for using BIG-IP irules to achieve this. More details on using BIG-IP iRules to achieve this is available in the F5 knowledge article [Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145) and [Overview of the Logout URI Include option](https://support.f5.com/csp/article/K12056).
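Review bot: the four removed paragraphs on Single Log-Out (SLO) have no replacement in the new text, so the SP-initiated sign-out caveat disappears from the article: the APM is not told when a user signs out of the application unless the app's sign-out button redirects to the Azure AD SAML or BIG-IP sign-out endpoint, or an iRule catches the application's sign-out call. Keep at least a short SLO subsection, or a pointer to the PeopleSoft SLO guidance and the F5 articles K42052145 and K12056 that the removed text cited, because a BIG-IP session that outlives the application sign-out is a real session-termination gap for this pattern.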
+## Advanced deployment
-## Summary
+Sometimes, the Guided Configuration templates lack flexibility for requirements.
-This last step provides a breakdown of your configurations. Select **Deploy** to commit all settings and verify that the application now exists in your tenants list of ΓÇÿEnterprise applications.
+Learn more: [Tutorial: Configure F5 BIG-IPΓÇÖs Access Policy Manager for header-based SSO](./f5-big-ip-header-advanced.md).
-## Next steps
+### Manually change configurations
-From a browser, connect to the **Oracle EBS applicationΓÇÖs external URL** or select the applicationΓÇÖs icon in the [Microsoft MyApps portal](https://myapps.microsoft.com/). After authenticating to Azure AD, youΓÇÖll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.
+Alternatively, in BIG-IP disable the Guided Configuration strict management mode to manually change configurations. Wizard templates automate most configurations.
-For increased security, organizations using this pattern could also consider blocking all direct access to the application, thereby forcing a strict path through the BIG-IP.
+1. Navigate to **Access > Guided Configuration**.
+2. On the right end of the row for your application configuration, select the **padlock** icon.
-## Advanced deployment
+ ![Screenshot of the padlock icon](./media/f5-big-ip-oracle/strict-mode-padlock.png)
-There may be cases where the Guided Configuration templates lack the flexibility to achieve more specific requirements. For those scenarios, see [Advanced Configuration for headers-based SSO](./f5-big-ip-header-advanced.md). Alternatively, the BIG-IP gives the option to disable **Guided ConfigurationΓÇÖs strict management mode**. This allows you to manually tweak your configurations, even though bulk of your configurations are automated through the wizard-based templates.
+After you disable strict mode, you can't make changes with the wizard. However, BIG-IP objects associated with the published app instance are unlocked for management.
-You can navigate to **Access > Guided Configuration** and select the **small padlock icon** on the far right of the row for your applicationsΓÇÖ configs.
+ > [!NOTE]
+ > If you re-enable strict mode, new configurations overwrite settings performed without the Guided Configuration. We recommend the advanced configuration method for production services.
-![Screenshot for Configure Easy Button - Strict Management](./media/f5-big-ip-oracle/strict-mode-padlock.png)
+## Troubleshooting
-At that point, changes via the wizard UI are no longer possible, but all BIG-IP objects associated with the published instance of the application will be unlocked for direct management.
+Use the following instructions to help troubleshoot issues.
-> [!NOTE]
-> Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, therefore we recommend the advanced configuration method for production services.
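Review bot: the rewritten note "If you re-enable strict mode, new configurations overwrite settings performed without the Guided Configuration" drops the condition in the removed line, which said the overwrite happens when strict mode is re-enabled *and* a configuration is deployed. Restore that condition so readers don't expect the padlock alone to wipe their manual changes, and replace "performed without the Guided Configuration" with "made outside the Guided Configuration UI", which is what the removed text said.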
+### Increase log verbosity
-## Troubleshooting
+Use BIG-IP logging to isolate issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Increase the log verbosity level.
+
+1. Navigate to **Access Policy > Overview > Event Logs**.
+2. Select **Settings**.
+3. Select the row for your published application.
+4. Select **Edit > Access System Logs**.
+5. From the SSO list, select **Debug**.
+6. Select **OK**.
+7. Reproduce the issue.
+8. Inspect the logs.
-Failure to access a SHA protected application can be due to any number of factors. BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.
+Revert the settings changes because verbose mode generates excessive data.
-1. Navigate to **Access Policy > Overview > Event Logs > Settings**
+### BIG-IP error message
-2. Select the row for your published application then **Edit > Access System Logs**
+If a BIG-IP error appears after Azure AD preauthentication, the issue might relate to Azure AD and BIG-IP SSO.
-3. Select **Debug** from the SSO list then **OK**
+1. Navigate to **Access > Overview.
+2. Select **Access reports**.
+3. Run the report for the last hour.
+4. Review the logs for clues.
-Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.
+Use the **View session** link for your session to confirm the APM receives expected Azure AD claims.
-If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.
+### No BIG-IP error message
-1. Navigate to **Access > Overview > Access reports**
+If no BIG-IP error page appears, the issue might relate to the back-end request, or BIG-IP and application SSO.
-2. Run the report for the last hour to see if the logs provide any clues. The **View session** variables link for your session will also help understand if the APM is receiving the expected claims from Azure AD
+1. Navigate to **Access Policy > Overview**.
+2. Select **Active Sessions**.
+3. Select the link for your active session.
-If you donΓÇÖt see a BIG-IP error page, then the issue is probably more related to the backend request or SSO from the BIG-IP to the application.
+Use the **View Variables** link to investigate SSO issues, particularly if the BIG-IP APM doesn't obtain correct attributes from Azure AD, or another source.
-1. In which case head to **Access Policy > Overview > Active Sessions** and select the link for your active session
+Learn more:
-2. The **View Variables** link in this location may also help root cause SSO issues, particularly if the BIG-IP APM fails to obtain the right attributes from Azure AD or another source
+* Go to devcentral.f5.com for [APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107)
+* Go to techdocs.f5.com for [Manual Chapter: Session Variables](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html)
-See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.
+### Validate the APM service account
-The following command from a bash shell validates the APM service account used for LDAP queries and can successfully authenticate and query a user object:
+Use the following bash shell command to validate the APM service account for LDAP queries. The command authenticates and queries user objects.
```ldapsearch -xLLL -H 'ldap://192.168.0.58' -b "CN=oraclef5,dc=contoso,dc=lds" -s sub -D "CN=f5-apm,CN=partners,DC=contoso,DC=lds" -w 'P@55w0rd!' "(cn=testuser)" ```
-For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this [F5 knowledge article on LDAP Query](https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ldap-query.html).
+Learn more:
+
+* Go to support.f5.com for [K11072: Configuring LDAP remote authentication for AD](https://support.f5.com/csp/article/K11072)
+* Go to techdocs.f5.com for [Manual Chapter: LDAP Query](https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ldap-query.html)
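Review bot: `**Access > Overview.` in the first step under "BIG-IP error message" is missing its closing `**`, so the bold runs into the rest of the step; change it to `**Access > Overview**.` The ldapsearch sample is also kept on a single line with the opening and closing fences inline, so it renders as inline text rather than a code block; put the fences on their own lines. That sample binds with a literal credential (`-w 'P@55w0rd!'`) over plain `ldap://`; since readers copy these samples verbatim, replace the password with a placeholder or use `-W` to prompt for it, show the `ldaps://` form, and say that the bind account is the APM service credential and should not end up in shell history or a ticket. Finally, the new lead sentence says the command "queries user objects" while the filter `(cn=testuser)` returns a single object; the removed wording "query a user object" was accurate.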
active-directory Howto Enforce Signed Saml Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/howto-enforce-signed-saml-authentication.md
-# SAML Request Signature Verification (Preview)
+# SAML Request Signature Verification
SAML Request Signature Verification is a functionality that validates the signature of signed authentication requests. An App Admin now can enable and disable the enforcement of signed requests and upload the public keys that should be used to do the validation.
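Review bot: dropping "(Preview)" from the H1 is the only visible change, so confirm the same commit removes any preview callouts or preview-API references in the body, and that the first sentence's "An App Admin now can" wording is updated, since "now" reads as a preview-era announcement once the feature is generally available.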
active-directory User Admin Consent Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/user-admin-consent-overview.md
Previously updated : 09/28/2022 Last updated : 04/04/2023
For most organizations, one of the built-in options will be appropriate. Some ad
## Admin consent
-During admin consent, a Privileged Administrator may grant an application access on behalf of other users (usually, on behalf of the entire organization). Also during admin consent, applications or services provide direct access to an API, which can be used by the application if there's no signed-in user.
+During admin consent, a Privileged Administrator may grant an application access on behalf of other users (usually, on behalf of the entire organization). Also during admin consent, applications or services provide direct access to an API, which can be used by the application if there's no signed-in user. The specific role needed to grant admin consent differs based on the permissions requested, which are outlined [here.](grant-admin-consent.md#prerequisites)
When your organization purchases a license or subscription for a new application, you might proactively want to set up the application so that all users in the organization can use it. To avoid the need for user consent, an administrator can grant consent for the application on behalf of all users in the organization. After an administrator grants admin consent on behalf of the organization, users aren't usually prompted for consent for that application. In certain cases, a user might be prompted for consent even after consent was granted by an administrator. An example might be if an application requests another permission that the administrator hasn't already granted.
-Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of the organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation.
+Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of the organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation.
Before you grant tenant-wide admin consent, ensure that you trust the application and the application publisher, for the level of access you're granting. If you aren't confident that you understand who controls the application and why the application is requesting the permissions, do *not* grant consent.
After the admin consent workflow is enabled, users can request admin approval fo
## Next steps - [Configure user consent settings](configure-user-consent.md)-- [Configure the admin consent workflow](configure-admin-consent-workflow.md)
+- [Configure the admin consent workflow](configure-admin-consent-workflow.md)
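Review bot: the appended link uses "here." as its text with the period inside the brackets (`[here.](grant-admin-consent.md#prerequisites)`); use descriptive link text and move the period outside, for example `see the [prerequisites for granting admin consent](grant-admin-consent.md#prerequisites).` The `-`/`+` pair for the "Granting admin consent ... is a sensitive operation" paragraph is textually identical as shown, so it is a whitespace-only change; that is fine, but it is worth saying so in the change description so reviewers don't hunt for a wording difference. The Next steps fix correctly separates the two list items that had run together.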
active-directory Tutorial Windows Vm Access Sql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql.md
using Microsoft.Data.SqlClient;
try { //
-// Open a connection to the server using Active Direcotry Managed Identity authentication.
+// Open a connection to the server using Active Directory Managed Identity authentication.
// string connectionString = "Data Source=<AZURE-SQL-SERVERNAME>; Initial Catalog=<DATABASE>; Authentication=Active Directory Managed Identity; Encrypt=True"; SqlConnection conn = new SqlConnection(connectionString);
active-directory Howto Manage Inactive User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md
In large environments, user accounts are not always deleted when employees leave
This article explains a method to handle obsolete user accounts in Azure AD.
-> [!IMPORTANT]
-> APIs under the `/beta` version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the **Version** selector.
- ## What are inactive user accounts? Inactive accounts are user accounts that are not required anymore by members of your organization to gain access to your resources. One key identifier for inactive accounts is that they haven't been used *for a while* to sign-in to your environment. Because inactive accounts are tied to the sign-in activity, you can use the timestamp of the last sign-in that was successful to detect them.
The last successful sign-in provides potential insights into a user's continued
You detect inactive accounts by evaluating the **lastSignInDateTime** property exposed by the **signInActivity** resource type of the **Microsoft Graph** API. The **lastSignInDateTime** property shows the last time a user made a successful interactive sign-in to Azure AD. Using this property, you can implement a solution for the following scenarios: -- **Users by name**: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDateTime: `https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity`
+- **Users by name**: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDateTime: `https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity`
+
+- **Users by date**: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: `https://graph.microsoft.com/v1.0/users?$filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z`
-- **Users by date**: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: `https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z`
+> [!NOTE]
+> When you request the signInActivity property while listing users, the maximum page size is 120 users. Requests with $top set higher than 120 will fail. SignInActivity supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`) *but* not with any other filterable properties.
> [!NOTE] > There may be the need to generate a report of the last sign in date of all users, if so you can use the following scenario.
-> **Last Sign In Date and Time for All Users**: In this scenario, you request a list of all users, and the last lastSignInDateTime for each respective user: `https://graph.microsoft.com/beta/users?$select=displayName,signInActivity`
+> **Last Sign In Date and Time for All Users**: In this scenario, you request a list of all users, and the last lastSignInDateTime for each respective user: `https://graph.microsoft.com/v1.0/users?$select=displayName,signInActivity`
## What you need to know
This section lists what you need to know about the lastSignInDateTime property.
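Review bot: the two `/v1.0/users` examples don't show paging, while the new note states the page size is capped at 120 users whenever signInActivity is requested; add `$top=120` to the list-all example and say that callers must follow `@odata.nextLink` until it is absent, otherwise a reader will treat the first page as the whole tenant and miss inactive accounts. Changing `?filter=` to `?$filter=` on the "Users by date" example makes it consistent with the other examples, which is the right fix. The fixed cutoff `2019-06-01T00:00:00Z` in a 2023 article reads as stale; label it as an example cutoff date or use a placeholder.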
### How can I access this property?
-The **lastSignInDateTime** property is exposed by the [signInActivity resource type](/graph/api/resources/signinactivity?view=graph-rest-beta&preserve-view=true) of the [Microsoft Graph API](/graph/overview#whats-in-microsoft-graph).
-
-> [!NOTE]
-> The signInActivity resource type is available only on the Microsoft Graph `beta` endpoint and isn't yet supported in US Government GCC High environments.
+The **lastSignInDateTime** property is exposed by the [signInActivity resource type](/graph/api/resources/signinactivity) of the [Microsoft Graph API](/graph/overview#whats-in-microsoft-graph).
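Review bot: removing the beta-only note also removes the statement that signInActivity isn't supported in US Government GCC High environments. Moving the property to v1.0 says nothing by itself about sovereign-cloud availability, so if that restriction still applies it should survive as its own note rather than disappear with the beta cleanup; if it no longer applies, saying so explicitly is still useful to readers in those clouds.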
### Is the lastSignInDateTime property available through the Get-AzureAdUser cmdlet?
To access this property, you need an Azure Active Directory Premium edition.
### What permission do I need to read the property?
-To read this property, you need to grant the following rights:
+To read this property, you need to grant the app the following Microsoft Graph permissions:
- AuditLog.Read.All - Directory.Read.All
+- User.Read.All
### When does Azure AD update the property?
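Review bot: as rendered here, the permission list reads `- AuditLog.Read.All - Directory.Read.All` on one line followed by `- User.Read.All` on its own, so verify that each permission sits on its own bullet in the source. The new wording "grant the app the following Microsoft Graph permissions" implies application permissions, while the "Get-AzureAdUser" question just above implies delegated use; state which of the two (or both) these are, since that decides whether an admin consent grant is needed before the query in the earlier section works.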
active-directory Recommendation Migrate Apps From Adfs To Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-migrate-apps-from-adfs-to-azure-ad.md
Using Azure AD gives you granular per-application access controls to secure acce
### Guided walkthrough
-For a guided walkthrough of many of the recommendations in this article, see the migration guide [Migrate from AD FS to Microsoft Azure Active Directory for identity management](https://setup.microsoft.com/azure/migrate-ad-fs-to-microsoft-azure-ad).
+For a guided walkthrough of many of the recommendations in this article, see the migration guide [Migrate from AD FS to Microsoft Azure Active Directory for identity management](https://go.microsoft.com/fwlink/?linkid=2225005) when signed in to the Microsoft 365 Admin Center. To review best practices without signing in and activating automated setup features, go to the [M365 Setup portal](https://go.microsoft.com/fwlink/?linkid=2229256).
## Next steps
active-directory Acunetix 360 Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/acunetix-360-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: cb0c2e2c-ade9-4e6b-9ce5-d7c7d2743d90
active-directory Adobe Identity Management Provisioning Oidc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/adobe-identity-management-provisioning-oidc-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: baa54168-d23a-49d8-94d1-28476138cd90
active-directory Adobe Identity Management Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/adobe-identity-management-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 6ae05dc7-1265-44b4-a20c-512b5218b9d1
active-directory Akamai Enterprise Application Access Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/akamai-enterprise-application-access-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: e4eb183a-192f-49e0-8724-549b2f360b8e
active-directory Alertmedia Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/alertmedia-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: a5df0dd7-05a3-4744-9d51-ec33e89a934f
active-directory Alexishr Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/alexishr-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 438a007c-2c3f-466f-ac9a-7e752e2532a4
active-directory Alinto Protect Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/alinto-protect-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: cc47804c-2d00-402f-8aa5-b6155a81d78d
active-directory Appaegis Isolation Access Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/appaegis-isolation-access-cloud-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: c845e98a-6fcd-4285-94b7-a72a2175ca7e
active-directory Apple Business Manager Provision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/apple-business-manager-provision-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 4ad30031-9904-4ac3-a4d2-e8c28d44f319
active-directory Apple School Manager Provision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/apple-school-manager-provision-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: f006c177-7b35-4af1-84f2-db4a4e2bf96a
active-directory Ardoq Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/ardoq-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 0339e63a-5262-4019-a85d-18c9617fc4b3
active-directory Asana Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/asana-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 274810a2-bd74-4500-95f1-c720abf23541
active-directory Askspoke Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/askspoke-provisioning-tutorial.md
documentationcenter: "" writer: twimmers-+ ms.assetid: f9458aac-f576-49ce-aba4-fc8302ed6360
active-directory Atea Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/atea-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: b788328b-10fd-4eaa-a4bc-909d738d8b8b
active-directory Atlassian Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 53b804ba-b632-4c4b-a77e-ec6468536898
active-directory Atmos Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/atmos-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 769b98d7-009f-44ed-8569-a5acc52d7552
active-directory Auditboard Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/auditboard-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: e6ab736b-2bb7-4a5a-9f01-67c33f0ff97d
active-directory Autodesk Sso Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/autodesk-sso-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 07782ca6-955c-441e-b28c-5e7f3c3775ac
active-directory Aws Single Sign On Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/aws-single-sign-on-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 54a9f704-7877-4ade-81af-b8d3f7fb9255
active-directory Benq Iam Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/benq-iam-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 8c21c81c-f9dc-4818-b2fe-7a06b205af8d
active-directory Bentley Automatic User Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bentley-automatic-user-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 08778fff-f252-45c2-95d4-cc640c288af3
active-directory Bic Cloud Design Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bic-cloud-design-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 1aace746-6f6d-4ac4-ad2c-7ba65bb86a72
active-directory Bis Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bis-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: d76e2482-4228-4907-8b4c-c75aa495a2ae
active-directory Bizagi Studio For Digital Process Automation Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 2fbff65a-5345-4c08-a6c7-60b80d867a3e
active-directory Bldng App Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bldng-app-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 5ccc1176-c244-4003-8486-67586bcdf317
active-directory Blinq Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/blinq-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 5b076ac0-cd0e-43c3-85ed-8591bfd424ff
active-directory Blogin Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/blogin-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 4b2ef46c-97a1-450d-bbc8-b2fa76280219
active-directory Boxcryptor Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/boxcryptor-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 656de6d6-399e-4346-a07e-0e5fefb0b4ee
active-directory Bpanda Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bpanda-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 57e424f8-6fbc-4701-a312-899b562589ea
active-directory Britive Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/britive-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 622688b3-9d20-482e-aab9-ce2a1f01e747
active-directory Browserstack Single Sign On Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/browserstack-single-sign-on-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 39999abc-e4a2-4058-81e0-bf88182f8864
active-directory Bullseyetdp Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/bullseyetdp-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: a1a4e5ab-87ae-4cad-b187-cc474a8ea185
active-directory Cato Networks Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cato-networks-provisioning-tutorial.md
Title: 'Tutorial: Configure Cato Networks for automatic user provisioning with A
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Cato Networks. writer: twimmers-+ ms.assetid: bdaa6863-c0fe-40b0-8989-3632900464ef
active-directory Cerby Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cerby-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 465492d5-4f75-4201-bed4-f45b3be18702
active-directory Chaos Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/chaos-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 1a831f80-8fe0-4cb5-a639-ab9e2a0e90f7
active-directory Chatwork Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/chatwork-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 586bcb81-1c00-4b46-9da0-4aa86c6c8fd5
active-directory Checkproof Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/checkproof-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: b036510b-bf7a-4284-ac17-41a5b10e2b55
active-directory Cinode Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cinode-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 4d6f06dd-a798-4c22-b84f-8a11f1b8592a
active-directory Cisco Umbrella User Management Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cisco-umbrella-user-management-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 1aa20f40-19ec-4213-9a3b-5eb2bcdd9bbd
active-directory Clarizen One Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/clarizen-one-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: d8021105-eb5b-4a20-8739-f02e0e22c147
active-directory Clebex Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/clebex-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 4746fd14-114c-4e6e-bee4-34a7a34a6237
active-directory Cloud Academy Sso Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cloud-academy-sso-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 224777cb-fc03-4e4a-8c8d-5befe1174233
active-directory Coda Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/coda-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 4d6f06dd-a798-4c22-b84f-8a11f1b8592a
active-directory Code42 Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/code42-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: ddcb950b-3f9a-4ebb-bf78-4ec42d16d52d
active-directory Cofense Provision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cofense-provision-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 84fe20ef-0de0-4f7c-9b42-6385f3d834db
active-directory Connecter Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/connecter-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 6e60505a-f8c8-46f6-8e6f-525e7c8416b7
active-directory Contentful Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/contentful-provisioning-tutorial.md
description: Learn how to automatically provision and deprovision user accounts
documentationcenter: '' -+ ms.assetid: 3b761984-a9a0-4519-b23e-563438978de5
active-directory Cybsafe Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cybsafe-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 7255fe44-1662-4ae4-9ff3-9492911b7ce0
active-directory Directprint Io Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/directprint-io-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 0a79e880-bbdf-45e4-ae1e-2c74aec9f51e
active-directory Documo Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/documo-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 92b9561a-5c87-4540-a806-744e35ff5714
active-directory Eletive Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/eletive-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 8a775422-e6d7-4cd5-b8d1-cc8a2db24c4f
active-directory Embed Signage Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/embed-signage-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 92edbf22-3f7b-43ca-9a9e-0209ac9a12ec
active-directory Evercate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/evercate-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: df77d462-071a-4889-b6e1-0554adaa2445
active-directory Exium Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/exium-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: fb9d03e1-4365-4932-9403-69acfc3b8671
active-directory Fortes Change Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fortes-change-cloud-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: ef9a8f5e-0bf0-46d6-8e17-3bcf1a5b0a6b
active-directory Frankli Io Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/frankli-io-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 936223d1-7ba5-4300-b05b-cbf78ee45d0e
active-directory Freshservice Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/freshservice-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: e03ec65a-25ef-4c91-a364-36b2f007443c
active-directory Getabstract Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/getabstract-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: bd8898f9-7a01-4e85-9dd4-61ae4b01ab5b
active-directory Ghae Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/ghae-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 4dfc1903-b12e-4b5a-9938-5ebf95189232
active-directory Github Ae Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/github-ae-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: d9818c05-e279-45b4-8aad-0fa156abd74e
active-directory Github Enterprise Managed User Oidc Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
documentationcenter: '' writer: twimmers-+ ms.assetid: e39cbad7-e23a-4986-9725-54a7aeb7b1ea
active-directory Github Enterprise Managed User Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/github-enterprise-managed-user-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
documentationcenter: '' writer: twimmers-+ ms.assetid: 6aee39c7-08a1-4110-b936-4c85d129743b
active-directory Global Relay Identity Sync Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/global-relay-identity-sync-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 0c4a3bf0-d0a6-4eab-909b-6cf9f9234e4c
active-directory Golinks Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/golinks-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: b8a62f41-861f-417a-8925-70b892d9a4de
active-directory Gong Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/gong-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 6c8285d3-4f35-4325-9adb-d1a44668a03a
active-directory Grammarly Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/grammarly-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: cd2dd9d7-4901-40c8-8888-98850557b072
active-directory Grouptalk Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/grouptalk-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: e537d393-2724-450f-9f5b-4611cdc9237c
active-directory Gtmhub Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/gtmhub-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 10b68d00-a544-480b-9bd6-f6ac291a90d0
active-directory H5mag Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/h5mag-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 87b4715b-c4b4-4e4b-aa25-21dfc5135a0a
active-directory Helloid Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/helloid-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: ffd450a5-03ec-4364-8921-5c468e119c4d
active-directory Holmes Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/holmes-cloud-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: b1088904-2ea2-4440-b39e-c4b7712b8229
active-directory Hoxhunt Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/hoxhunt-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 24fbe0a4-ab2d-4e10-93a6-c87d634ffbcf
active-directory Ideagen Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/ideagen-cloud-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 9d86a706-03d3-4a7e-b76b-2197d6641af4
active-directory Insite Lms Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/insite-lms-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: c4dbe83d-b5b4-4089-be89-b357e8d6f359
active-directory Introdus Pre And Onboarding Platform Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/introdus-pre-and-onboarding-platform-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 829376bb-41d8-42da-89ee-853f5630121b
active-directory Invision Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/invision-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 72518dda-d485-45c8-849e-6b27ee09d9a8
active-directory Invitedesk Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/invitedesk-provisioning-tutorial.md
Title: 'Tutorial: Configure InviteDesk for automatic user provisioning with Azur
description: Learn how to automatically provision and de-provision user accounts from Azure AD to InviteDesk. writer: twimmers-+ ms.assetid: d3291257-0dc0-4ed7-ae21-29249ce664df
active-directory Iris Intranet Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/iris-intranet-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 38db8479-6d33-43de-9f71-1f1bd184fe69
active-directory Jostle Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/jostle-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 6dbb744f-8b8e-4988-b293-ebe079c8c5c5
active-directory Joyn Fsm Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/joyn-fsm-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: e778e26b-c998-4432-85b7-5a0d0047ccae
active-directory Keepabl Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/keepabl-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 80b48f18-fbdd-4c35-8aa9-b5f7a8331044
active-directory Kisi Physical Security Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/kisi-physical-security-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 2d4840ae-146d-4649-aaf1-5efe35abbd51
active-directory Klaxoon Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/klaxoon-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: b7a61926-171c-415b-858f-54f6e53515f2
active-directory Klaxoon Saml Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/klaxoon-saml-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 5aaacb86-4fb0-49f3-9f7d-e9ea94829b2b
active-directory Knowbe4 Security Awareness Training Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/knowbe4-security-awareness-training-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: e71f7de4-33d0-46cc-85c9-29f24c3e1a25
active-directory Kpifire Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/kpifire-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 8c5dd093-20da-4ff6-a9b2-8071f44accd6
active-directory Kpn Grip Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/kpn-grip-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 0d2558a4-1c6c-44e0-bf4c-471da6920f5a
active-directory Lanschool Air Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/lanschool-air-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: a589d3c5-6add-4a97-a0ca-4a0a6e816fe4
active-directory Lawvu Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/lawvu-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 37a258fe-b435-4bd8-88a8-8e93bb6f6b6b
active-directory Limblecmms Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/limblecmms-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 5e0d5369-7230-4a16-bc3f-9eac2bc80a8c
active-directory Logicgate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/logicgate-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: eea988ef-b0f1-4d22-b867-310f167540c3
active-directory Logmein Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/logmein-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: cf38e6ad-6391-4e5d-98f7-fbdaf3de54f5
active-directory Lucid All Products Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/lucid-all-products-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 54a47643-8703-4ab9-96a5-a803b344ccc4
active-directory Maptician Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/maptician-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 15ae5ceb-2113-40f8-8d3f-bf8895ef8f42
active-directory Mondaycom Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mondaycom-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 7dba523e-c75a-4895-bad4-82239a263afe
active-directory Mural Identity Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mural-identity-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 0b932dbd-b5c9-40e3-baeb-a7c7424e1bfd
active-directory Mx3 Diagnostics Connector Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mx3-diagnostics-connector-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 6d54ea28-0208-45bc-8e29-c6cf9a912f00
active-directory Myday Provision Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/myday-provision-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 59b4150a-9530-479b-9f62-a16c3d005dbe
active-directory Netsparker Enterprise Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/netsparker-enterprise-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 6e951318-213e-40d1-9947-88242059f877
active-directory Nordpass Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/nordpass-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: ad92f598-f6f6-4ee4-8de4-a488d4e07126
active-directory Olfeo Saas Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/olfeo-saas-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 5f6b0320-dfe7-451c-8cd8-6ba7f2e40434
active-directory Open Text Directory Services Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/open-text-directory-services-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: ad55ba5f-c56c-4ed0-bdfd-163d2883ed80
active-directory Palo Alto Networks Cloud Identity Engine Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/palo-alto-networks-cloud-identity-engine-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 48afc8f5-a030-42da-9ffa-14fe5f80e333
active-directory Palo Alto Networks Scim Connector Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/palo-alto-networks-scim-connector-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: b44885ef-fc1c-473c-9948-d7ca54d42d49
active-directory Papercut Cloud Print Management Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/papercut-cloud-print-management-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 7e65d727-2951-4aec-a7a3-7bde49ed09e2
active-directory Parsable Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/parsable-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 1ec33ea6-bff4-4665-bf2b-f4037ff28c09
active-directory Peripass Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/peripass-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 1d036aa3-4e07-4f48-a6ae-40fc6c066e42
active-directory Plandisc Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/plandisc-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 16244680-205d-4763-960a-9bc7a6e915bc
active-directory Playvox Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/playvox-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: c31c20ab-f6cd-40e1-90ad-fa253ecbc0f8
active-directory Preciate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/preciate-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: fa640971-87e7-49f2-933b-bc7c95fe51e2
active-directory Printer Logic Saas Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/printer-logic-saas-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 001cfccf-b8a4-46e6-b355-94e8b694b122
active-directory Prodpad Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/prodpad-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 57511d3c-905a-4de5-9cc9-1a08bd7b8457
active-directory Proware Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/proware-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 8887932e-e27e-419b-aa85-a0cda428d525
active-directory Real Links Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/real-links-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: a024c7db-ffe6-4fc9-a0ec-7075930bbf75
active-directory Rouse Sales Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/rouse-sales-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: f25122aa-4a23-4fb9-8d4e-9997b5ba5329
active-directory Sap Analytics Cloud Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 27d12989-efa8-4254-a4ad-8cb6bf09d839
active-directory Schoolstream Asa Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/schoolstream-asa-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: ac594768-7b76-4e5a-b46e-8f1cb41f2754
active-directory Secure Deliver Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/secure-deliver-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 20bc4dc5-49b3-4f23-bd41-1a36815f9f49
active-directory Secure Login Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/secure-login-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: f37882fb-80fa-446c-8f56-d13fd905fe54
active-directory Segment Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/segment-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 20939a92-5f48-4ef7-ab95-042e70ec1e0e
active-directory Sentry Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sentry-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 8a4337de-7282-4f0f-8db0-1d999efc70c8
active-directory Servicenow Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/servicenow-provisioning-tutorial.md
description: Learn how to automatically provision and deprovision user accounts
writer: twimmers-+ ms.assetid: 5f03d8b7-c3a0-443e-91af-99cc3956fa18
active-directory Shopify Plus Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/shopify-plus-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: e2fa3ac8-a30f-4dcd-8073-ed7c65909feb
active-directory Sigma Computing Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sigma-computing-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 6108a4de-4420-4baa-bc2f-1c39a1ebe81d
active-directory Slack Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/slack-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 7fa2a1b1-7ed3-4c51-ae17-f5d4ee88488c
active-directory Smallstep Ssh Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/smallstep-ssh-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 1f37bd8a-4706-4385-b42e-5507912066f1
active-directory Smartsheet Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/smartsheet-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 9d391bd3-b0d3-4c7d-af8a-70bc0a538706
active-directory Sosafe Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sosafe-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 30de9f90-482e-43ef-9fcb-f3d4f5eac533
active-directory Splashtop Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/splashtop-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 8d8c3745-aaa9-4dbd-9fbf-92da4ada2a9e
active-directory Surveymonkey Enterprise Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/surveymonkey-enterprise-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 50c400a2-8dd9-41ba-b11d-b1516b9d2967
active-directory Swit Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/swit-provisioning-tutorial.md
Title: 'Tutorial: Configure Swit for automatic user provisioning with Azure Acti
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Swit. writer: twimmers-+ ms.assetid: ce8e918b-3a0c-43af-8cb2-3c810143e484
active-directory Tableau Online Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tableau-online-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: b4038c18-2bfd-47cb-8e74-3873dc85a796
active-directory Talentech Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/talentech-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 0a83529b-b150-4af8-bc5b-a0f4345c3356
active-directory Tap App Security Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tap-app-security-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: affd297c-2b6f-4dc2-b4c3-d29458cf4b1b
active-directory Taskize Connect Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/taskize-connect-provisioning-tutorial.md
Title: 'Tutorial: Configure Taskize Connect for automatic user provisioning with
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Taskize Connect. writer: twimmers-+ ms.assetid: 295b6542-879d-4330-afd7-e8867d83464d
active-directory Teamgo Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/teamgo-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: d05259eb-97aa-4746-9f0f-a74fe2586ac9
active-directory Terratrue Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/terratrue-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 80547381-3f42-4e18-b737-20b43402e31e
active-directory Thrive Lxp Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/thrive-lxp-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 1b4993b3-7fb1-4128-a399-3bad8e26559f
active-directory Tic Tac Mobile Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tic-tac-mobile-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: d0f24e81-fecf-4e71-bd8a-ab911366fdf5
active-directory Timeclock 365 Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/timeclock-365-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: dc5e95c8-d878-43dd-918e-69e1686b4db6
active-directory Timeclock 365 Saml Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/timeclock-365-saml-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 7f87db7f-ee99-4798-bca9-e281508e6b76
active-directory Torii Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/torii-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: e6cfe864-b106-4d24-9070-03864e5dfb83
active-directory Travelperk Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/travelperk-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 3e40f87d-8624-4b14-b098-80ff916103c3
active-directory Tribeloo Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tribeloo-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: d1063ef2-5d39-4480-a1e2-f58ebe7f98c3
active-directory Twingate Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/twingate-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 39476198-1ade-4c22-b880-111f4c30d823
active-directory Uber Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/uber-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: f16047ee-8ed6-4f8f-86e4-d9bc2cbd9016
active-directory Unifi Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/unifi-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 924c603f-574e-4e0a-9345-0cb0c7593dbb
active-directory Visibly Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/visibly-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 9c658962-8a11-47ca-86ee-34872a39813a
active-directory Vonage Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/vonage-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: dfb7e9bb-c29e-4476-adad-4ab254658e83
active-directory Webroot Security Awareness Training Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/webroot-security-awareness-training-provisioning-tutorial.md
documentationcenter: '' writer: twimmers-+ ms.assetid: 455f4396-930e-4db5-a167-d3ea6a860a17
active-directory Wedo Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/wedo-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 3088D3EB-CED5-45A5-BD7E-E20B1D7C40F6
active-directory Whimsical Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/whimsical-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 4457a724-ed81-4f7b-bb3e-70beea80cb51
active-directory Yellowbox Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/yellowbox-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 0899c687-c36b-4b53-8fea-f762f0616521
active-directory Zendesk Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zendesk-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: 620f0aa6-42af-4356-85f9-04aa329767f3
active-directory Zero Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zero-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 98d13d52-7f7e-4cfe-9ec3-c6a6b647dd80
active-directory Zip Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zip-provisioning-tutorial.md
description: Learn how to automatically provision and de-provision user accounts
writer: twimmers-+ ms.assetid: 8aea0505-a3a1-4f84-8deb-6e557997c815
active-directory Zoom Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zoom-provisioning-tutorial.md
documentationcenter: '' writer: Thwimmer-+ ms.assetid: d9bd44ed-2e9a-4a1b-b33c-cb9e9fe8ff47
aks Aks Planned Maintenance Weekly Releases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/aks-planned-maintenance-weekly-releases.md
-# Use Planned Maintenance window for scheduling exclusive Azure Kubernetes Service (AKS) weekly releases (Preview)
+# Use Planned Maintenance pre-created configurations to schedule Azure Kubernetes Service (AKS) weekly releases (preview)
- Planned Maintenance allows you to schedule weekly maintenance windows that will ensure the weekly releases [releases] are controlled. Maintenance Windows are configured using the Azure CLI, allowing you to select from a set of pre-available configurations.
+Planned Maintenance allows you to schedule weekly maintenance windows that ensure the weekly [releases] are controlled. You can select from the set of pre-created configurations and use the Azure CLI to configure your maintenance windows.
-Weekly releases can also be scheduled with more fine-grained control using Planned Maintenance's `default` configuration type. For more information, see [Planned Maintenance to schedule and control upgrades][planned-maintenance].
+You can also be schedule with more fine-grained control using Planned Maintenance's `default` configuration type. For more information, see [Planned Maintenance to schedule and control upgrades][planned-maintenance].
## Before you begin
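Review bot: the rewritten sentence `+You can also be schedule with more fine-grained control using Planned Maintenance's `default` configuration type.` is ungrammatical and drops its subject; the `-` line said what is being scheduled (weekly releases). Suggest `+You can also schedule weekly releases with more fine-grained control using Planned Maintenance's `default` configuration type.` so the sentence still names the thing being scheduled and reads correctly.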
aks Azure Cni Powered By Cilium https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-powered-by-cilium.md
Azure CNI powered by Cilium currently has the following limitations:
## Prerequisites * Azure CLI version 2.41.0 or later. Run `az --version` to see the currently installed version. If you need to install or upgrade, see [Install Azure CLI][/cli/azure/install-azure-cli].
-* Azure CLI with aks-preview extension 0.5.109 or later.
+* Azure CLI with aks-preview extension 0.5.135 or later.
* If using ARM templates or the REST API, the AKS API version must be 2022-09-02-preview or later.
+> [!NOTE]
+> Previous AKS API versions (2022-09-02preview to 2023-01-02preview) used the field [`networkProfile.ebpfDataplane=cilium`](https://github.com/Azure/azure-rest-api-specs/blob/06dbe269f7d9c709cc225c92358b38c3c2b74d60/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2022-09-02-preview/managedClusters.json#L6939-L6955). AKS API versions since 2023-02-02preview use the field [`networkProfile.networkDataplane=cilium`](https://github.com/Azure/azure-rest-api-specs/blob/06dbe269f7d9c709cc225c92358b38c3c2b74d60/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2023-02-02-preview/managedClusters.json#L7152-L7173) to enable Azure CNI Powered by Cilium.
+ ## Install the aks-preview Azure CLI extension [!INCLUDE [preview features callout](includes/preview/preview-callout.md)]
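Review bot: the new NOTE writes API versions as `2022-09-02preview` and `2023-02-02preview`, while the unchanged prerequisite line immediately above writes `2022-09-02-preview`; the API version strings should be spelled one way (the hyphenated form used by the REST spec paths linked in the note). The prerequisite line also still says the API version "must be 2022-09-02-preview or later", but the note explains that versions before 2023-02-02-preview use a different field (`networkProfile.ebpfDataplane`), so an ARM/REST user on the minimum version will need the old field name; suggest either raising the minimum to 2023-02-02-preview or stating explicitly in the prerequisite that the field name depends on the API version, as the note does.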
az network vnet subnet create -g <resourceGroupName> --vnet-name <vnetName> --na
az network vnet subnet create -g <resourceGroupName> --vnet-name <vnetName> --name podsubnet --address-prefixes <address prefix, example: 10.241.0.0/16> -o none ```
-Create the cluster using `--enable-cilium-dataplane`:
+Create the cluster using `--network-dataplane=cilium`:
```azurecli-interactive az aks create -n <clusterName> -g <resourceGroupName> -l <location> \
az aks create -n <clusterName> -g <resourceGroupName> -l <location> \
--network-plugin azure \ --vnet-subnet-id /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/nodesubnet \ --pod-subnet-id /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Network/virtualNetworks/<vnetName>/subnets/podsubnet \
- --enable-cilium-dataplane
+ --network-dataplane=cilium
```
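Review bot: the command swap to `--network-dataplane=cilium` is correct for the extension version now required, but nothing in the Option 1 text tells the reader that the new flag depends on the aks-preview extension version raised in the prerequisites (`0.5.135 or later`); a reader with an older extension will get an unrecognized-argument error from `az aks create` with no pointer to the cause. Suggest a one-line reminder before the command, e.g. "This flag requires aks-preview extension 0.5.135 or later; earlier versions expose a different flag."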
+> [!NOTE]
+> The `--network-dataplane=cilium` flag replaces the deprecated `--enable-ebpf-dataplane` flag used in earlier versions of the aks-preview CLI extension.
+ ### Option 2: Assign IP addresses from an overlay network Run this commands to create a cluster with an overlay network and Cilium. Replace the values for `<clusterName>`, `<resourceGroupName>`, and `<location>`:
az aks create -n <clusterName> -g <resourceGroupName> -l <location> \
--network-plugin azure \ --network-plugin-mode overlay \ --pod-cidr 192.168.0.0/16 \
- --enable-cilium-dataplane
+ --network-dataplane=cilium
``` ## Frequently asked questions
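Review bot: the added NOTE names the deprecated flag as `--enable-ebpf-dataplane`, but the flag this commit removes from both `az aks create` examples (`-    --enable-cilium-dataplane`) is `--enable-cilium-dataplane`; one of the two names is wrong, or both were used in earlier extension versions and the note should list both. Please reconcile so a reader searching for the flag they have in existing scripts finds it here.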
aks Concepts Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/concepts-scale.md
Title: Concepts - Scale applications in Azure Kubernetes Services (AKS)
-description: Learn about scaling in Azure Kubernetes Service (AKS), including horizontal pod autoscaler, cluster autoscaler, and the Azure Container Instances connector.
+description: Learn about scaling in Azure Kubernetes Service (AKS), including the horizontal pod autoscaler, cluster autoscaler, and Azure Container Instances.
Previously updated : 02/28/2019 Last updated : 04/04/2023 # Scaling options for applications in Azure Kubernetes Service (AKS)
-As you run applications in Azure Kubernetes Service (AKS), you may need to increase or decrease the amount of compute resources. As the number of application instances you need change, the number of underlying Kubernetes nodes may also need to change. You also might need to quickly provision a large number of additional application instances.
+When running applications in Azure Kubernetes Service (AKS), you may need to increase or decrease the amount of compute resources. As you change the number of application instances you have, you may need to change the number of underlying Kubernetes nodes. You also may need to provision a large number of additional application instances.
-This article introduces the core concepts that help you scale applications in AKS:
--- [Manually scale](#manually-scale-pods-or-nodes)-- [Horizontal pod autoscaler (HPA)](#horizontal-pod-autoscaler)-- [Cluster autoscaler](#cluster-autoscaler)-- [Azure Container Instance (ACI) integration with AKS](#burst-to-azure-container-instances)
+This article introduces core AKS application scaling concepts, including [manually scaling pods or nodes](#manually-scale-pods-or-nodes), using the [Horizontal pod autoscaler](#horizontal-pod-autoscaler), using the [Cluster autoscaler](#cluster-autoscaler), and integrating with [Azure Container Instances (ACI)](#burst-to-azure-container-instances-aci).
## Manually scale pods or nodes
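Review bot: the in-page anchor changes from `#burst-to-azure-container-instances` to `#burst-to-azure-container-instances-aci` in `+This article introduces core AKS application scaling concepts, ...` (and again in the scale-out hunk below), but the heading that would generate the new anchor is not part of this diff; confirm the "Burst to Azure Container Instances" heading was renamed to include "(ACI)" in the same commit, otherwise both links break. Also, collapsing the four-item bulleted list into one long sentence makes the overview harder to scan; keeping the list, with the corrected link targets, would serve readers better.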
-You can manually scale replicas (pods) and nodes to test how your application responds to a change in available resources and state. Manually scaling resources also lets you define a set amount of resources to use to maintain a fixed cost, such as the number of nodes. To manually scale, you define the replica or node count. The Kubernetes API then schedules creating additional pods or draining nodes based on that replica or node count.
+You can manually scale replicas, or pods, and nodes to test how your application responds to a change in available resources and state. Manually scaling resources lets you define a set amount of resources to use to maintain a fixed cost, such as the number of nodes. To manually scale, you define the replica or node count. The Kubernetes API then schedules the creation of additional pods or the draining of nodes based on that replica or node count.
-When scaling down nodes, the Kubernetes API calls the relevant Azure Compute API tied to the compute type used by your cluster. For example, for clusters built on VM Scale Sets the logic for selecting which nodes to remove is determined by the VM Scale Sets API. To learn more about how nodes are selected for removal on scale down, see the [VMSS FAQ](../virtual-machine-scale-sets/virtual-machine-scale-sets-faq.yml#if-i-reduce-my-scale-set-capacity-from-20-to-15--which-vms-are-removed-).
+When scaling down nodes, the Kubernetes API calls the relevant Azure Compute API tied to the compute type used by your cluster. For example, for clusters built on Virtual Machine Scale Sets, the logic for selecting which nodes to remove is determined by the Virtual Machine Scale Sets API. To learn more about how nodes are selected for removal on scale down, see the [Virtual Machine Scale Sets FAQ](../virtual-machine-scale-sets/virtual-machine-scale-sets-faq.yml#if-i-reduce-my-scale-set-capacity-from-20-to-15--which-vms-are-removed-).
To get started with manually scaling pods and nodes see [Scale applications in AKS][aks-scale]. ## Horizontal pod autoscaler
-Kubernetes uses the horizontal pod autoscaler (HPA) to monitor the resource demand and automatically scale the number of replicas. By default, the horizontal pod autoscaler checks the Metrics API every 15 seconds for any required changes in replica count, but the Metrics API retrieves data from the Kubelet every 60 seconds. Effectively, the HPA is updated every 60 seconds. When changes are required, the number of replicas is increased or decreased accordingly. Horizontal pod autoscaler works with AKS clusters that have deployed the Metrics Server for Kubernetes 1.8+.
+Kubernetes uses the horizontal pod autoscaler (HPA) to monitor the resource demand and automatically scale the number of pods. By default, the HPA checks the Metrics API every 15 seconds for any required changes in replica count, and the Metrics API retrieves data from the Kubelet every 60 seconds. So, the HPA is updated every 60 seconds. When changes are required, the number of replicas is increased or decreased accordingly. The HPA works with AKS clusters that have deployed the Metrics Server for Kubernetes 1.8+.
![Kubernetes horizontal pod autoscaling](media/concepts-scale/horizontal-pod-autoscaling.png)
-When you configure the horizontal pod autoscaler for a given deployment, you define the minimum and maximum number of replicas that can run. You also define the metric to monitor and base any scaling decisions on, such as CPU usage.
+When you configure the HPA for a given deployment, you define the minimum and maximum number of replicas that can run. You also define the metric to monitor and base any scaling decisions on, such as CPU usage.
To get started with the horizontal pod autoscaler in AKS, see [Autoscale pods in AKS][aks-hpa]. ### Cooldown of scaling events
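Review bot: the rewritten HPA paragraph keeps `The HPA works with AKS clusters that have deployed the Metrics Server for Kubernetes 1.8+.` unchanged even though the page's `Last updated` moves from 02/28/2019 to 04/04/2023; the 1.8 qualifier dates from the 2019 text and no longer conveys anything to a reader on a currently supported AKS version. Suggest dropping the version qualifier, or stating plainly that Metrics Server is what the HPA reads from, without the release number.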
-As the horizontal pod autoscaler is effectively updated every 60 seconds, previous scale events may not have successfully completed before another check is made. This behavior could cause the horizontal pod autoscaler to change the number of replicas before the previous scale event could receive application workload and the resource demands to adjust accordingly.
-
-To minimize race events, a delay value is set. This value defines how long the horizontal pod autoscaler must wait after a scale event before another scale event can be triggered. This behavior allows the new replica count to take effect and the Metrics API to reflect the distributed workload. There is [no delay for scale-up events as of Kubernetes 1.12](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-cooldown-delay), however the delay on scale down events is defaulted to 5 minutes.
+As the HPA is effectively updated every 60 seconds, previous scale events may not have successfully completed before another check is made. This behavior could cause the HPA to change the number of replicas before the previous scale event could receive application workload and the resource demands to adjust accordingly.
-Currently, you can't tune these cooldown values from the default.
+To minimize race events, a delay value is set. This value defines how long the HPA must wait after a scale event before another scale event can be triggered. This behavior allows the new replica count to take effect and the Metrics API to reflect the distributed workload. There's [no delay for scale-up events as of Kubernetes 1.12](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-cooldown-delay), however, the default delay on scale down events is *5 minutes*.
## Cluster autoscaler
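Review bot: the hunk deletes `-Currently, you can't tune these cooldown values from the default.` without replacing it, so the section now describes a default 5-minute scale-down delay and says nothing about whether it can be changed, which is the question the removed sentence answered. If the statement was removed because it is no longer true, say so: the scale-down stabilization window is configurable per HPA through the `behavior` field (`behavior.scaleDown.stabilizationWindowSeconds`), and a sentence to that effect, ideally with a link to the same upstream HPA page already cited in this hunk, should take the place of the deleted line.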
-To respond to changing pod demands, Kubernetes has a cluster autoscaler, that adjusts the number of nodes based on the requested compute resources in the node pool. By default, the cluster autoscaler checks the Metrics API server every 10 seconds for any required changes in node count. If the cluster autoscale determines that a change is required, the number of nodes in your AKS cluster is increased or decreased accordingly. The cluster autoscaler works with Kubernetes RBAC-enabled AKS clusters that run Kubernetes 1.10.x or higher.
+To respond to changing pod demands, the Kubernetes cluster autoscaler adjusts the number of nodes based on the requested compute resources in the node pool. By default, the cluster autoscaler checks the Metrics API server every 10 seconds for any required changes in node count. If the cluster autoscaler determines that a change is required, the number of nodes in your AKS cluster is increased or decreased accordingly. The cluster autoscaler works with Kubernetes RBAC-enabled AKS clusters that run Kubernetes 1.10.x or higher.
![Kubernetes cluster autoscaler](media/concepts-scale/cluster-autoscaler.png)
-Cluster autoscaler is typically used alongside the horizontal pod autoscaler. When combined, the horizontal pod autoscaler increases or decreases the number of pods based on application demand, and the cluster autoscaler adjusts the number of nodes as needed to run those additional pods accordingly.
+The cluster autoscaler is typically used alongside the [horizontal pod autoscaler](#horizontal-pod-autoscaler). When combined, the horizontal pod autoscaler increases or decreases the number of pods based on application demand, and the cluster autoscaler adjusts the number of nodes to run additional pods.
-To get started with the cluster autoscaler in AKS, see [Cluster Autoscaler on AKS][aks-cluster-autoscaler].
+To get started with the cluster autoscaler in AKS, see [Cluster autoscaler on AKS][aks-cluster-autoscaler].
### Scale out events
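Review bot: `+... the cluster autoscaler checks the Metrics API server every 10 seconds for any required changes in node count` was only lightly reworded and still attributes the autoscaler's trigger to the Metrics API, which contradicts the unchanged scale-out section directly below ("When the cluster autoscaler notices pods that can't be scheduled because of node pool resource constraints"); the autoscaler acts on pending, unschedulable pods and on node utilization computed from pod requests, not on Metrics API samples. Suggest "checks the cluster every 10 seconds for pods that can't be scheduled or nodes that are underutilized". The retained "Kubernetes 1.10.x or higher" qualifier has the same staleness problem as the HPA section's "1.8+" and can be dropped.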
If a node doesn't have sufficient compute resources to run a requested pod, that
When the cluster autoscaler notices pods that can't be scheduled because of node pool resource constraints, the number of nodes within the node pool is increased to provide the additional compute resources. When those additional nodes are successfully deployed and available for use within the node pool, the pods are then scheduled to run on them.
-If your application needs to scale rapidly, some pods may remain in a state waiting to be scheduled until the additional nodes deployed by the cluster autoscaler can accept the scheduled pods. For applications that have high burst demands, you can scale with virtual nodes and Azure Container Instances.
+If your application needs to scale rapidly, some pods may remain in a state waiting to be scheduled until the additional nodes deployed by the cluster autoscaler can accept the scheduled pods. For applications that have high burst demands, you can scale with virtual nodes and [Azure Container Instances](#burst-to-azure-container-instances-aci).
### Scale in events
-The cluster autoscaler also monitors the pod scheduling status for nodes that haven't recently received new schedul